What You Need to Know About the New NIST Privacy Framework


The internet and newly created technologies powered by data being collected from individuals have created many advantages for society. From using Internet of Things (IoT) devices like Alexa or Google Home to connecting with friends and family on social media platforms like Facebook or Instagram, mankind has brought itself to a new frontier. But satisfying an urge to propel headfirst into the digital revolution has come at the expense of our data being shared, possibly without our knowledge.

Because of the technical nature of these developments, people may not take the time, or may not be able, to understand the consequences for their privacy when they interact with programs, products and services.

Organizations may not realize the full extent of these consequences for individuals or their businesses, which may influence their products, their bottom line, and their potential for future growth.

In the past few years, millions of people have been affected by privacy data breaches from tech giants like Google and Facebook.

  • Google exposed hundreds of thousands of users’ Google+ social network data without properly notifying them of the issue for months.
  • Facebook faced public outrage after Cambridge Analytica harvested millions of users’ information without their knowledge, prompting many users to leave the social media platform out of distrust.
  • Consumer Reports found Samsung and Roku smart TVs could be hacked, leading the FBI to issue a warning to all smart TV owners regarding privacy concerns.

Privacy concerns will only continue to grow as technology becomes more integrated into our everyday lives; furthermore, companies will need to shift their focus to protecting user privacy.

NIST Privacy Framework

In that vein, the National Institute of Standards and Technology (NIST) has published the Privacy Framework version 1.0 with the intent to require better engineering practices. The guidelines support privacy through design concepts, and help organizations to protect individuals’ privacy.

The Framework is a voluntary tool that can be used by organizations to manage risks in compliance with privacy legislation.

NIST explains that the Privacy Framework can support organizations in:

  • Building customer trust by fostering ethical decision-making in product and service design or delivery that optimizes the beneficial use of data while reducing adverse consequences for the privacy of individuals and society.
  • Fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment; and
  • Facilitating communication about privacy practices with individuals, business partners, assessors, and regulators.

Like its predecessor, the Cybersecurity Framework, NIST’s Privacy Framework is composed of three sections: Core, Profiles, and Implementation Tiers.

  • The Core enables a dialogue—from the executive level to the implementation/operations level—about important privacy protection activities and desired outcomes.
  • Profiles enable the prioritization of the outcomes and activities that best meet organizational privacy values, mission or business needs, and risks.
  • Implementation Tiers support decision-making and communication about the sufficiency of organizational processes and resources to manage privacy risk.

Privacy Risk Assessment Process

NIST describes privacy risk management as a cross-organizational set of processes that helps organizations to understand how their systems, products, and services may create problems for individuals. The Privacy Framework explains how to develop effective solutions to manage such risks.

In general, privacy risk assessments provide information that helps organizations weigh the risks of data processing against its benefits and determine the appropriate response.

Organizations can choose to prioritize and respond to privacy risk in various ways based on the potential impact on individuals and the resulting impact on the organization.

Response approaches include:

  • Mitigating the risk (e.g., organizations may be able to apply technical and/or policy measures to the systems, products, or services that minimize the risk to an acceptable degree);
  • Transferring or sharing the risk (e.g., contracts are a means of sharing or transferring risk to other organizations, while privacy notices and consent mechanisms are a means of sharing risk with individuals);
  • Avoiding the risk (e.g., organizations may determine that the risks outweigh the benefits, and forego or terminate the data processing); or
  • Accepting the risk (e.g., organizations may determine that problems for individuals are minimal or unlikely to occur, therefore the benefits outweigh the risks, and it is not necessary to invest resources in mitigation).

Consumer Privacy Laws

While US privacy laws have yet to be enforced, interest in privacy issues as part of the application development process is on the rise following legislation such as the EU General Data Protection Regulation (GDPR) and the 2018 California Consumer Privacy Act (CCPA).

The Privacy Framework is considered complementary to the NIST Cybersecurity Framework. Using both gives an organization a clear understanding of the different origins of cybersecurity and privacy risks, which allows it to determine the most effective solutions for addressing those risks.

Over time, the NIST privacy risk assessment will help companies differentiate between privacy risk and compliance risk. Identifying how data processing may create problems for people, even if an entity is fully compliant with relevant laws or regulations, can help with ethical decision making in the design or implementation of systems, products, and services.

In summary, the Privacy Framework is intended to help organizations build better privacy foundations by bringing privacy risk into parity with their broader enterprise risk portfolio.

Avertium specializes in the NIST Privacy Framework and the NIST Cybersecurity Framework, as well as related compliance and other security frameworks. 

To find out how we can help you achieve your desired risk management profile and security posture, reach out for a consultation.

Andrew Ange, CCSFP

Andrew Ange is a healthcare consultant with Avertium. Andrew specializes in HIPAA and HITRUST compliance and has extensive experience designing, developing, managing and implementing IT security solutions in compliance with IT security standards and best practices.
