The NIST Privacy Framework: Updates and Opportunities

While federal legislators still appear unable to reach consensus on the content of national privacy legislation, the National Institute of Standards and Technology (NIST) is moving forward with its plan to issue a “Privacy Framework” by the end of the year. Organizations should be on the lookout for the next draft, scheduled for release in early August, and consider whether to submit feedback in the ensuing comment period.

Although it has not received as much press as the multitude of legislative privacy proposals, the Privacy Framework could become as influential as the related NIST Cybersecurity Framework, which serves as an objective standard against which companies compare their policies and practices.

NIST has already proved responsive to industry input regarding this new framework, and there will be one more opportunity for companies to weigh in on the details of this important proposal later this summer during a formal review and comment period.

Developing a Voluntary Process to Address Privacy Risk

NIST announced the Privacy Framework initiative last fall with the goal of developing a voluntary process helping organizations “better identify, assess, manage, and communicate privacy risks; foster the development of innovative approaches to protecting individuals’ privacy; and increase trust in products and services.” Spurred on in part by increasing privacy concerns regarding the Internet of Things, artificial intelligence, and other new technologies, NIST intends the Framework to be a tool for companies of any size to systematically manage the privacy risks they face and create flexible solutions.

The discussion draft of the Privacy Framework, released April 30, 2019, used the same general structure as its companion Cybersecurity Framework which was first published in 2014 and then updated last year. This decision was based on stakeholder feedback to facilitate compatibility between the two frameworks and has carried over into the most recent drafts of the Privacy Framework. Both frameworks are based around a Core of activities and desired outcomes, separated into high-level “functions” as well as more specific “categories” and “subcategories.”

The Privacy Framework proposal includes the functions “Identify,” “Govern,” “Control,” and “Communicate.” Examples of categories within the “Identify” function are “Inventory and Mapping” and “Risk Assessment.” Organizations can then use the frameworks to prioritize the outcomes that are most important to them.

The final part of both frameworks is a set of “Implementation Tiers,” which help companies better understand how well they are responding to risks and how they can improve their processes.

Working drafts and related materials can be found on NIST’s Privacy Framework website.

Separated vs. Integrated Cores

While the Privacy Framework is being developed to work in tandem with NIST’s guiding Cybersecurity Framework, how the two documents will interact is still unclear. Two of the Core functions of the Cybersecurity Framework, “Protect” and “Respond,” would be natural to include in the Privacy Framework as well, which NIST did in its initial discussion draft.

Earlier this month, NIST released two proposed Cores for the Privacy Framework, representing different possible “levels of alignment” with the Cybersecurity Framework. One option would be to have “separated” Core functions between the two frameworks, meaning that the Privacy Framework would not include the overlapping data security-related Protect or Respond functions. This separated approach would require organizations to address those issues through the Cybersecurity Framework alone.

The other approach, with “integrated” Core functions, would keep the Protect and Respond functions in the Privacy Framework. The pros and cons of each approach were a major point of discussion at a recent public workshop on the Privacy Framework in Boise, Idaho. There was a perception that “larger organizations with a mature cybersecurity program favored a separated approach, while smaller organizations support an ‘integrated’ framework to ease use of both the cybersecurity and privacy documents.”

Whichever route NIST chooses, both draft Privacy Framework formulations touch on many of the issues seen in recent data privacy legislation. They prompt organizations to, among other things:

• Notify the public of the organization’s data processing practices and the privacy rights available to individuals;
• Draft and implement policies limiting the use and disclosure of personal information;
• Follow data minimization principles;
• Require by contract that other entities that process the organization’s information have sufficient measures in place to protect privacy (and audit them for compliance);
• Put mechanisms in place to effectuate individuals’ privacy preferences such as accessing, amending, or deleting their information;
• Set up procedures to respond to individuals’ data privacy requests; and
• Maintain records of all data disclosures.

While the Framework does not address appropriate sanctions for privacy violations, it does promote accountability by requiring entities to monitor and review their privacy risks and policies on an ongoing basis.

Because the Privacy Framework is not specific to any particular privacy law, organizations cannot rely on it to meet all their statutory obligations in the jurisdictions where they operate, but it will help them ask the right questions and provide them an overview of what a comprehensive privacy program might look like in practice.

Final Privacy Framework Coming in October

The development of the Privacy Framework involved significant collaboration with private and public stakeholders. NIST held three public workshops over the last year and released revised versions of key documents based on the input gathered. A preliminary draft Privacy Framework is scheduled for release within a month, with a formal comment period to follow.

NIST tentatively plans to publish the final Privacy Framework this October.

Leveraging the Privacy Framework as a Tool for Broader Compliance

While the Privacy Framework does not specifically address the California Consumer Privacy Act (CCPA), the EU’s General Data Protection Regulation (GDPR), or other specific privacy statutes, it will nevertheless provide a tool for companies to better comply with those laws. It can help coordinate efforts between an organization’s legal department, executives, IT department, customer service, and employees by providing a strategic approach to current and future privacy obligations and setting best practices.