NIST Privacy Framework – An Effective Risk-Based Approach to your Privacy Program


Earlier this month, I discussed ISO 27701, a standard that assists organizations in establishing and maintaining a Privacy Information Management System. The complete standard needs to be purchased from the International Organization for Standardization, and for many organizations, certification may not be desirable or practical based on a cost-benefit analysis. There are many other great tools available for developing an effective privacy management program. This short blog piece discusses the Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (the Privacy Framework) published by the U.S. Department of Commerce National Institute of Standards and Technology (NIST) in January 2020. This tool complements and follows the same structure as the NIST Cybersecurity Framework that was released in 2014.

The NIST Privacy Framework is intended to be widely usable by organizations of all sizes, helping them identify and manage privacy risks when designing and deploying systems, products, and services that affect individuals. It also addresses communication of privacy practices and cross-collaboration among executives, legal, and information technology (IT). The framework includes a useful discussion of the importance of privacy risk assessments, noting that they should address more than compliance risk to minimize adverse consequences and promote ethical decision making.

With an emphasis on strengthening accountability, establishing or improving a privacy program, and applying privacy activities and outcomes to the system development lifecycle, the Privacy Framework is an excellent resource for organizations looking to mature their privacy position. The functions or privacy activities in Appendix A (Table 2) of the framework provide detailed tasks to consider under the broad categories of Identify, Govern, Control, Communicate and Protect. The Framework acknowledges that organizations may not need to achieve every activity, but can select or tailor the functions to their specific needs and unique organizational risks. Thus, the framework allows for flexibility in implementation based on the business objectives, privacy values, risk tolerance and legal/regulatory requirements as well as industry best practices that apply.

I highly recommend that Privacy Officers consider the guidance offered by the NIST Privacy Framework. For assistance with the framework or evaluating/improving your privacy management program, contact PRIVATECH.