NIST Releases Enterprise Risk Management Privacy Framework
by Rick Kuwahara CMO of Paubox
The National Institute of Standards and Technology (NIST) recently shared its privacy framework that guides organizations on how to improve their approach to protecting sensitive data.
The framework also highlights privacy risk management concepts while helping organizations identify the privacy outcomes they want to achieve and the steps needed to meet their goals.
The NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management was created in collaboration with industry stakeholders and follows the structure of the NIST Cybersecurity Framework that’s complementary to the privacy guide.
What the privacy framework supports
The privacy framework outlines enhanced privacy engineering practices that support privacy with design concepts.
Organizations can also find insights on ways to build consumer trust through ethical decision making in product and service design and to minimize unwanted consequences around protecting individuals’ security and privacy.
The framework also provides guidelines on maintaining compliance obligations and methods for achieving this in an ever-changing technological and policy environment.
Facilitating communication on privacy practices with partners, regulators, and individuals is also outlined.
How the framework ensures privacy compliance
Given the increasing amount of large data and privacy breaches, many industry stakeholders have noted that the two-decades-old HIPAA Privacy Rule has some critical gaps for the digital age.
NIST’s privacy framework can be used to demonstrate compliance with laws like the California Consumer Privacy Act (CCPA) and the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD).
The framework covers three main areas:
- Privacy protection activities
- Profiles that help organizations choose the activities relevant to their privacy goals
- Tiers to optimize privacy risk management resources.
NIST intends to continue building the framework to maximize its benefits for organizations far into the future.
This way even organizations with strong existing privacy and security practices can be sure that all privacy requirements are addressed throughout any advances in compliance laws and the digital environment.