On September 6, 2019, the National Institute of Standards and Technology (“NIST”) released a preliminary draft of its Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management (“Privacy Framework”).
Created in collaboration with private and public stakeholders, the voluntary Privacy Framework is intended to help organizations build privacy foundations by integrating privacy considerations into their broader enterprise risk portfolio. The Privacy Framework has a three-part structure, and each part is intended to reinforce privacy risk management. The “Core” is a set of privacy protection activities and outcomes used to manage risk and to encourage communication about privacy across the organization. “Profiles” are selections of the Core elements that an organization has prioritized; comparing a “Current” Profile (the organization’s “as is” state) with a “Target” Profile serves as a form of self-assessment and gap analysis. The third part, “Implementation Tiers,” describes how an organization views privacy risk and whether the processes and resources it has in place are sufficient to manage that risk.
This three-part structure deliberately mirrors NIST’s existing Cybersecurity Framework. Once the Privacy Framework is finalized, organizations will ideally be able to use the two Frameworks together to address privacy and cybersecurity risks within a single risk-management program.
NIST seeks comment on the preliminary draft of the Privacy Framework. The comment period closes on October 24, 2019.