NIST Releases Privacy Framework | Practical Law

The National Institute of Standards and Technology (NIST) released the first version of Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, to assist organizations in developing privacy engineering practices that help protect individuals' privacy.

Practical Law Legal Update w-023-6671 (Approx. 3 pages)

by Practical Law Data Privacy Advisor
Published on 17 Jan 2020
USA (National/Federal)
On January 16, 2020, the National Institute of Standards and Technology (NIST) released Version 1.0 of the Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management (Privacy Framework). NIST developed the Privacy Framework to enable better privacy engineering practices that support privacy by design concepts and help organizations protect individuals' privacy. Specifically, the Framework can help organizations:
  • Build customer trust by supporting decision-making that optimizes the beneficial use of personal data while minimizing the impact on individuals' privacy.
  • Comply with current obligations and prepare products and services to meet future obligations in a changing technological and policy environment.
  • Communicate about privacy practices with individuals, business partners, assessors, and regulators.
The Privacy Framework follows the structure of the widely used Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework), and NIST expects that organizations will use both frameworks together. Like the Cybersecurity Framework, the Privacy Framework is composed of three parts:
  • The Core, which enables a dialogue among business units about important privacy protection activities and desired outcomes.
  • Profiles, which help organizations prioritize the outcomes and activities that best meet the organization's values, mission, or needs.
  • The Implementation Tiers, which support decision-making and communication about organizational processes and resources to manage privacy risks.
NIST relied on public comment and collaboration with various stakeholders in creating the Privacy Framework.