With issues around the collection and handling of personal data becoming the focus of increased scrutiny among regulators, policymakers, and consumers, interest has continued to grow among organizations to better understand and address privacy risk. Seeking to support innovation in the market and to accommodate the increasingly global nature of data processing ecosystems, the National Institute of Standards and Technology (“NIST”) released Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (“NIST Privacy Framework”) on January 16, 2020. The recent publication aims to outline an adaptable approach to privacy risk for organizations of all sizes by providing a “framework for privacy management, not just a checklist of tasks.”
The NIST Privacy Framework is a voluntary tool intended to assist organizations in managing privacy risks that may arise due to system, product, or service operations that involve personal data, or in connection to new regulatory regimes such as the California Consumer Privacy Act (“CCPA”) and the European Union’s General Data Protection Regulation (“GDPR”). As noted in the Executive Summary, the NIST Privacy Framework is intended to “enable better privacy engineering practices that support privacy by design concepts and help organizations protect individuals’ privacy.” Notably, the Federal Trade Commission (“FTC”), recognized by many as the U.S. government’s top privacy watchdog, had applauded the preliminary draft of the NIST Privacy Framework in Fall 2019 – indicating that the finalized publication could potentially serve as a credible benchmark for organizations seeking to address privacy risk across the data processing lifecycle.
The NIST Privacy Framework
The NIST Privacy Framework utilizes an analogous structure to the NIST Framework for Improving Critical Infrastructure Cybersecurity (“NIST Cybersecurity Framework”) to help organizations leverage both frameworks in a complementary fashion. With the release of the NIST Privacy Framework, NIST noted that the publication “is intended to be widely usable by organizations of all sizes and agnostic to any particular technology, sector, law, or jurisdiction.” The NIST Privacy Framework explains that “[p]rivacy risk management is not a static process” and emphasizes the importance of monitoring industry and regulatory changes. Accordingly, the Framework states that the document is also meant to help individuals and organizations adapt to emerging technology trends, such as artificial intelligence, the Internet of Things, and the use of algorithms.
Using a common approach—adaptable to the size and complexity of an organization, the scope and nature of its data processing activities, the volume and sensitivity of the personal data at stake, and its role(s) in the data processing ecosystem—the NIST Privacy Framework seeks to assist organizations in managing privacy risks by:
- Taking privacy into account as they design and deploy systems, products, and services that affect individuals;
- Communicating about their privacy practices; and
- Encouraging cross-organizational workforce collaboration—for example, among executives, legal, and information technology (“IT”)—through the development of Profiles, selection of Tiers, and achievement of outcomes.”
Similar to the NIST Cybersecurity Framework, the NIST Privacy Framework includes three key parts: (1) The Core; (2) Profiles; and (3) Implementation Tiers. Each of these components underscores the critical focus on privacy risk management and emphasizes “the connection between business and mission drivers, organizational roles and responsibilities, and privacy protection activities.” The Core is meant to promote a dialogue throughout the organization—from the executive to the implementation and operations levels—regarding privacy protection initiatives and goals. Profiles allow the organization to prioritize those initiatives and goals that best suit its privacy values, business needs, and risk areas. Finally, Implementation Tiers bolster decision-making and communication related to the sufficiency of organizational processes and resources to handle privacy risks.
Similar to the approach taken with the NIST Cybersecurity Framework core functions (i.e., Identify, Protect, Detect, Respond, and Recover), the Privacy Framework lays out five functions, defined as follows:
- Identify-P – Develop the organizational understanding to manage privacy risk for individuals arising from data processing.
- Govern-P – Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.
- Control-P – Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
- Communicate-P – Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.
- Protect-P – Develop and implement appropriate data processing safeguards.
While originally intended to support cyber security in critical infrastructure, commercial organizations have also sought to adopt the NIST Cybersecurity Framework as a benchmark to evaluate their own information security controls (see here, here, and here for Sidley’s prior discussions on this topic). In this vein, the FTC identified the NIST Cybersecurity Framework as consistent with its approach to data security enforcement. In October 2019, the FTC provided positive feedback on a preliminary draft of the NIST Privacy Framework, indicating that it may in the future decide to view this newer publication through a similar lens.
The FTC’s comment on the draft NIST Privacy Framework praised NIST’s “flexible framework” approach, but proposed five high-level suggestions for “clarifying” the guidance. Version 1.0 of the NIST Privacy Framework appears to incorporate some of the FTC’s suggestions, including providing additional context about how an organization should approach conducting a privacy risk assessment and constructing a Target Profile. Notably, however, NIST did deviate from the FTC’s suggestions in important respects. For instance, the FTC suggested that NIST should place greater emphasis throughout the Framework on privacy issues stemming from cybersecurity-related events, such as “privacy breaches.” The revised NIST Privacy Framework; however, instead clarifies that cybersecurity-related issues are appropriately dealt with through an approach that incorporates both the Protect-P function of the NIST Privacy Framework and the “Detect,” “Respond,” and “Recover” functions of the NIST Cybersecurity Framework.
The NIST Privacy Framework is consistent with and complements several existing privacy frameworks and principles that privacy practitioners may already have communicated and adapted to their organizations. Indeed, the NIST Privacy Framework stresses the importance for organizations to engage in a dialogue concerning how data is processed and associated privacy risks. Additionally, for those practitioners looking to FTC comprehensive privacy program cases, such as the October 2018 Uber Decision and Order, for guidance in designing their risk-based programs, the NIST Privacy Framework provides a concrete roadmap for consideration.