4 Key Values of the New NIST Privacy Framework

The world is rapidly turning into a tangled web of data privacy regulations. First, the General Data Protection Regulation (GDPR) shook up businesses with EU resident customers by setting high expectations for consumer data privacy, as well as large penalties for companies that didn’t comply. That groundbreaking regulation was followed by a host of U.S. state privacy laws, including the California Consumer Privacy Act (CCPA), the Nevada Privacy Law and the New York SHIELD Act. Internationally, over 80 countries and independent territories have now adopted some form of data privacy laws, and even more far-reaching privacy legislation is slated to be passed this year.

While this new focus on data privacy is certainly beneficial to consumers, it introduces unprecedented challenges for organizations, which often must comply with multiple regulations that may overlap in some ways and may seem contradictory in others. The solution is to educate the organization on the importance and fundamentals of data privacy, which will result in implementing a holistic data privacy program. It’s much easier to demonstrate compliance when privacy is “baked in” to the DNA of an organization and implemented by design in its processes and systems, rather than imposed by multiple and often inconsistent regulations.

How can this be accomplished? Enter the new National Institute of Standards and Technology (NIST) Privacy Framework, which provides the building blocks organizations need to reach those goals. The framework aims to help organizations “do privacy right,” regardless of which regulations they are subject to. Here are some of the NIST Privacy Framework’s key values:

1. It establishes overall best practices for privacy.

The NIST Privacy Framework helps companies internalize data privacy as a core element of business culture. A firm following these guidelines will develop and maintain data privacy policies specific to its business, and it will educate the entire company and its third parties (suppliers, partners, etc.) about them. NIST Privacy Framework helps a firm implement the tools to enforce its privacy policies.

Before creating privacy policies, the firm must understand the data it holds, and how that data is collected, processed and eventually deleted. NIST directs us to start this by mapping out all of the company’s data systems — including those operated by vendors and partners — and assessing them from the perspective of the privacy of the individuals whose data they contain and process, as well as the risks these efforts pose to the business. This isn’t a one-time event. It’s actually a continuous process, as management must understand the privacy risk picture at all times. With an inventory and mapping in hand, the company can build privacy policies based on the NIST Privacy Framework guidelines.

Next, the company must translate privacy policies into working safeguards, both technical and procedural, to actually protect the privacy of data subjects and to ensure the rights to see, correct, transfer, delete and restrict the processing of that data.

2. It creates a common, business-friendly language for discussing privacy processes.

Complying with regulations like GDPR, CCPA and the New York SHIELD Act may be a compelling driver for investing in data privacy, but it’s unlikely to inspire an organization to make privacy a core part of its strategy.

NIST addresses this issue by articulating the core principles of data privacy in business-friendly language. It presents privacy as a series of high-level business processes, with very specific, well-defined goals. Businesspeople will find the NIST Privacy Framework to be a quick, easily digestible read, especially when compared to the 100 pages of GDPR or the dense legal terms of CCPA.

3. It presents the gold standard benchmark for measuring a company’s privacy efforts.

The NIST Privacy Framework outlines a process that will ultimately lead to what is known as “privacy by design,” meaning that privacy will be taken into account throughout the systems engineering and maintenance processes.

When a company implements privacy by design, it considers the rights and interests of the people whose data is processed before creating a new data system or updating an existing one. Every step in a data process must be cognitive and respectful of the consumer or data subject. Organizations must address questions such as:

• Why should someone give me personal data?
• How long do I have to keep the data to satisfy the implied or explicit contract with the individual?
• What am I doing to ensure that I am scrupulously following all the terms of that agreement?

Companies adopting the NIST Privacy Framework will have tools to measure their systems against a robust yardstick of privacy as a fundamental consumer right.

4. It’s a foundation that will simplify compliance to all regulations.

Perhaps most significantly, the NIST Privacy Framework succeeds in introducing an approach to privacy that will ultimately streamline organizations’ compliance. Instead of struggling with the particulars of each regulation, organizations that adopt the framework’s overarching, comprehensive program for privacy by design will have the building blocks in place to easily comply with all privacy requirements.

The company that learns and implements the NIST Privacy Framework will be prepared with the language needed to communicate with stakeholders, constituents and third-party partners about privacy, as well as the best practices to safeguard consumer privacy and engender trust. With this foundational work in place, demonstrating compliance with any one privacy regulation will simply be a matter of mapping existing efforts and documentation to the particular regulation, rather than starting from scratch each time. This is a forward-thinking and welcome way to untangle the current privacy regulations web organizations currently find themselves in.