The National Institute of Standards and Technology (NIST) has released version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management on January 16, 2020. This framework was developed starting in September 2018 using a “robust, transparent, consensus-based collaboration with private and public sector stakeholders.” W. Capra was among those organizations that contributed to the collaboration efforts, and we believe this voluntary tool will become the standard by which all companies in any industry identify and manage privacy risk. Moving forward, W. Capra will be implementing the NIST Privacy Framework as a foundation for all data privacy engagements.
NIST Privacy Framework Overview
The Privacy Framework is composed of three parts: Core, Profiles, and Implementation Tiers.
The core provides a set of increasingly granular activities and outcomes to help companies communicate and prioritize privacy activities across an organization, from an executive level to the implementation level.
The Profile is used to benchmark an organization’s current privacy activities and can also be used to set goals for desired privacy program outcomes. These profiles can be individualized to each organization based on risk factors such as data processing ecosystem roles, types of data processing, and individual’s privacy needs.
Lastly, the Implementation Tiers are used to support communication about whether the organization has sufficient policies, processes, and people to achieve its target privacy Profile. Collectively the Core, Profiles and Implementation Tiers provide a way for organizations to asses, communicate, prioritize and implement privacy goals.
Why should I adopt the NIST Privacy Framework?
Contrary to laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the NIST Privacy Framework is a voluntary tool that organizations may use to reduce their privacy risk. There are no mandates or penalties for not aligning with the NIST Privacy Framework.
However, taking a holistic approach to data privacy through implementing the NIST Privacy Framework will help organizations in achieving privacy goals and potentially reduce work efforts in the future, as more data privacy legislation passes in the U.S. The Privacy Framework is designed to be a useful tool for organizations at all levels of privacy maturity.
How can W. Capra help?
W. Capra has a team of data privacy consultants that have real-world experience developing privacy programs, meeting and maintaining compliance with laws such as the CCPA, and helping organizations reduce privacy risk. Using the NIST Privacy Framework as a foundation for approaching data privacy projects, we leverage industry best practices and our experience to help clients meet their privacy goals.
Interested in learning more? Reach out to the author Danny Omiliak at [email protected].