In preparing to write an article about the NIST Privacy Framework I asked some friends who work in infosec and data protection for their thoughts. With few exceptions the conversation went:
“Oh, you mean the NIST CyberSecurity Framework.”
“No, the Privacy Framework”, I’d reply.
“I’m pretty sure it’s Cybersecurity.”
“I’ll send you a link.”
It’s not surprising that it’s gone under the radar for many people for whom it could be relevant. In January, when it was launched, a lot of companies were just hoping that they were CCPA compliant, and not necessarily looking for the next big data rights thing to get stuck into. Also, the Privacy Framework is not a regulatory or compliance requirement, and so not something you have to worry about, unlike, you know, everything else that suddenly happened.
Why am I talking about it?
Increased consumer privacy protection is the current direction of travel. Recent state and international regulations like the GDPR and CCPA have caused organizations to have to look at all their data handling procedures and make necessary changes and additions. One problem with this is that these regulations, and ones which will inevitably come after, read very much from the point of view of what the particular rights of the consumer are at that moment in time.
This has led some companies down the road of ‘Checkbox compliance’, where they carry out the minimum effort to meet a particular legal requirement. Personal data needs to be encrypted at rest? OK, I’ll make the changes on the customer database. People need to be able to see a copy of their data? OK, I’ll create a form and update the privacy policy. Cookie control? There’s a tool for that we can stick on the website.
Of course when one set of regulations is checked off, another one comes along and the process starts again.
The NIST Privacy Framework helps turn this reactive process into a proactive one. It embeds the idea of privacy by design into business process analysis. While there is a path to follow, it is very much not a prescriptive or ‘one size fits all’ approach. Companies interpret their risk and response according to their own defined risk profile.
The fundamental advantage of the NIST approach is that, if done properly and treated as a continuous process, other regulations can sit on top, making the job of compliance a whole lot easier.
So it’s for everyone, right?
Certainly if you’re already following the NIST Cybersecurity Framework then the NIST Privacy Framework has been designed so that you follow a similar path. Even if you’re not, this will give a solid bedrock for all privacy management and save a lot of headaches with new regulations. And by implementing this you would also be getting your head round the process of implementing the Cybersecurity Framework, with which it overlaps, so the work can be done concurrently.
However, if your company is ISO 27001 compliant, then it might well make more sense to go for ISO 27701, which is the Privacy Information Management extension. It’s based on the requirements, control objectives and controls of ISO 27001.
Here’s my checklist of the ‘Whys’
Next time, I’ll look at how it’s structured and implemented.
If you want to smooth your path to future compliance and can already see a place for the NIST Framework in your organization, get in touch with TBG Security. Their experts can help you at every stage of the process.