The National Institute of Standards and Technology’s new draft Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management highlights three factors to help firms manage privacy and cyber-risk: the core—five functions that act as a checklist for activities and outcomes; profiles—a selection of categories and functions for prioritization; and implementation—four tiers to assess the availability and adaptability of company resources.
UNDERSTANDING THE NIST PRIVACY FRAMEWORK
Below is a description of each function within the Privacy Framework, a select few examples of a corresponding category, and examples of that category’s respective subcategories:
Identify-P: Develop the organizational understanding to manage privacy risk for individuals arising from data processing.
- Category: Inventory and Mapping: Data processing by systems, products, or services is understood and informs the management of privacy risk.
- Subcategories: Systems/products/services that process data are inventoried (ID.IM-P1); Owners or operators (e.g., the organization or third parties—such as service providers, partners, customers, and developers) and their roles with respect to the systems/products/services and components (e.g., internal or external) that process data are inventoried (ID.IM-P2); Categories of individuals (e.g., customers, employees or prospective employees, consumers) whose data are being processed are inventoried (ID.IM-P3).
Govern-P: Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.
- Category: Awareness and Training: The organization’s workforce and third parties engaged in data processing are provided privacy awareness education and are trained to perform their privacy-related duties and responsibilities consistent with related policies, processes, procedures, and agreements and organizational privacy values.
- Subcategories: The workforce is informed and trained on its roles and responsibilities (GV.AT-P1); Senior executives understand their roles and responsibilities (GV.AT-P2); Privacy personnel understand their roles and responsibilities (GV.AT-P3); Third parties (e.g., service providers, customers, partners) understand their roles and responsibilities (GV.AT-P4).
Control-P: Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
- Category: Data Management: Data are managed consistent with the organization’s risk strategy to protect individuals’ privacy, increase manageability, and enable the implementation of privacy principles (e.g., individual participation, data quality, data minimization).
- Subcategories: Data elements can be accessed for alteration (CT.DM-P3); Data elements can be accessed for deletion (CT.DM-P4); Data are destroyed according to policy (CT.DM-P5).
Communicate-P: Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding about how data are processed and associated privacy risks.
- Category: Communication Policies, Processes, and Procedures: Policies, processes, and procedures are maintained and used to increase transparency of the organization’s data processing practices (e.g., purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities) and associated privacy risks.
- Subcategories: Transparency policies, processes, and procedures for communicating data processing purposes, practices, and associated privacy risks are established and in place (CM.PP-P1); Roles and responsibilities (e.g., public relations) for communicating data processing purposes, practices, and associated privacy risks are established (CM.PP-P2).
Protect-P: Develop and implement appropriate data processing safeguards.
- Category: Data Security: Data are managed consistent with the organization’s risk strategy to protect individuals’ privacy and maintain data confidentiality, integrity, and availability.
- Subcategories: Data-at-rest are protected (PR.DS-P1); Data-in-transit are protected (PR.DS-P2); Systems/products/services and associated data are formally managed throughout removal, transfers, and disposition (PR.DS-P3); Adequate capacity to ensure availability is maintained (PR.DS-P4); Protections against data leaks are implemented (PR.DS-P5).
The highly anticipated release of NIST’s Privacy Framework followed a year of extensive engagement with stakeholders through a series of public workshops and roundtables on the challenges of protecting data privacy and how to develop guidelines to assist companies in addressing these challenges. As the Privacy Framework is still under development, NIST encourages the submission of comments through Oct. 24 (submission instructions can be found here).
In developing the Privacy Framework, discussion concentrated largely on the relationship between privacy and cyber-security, tackling such questions as how to align privacy risk management with cyber-security risk management and with an organization’s broader enterprise risk portfolio; how to address the overlap between data security and privacy breaches in cost-effective and practical ways; and what role NIST’s Cybersecurity Framework can play.
Like the NIST Cybersecurity Framework, the Privacy Framework is composed of three parts: core activities and outcomes, profiles, and implementation tiers. A description of each section is below.
Core activities and outcomes (‘the core’)
The core provides an increasingly granular set of activities and outcomes that enable an organizational dialogue about managing privacy risk. Five key functions make up the core: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P, where the “-P” distinguishes privacy from cyber-security risk management activities. These five functions are broken down further into underlying categories and subcategories. They are not intended to be a checklist, but a guide.
Since NIST kicked off discussions in October 2018, the Privacy Framework has gone through some important changes, Lefkovitz explained on a recent webinar. For example, based on stakeholder feedback around the importance of governance, NIST decided to break out some of the categories that were under the “Identify-P” function and elevate them into the newly added function, “Govern-P.” Additionally, the category of “awareness and training” that originally was in the “Protect-P” function was moved into the “Govern-P” function to make it an overall organizational governance exercise, she said.
Profiles
The second component of the Privacy Framework is a selection of specific functions, categories, and subcategories from the core that companies are expected to prioritize to help them manage privacy risk. The focus here, as with NIST’s Cybersecurity Framework, is customization.
The selection of profiles should be based on organizational or industry-sector goals, legal and regulatory requirements, the company’s own risk management priorities, and the privacy needs of individuals. Those factors help determine what companies are currently doing and forecast where they need to be, according to Lefkovitz. NIST further provides two hypothetical use cases to improve understanding of the core and to demonstrate how the development of profiles can increase collaboration and dialogue across companies and support risk-based decisions.
Implementation tiers
The third component is meant to support conversations around whether the company has sufficient resources and processes in place to manage privacy risk and achieve its target profile. When selecting tiers, NIST recommends that a company consider its current risk management practices; its data-processing systems, products, or services; legal and regulatory requirements; business objectives; organizational privacy values and individuals’ privacy needs; and organizational constraints.
The Privacy Framework describes four distinct tiers: Partial (Tier 1); Risk Informed (Tier 2); Repeatable (Tier 3); and Adaptive (Tier 4).
“Tiers do not represent maturity levels,” the Privacy Framework states. “Progression to higher tiers is appropriate when an organization’s processes or resources at its current tier are insufficient to help it manage its privacy risks.”
Companies should take further comfort in the fact that there is no right or wrong way to apply the Privacy Framework. While some companies may “choose to use the implementation tiers to articulate [their] envisioned privacy risk management processes,” NIST said in the framework, “another organization may already have robust privacy risk management processes but may use the core’s five functions to analyze and articulate any gaps. Alternatively, an organization seeking to establish a privacy program can use the core’s categories and subcategories as a reference.”
Privacy vs. cyber-security risks
One significant focus of discussion leading up to release of the preliminary draft of the Privacy Framework was how to align it with NIST’s Cybersecurity Framework and how the different functions can be used to manage these different sources of risk. The core of the Privacy Framework was purposely designed in such a way that companies have flexibility to use both frameworks cohesively.
While cyber-security risk management contributes to privacy risk management, privacy risk can still arise outside the scope of cyber-risk. NIST uses a Venn diagram (a mathematical illustration of the relationships among sets) to illustrate both the differences and the overlap between the two risks: privacy risk is associated with “the unintended consequences of data processing” on the one side, and cyber-security risk is associated with “loss of confidentiality, integrity, or availability” of data on the other. Where the two risks overlap is in the area of privacy breaches.
Companies can use the first four functions—Identify-P, Govern-P, Control-P, Communicate-P—to manage privacy risk arising from data processing, while the Protect-P function can help companies manage privacy risk associated with privacy breaches, along with the Detect, Respond, and Recover functions from the Cybersecurity Framework, Lefkovitz said. “That might work very well for organizations that are still maturing their privacy program or don’t necessarily have a close collaboration with the cyber-security team, and so it’s important for both sides to understand the privacy perspective of data protection,” she said.
Alternatively, as the framework suggests, “organizations could use all of the Cybersecurity Framework functions, in conjunction with Identify-P, Govern-P, Control-P, and Communicate-P, to collectively address privacy and cyber-security risks.”
As with the Cybersecurity Framework, the Privacy Framework comes at a critical time, as privacy breaches proliferate and as regulators draw increasing attention to individual privacy rights under the EU’s General Data Protection Regulation (GDPR) and, in the United States, the California Consumer Privacy Act (CCPA).
Understanding the relationship between individual privacy risk, particularly arising from data processing activities, and the resulting impact imposed on a company—such as customer abandonment, non-compliance costs, harm to reputation or internal culture—can serve as an organizational driver in terms of how to allocate budget and resources to strengthen the privacy program. “We hope that will help bring privacy into parity with the other risks that organizations are trying to manage in their enterprise risk management portfolio,” Lefkovitz said.
Privacy executives say that shift is already taking place. “This is a business differentiator,” said SunTrust Chief Privacy Officer Ron Whitworth during last year’s kickoff workshop. “We’ve always tried to make that case as privacy professionals dating back many years; but I think we’re really seeing that now where the executives and boards are jumping in and saying, ‘This is a critical business issue. This is not a compliance exercise.’”
The Privacy Framework will help privacy and risk professionals have better conversations with regulators, executives, and boards by helping to frame conversations around what a best-practice privacy risk management program should look like. “This is going to be hugely important, as much as it was in the cyber-security context,” Whitworth said. “This is going to help lift everybody up to a standard we all need to reach.”