The Federal Trade Commission has submitted a comment on the preliminary draft of the National Institute of Standards and Technology’s Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management.
In its comments, staff of the FTC’s Bureau of Consumer Protection commended NIST for proposing a voluntary tool aimed at helping organizations start a dialogue about managing privacy risks within their organizations.
The regulator also:
- Called for greater attention to the need to address the risk of privacy breaches at each step of the draft Privacy Framework;
- Recommended the Privacy Framework clarify that procedures for managing privacy risks should account for the sensitivity of the information;
- Recommended NIST consider including a more robust discussion of the analysis companies should undertake to ensure consumers understand a company’s data privacy practices, including reviewing whether a company’s actual data practices align with consumer expectations and public-facing statements;
- Suggested the Privacy Framework include the designation of one or more specific individuals to be in charge of creating, implementing, and maintaining an organization’s privacy program; and
- Recommended the Framework highlight the importance of conducting a comprehensive risk assessment as a necessary first step before making decisions about which privacy controls should be implemented.
The Commission voted 5-0 to authorize staff to submit the comment to NIST.