The Federal Trade Commission has submitted a comment on the preliminary draft of the National Institute of Standards and Technology’s Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management.

In its comments, staff of the FTC’s Bureau of Consumer Protection commended NIST for proposing a voluntary tool aimed at helping organizations start a dialogue about managing privacy risks within their organizations.

The regulator also:

  • Called for greater attention to the need to address the risk of privacy breaches at each step of the draft Privacy Framework;
  • Recommended the Privacy Framework clarify that procedures for managing privacy risks should account for the sensitivity of the information;
  • Recommended NIST consider including a more robust discussion of the analysis companies should undertake to ensure consumers understand a company’s data privacy practices, including reviewing whether a company’s actual data practices align with consumer expectations and public-facing statements;
  • Suggested the Privacy Framework include the designation of one or more specific individuals to be in charge of creating, implementing, and maintaining an organization’s privacy program; and
  • Recommended the Framework highlight the importance of conducting a comprehensive risk assessment as a necessary first step before making decisions about which privacy controls should be implemented.

The Commission voted 5-0 to authorize staff to submit the comment to NIST.