Within both the private and public sector, organizations are waking up to the reality that they need to be doing more to safeguard data privacy. With that in mind, the National Institute of Standards and Technology (NIST) has released a preliminary draft document (“NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management”) with guidelines for protecting individual privacy. The NIST will accept public comments on this Privacy Framework until October 24. At that time, the NIST will aggregate all of the feedback that it has received into a final, comprehensive privacy framework that all organizations, regardless of size or sector within the economy, can use to improve both privacy and security.
Context for the NIST Privacy Framework
According to the NIST, which is part of the United States Department of Commerce, privacy should be seen as an intangible that safeguards human values like dignity and autonomy. As such, organizations need to be taking steps to adapt their systems, products and services in such a way as to maximize the beneficial uses of data within the enterprise while simultaneously minimizing the potential privacy problems for individuals. Thus, collecting data for public safety purposes might be a beneficial use of data – but that benefit would have to take into account the possibility that any form of data collection (such as collecting facial recognition data in large urban crowds) might infringe on the personal privacy of individuals.
In order to optimize this trade-off between the costs and benefits of collecting data in the digital era, the draft risk management privacy framework suggests that organizations take a flexible approach to protecting individuals’ privacy and security, focusing on those methods and practices that are the best fit for their existing business processes, rather than blindly accepting a “one-size-fits-all” approach or settling for a “checklist approach.” Thus, in order to safeguard personal privacy and minimize cybersecurity risks, one organization might prefer to use cryptography, while another organization might prefer to use de-identification techniques that essentially anonymize user data.
In addition, the NIST website advises that organizations align their thinking on privacy and security with the existing NIST Cybersecurity Framework. For that reason, the NIST Privacy Framework is structured in much the same way as the Cybersecurity Framework, thereby ensuring that organizations won’t need to rip up existing business processes and start over from scratch. The framework is a voluntary tool for improving privacy and security, and can be extraordinarily powerful in helping companies utilize personal data more effectively.
George Wrenn, Founder and CEO of CyberSaint Security, offers his thoughts on the new Privacy Framework: “In years past, privacy and security were seen as two distinct functions within an organization. However, while security can exist without privacy, privacy cannot exist without security. At the highest level, aligning the new Privacy Framework draft core with the Cybersecurity Framework core indicates that NIST recognizes that these two functions are serving the same goal of protecting the consumer. By integrating privacy and security together, organizations can take a more holistic view of their integrated risk management program.”
Key parts of the new draft NIST privacy framework
There are three key parts to the draft NIST Privacy Framework, referred to as “The Core,” “Profiles” and “Implementation Tiers.” The first section lays out a potential set of privacy protection activities that an organization might carry out. The second section provides guidance on which activities laid out in “The Core” an organization should pursue as part of its own privacy and security approach. And, finally, the third section provides additional guidance on how an organization should optimize any resources allocated to managing privacy risk.
In short, the draft NIST Privacy Framework provides guidance on how organizations should be thinking about privacy and security. It then walks them through some of the various innovative approaches to protecting privacy that are available to them, with a focus on increasing trust in systems and products. According to the NIST, there are three specific goals that any organization should be looking to achieve by adapting the NIST Privacy Framework: building customer trust (which is in short supply these days, due to all the privacy scandals unfolding on a regular basis); fulfilling current and future compliance obligations (an especially salient point, given the current focus on regulations like the European GDPR); and facilitating communication about privacy practices between an organization and all of its stakeholders and customers.
Public commentary on the NIST privacy framework
While this is an excellent, high-level approach to personal privacy, there is still room to tighten it up even further, says the NIST. That’s why the NIST is inviting public commentary on the draft NIST Privacy Framework. Specifically, the NIST is looking for feedback related to whether or not this privacy framework enables cost-effective implementation. In other words, just how burdensome – from an economic perspective – will this new NIST Privacy Framework be for organizations?
In addition, the NIST is looking to ascertain whether it has adequately and appropriately defined the relationship between privacy and security. As currently configured, the NIST Privacy Framework presents privacy and security as a sort of yin and yang that must be in constant equilibrium: push too much on security, and you start to infringe on personal privacy, but enable too much privacy, and you might create security risks.
And, finally, the NIST is looking for feedback as to whether or not the draft NIST Privacy Framework is forward-looking enough to account for rapid technological change in the form of the Internet of Things (IoT) and artificial intelligence (AI). This is an especially important point, given the rapid pace of technological change, in which regulations and legislation often have a hard time keeping up with reality in the business world. Notably, the NIST is very involved with emerging information technologies such as nanotech and smart grids, so it will be interesting to see what kind of feedback it receives from the tech and scientific community.
One thing is certain: notions of personal privacy are rapidly changing, and all organizations in both the private and public sector must be doing a better job of keeping up with these changes. The draft NIST Privacy Framework appears to be a good first step in helping organizations optimize the beneficial uses of data and regain the trust of consumers.