
NIST Draft Privacy Framework

January 6, 2020
Categories
  • Data Security & Encryption
  • GDPR
Tags
  • data breach
  • data class action
  • data protection
On the 6th September 2019, the USA’s National Institute of Standards and Technology (NIST) published a preliminary draft of its new privacy framework entitled ‘Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management’. This framework focuses upon how organisations process data for business purposes, acknowledging that whilst privacy risks can be managed by implementing good cybersecurity, they can still arise from data processing in the course of business practices. The drafting process began in October 2018 and the comment period closed on the 24th October 2019. During this time, NIST collaborated with public and private stakeholders in a variety of sectors including healthcare, education, finance, civil society and telecommunications.

 

The new voluntary framework proposed by NIST seeks to help any type of organisation to implement practices which will aid them in complying with current data protection obligations, as well as future obligations in a constantly changing technological and policy environment. It takes a risk- and outcome-based approach which allows for flexibility in addressing diverse privacy needs across sectors and staying up to date with new technology trends such as artificial intelligence.

 

What does the Framework include? 

The Privacy Framework is structured in a similar way to NIST’s well-established 2014 Cybersecurity Framework in the hope that they will be used in conjunction with one another. It is split into three sections: the Core; Profiles; and Implementation Tiers. 

 

The Core: The Core is essentially a document providing organisations with a set of activities and outcomes which, if implemented, help to manage privacy risk. The Core is split into five functions, or areas where risk can be managed: Identify; Govern; Control; Communicate; and Protect. These functions cover the various stages of data processing where privacy risks may arise. Within each function there are several subcategories of specific desired privacy outcomes, which can be achieved by management or technical action. Privacy outcomes with similar programmatic needs or concerned with similar activities are grouped into categories.

  

Function  | Category              | Subcategory
IDENTIFY  | Inventory and Mapping | Systems/products/services that process data are inventoried
          |                       | Data actions of systems/products/services are inventoried
          | Business Environment  | The organisation’s role in the data processing ecosystem is identified
          |                       | Organisational priorities are established and communicated
          | Risk Assessment       | Data analytic inputs and outputs are identified and evaluated for bias

Fig. 1 Examples taken from the Privacy Framework Core 

 

Organisations do not need to try to fulfil all outcomes but can pick and choose which they want to prioritise within their organisation, depending on which are most appropriate for them.  

 

Profiles: When choosing which outcomes to prioritise, an organisation can tailor each Function, Category and Subcategory to its specific needs, and can also develop new ones if it feels that would be beneficial. Needs can be determined by considering business goals, legal and regulatory requirements, industry best practice and the privacy needs of individuals. Once these factors have been considered, a Target Profile can be created listing all the privacy outcomes that the organisation wants to achieve. A Current Profile, which shows the privacy outcomes already being achieved, can also be created; comparison between the Current and Target Profiles then provides a road map for improving privacy risk management.

 

Personal Profiles allow for an organisation’s efforts to be focused, resulting in more cost-effective and successful outcomes. The flexibility of this approach also ensures that it can apply to a wide range of sectors with varying needs, considerations, purposes etc.  

 

Implementation Tiers: Implementation Tiers are a way of communicating to stakeholders how an organisation views privacy risk and whether it has the processes and resources in place to manage that risk. There are four tiers: Partial; Risk Informed; Repeatable; and Adaptive. These progress from informal, reactive approaches to privacy risks to proactive and risk informed responses. Each tier is defined through four areas: Privacy Risk Management Process; Integrated Privacy Risk Management Program; Data Processing Ecosystem Relationships; and Workforce.  

 

Tier          | Area: Workforce
Partial       | Staff have a limited understanding of privacy risk or privacy management. Training is either non-existent or on an ad hoc basis.
Risk Informed | Staff have specific privacy responsibilities but may have non-privacy responsibilities as well. Regular training for privacy personnel but no consistent process for updates or best practice.
Repeatable    | Staff with only privacy responsibilities who have the knowledge and skills to perform their roles. Regular, up-to-date training for all staff.
Adaptive      | Staff with specialised privacy skill-sets throughout the organisation. Regular, up-to-date and specialised privacy training for all staff. All staff realise the organisational privacy values and their role in maintaining them.

Fig. 2 Example of how each Implementation Tier is defined  

 

When deciding which tier an organisation fits within, its Current Profile and Target Profile should be considered along with any legal/regulatory obligations, business objectives, individuals’ privacy needs and organisational constraints. 

 

Tiers help organisational decision-making, as they indicate whether an organisation has sufficient processes and resources to achieve its Target Profile. Where processes and resources are insufficient, the organisation should aim to progress to a higher Implementation Tier. This self-reflection should influence prioritisation decisions within the Target Profile to enable better progress in managing privacy risk.

 

How will the Framework impact privacy? 

The draft states that the Privacy Framework can be used in risk management to help answer the question: “How are we considering the impacts to individuals as we develop our systems, products and services?” Having answered this question, organisations can then use the Framework to create a new privacy program or improve an existing one by creating Target Profiles and positioning themselves within the Implementation Tiers. The Framework can also aid accountability as it provides a way of demonstrating and communicating organisations’ privacy risk management programs to staff at all levels and key stakeholders.  

 

When completed, the Framework will apply at a national level, in contrast to previous privacy policies in the USA, which have been enacted at state level (for instance California’s CCPA and New York’s Privacy Act). This represents a huge step forward, as it indicates that privacy is being taken seriously at a federal level and promotes consistency in privacy standards across the USA.

 

Whilst this all sounds very promising, there is one caveat: the Framework is voluntary. With no way to ensure that organisations use the Framework, the impact it will have on privacy practices within the USA is hard to say. However, it must be noted that the earlier Cybersecurity Framework on which this draft is based is also voluntary, yet it has now become a de facto standard in many areas due to demand from both public and private clients. In the current climate, where people are becoming increasingly aware of privacy and their rights surrounding their data, there seems to be no reason why the same won’t be said of the Privacy Framework in years to come.

 

About the DPO Centre

The DPO Centre is the UK’s data protection officer resource centre. We provide ‘fractional’ outsourced Data Protection Officer resources to over 250 organisations across the UK, ranging from 1 to 8 days per month. We also provide EU Representation services to a range of Asian and US based medical and technology organisations.

 

© 2020 DPO Centre. All Rights Reserved.