On Sept. 6, 2019, the National Institute of Standards and Technology (NIST) released a preliminary draft of the NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management.
NIST began working on the Privacy Framework after the release of its Cybersecurity Framework in October 2018. The organization hosted workshops and roundtables to gather public and private stakeholder input to develop the framework. NIST is now seeking public feedback on this preliminary draft prior to releasing version 1.0, which is expected to be available at the end of 2019.
According to a press release, the NIST Privacy Framework provides a tool that “helps organizations communicate better about privacy risks when designing and deploying products and services, provide more effective solutions that can lead to better privacy outcomes, and facilitate compliance with their legal obligations.”
The NIST Privacy Framework ties to the popular NIST Cybersecurity Framework, as it brings privacy and cybersecurity teams together to address privacy breach risks. Similar to the Cybersecurity Framework, the Privacy Framework is written in accessible language to allow people with non-technical backgrounds to understand shared privacy goals.
In the Profiles section of the framework, the NIST Privacy Framework encourages businesses to create current and target profiles to select outcomes that are relevant to their specific privacy goals and risk tolerance. Buyers can then use these profiles to inform decisions and understand any trade-offs they are willing to accept when buying software, products, and services.
Adding your input
The preliminary draft of the NIST Privacy Framework is available for public comment through 5 PM EDT on Oct. 24, 2019.
*Disclaimer: I am not a lawyer and am not offering legal advice. If you have legal questions, consult a licensed attorney.*