The most valuable public companies in the world today are all driven by data.
Some of the most significant companies in the world, including Facebook, Apple, Amazon, Netflix, and Google (collectively known as FAANG on the stock market), have built their business models on data in areas such as advertising, e-commerce, technology products, and subscription models. Data remains a driving force on the road toward the Fourth Industrial Revolution where artificial intelligence, the internet of things (IoT), machine learning, and biotechnology, among others, define the future of our work and society.
And while there is no question that data has generated enormous economic value in the age of digital transformation, it's also true that behind most data points are people. People care about how their personal data is used. They want to protect their reputations, maintain their autonomy, and honor their own dignity. They care about privacy; people need to know which companies they can trust.
Trust is now a critical component to a company’s success. Trust creates long-term brand loyalty and advocacy among customers. A loss of trust, possibly stemming from misused or hacked personal data, emboldens customers to take their business elsewhere which negatively impacts company valuations. (Just look at Yahoo as one example: After an extensive data breach, customers fled in droves, contributing to millions in lost valuation.) Companies can build trust while respecting consumers’ privacy and providing value to their customers’ lives. However, this must be done methodically; companies can garner customers’ trust through ethical decision-making built in to their business models.
Companies understand that trust and privacy are critical, but what does it look like in practice? How do businesses and organizations protect people’s privacy, while still using people’s data? How do companies address privacy risks, which can pose reputational risks, and compliance risks, which can cause legal issues for a company? Are privacy risks included alongside other items in your company’s enterprise risk portfolio? Does your company have a budget allocated with the correct resources in place to adequately tackle privacy risk?
With so many moving parts in the privacy landscape, it can be difficult to know where to start. What’s missing in this equation is common language and practical tools to address privacy needs. That’s exactly what the NIST Privacy Framework wants to solve.
What is the NIST Privacy Framework?
The NIST Privacy Framework is a voluntary framework that helps businesses and organizations understand, evaluate, and mitigate their privacy risks. NIST stands for the National Institute of Standards and Technology, a unit of the United States Commerce Department, that promotes innovation through development of scientific and technological standards. NIST released a preliminary draft of the framework in Sept. 2019 and hopes to have version 1.0 finalized by the end of 2019. The framework, written in layman’s terms, strives to include stakeholders across industries and seniority to define privacy goals and implement shared privacy policies.
The NIST Privacy Framework provides:
Within this framework, businesses and organizations can meet their current privacy compliance goals, as well as anticipate future technological advancements and privacy regulations for their future products and services. The Privacy Framework is tech-agnostic, applies regardless of any specific law and jurisdiction, and works in collaboration with existing NIST Cybersecurity Framework released in 2018.
How the NIST Privacy Framework works
The preliminary draft of the NIST Privacy Framework is composed of three parts: the Core, Profiles, and Implementation Tiers.
The Core helps organizations identify their overarching privacy goals.
Profiles help organizations understand theircurrent privacy risk and understand the gaps to achieve desired privacy risk management. The five main function areas include:
Implementation Tiers support organizational decision-making about privacy risk. This accounts for an organization’s specific systems, products, services, and resources available to help manage risks.
How privacy framework & cybersecurity framework relate
How does the NIST Privacy Framework relate to the NIST Cybersecurity Framework? Two words: privacy breaches. Cybersecurity and privacy risks go hand in hand.
Both frameworks—the NIST Privacy Framework and the NIST Cybersecurity Framework—collaboratively address privacy breach risks. This is especially important considering emerging technologies such as IoT and AI.
The NIST Privacy Framework has five functions: Identify, Govern, Control, Communicate, and Protect.
The NIST Cybersecurity Framework has five functions: Identify, Protect, Detect, Respond, and Recover.
The “Protect” function of the NIST Privacy Framework overlaps with the NIST Cybersecurity Framework. This relates to:
- Identity management, authentication, and access control
- Data security
- Data protection policies, processes, and procedures
- Protective technology
How to use the Privacy Framework
Company executives, legal teams, security teams, and related departments use the NIST Privacy Framework as an informative reference for a variety of things. They might use the framework to strengthen accountability within their organization, establish or improve a privacy program, apply to the system development lifecycle, use in a company’s data processing ecosystem, and make informed buying decisions about which vendors to work with.
Keep in mind that the NIST Privacy Framework is just that, a framework. It is not a standard. It is not a certification. It is a starting point for organizations to understand their privacy risks and adopt a plan that best addresses those risks.
What is the value?
The Privacy Framework helps businesses build trust with their customers, meet current and future privacy regulation compliance obligations, and facilitate a privacy dialogue in a company. Trust is built over time with a company’s customers, third parties, and regulators.
With the Privacy Framework’s help, companies can create better privacy engineering practices such as privacy by design or privacy by default. This helps businesses anticipate new privacy laws and encourages them to be proactive.
Making informed buying decisions
While the draft NIST Privacy Framework is tech-agnostic, it does encourage people to utilize NIST's privacy risk requirements to make informed buying decisions when purchasing products, software, and services, and when working with third parties.
What you can do now
NIST is seeking public comment on the NIST Privacy Framework preliminary draft now through 5 PM EDT on Oct. 24, 2019. After incorporating any updates based on the public comment period, NIST expects to release version 1.0 of the NIST Privacy framework by the end of 2019.
NIST’s future topics regarding privacy risk
After the release of the NIST Privacy Framework Version 1.0 in late 2019, NIST plans to address other privacy-related topics, including emerging technologies, privacy risk assessments, privacy workforce, re-identification risk, and technical standards.
*Disclaimer: I am not a lawyer and am not offering legal advice. If you have legal questions, consult a licensed attorney.*