By Marcus Grazette, Europe Policy Lead at Privitar
The National Institute for Standards and Technology (NIST) is a leading standards body. Earlier this year they released the NIST Privacy Framework, a voluntary tool intended to help organizations identify and manage privacy risk. This blog post will introduce the Framework, explain some of the outcomes it recommends and show how Privitar can help you to achieve them.
The Privacy Framework
The Framework is divided into two main parts:
- The Core, a set of privacy outcomes which are in turn broken down into five functions (Identify, Govern, Control, Communicate and Protect).
- The Profiles and the Implementation Tiers, which allow an organization to benchmark progress. Together, these form a maturity matrix which organizations can use to measure progress towards a mature, robust approach to privacy.
The NIST Privacy Framework complements the NIST Cybersecurity Framework, published in 2014. The functions in the Privacy Framework are labelled with the suffix “-P” to distinguish them from those in the Cybersecurity Framework.
The Framework is not a checklist. It was designed to help organizations answer the question: “How are we considering privacy impacts as we develop systems, products and services?” As such, the Framework is outcome based. It describes the ideal outcome, without being prescriptive about how to achieve it.
The five functions are further broken down into 18 categories and 100 outcomes (subcategories). Each function, category and outcome has a unique code assigned to it. Examples are the “Identify” function (ID-P), the “inventory and mapping” category (ID.IM-P) and the “systems that process data are inventoried” outcome (ID.IM-P1). We’ll use these codes when referring to specific outcomes in this blog post.
There is no ‘silver bullet.’ Achieving the majority of outcomes will require a combination of measures. The outcomes fall on a spectrum from technical to non-technical. To help you to understand that range, we grouped them into 11 technical (i.e. applied to the data or the processing system), 36 non-technical (i.e. processes and procedures) and 53 semi-technical (i.e. blending the two) outcomes.
- Technical outcomes: Data should be transmitted using standardized formats (CT.DM-P6). The data format is a purely technical feature of your processing.
- Non-technical outcomes: Ensuring that senior executives understand their roles and responsibilities with respect to privacy (GV.AT-P2) is a non-technical outcome. An organization might achieve it through training or including privacy in HR processes like job specifications or annual reviews.
- Semi-technical outcomes: Protecting removable media and restricting its use according to policy (PR.PT-P1) is a semi-technical outcome. There are technical options (e.g. encryption) or non-technical options (e.g. requiring that removable media is stored in a locked safe) for protecting data on removable media like USB memory sticks. These can operate alongside organizational controls (e.g. a policy banning the use of removable media, unless in exceptional circumstances and only with encryption).
Privitar Supports Implementation
Privitar is a privacy engineering company. We focus on technical controls and support efforts to achieve semi-technical or non-technical controls.
- Technical outcomes. We enable the range of controls in the Framework’s disassociated processing (CT.DP-P) category. For example, our platform can ensure selective disclosure of data elements (CT.DP-P4) because it allows data to be provisioned for specific purposes, into Protected Data Domains (PDDs) where you can control the degree of linkability. PDDs in turn enable outcome CT.DP-P1 which requires data to be processed to limit linkability. Our comprehensive set of data de-identification tools, including masking, tokenization and generalization, can help you to achieve the outcome “data are processed to limit the identification of individuals” (CT.DP-P2).
- Semi-technical outcomes. We allow organizations to embed watermarks in data that has been provisioned. Watermarks support accountability, because information (e.g. the purpose for which the data was provisioned, who is responsible for it, or retention rules) can be embedded in the data. Accountability underpins efforts to establish privacy roles and responsibilities (GV.PO-P3) and supports risk management processes (GV.RM-P1). Organizations can also use watermarks to support forensic investigations of problematic data actions (GV.MT-P4) or to map data processing (ID.IM-P).
- Non-technical outcomes. We also support organizations in achieving non-technical outcomes, for example by informing risk assessments or increasing privacy awareness through training. Our training materials on privacy harms can support outcomes on raising awareness of privacy roles and responsibilities (e.g. under the Govern function).
The Framework provides a detailed set of outcomes describing a comprehensive approach to privacy. Some elements are technical, but most require a mix of technical and organizational controls. There are no technical silver bullets. A combination of Privitar features will, in many cases, help organizations to achieve the recommended outcomes. Against the backdrop of an uncertain legal context, with new privacy regulations emerging and being debated, the Framework offers a concrete set of outcomes that all companies can act on today.