By Marcus Grazette, Europe Policy Lead at Privitar
The National Institute of Standards and Technology (NIST) is a leading standards body. Earlier this year it released the NIST Privacy Framework, a voluntary tool intended to help organizations identify and manage privacy risk. This blog post introduces the Framework, explains some of the outcomes it recommends and shows how Privitar can help you achieve them.
The Framework is divided into two main parts:
The Core, a set of privacy outcomes which are in turn broken down into five functions (Identify, Govern, Control, Communicate and Protect).
The Profiles and the Implementation Tiers, which allow an organization to benchmark progress. Together, these form a maturity matrix which organizations can use to measure progress towards a mature, robust approach to privacy.
The NIST Privacy Framework complements the NIST Cybersecurity Framework, published in 2014. The functions in the Privacy Framework carry the suffix “-P” to distinguish them from those in the Cybersecurity Framework.
The Framework is not a checklist. It was designed to help organizations answer the question: “How are we considering privacy impacts as we develop systems, products and services?” As such, the Framework is outcome based. It describes the ideal outcome, without being prescriptive about how to achieve it.
The five functions are further broken down into 18 categories and 100 outcomes (subcategories). Each function, category and outcome is assigned a unique code. For example, the “Identify” function is ID-P, its “inventory and mapping” category is ID.IM-P, and the “systems that process data are inventoried” outcome within that category is ID.IM-P1. We’ll use these codes when referring to specific outcomes in this blog post.
There is no ‘silver bullet.’ Achieving the majority of outcomes will require a combination of measures. The outcomes fall on a spectrum from technical to non-technical. To help you to understand that range, we grouped them into 11 technical (i.e. applied to the data or the processing system), 36 non-technical (i.e. processes and procedures) and 53 semi-technical (i.e. blending the two) outcomes.
Privitar is a privacy engineering company. We focus on technical controls and support efforts to achieve semi-technical or non-technical controls.
The Framework provides a detailed set of outcomes describing a comprehensive approach to privacy. Some elements are technical, but most require a mix of technical and organizational controls. There are no technical silver bullets. A combination of Privitar features will, in many cases, help organizations to achieve the recommended outcomes. Against the backdrop of an uncertain legal context, with new privacy regulations emerging and being debated, the framework offers a concrete set of outcomes that all companies can act on today.