Security and privacy have long been considered “two peas in a pod,” but security is often the primary focus of the two. This is because it is possible to have a nearly perfectly secure system without worrying about privacy. (Imagine Fort Knox with nothing inside of it to protect.) However, it is impossible to have a privacy-centric system without any focus on security principles and technologies. When you put the data first and truly understand what it is you’re protecting, you are able to scale security so that it is commensurate with the data under protection.
After more than a decade of its Cybersecurity Framework (CSF), in January of 2020, the National Institute of Standards and Technology (NIST) spoke on the topic of privacy. The new and simply named NIST Privacy Framework was created to complement the CSF and lays a foundation for early privacy program adopters to follow as they build out more comprehensive programs. According to NIST, the framework considers “privacy events as potential problems individuals could experience from system, product, or service operations with data, whether in digital or non-digital form, through a complete life cycle from data collection through disposal.” In other words, a privacy event is any way in which an individual’s data could become public and cause harm. NIST further breaks down harm into the following categories: embarrassment or stigma, discrimination, economic loss, or physical harm.
It helps businesses better identify, prioritize, and manage privacy risks to protect the privacy of individuals everywhere. It does this by closely mirroring the approach of the CSF: the CSF functions include Identify, Protect, Respond, and Recover, while the functions of the Privacy Framework are Identify, Govern, Control, Communicate, and Protect. The two clearly borrow from each other and overlap, showing how integral the two concepts are to mutual success.
Framework Structure and Use
Like the CSF, the Privacy Framework is made up of three parts: Core, Profiles, and Implementation Tiers. The Core is a set of activities and outcomes that helps organizations begin to think and talk about their privacy risk. Profiles are built from the functions mentioned above: Identify, Govern, Control, and Communicate. The Implementation Tiers help businesses understand whether they currently have the resources in place to manage privacy risk and achieve their goals.
Any organization can use the framework to assess and reduce its privacy risk. In fact, NIST provides hypothetical use cases featuring both a large corporation and a small business to illustrate its implementation within various environments.
So What Does This Mean for Businesses?
Privacy as a discipline has long been entangled with compliance obligations, legal regulations, and standards, with a great deal of uncertainty about where regulatory boundaries start and end. Multiple industry and government regulations have also taken the spotlight in recent times (GDPR, HIPAA, CCPA, PIPEDA, FERPA), and the list goes on. However, these existing (and often mandatory) regulations are specific to certain industries, governments, and even geographical areas. NIST’s purpose in developing the Privacy Framework was to provide an industry-, geography-, and sector-agnostic approach that is readily available as a voluntary foundation to anyone interested in adopting it. It serves as a solid starting point for organizations developing basic, intermediate, and even advanced privacy programs.