
Alston & Bird Privacy, Cyber & Data Strategy Blog


NIST Publishes Privacy Framework Version 1.0

January 17, 2020 By Aaron Wasser

On January 16, 2020, the National Institute of Standards and Technology (“NIST”) published Version 1.0 of its Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (“Privacy Framework”). A draft version was initially published for public comment on September 6, 2019.

The new Privacy Framework is designed to support organizations in building customers’ trust by fostering ethical, privacy-focused decision making, fulfilling compliance obligations, and facilitating communication about privacy practices with individuals, business partners, assessors, and regulators.

The Privacy Framework follows the structure of the existing NIST Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”). Released in 2014 and updated in 2018, the Cybersecurity Framework helps organizations manage and communicate cybersecurity risk. While some privacy risks arise directly from cybersecurity incidents (for example, a breach of personal data), many do not: processing personal data in a way individuals find intrusive or unexpected creates privacy risk even when no security control fails. Accordingly, the Privacy and Cybersecurity Frameworks are designed to be used in conjunction with one another to develop comprehensive privacy and cybersecurity programs.

Like the Cybersecurity Framework, the Privacy Framework consists of three parts: the Core, Profiles, and Implementation Tiers.

The Core is a set of privacy activities and outcomes that allows priorities to be communicated across different levels of an organization. Effectively, the Core facilitates dialogue between executive-level decision makers and implementation and operations specialists. The Core is organized into Functions, which are further divided into Categories and Subcategories to allow for increasing granularity.

Profiles represent an organization’s current privacy activities and its desired outcomes. Organizations develop Profiles after reviewing the activities in the Core and determining which are the most significant based on various drivers, including business mission, roles in the data processing ecosystem, types of data processing, and individuals’ specific privacy needs. Comparing a current Profile with a target Profile lets an organization identify gaps and opportunities to improve its approach to privacy.

Lastly, Implementation Tiers provide a reference point for how an organization views privacy risk and whether it has the processes and resources in place to manage that risk. This reference point can be used to determine whether an organization has devoted sufficient resources, attention, or procedures to a given risk. There are four distinct Implementation Tiers representing increasingly formalized states of preparedness: Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), and Adaptive (Tier 4).

The Privacy Framework also includes a section on how organizations can use it. That section describes using the Framework to map informative references, strengthen accountability, establish or improve privacy programs, apply the system development life cycle, identify the organization’s role within the data processing ecosystem, and inform buying decisions.

Filed Under: Cyber Risk, Cybercrime, Cybersecurity, Data Breach, Data Security, Online Privacy, Privacy, Privacy Policy, Workplace Privacy

About Aaron Wasser

Aaron Wasser is an associate in Alston & Bird’s Privacy & Data Security Team. Aaron focuses his practice on helping clients develop tailored solutions to complex privacy and cybersecurity problems.
