Mastering Privacy Protection: The Guide to the NIST Privacy Framework
The NIST Privacy Framework (Version 1.0, published in January 2020) is a voluntary set of guidelines to help organizations manage privacy risk. Created by the National Institute of Standards and Technology (NIST), the Privacy Framework establishes a common vocabulary and set of practices for improving an organization's data privacy posture and reducing risk, and can serve as the foundation on which organizations build their privacy programs.
Traditional data security programs are no longer enough to manage data privacy concerns, align with regulations, and protect consumer data. They need to be coordinated with purpose-built data privacy programs – and together build a stronger security posture across the entire data landscape.
The key goals of the NIST Privacy Framework are to:
- Help organizations improve their data privacy standards through enterprise risk management
- Provide organizations with a set of guidelines that address current privacy practices
- Adapt to upcoming changes and challenges that emerging data privacy regulations present
- Align with the NIST Cybersecurity Framework
Privacy Builds on Security: NIST Cybersecurity Framework
NIST’s Privacy Framework complements the existing NIST Cybersecurity Framework (CSF), both of which offer steps for organizations to adopt a stronger stance on risk, privacy and security.
The NIST Cybersecurity Framework (CSF) was first published in 2014, following Executive Order 13636, to give organizations a common, voluntary baseline for managing cybersecurity risk at a time when cyberattacks and data leaks were growing and no shared, sector-neutral standard existed. It was built to create a shared mindset and vocabulary, align stakeholders, and help organizations develop stronger security postures built on defense in depth.
The CSF lets organizations assess and mature their ability to prevent, detect, and respond to cyberattacks, with the aim of protecting data, minimizing risk, and sustaining a cybersecurity program over time.
Its reception led NIST to develop the Privacy Framework as a parallel, complementary set of guidelines for managing privacy risk.
Together, these two frameworks are designed to help companies prioritize and develop the right strategy for data privacy & data protection, and bridge the gap between privacy and security.
Building Blocks for Data Privacy
The CSF Core is organized into five functions: Identify, Protect, Detect, Respond, and Recover. The Privacy Framework adopts the same Function, Category, and Subcategory structure, but its five functions are Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P (NIST adds the -P suffix to distinguish them from the CSF functions of the same name).
Identify: Develop the organizational understanding to manage privacy risk for individuals arising from data processing.
Within the Identify function, organizations need to know their data: inventory and map it (together with the business environment it lives in), assess the risk it carries, and get consolidated visibility across every store where it might reside.
In order to effectively identify risk that arises from data processing, organizations should take a discovery-in-depth approach to be able to create an inventory of whose data is being processed, record the purpose of processing, and identify high-risk data.
Govern: Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.
The governance function highlights the need for a strong risk management strategy: in order to manage risk, organizations should identify regulatory and compliance requirements, establish policy workflows, enact data retention policies, and establish data quality benchmarks.
Control: Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
The Privacy Framework's Control function covers the policies, processes, and procedures that govern data processing. A practical first step is a unified data inventory that maps all data, wherever it lives, exposed through a data catalog so the data being processed can be managed, monitored, and tracked. On top of that, access intelligence identifies who can access personal and sensitive data, compares that with who should, and lets organizations apply and enforce policies on that data with visibility across every environment.
Communicate: Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.
Organizations need to be able to communicate what data is being processed and why – making sure there’s transparency in data collection and processing. They should be able to report on what data is being processed (and why), monitor (and disclose) data sharing, report and validate data deletion, and be able to identify and notify individuals if their data has been compromised in a breach.
Protect: Develop and implement appropriate data processing safeguards.
To protect personal and sensitive data, organizations must establish baseline security practices, identify and manage risk, and maintain consistent policies for sensitive and personal data. This spans from establishing incident response plans to proactively managing and monitoring sensitive data across the entire organization, for both data at rest and data in motion. It is critical to manage and monitor access to sensitive data, protect exposed data against leaks and cyberattacks, and automatically detect and remediate policy violations.
A Framework for Privacy Management
As data privacy and protection regulations continue to evolve, it’s more important than ever to establish a framework for privacy management.
Regulations from the New York SHIELD Act to the CCPA to the EU’s GDPR underscore the importance of establishing a privacy program that not only aligns with security, but that can adapt to evolving definitions of sensitive data:
“A class of personal data that we consider to be of low-value today may have a whole new use in a couple of years,” says Naomi Lefkovitz, a senior privacy policy adviser at NIST. “Or you might have two classes of data that are not sensitive on their own, but if you put them together they suddenly may become sensitive as a unit. That’s why you need a framework for privacy risk management, not just a checklist of tasks: You need an approach that allows you to continually reevaluate and adjust to new risks.”
BigID is purpose-built for the privacy era: as a modern data intelligence platform with a foundation of discovery-in-depth, BigID aligns with privacy frameworks to deliver sustainable privacy compliance, actionable data protection, and next-generation data intelligence. See how BigID maps to the NIST Privacy Framework with a live demo – and learn how to take action for privacy, protection, and perspective.