NIST’s new privacy rules – what you need to know
You’ve waded through the relevant privacy regulations until your brain hurts, and you understand the basic requirements under GDPR, CCPA, or whatever industry rules you must abide by. But how do you ensure that you’re compliant? Worry no more. NIST has released a Privacy Framework to help you get your house in order.
The federal US government’s National Institute of Standards and Technology (NIST) has a good track advising organisations on cybersecurity. It published a set of password rules in 2016. It also publishes a Cybersecurity Framework that has become a litmus test for those trying to secure their data.
The brand new Privacy Framework 1.0 is the equivalent document for protecting peoples’ personal privacy. As NIST points out, cybersecurity and privacy are connected, but different. Some privacy events aren’t related to cybersecurity incidents, but stem from other issues like over-aggressive data collection, poorly thought-out marketing practices, or manual mishandling of data.
You can use the Privacy Framework when developing new products and services to ensure that they tick all your privacy boxes. It’s a good tool when conducting the privacy impact assessments that regulations like GDPR demand. It isn’t a compliance toolkit for meeting the requirements of specific regulations. Instead, it’s a voluntary toolkit that you can use to think about your approach to privacy. You can use bits of or all of it – NIST isn’t prescriptive.
The Framework breaks down into three broad areas: the core, the profiles, and the implementation tiers. The core contains a set of five functions that you work through as part of your privacy assessment process.
The first, Identify-P, involves spotting and understanding privacy risks.
The second, Govern-P, is where you define the rules to deal with them, thinking up your privacy policies to help meet risk and regulatory requirements.
The Control-P function is the sharp end, where you manage data in line with your governance structure. You then establish lines of communication to tell people about those risks and controls as part of the Communicate-P function.
The final function, Protect-P, is the part of the core framework that governs cybersecurity risk. It’s where you take the appropriate cybersecurity measures, and it’s the part where you can follow the guidelines outlined in NIST’s Cybersecurity Framework. They’re designed to dovetail together.
Each of these functions has a set of categories and subcategories that get into detail, with tasks like a risk assessment, and mapping out the data processing activities that your systems perform, who owns them, who’s data they’re handling, and what they’re doing with it.
The outputs from these exercises give you the data you need to tackle the second part of the framework, where you profile your privacy stance. You create a set of outcomes that you are currently achieving in your core categories, which forms your current profile. You also create a target profile which shows you which outcomes you want to achieve. It’s effectively a gap analysis that you can use to work out what your privacy goals are, and what you need to achieve them.
Your target profile forms the basis for the final element of the framework: the implementation tiers. These tiers, called partial, risk informed, repeatable, and adaptive, help you gauge how far along you are in your privacy journey.
If you’re only at partial, NIST says, then moving to the second tier would be a good idea. Not all companies would need to achieve the third or fourth tiers, though. You assess whether it’s worthwhile by looking at your target profile and privacy risks.
After you’ve done all this work, what’s to stop your privacy profile from becoming just another piece of shelfware that no one ever looks at?
There’s another interesting use for profiles, and that’s in dealing with other entities. NIST acknowledges that the role of an organisation is important. Your legal obligations and privacy risks might change depending on whether you are an individual, a government entity, an educational institution or a cloud service provider, for example. You will also likely have complex relationships with one or more of those entities. How can you ensure that their privacy practices meet your own targets?
You can develop profiles representing your privacy requirements for service providers or product vendors, the Framework says, presenting these profiles to them as a set of requirements. Their ability to meet those requirements can help shape your buying decisions.
The NIST Privacy Framework isn’t a checkbox for your GDPR or CCPA compliance, but it is a useful tool to help you when meeting those requirements, or those of your own customers or business partners.
In the unlikely event that you aren’t subject to any official privacy regulations in 2020, you can still use it to meet your own ethical guidelines, NIST points out. And if you want a concrete structure around which to drape a privacy initiative, there are worse places to start.
Latest Naked Security podcast
Click-and-drag on the soundwaves below to skip to any point in the podcast.