On Feb. 27, the National Institute of Standards and Technology released an outline of its forthcoming Privacy Framework, providing the first real glimpse of what the framework might include and calling attention to the need for privacy workforce development. NIST Senior Privacy Policy Advisor Naomi Lefkovitz and NIST Senior IT Policy Advisor Adam Sedgewick presented that outline during a public webinar March 14. Nearly 400 stakeholders participated.
In the webinar, Lefkovitz and Sedgewick focused on NIST’s interest in an open, transparent and collaborative framework development process. They emphasized the importance of privacy professionals’ engagement in NIST’s process, helping to answer the questions: “Is this going to be a good communication tool? Is it going to be accessible to non-privacy professionals, as well as to privacy professionals? Will [this] help privacy professionals talk with business lines or senior executives?”
One opportunity for such engagement will be during NIST’s session at the IAPP Summit May 3 and another during NIST’s next Privacy Framework workshop May 14–15 at Georgia Tech.
NIST’s planned Privacy Framework similar to Cybersecurity Framework
The Privacy Framework outline NIST presented is structurally similar to its 2014 Cybersecurity Framework. It is organized around the functions an organization must undertake to manage privacy risk, the profile of the organization using it, and a tiered implementation structure. The outline suggests that the framework will be designed to meet an organization where it is and help it improve its privacy protections, based on its business requirements, risk tolerance, privacy objectives and resources.
The five functions or activities identified in this initial outline are: identify, protect, control, inform and respond. In the forthcoming discussion draft, which NIST plans to release prior to the May workshop, each function will be divided into categories linked to programmatic needs and specific privacy outcomes.
Lefkovitz offered an example to illustrate the framework’s outcomes-based approach. She said that one outcome tied to control might be the ability to delete data. That will not be prescribed but is a capability that an organization may want, particularly if it is subject to certain laws or regulations. She cited the EU General Data Protection Regulation’s right to be forgotten as one such reason organizations might want such a capability. In using this example, Lefkovitz made clear that the framework will not be designed around any specific law, standard or regulation. “Compatibility doesn’t necessarily mean mirroring any one law,” Lefkovitz said. Rather, the framework will serve as a tool to help organizations achieve outcomes that could be necessary to comply with laws, address risks or fill business needs.
Risk-based approach with new emphasis on workforce
The framework’s tiered structure will guide organizations through framework implementation. Organizations will be able to assess themselves against and progress through tiers in four areas of focus, depending on the nature of the risk they face and their desired privacy outcomes.
The first two areas will be familiar to those who have implemented the Cybersecurity Framework. They are Risk Management Process and Risk Management Program, each with a privacy slant.
The third area, titled Ecosystem Relationships, has some similarity to the Cybersecurity Framework’s External Participation component. Rather than focusing on sharing information on risks with external partners, it refers to the organization’s understanding of its role and contribution to privacy risk management in the broader ecosystem. This difference recognizes the increasingly complex and interconnected environment organizations face today and the exponential growth of third parties engaging with data.
The fourth area is more novel, having received only minimal attention in the Cybersecurity Framework: Workforce. NIST added Workforce as a fourth area of focus due to “RFI responses recognizing that privacy workforce development is a critical need.” NIST highlighted the importance of coordination between training certification organizations, academic institutions and organizations implementing the framework. NIST also called on organizations to communicate their privacy risk management needs and desired skill sets.
Opportunity for input
In presenting their outline, Lefkovitz and Sedgewick emphasized that this is only a proposal, which will continue to evolve as the Cybersecurity Framework itself did. Sedgewick indicated that they are looking for consensus. While that is an elusive concept in the field of privacy, so far commenters have largely agreed that this framework must be compatible with state, national and international laws, regulations and standards, as well as NIST’s Cybersecurity Framework. NIST aims to achieve that level of compatibility but stressed that to do so, they need stakeholder input, including on the range of international standards to which they should look.
Lefkovitz and Sedgewick solicited input via email at privacyframework@nist.gov, during the IAPP Summit and NIST’s May workshop. Sedgewick emphasized the “work” in workshop, noting that they hope people will come ready “to roll up their sleeves.” NIST aims to complete the framework by October.
Top image taken by Jedidiah Bracy at NIST's initial 2018 hearing on the planned Privacy Framework in Austin, Texas.