Standards and frameworks provide real benefits for privacy management. Standards are established norms to be applied consistently across organizations, while frameworks are a set of basic guidelines to be adapted to an organization's needs. Both can help to fulfill compliance obligations, build trust, benchmark against industry best practices, support strategic planning and evaluation, enable global interoperability, and strengthen an organization's market position.

Just as in information security, the International Organization for Standardization (ISO), in cooperation with the International Electrotechnical Commission (IEC), and the U.S. National Institute of Standards and Technology (NIST) are the main bodies offering general guidance for privacy risk management. ISO and IEC are non-governmental international organizations with all member states of the United Nations having a vote in their standardization processes. NIST is a non-regulatory government agency within the U.S. Department of Commerce. In furtherance of its mission to promote American innovation and industrial competitiveness, NIST provides a wide variety of standards and technology resources, tools, and guidelines for use by U.S. federal agencies as well as by private industry, both domestically and abroad.

On a European level, three distinct private international nonprofit organizations are officially recognized by the EU as being responsible for developing and defining voluntary standards. They also collaborate with ENISA, the EU Agency for Cybersecurity. The European Telecommunications Standards Institute covers a variety of privacy-related sector specific standards. The European Committee for Standardization and the European Committee for Electrotechnical Standardization are currently working on privacy information management systems for a European context.

In Asia, the APEC Privacy Framework provides privacy principles and implementation guidelines, forming the basis for a regional system called the APEC Cross-Border Privacy Rules. A more recent development was the approval of the ASEAN Data Management Framework in January 2021, based on the 2016 ASEAN Framework on Personal Data Protection. Those frameworks used the OECD Privacy Framework – the first international consensus on privacy protection in the context of free flow of personal data – as their key reference.

Another prominent global organization in the field is the Standards Association of the Institute of Electrical and Electronics Engineers which has developed a large number of industry standards for privacy and security architectures. Additionally, the Privacy Community Group of the World Wide Web Consortium is chartered to incubate privacy-focused web features and APIs to improve user privacy on the web. Other groups involved in the developments in standards and frameworks include the Internet Engineering Task Force and OASIS Open.

Apart from that, there are national privacy standards, among them the newly developed standards for data privacy assurance by the Bureau of Indian Standards or the German standard data protection model. Also, national standards organizations like the UK's national standards body BSI or Standards Australia partner closely with ISO or CEN in the field of privacy standards.

Despite the abundance of external standards and frameworks, many companies choose to develop their own. Even in those cases, an organization can benefit greatly from becoming familiar with the concepts and thought processes offered by the bodies and initiatives mentioned above. Those insights can be used to assess and improve an organization's own privacy program. Improvements could include incorporating additional privacy management principles or closing gaps in internal objectives and controls.

Beginning with this article, we provide a general overview of the existing standards and frameworks in the realm of privacy. This article is the first one in a series of three and will focus on NIST's ground-breaking Privacy Framework, released in January 2020.

A first overview of the NIST Privacy Framework

"The NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management" is a voluntary framework that helps organizations answer fundamental questions: How are we considering the privacy impacts to individuals as we develop our systems, products, and services? How can we manage privacy risks in a consistent way across business units and markets? How do we ensure a quality privacy program that adapts to business needs and new regulatory requirements?

The intention of the NIST Privacy Framework is to support better privacy practices in enterprises of all sizes, all sectors and all jurisdictions. Organizations can rely on the Framework to create a new privacy program from scratch or to improve an existing privacy program.

The Framework approach to privacy risk is to consider privacy events as potential problems individuals could experience arising from data processing throughout the complete data lifecycle, from collection through disposal. Potential problems range from violating a person's dignity to discrimination, economic loss or physical harm. Privacy risks can arise by means unrelated to cybersecurity risks, which are characterized by a loss of confidentiality, integrity or availability of personal information.

The Framework defines privacy risk as the likelihood that individuals (singly or in groups) will experience privacy problems resulting from data processing and the impact should those problems occur. While individuals experience the direct impact of privacy events, organizations can experience impacts in a big way as well, such as noncompliance costs, loss of clients and customers, a decline in sales, and negative brand image.

Against this backdrop, the NIST Privacy Framework supports ethical decision-making around privacy risk management in the context of enterprise risk management. It enables finding the right balance between building innovative systems, products, and services while protecting individuals' privacy.

NIST acknowledges that privacy risk management is a cross-disciplinary function that requires support and engagement from stakeholders across an organization. Therefore, one of the main purposes of the Framework is to provide a common language for legal, technical, design and product teams to drive internal collaboration. This goal can be achieved whether the Framework is used in a lightweight manner or as part of a more advanced privacy risk management program. In any case, using the NIST Privacy Framework as a reference and guideline for cross-organizational dialogue can strengthen accountability for privacy risk management throughout an organization.

The NIST Privacy Framework was modeled after the widely adopted NIST Cybersecurity Framework. However, the adoption of the Privacy Framework is independent from the implementation of the Cybersecurity Framework. Both Frameworks are designed for guidance only and are not auditable.

The three components of the NIST Privacy Framework 

The NIST Privacy Framework consists of three parts, following the structure of the NIST Cybersecurity Framework.

The Core

The first component of the Privacy Framework is called the "Core." The Core consists of a table of Functions, Categories and Subcategories that describe specific privacy activities and outcomes to better manage privacy risks across the whole organization.

The Core first raises a high-level awareness for the different areas of privacy risk management that can be addressed. Those are referred to as "Functions."

Two of the Functions in the Privacy Framework, Identify-P and Protect-P, have the same names as their counterparts in the Cybersecurity Framework. To distinguish them, the Privacy Framework's Functions carry a "-P" suffix.

Assigned to each of the Functions are several key categories. They define general privacy outcomes. In total, the Framework lists 18 categories or privacy outcomes across all five Functions.

The Functions and related categories or privacy outcomes are the following:

  1. Identify-P provides the basis for privacy risk management in an organization. Its categories are Inventory and Mapping; Business Environment; Risk Assessment; and Data Processing Ecosystem Risk Management.
  2. Govern-P includes the following outcomes: Governance Policies, Processes, and Procedures; Risk Management Strategy; Awareness and Training; and Monitoring and Reviewing.
  3. Control-P covers Data Processing Policies, Processes, and Procedures; Data Processing Management; and Disassociated Processing.
  4. Communicate-P covers Communication Policies, Processes, and Procedures, as well as Data Processing Awareness.
  5. Protect-P concerns data processing safeguards and is where privacy and cybersecurity risk management overlap. It includes Data Protection Policies, Processes, and Procedures; Identity Management, Authentication, and Access Control; Data Security; Maintenance; and Protective Technology.

The Categories are then further broken down into 100 Subcategories. The Subcategories are the building blocks between policies and capabilities so that legal, compliance and engineering domains can collaborate on implementation with more specificity to achieve the organization's desired privacy outcomes.

For example, the Function "Identify-P" refers to developing the organizational understanding to manage privacy risk for individuals arising from data processing.

One of the categories of this Function is "Inventory and Mapping," described as: "Data processing by systems, products, or services is understood and informs the management of privacy risk."

To achieve this outcome of "Inventory and Mapping," the following subcategories could be prioritized: "Systems/products/services that process data are inventoried" or "The purposes for the data actions are inventoried."

While its elements represent best practices for privacy risk management, the Core is not meant to be a checklist. Rather, individual elements of the Core can be selected as priority outcomes and activities according to an organization's needs. Ideally, the selection is made through a constructive dialogue from the executive level to the implementation/operations level.

Finally, note that the Subcategories are not controls. According to the NIST Privacy Framework, controls are selected in the context of privacy capabilities and requirements that describe the "what" and "how" of systems, products, or services that help achieve the desired privacy outcomes in the Framework Core.

To support determining privacy capabilities, NIST created the privacy engineering objectives of predictability, manageability, and disassociability, introduced in NISTIR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems, from January 2017. The selection of appropriate controls is addressed in the Crosswalk of NIST Privacy Framework and Cybersecurity Framework to NIST Special Publication 800-53, Revision 5.

Profiles

The second component of the NIST Privacy Framework is called "Profiles." Profiles are the next step in helping organizations have a privacy risk management conversation. An organization can use the Core like a menu and select which Functions, Categories, and Subcategories to prioritize to help it manage privacy risk.

An organization can build a Current Profile to reflect where its privacy program is and a Target Profile to reflect where it needs to be. When building its Profiles, the organization takes into account its business objectives, privacy values, risk tolerance, legal and regulatory requirements, industry best practices, priorities and resources, types of data processing, and individuals' privacy needs.

In this step, an organization might want to add its own Functions, Categories and Subcategories to account for unique organizational risks.

An organization's definition of the privacy goals it wants to achieve forms the basis for appropriate strategic planning and implementation processes, supported by the third and final part of the Privacy Framework.

Implementation Tiers

The third and final component of the Privacy Framework is called "Implementation Tiers." They serve as a benchmark of current privacy risk management practices. Tiers classify an organization's overall privacy risk management practices and help to determine if an organization has sufficient processes and resources to achieve its Target Profile.

Internal roadblocks like the lack of integration of privacy risk into an organization's enterprise risk management portfolio, insufficient staffing or lack of training could prevent an organization from reaching its Target Profile. The Implementation Tiers can help start an internal communication process about those or other reasons that challenge an organization's capability to manage privacy.

The Privacy Framework describes four progressing Tiers, from informal, reactive responses to more agile and risk-informed approaches. In Tier 1 ("Partial"), organizations have adopted risk management methods only to some extent. Tier 2 ("Risk Informed") indicates informal risk management methods that do not entail an organization-wide approach. Risk management methods within Tier 3 ("Repeatable") are well-defined and structured, and in Tier 4 ("Adaptive"), organizations actively adapt to evolving privacy risks.

Each of the Implementation Tiers looks at four main components of an organization's privacy program: Privacy Risk Management Process (the degree of development of the privacy risk management in particular), Integrated Privacy Risk Management Program (the extent to which the privacy risk management is integrated in an organization-wide approach), Data Processing Ecosystem Relationships (understanding of the role of the organization in relation to buyers, suppliers, service providers, etc.), and Workforce (roles dedicated to privacy and training of employees).

Tiers help determine whether risk management practices in those different areas are sufficient given the organization's mission, regulatory requirements, and risk appetite, or whether additional processes or resources are needed. This can support investigating specific aspects of the overall privacy program management or help with budget planning, hiring plans or setting up training curricula.

At the same time, the Implementation Tiers are not meant to be a comprehensive privacy maturity model. An organization may be at Tier 2, which could be sufficient to manage the types of privacy risks it has. On the other hand, another organization may be at Tier 2 but really need to get to Tier 3 to manage its privacy risks.
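To make the Core-to-Profile-to-Tier procedure described above concrete, here is an added Python example (not NIST's tooling and not code from the article) that encodes the five Functions and 18 Categories listed in the Core section, computes the gap between a Current and a Target Profile, and compares Implementation Tier ratings per component; the sample Profiles and Tier ratings are constructed assumptions for an imaginary organization.

```python
# The five Functions and their 18 Categories, as listed in the article.
CORE = {
    "Identify-P": ["Inventory and Mapping", "Business Environment", "Risk Assessment",
                   "Data Processing Ecosystem Risk Management"],
    "Govern-P": ["Governance Policies, Processes, and Procedures", "Risk Management Strategy",
                 "Awareness and Training", "Monitoring and Reviewing"],
    "Control-P": ["Data Processing Policies, Processes, and Procedures",
                  "Data Processing Management", "Disassociated Processing"],
    "Communicate-P": ["Communication Policies, Processes, and Procedures",
                      "Data Processing Awareness"],
    "Protect-P": ["Data Protection Policies, Processes, and Procedures",
                  "Identity Management, Authentication, and Access Control",
                  "Data Security", "Maintenance", "Protective Technology"],
}
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
TIER_COMPONENTS = ("Privacy Risk Management Process", "Integrated Privacy Risk Management Program",
                   "Data Processing Ecosystem Relationships", "Workforce")

def validate_profile(profile):
    """A Profile is a selection of Core Categories; reject names the Core does not define."""
    unknown = set(profile) - {c for cats in CORE.values() for c in cats}
    if unknown:
        raise ValueError(f"not in the Core: {sorted(unknown)}")

def profile_gap(current, target):
    """Categories prioritized in the Target Profile but not met in the Current Profile, by Function."""
    validate_profile(current)
    validate_profile(target)
    missing = set(target) - set(current)
    return {fn: [c for c in cats if c in missing]
            for fn, cats in CORE.items() if any(c in missing for c in cats)}

def coverage(current, target):
    """Share of Target Profile outcomes already met: overall, and per Function the target touches."""
    by_fn = {}
    for fn, cats in CORE.items():
        wanted = [c for c in cats if c in target]
        if wanted:
            by_fn[fn] = sum(c in current for c in wanted) / len(wanted)
    overall = len(set(current) & set(target)) / len(target) if target else 1.0
    return overall, by_fn

def tier_gap(current_tiers, target_tiers):
    """Components whose current Tier is below the Tier judged necessary to reach the Target Profile."""
    for ratings in (current_tiers, target_tiers):
        if set(ratings) != set(TIER_COMPONENTS) or not set(ratings.values()) <= set(TIERS):
            raise ValueError("each of the four components needs a Tier rating between 1 and 4")
    return [(comp, TIERS[current_tiers[comp]], TIERS[target_tiers[comp]])
            for comp in TIER_COMPONENTS if current_tiers[comp] < target_tiers[comp]]

# Constructed sample Profiles and Tier ratings for an assumed organization (not from the article).
CURRENT_PROFILE = {"Inventory and Mapping", "Risk Assessment", "Data Security",
                   "Governance Policies, Processes, and Procedures",
                   "Identity Management, Authentication, and Access Control"}
TARGET_PROFILE = CURRENT_PROFILE | {"Data Processing Ecosystem Risk Management", "Awareness and Training",
                                    "Monitoring and Reviewing", "Disassociated Processing",
                                    "Data Processing Awareness"}
CURRENT_TIERS = {"Privacy Risk Management Process": 2, "Integrated Privacy Risk Management Program": 1,
                 "Data Processing Ecosystem Relationships": 2, "Workforce": 2}
TARGET_TIERS = {"Privacy Risk Management Process": 3, "Integrated Privacy Risk Management Program": 3,
                "Data Processing Ecosystem Relationships": 2, "Workforce": 3}
```

Calling `profile_gap(CURRENT_PROFILE, TARGET_PROFILE)` lists the outcomes still to be reached under each Function, and `tier_gap(CURRENT_TIERS, TARGET_TIERS)` names the components whose practices must mature first.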

Integration of compliance and risk management 

While the NIST Privacy Framework is agnostic to any particular law, it can help organizations fulfill compliance obligations. The Framework enables the creation of a foundational privacy program that can be tailored to different jurisdictions.

To help with this task, NIST provides a variety of so-called "regulatory crosswalks." These crosswalks map the risk management outcomes and activities in the Privacy Framework Core to the requirements of a specific law or regulation. In the Privacy Framework's online Resource Repository, one can already find references regarding the CCPA, CPRA, GDPR, LGPD and the VCDPA.

With the help of the crosswalks, the Framework's privacy risk management building blocks can be mapped back to the organization's compliance obligations to demonstrate the activities and concrete steps taken to meet those obligations. This is meant to bridge the gap between compliance requirements and system, product, and service design or deployment with a forward-looking risk management approach to privacy.

The crosswalks also facilitate the integration of the Privacy Framework and other standards and frameworks. Available mappings can be found for ISO/IEC 27701, NIST Cybersecurity Framework, FIPPs, the IAPP-CIPM, and NIST 800-53, Rev 5, Security and Privacy Controls for Information Systems and Organizations.

The Privacy Framework in action

NIST emphasizes that its Privacy Framework is a flexible and practical tool that is adaptable to any organization's role in the data processing ecosystem.

One example of this is the well-thought-out adoption achieved by Booking Holdings, a Fortune 500 global travel retail company. "The NIST Privacy Framework provided a scope to standardize our privacy obligations throughout our six international brands," explained Global Privacy Senior Manager Michelle Gall.

For this purpose, the categories and subcategories were re-grouped and reformulated into internalized objective statements and risk statements, still grouped under the NIST Privacy Framework's Function structure. To further aid the organization in standardizing the expectations for operationalizing mitigation of the risk statements, the company adopted and customized two additional collaborating tools: 1) a people, process, technology framework for measuring maturity and capability across the risks, and 2) an attribute library, which provides descriptive, actionable and operationalizable expectations that give an even clearer picture of the business units' responsibilities for risk mitigation and for operationalizing the objectives in each risk area. "These tools allow us to facilitate standardizing risk mitigation objectives without defining the processes or controls for the brands."

The people, process, technology framework was designed by combining the Capability Maturity Model Integration with the NIST Privacy Framework's Implementation Tiers as a crosswalk. In this way, the granularity of the self-assessment was increased to a quantitative approach allowing for monitoring and measuring success of the global program throughout all affected business units and brands.

"By adapting the NIST Privacy Framework to our company's needs," Michelle summarized, "we could provide our organizational business capabilities with a holistic and clear guidance where they are and where they need to go in terms of their privacy risk management."

Further steps ahead

The NIST Privacy Framework is still relatively new. Over the next few years, we will very likely witness its increased use and adoption. With a growing number of freely available Crosswalks mapping the Privacy Framework to international regulations and standards, NIST provides a sophisticated, flexible, and far-reaching approach to managing privacy risk. Everyone can contribute to the guidance and tools that support the Framework's usability.

Another part of the broad Roadmap for Advancing the NIST Privacy Framework is the NIST Privacy Workforce Public Working Group. It supports the development of a workforce that has the knowledge and skills to manage privacy risk. In all its efforts, NIST is pursuing an open and accessible approach, seeking dialogue with the private and public sector, academia, and civil society, to collaboratively improve the implementation of the Privacy Framework. The NIST Privacy Workforce Public Working Group, too, welcomes stakeholder inputs from a wide range of roles.
