NIST requests comments on draft privacy framework
On September 6, the National Institute of Standards and Technology (NIST) released a preliminary draft of the “NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management” to help organizations assess and reduce risks. The draft framework is designed to align with NIST’s Cybersecurity Framework (previously covered by InfoBytes here), which provides guidance that critical infrastructures, including the financial services industry, should voluntarily follow to mitigate cybersecurity risk. The draft framework establishes three components to reinforce privacy risk management: (i) the “Core” describes a set of privacy activities and outcomes used to manage risks that arise from data processing or are associated with privacy breaches; (ii) “Profiles” cover an organization’s current privacy activities or desired outcomes that have been prioritized to manage privacy risk; and (iii) “Implementation Tiers” address how organizations see privacy risk, and whether they have sufficient processes and resources in place to manage that risk. According to NIST, “Finding ways to continue to derive benefits from data while simultaneously protecting individuals’ privacy is challenging, and not well-suited to one-size-fits-all solutions.” Public comments will be accepted through October 24.