The National Institute of Standards and Technology (NIST) has published the definitive version of its privacy risk management framework, after seeking comment on a draft version of the framework last year.
Version 1.0 of the “NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management” provides a “useful set of privacy protection strategies for organizations that wish to improve their approach to using and protecting personal data,” NIST said.
“The publication also provides clarification about privacy risk management concepts and the relationship between the Privacy Framework and NIST’s Cybersecurity Framework,” the agency explained. The two frameworks are designed to be complementary, and also updated over time, NIST said.
NIST emphasized that the privacy framework is not a law or a regulation, but a “voluntary tool that can help organizations manage privacy risk arising from their products and services, as well as demonstrate compliance with laws that may affect them,” including the California Consumer Privacy Act and the European Union’s General Data Protection Regulation.
“It helps organizations identify the privacy outcomes they want to achieve and then prioritize the actions needed to do so,” NIST said.
“What you’ll find in the framework are building blocks that can help you achieve your privacy goals, which may include laws your organization needs to follow,” said Naomi Lefkovitz, a senior privacy policy adviser at NIST and leader of the agency’s framework effort. “If you want to consider how to increase customer trust through more privacy-protective products or services, the framework can help you do that. But we designed it to be agnostic to any law, so it can assist you no matter what your goals are.”