The National Institute of Standards and Technology (NIST) recently released a discussion draft of the NIST Privacy Framework in preparation for the 2nd Drafting Workshop hosted in Atlanta on May 13-14, 2019. The primary attributes of the framework are that it is voluntary, risk and outcome-based, non-prescriptive, written in accessible language, adaptable to diverse sectors, and compatible with all legal regimes, to ensure individuals can confidently utilize innovative technologies. Our team was able to attend this two-day workshop, where all stakeholders came together to engage in a facilitated discussion on the advancement of the privacy framework.
Day one of the workshop consisted of a plenary session, starting with a presentation by Peter Swire – Professor of Law and Ethics at the Georgia Tech Scheller College of Business, and Associate Director for Policy of the Georgia Tech Institute for Information Security and Privacy – who discussed the possible expansion of the OSI Stack to describe privacy tasks, followed by three panel discussions.
During the panel discussion, NIST personnel and numerous stakeholders from the private and government sector discussed the drafting process and the primary objectives while creating the NIST Privacy Framework. Experts from diverse sectors also provided opinions regarding the discussion draft and how the framework could integrate into the global privacy landscape. Additionally, the panel stressed that the privacy framework should ensure all stakeholders involved in enterprise risk management consider the privacy impacts on individuals as the organization develops systems, products, and services.
The discussion draft defines five core functions that organizations use to operationalize a culture that addresses privacy risk. The five core functions are:
- Identify – Develop the organizational understanding to manage privacy risk for individuals arising from data processing or their interactions with systems, products, or services.
- Protect – Develop and implement appropriate data processing safeguards.
- Control – Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
- Inform – Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding of how data are processed.
- Respond – Develop and implement appropriate activities to take action regarding a privacy breach or event. 2
The five core functions are intended to align with the NIST Cybersecurity Framework where appropriate.
On day 2, there were five working sessions where small groups provided feedback on all aspects of the NIST Privacy Framework. During these sessions, workshop participants engaged in discussions of each category and subcategory of the core functions. 3 The workshop has provided a great opportunity to learn about the development of the framework and enhance the understanding of the challenges faced by privacy professionals as legal requirements and technology evolve. The NIST anticipates that a final draft of the Privacy Framework will be released by August 2019 with Version 1.0 to follow in October 2019.
1NIST, NIST Privacy Framework: An Enterprise Risk Management Tool (Apr. 30, 2019), https://www.nist.gov/sites/default/files/documents/2019/04/30/nist-privacy-framework-discussion-draft.pdf
2Id. at 9.
3Id. at 19-26.