Seeking to help delineate a middle ground between privacy protections and data collection, the National Institute of Standards and Technology (NIST) has published a preliminary draft of its major new set of guidelines. Called the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, the publication has been posted in the Federal Register, and NIST is seeking comment from any and all concerned parties.
In announcing the publication, NIST noted that it’s based on almost a year of “extensive public conversations,” and explained that many industry stakeholders had asked the standards body to align the Privacy Framework with its already issued Cybersecurity Framework. NIST has taken these suggestions to heart, and says that the two Frameworks are aligned “both structurally and conceptually, and they are designed to be used together.”
Like the Cybersecurity Framework, the new Privacy Framework is built around three key parts. The “Core” lays out a set of potential privacy protection activities an organization can undertake and prompts its management to establish their goals. The “Profiles” section is designed to help organizations determine which of those activities they should pursue to meet their goals. Finally, the “Implementation Tiers” section is aimed at helping organizations figure out what kinds of resources they really need to invest in managing privacy risks, bearing in mind that a small company won’t necessarily need to spend the kind of money that, say, Facebook ought to put into privacy protections.
NIST is currently inviting public comments on its draft Privacy Framework, with the window to remain open until 5:00pm EDT on October 24th. From there, the organization is hoping to have version 1.0 of the Framework published by the end of this year.