On January 16, 2020, the National Institute of Standards and Technology published the Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. The purpose of the Privacy Framework is to guide organizations in managing privacy risks, by taking privacy into account in the design and deployment of products and services, communicating about their privacy practices, and encouraging cross-organizational collaboration.
The Privacy Framework is structured along the lines of the Framework for Improving Critical Infrastructure Cybersecurity, which was most recently updated by NIST in April 2018. The Privacy Framework is divided into three parts: the Core, which identifies the activities and outcomes; the Implementation Tiers, which provide a reference point for measuring an organization’s privacy risk management processes and resources; and the Profiles, which are designed to help organizations prioritize the outcomes and activities best suited to their needs, risks and values.
Alignment with the Privacy Framework is intended to be voluntary, but NIST encourages organizations to use the Privacy Framework to strengthen their accountability, to establish or enhance existing privacy programs, to inform purchasing decisions, and to take privacy into account when developing new products and services, and to develop profiles relevant to the organization’s role in the broader data processing ecosystem.
NIST news release | Privacy Framework | Cybersecurity Framework