Data Insider: Digital Guardian's Blog

NIST Issues Version 1.0 of Privacy Framework

by Chris Brook on Wednesday January 22, 2020


NIST released its inaugural Privacy Framework last week. Organizations can use the document as a risk management tool, to answer questions about their privacy posture, or to establish a privacy program of their own.

NIST's popular Cybersecurity Framework has a new companion.

The National Institute of Standards and Technology (NIST) - an arm of the U.S. Department of Commerce - last week issued Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (.PDF), new guidance designed to help organizations better manage privacy risk.

The document is designed to complement NIST's Cybersecurity Framework by offering tips for using and protecting personal data.

The 43-page document grew out of a draft privacy framework NIST circulated last September. NIST sought public comments on the draft until October 24; Version 1.0 was originally expected before the end of 2019 but apparently needed a few extra weeks to finalize.

The Framework takes into account the relationship between privacy risk and organizational risk and outlines five functions for managing privacy risks around data processing: Identify, Govern, Control, Communicate, and Protect.

  • Identify-P - Develop the organizational understanding to manage privacy risk for individuals.
  • Govern-P - Develop and implement the organizational governance structure to enable an ongoing understanding of the organization's risk management priorities that are informed by privacy risk.
  • Control-P - Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
  • Communicate-P - Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and the associated privacy risks.
  • Protect-P - Develop and implement appropriate data processing safeguards.

In 2014, NIST released its landmark Cybersecurity Framework, a set of best practices, standards, and recommendations to help organizations across all critical infrastructure sectors, such as government, healthcare, and financial services, improve their cybersecurity measures. The Framework, which is periodically updated, is a collaborative effort that draws on input from government, industry, and academic experts.

With the recent passage of domestic legislation like the California Consumer Privacy Act and the New York SHIELD Act, which amended the state's data breach notification law and data protection requirements last summer, and with the General Data Protection Regulation (GDPR) still in force in the EU, the guidance should be welcomed by privacy stakeholders looking to achieve compliance.

It will be interesting to see if the Privacy Framework becomes as widely embraced as the Cybersecurity Framework over time. While the latter was developed for voluntary use in the private sector, it eventually became mandatory for U.S. federal agencies after a 2017 Presidential Executive Order directed agency heads to immediately follow NIST’s guidance.

Tags: Compliance


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.