What the New NIST Privacy Framework Means to You

Thanks to the General Data Privacy Regulation (GDPR) of the European Union, which took full effect in May 2018, privacy is at center stage worldwide. Penalties are being meted out for violations, and organizations of all kinds need to understand and comply with the law. In addition, the California Consumer Privacy Act (CCPA) was enacted in June 2018, with many other states working on similar bills.

The rash of laws is in response to the very real threats to privacy that are endemic to the digital age in which we live. But there is good news. The National Institute of Standards and Technology (NIST) is on the case, facilitating the creation of a Privacy Framework, along the lines of its highly acclaimed Cyber Security Framework. Work began in October 2018 and version 1.0 is due in October 2019 following a public comment period that is soon to begin.

As with the Cyber Security Framework, NIST is playing the role of facilitator for public and private companies and other organizations to meet, discuss, and decide what should be in, and not in, the framework. I am honored to be participating in the process as Symantec’s representative. When NIST asks for input, I work with the Symantec team to submit a response.

Progress update

At the heart of the privacy discussion is data. To safeguard privacy, you need to understand what data you have, where it’s located and how it’s classified. If it’s personally-identifiable information (PII), you need to know whether it’s relevant to GDPR or CCPA or another privacy regulation such as HIPAA in healthcare and FERPA in the academic world. Like the Cyber Security Framework, the Privacy Framework identifies four key activities regarding risks: identify, assess, manage, and communicate. 

A major point of debate is whether to integrate the Privacy Framework with the Cyber Security Framework, either completely, partially, or not at all. This discussion is proceeding along two proposed paths: Integrated Core vs. Separated Core. NIST is looking for feedback for which core participants prefer. My view is that it should be more integrated, rather than less.

Although security and privacy are not identical, they are closely related. The saying goes, “You can have security without privacy, but you can’t have privacy without security.” Security is fundamental to protecting an organization’s privacy or the privacy rights of the data subject.

Data protection, fundamental to security, is also fundamental to privacy. If you can see who is interacting with what data and what they are doing with it, you can assert control. For example, when a spreadsheet containing PII is sent as an email attachment, it can be automatically blocked.

Protection against ransomware, a key goal of a cyber security plan, is also highly relevant to privacy. For example, if a piece of ransomware should take data, rather than just encrypt it, a privacy compromise will have occurred.

A challenging topic on the agenda is the impact of AI and machine learning (ML) on privacy. For example, data analytic inputs can betray bias in such processes as facial recognition. Biased ML actions in turn could result in the incorrect classification of data or the release of PII about a data subject.

The Privacy Framework, like the Cyber Security Framework, will be written in language that is understandable by a wide range of readers, not just technology experts. And it will be flexible enough to be tailored to the different sizes and missions of a variety of organizations. Organizational leaders are responsible to determine how to implement the Privacy Framework based on risk tolerance and what makes sense for their organizations. And keep in mind when organizations implement the framework, they don’t automatically achieve compliance with GDPR, CCPR or other regulations. The Privacy Framework will be a key tool, but compliance itself remains the responsibility the organizations themselves.

There is no doubt NIST’s role of facilitator is no easy task. But NIST is doing a great job, demonstrating the skills they so ably developed in the creation of the Cyber Security Framework. The stakes are high. Privacy, we all agree, is essential. But I am confident the NIST Privacy Framework will get the job done, for businesses, governments, and most important, people.