On January 16, 2020 the National Institute of Standards and Technology (NIST) released its Privacy Framework. This is not a law or regulation, but a voluntary tool to help organizations manage their privacy risk and comply with government regulations.
Summarizing a Locke Lord "Quick Study", the aim of the Framework is to foster customer trust by promoting ethical, privacy-focused decision making, fulfilling compliance obligations, and facilitating communications. It is flexible enough to be used by any size business.
Like its previously released Cybersecurity Framework, the Privacy Framework is composed of three components:
- Core - a set of privacy activities and outcomes organized into five functions: Identify-P, Govern-P, Control-P, Communicate-P and Protect-P (the "-P" suffix distinguishes them from the Cybersecurity Framework's functions). Each function is broken down into categories and subcategories of outcomes.
- Profiles - a selection of specific functions, categories and sub-categories from the core. Profiles should be specific to an organization's activities and desired outcomes.
- Implementation Tiers - a reference point for organizations to gauge how mature their privacy risk management is and to support decisions on how to handle privacy risk. The four tiers are 1) Partial, 2) Risk Informed, 3) Repeatable and 4) Adaptive. An organization does not need to reach Tier 4 in every area; it should select a target tier that fits its privacy risks and resources and then work toward it using recognized practices.