Implementing the NIST Privacy Framework
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
August 2, 2022
Data breaches happen regularly and worldwide, compromising the financial position of companies and putting data subjects at risk. There are various ways to avoid these breaches or significantly reduce them. One proven way is to implement the National Institute of Standards and Technology (NIST) privacy framework. This is a tried-and-true process which can help any company, in any industry and of any size.
According to NIST, the privacy framework can help organisations in “building customers’ trust by supporting ethical decision making in product and service design or deployment that optimizes beneficial uses of data while minimising adverse consequences for individuals’ privacy and society as a whole.” Yet most organisations fail to find a framework that is fit for purpose and, more importantly, fail to follow proven steps that can prevent them from exposing their customers to harm.
In addition, the framework also fulfils current compliance obligations and provides what is described as “future proofing products and services to meet regulatory obligations in a changing technological and policy environment.” It is one thing to understand the theoretical part of the law and another thing to implement the regulatory requests. What smart companies do is follow globally known and reputable frameworks like NIST. But what exactly does this entail?
The NIST privacy framework is modelled after the cybersecurity framework, which has three parts: core, profiles, and implementation. The core provides a granular breakdown of activities and outcomes that enable organisational dialogue about managing privacy risk. This could establish the various functions within the business that would ensure that privacy drivers serve the regulatory requirements well.
The core includes three main areas: functions, categories, and subcategories. Function includes five main features: identify, govern, control, communicate and protect (these are areas I have extensively covered in various articles in this space), and this allows privacy to work at the highest level. Function enhances an operational culture that addresses the dynamic nature of privacy risks. Categories are the subdivisions of a function into groups of privacy outcomes closely tied to programme needs and activities. These are areas I will explain in further detail in another article. Subcategories divide categories further into specific outcomes or controls of technical and management activities. But let’s break down the features in the function.
Identify is the foundational piece of any data privacy strategy. It comes under various rubrics: data mapping, data assessment, data inventory, etc. However, here is where one writes a set of questions and works with various departmental heads to understand how data is managed in each process. The governance structure focuses on enabling an ongoing understanding of organisational risk priorities.
The control function considers data processing management from the standpoint of organisations, customers, and employees. Communication recognises the need for both employees and third-party stakeholders to understand how data is processed in order to manage privacy risk effectively. The protect function covers the privacy safeguards that are put in place to protect the company from, for example, network intrusion, and to detect strange behaviours in the network.
This is not an exhaustive account of the NIST framework; it only scratches the surface. Companies should seek expertise in the implementation of this framework, and it would help them meet various regulatory demands.
business a.m. commits to publishing a diversity of views, opinions and comments. It, therefore, welcomes your reaction to this and any of our articles via email: comment@businessamlive.com.