The internet, and the new technologies powered by the data collected from individuals, have created many advantages for society. From Internet of Things (IoT) devices like Alexa or Google Home to connecting with friends and family on social media platforms like Facebook or Instagram, we have arrived at a new frontier. But the rush headfirst into the digital revolution has come at the expense of our data being shared, often without our knowledge.
Because of the technical nature of these products, people may not take the time, or may not be able, to understand the privacy consequences of interacting with the programs, products, and services they use.
Organizations may not realize the full extent of these consequences for individuals or their businesses, which may influence their products, their bottom line, and their potential for future growth.
In the past few years, millions of people have been affected by privacy data breaches from tech giants like Google and Facebook.
Privacy concerns will only continue to grow as technology becomes more integrated into our everyday lives, and companies will need to shift their focus toward protecting user privacy.
In that vein, the National Institute of Standards and Technology (NIST) has published the Privacy Framework version 1.0 with the intent of encouraging better privacy engineering practices. The guidelines support privacy-by-design concepts and help organizations protect individuals' privacy.
The Framework is a voluntary tool that organizations can use to manage privacy risk and to support compliance with privacy legislation; it is not itself a compliance checklist.
NIST explains that the Privacy Framework can support organizations in:
Like the NIST Cybersecurity Framework on which it is modeled, the Privacy Framework is composed of three parts: the Core, Profiles, and Implementation Tiers.
NIST describes privacy risk management as a cross-organizational set of processes that helps organizations to understand how their systems, products, and services may create problems for individuals. The Privacy Framework explains how to develop effective solutions to manage such risks.
In general, privacy risk assessments produce the information an organization needs to weigh the risks of data processing against its benefits and to determine the appropriate response.
Organizations can choose how to prioritize and respond to privacy risk in various ways, based on the potential impact on individuals and the resulting impact on the organization itself.
Response approaches include:
While there is still no comprehensive federal privacy law in the United States, interest in privacy as part of the application development process is on the rise following legislation such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), passed in 2018.
The Privacy Framework is designed to be complementary to the NIST Cybersecurity Framework. Using both gives an organization a clearer understanding of the different origins of cybersecurity risk and privacy risk, which in turn lets it choose the most effective solutions for addressing each.
Over time, the NIST approach to privacy risk assessment will help companies distinguish privacy risk from compliance risk. Identifying how data processing may create problems for people, even when an entity is fully compliant with the relevant laws and regulations, supports ethical decision-making in the design and implementation of systems, products, and services.
In summary, the Privacy Framework is intended to help organizations build better privacy foundations by bringing privacy risk into parity with their broader enterprise risk portfolio.
Avertium specializes in the NIST Privacy Framework and the NIST Cybersecurity Framework, as well as related compliance and other security frameworks.
To find out how we can help you achieve your desired risk management profile and security posture, reach out for a consultation.