As states fill the legal void for consumer privacy rights,[1] a new federal standard has emerged to assist companies with their compliance efforts. The National Institute of Standards and Technology (“NIST”) Privacy Framework (“PF”) was released last month to help organizations manage the risks associated with their data processing activities.
What the PF Does
The PF purports to improve risk management through mitigation, transfer, avoidance, and acceptance principles. It is designed for all types of organizations regardless of category or size and their objectives and needs and can be “adaptable to any organization’s role(s) in the data processing ecosystem.” It can be found here: https://www.nist.gov/privacy-framework/privacy-framework.
How to Use the PF
Like NIST’s Cybersecurity Framework, the PF is divided into five functions with slightly different purposes:
- Identify – to understand the risks to individuals from data processing
- Govern – to understand an organization’s risk management priorities
- Control – to understand privacy risks with enough granularity
- Communicate – to have dialogue about data processing and risks
- Protect – to prevent cybersecurity-related privacy events
While the PF itself is only 39 pages, it is a living document that will evolve based on lessons learned by various stakeholders with NIST being the convener and coordinator. But already the PF includes additional resources that help understand what is otherwise quite abstract. For example, the PF includes a vast resource repository that provides detailed directions on implementation strategies. In the repository’s Guidance and Tools section, each of the five functions is examined.[2]
In relation to legal risks, if you are an organization that maintains personally identifiable information (“PII”) of Colorado residents you must have “a written policy for the destruction or proper disposal” of that PII. The PF provides guidance on disposal strategies. If you are a covered entity under the California Consumer Privacy Act and are required to provide training to those that handle consumer inquiries, the PF provides guidance. If you collect information about Massachusetts residents, you must limit the amount of PII that is collected. The PF provides guidance here also.
The PF is also designed to help organizations keep up with technology advancements and new uses for data and is likely to have regulatory support. The FTC already supports the CSF[3] and last October it submitted suggestions to NIST on how the PF should be structured, some of which were adopted. Given the heightened emphasis the FTC placed on privacy enforcement in 2018-2019, this is meaningful. Organizations that use the CSF for their cybersecurity programs will have a leg up if they decide to implement the PF for their privacy programs as they are designed to work together.
[1] See, e.g., here, here, and here for brief articles about important aspects of the California Consumer Privacy Act.
[2] https://www.nist.gov/privacy-framework/resource-repository/browse/guidance-and-tools
[3] https://www.stoelprivacyblog.com/2019/10/articles/privacy/achieving-industry-standards/