National Institute of Standards and Technology, ISO Release Privacy Guidance

Written by

Paula Bruening

Companies seeking guidance about how to understand privacy risks and to implement measures to address them should be aware of two new resources – The National Institute of Standards and Technology’s (“NIST”) draft Privacy Framework and the International Organization for Standardization’s (“ISO”) International Standard for privacy information management. These tools are designed to work alongside existing guidelines for cybersecurity and the requirements of emerging law such as the General Data Protection Regulation and the California Consumer Privacy Act.

The NIST Privacy Framework  

In September, NIST, an agency of the U.S. Department of Commerce, released a preliminary draft of its Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management (“Privacy Framework”).

The framework, which was created in collaboration with private and public stakeholders, is designed to help organizations integrate privacy risk into their broader enterprise risk portfolio. The Privacy Framework has three parts:  

  • The “Core,” which suggests the implementation of a set of privacy protection activities and outcomes and encourages communication about privacy protection activities across the organization – from the executive suite to the operations level;
  • “Profiles” that draw on particular values, business needs and risks the organization identifies as priorities and encourages comparison of an organization’s “Current” Profile (the organization’s “as is” state) with a “Target” Profile as a form of self-assessment; and
  • “Implementation Tiers,” which help the organization understand privacy risks and whether the processes and resources it has implemented to manage those risks are sufficient.

This three-part structure purposely tracks NIST’s existing Cybersecurity Framework. Once the Privacy Framework is finalized, organizations will ideally be able to use both Frameworks to address privacy and security risks.

NIST seeks to comment on the preliminary draft of the Privacy Framework. The comment period closes on October 24, 2019.

The ISO Standard

In August, the International Organization for Standardization (ISO) published the first International Standards for privacy information management – ISO/IEC 27701:2019. The design goal of the standard is to enhance the existing Information Security Management System (ISMS) in order to establish, implement, and maintain a Privacy Information Management System (PIMS).

In an announcement, ISO stated that ISO/IEC 27701 specifies requirements “for establishing, implementing, maintaining and continually improving a privacy-specific information security management system.” The standard outlines a framework to manage privacy controls in a way that reduces the risk to the privacy of individuals.

Significantly, the new standard references how it can assist organizations in complying with regulatory regimes. It also notes that organizations that fulfill the requirements of the standard will “generate documentary evidence of how it handles PII (personally identifiable information).” It highlights the value of such evidence as companies negotiate contracts with business partners and deal with other stakeholders. The GDPR, for example, requires companies to document their work to assess and mitigate privacy risks, and to implement measures that promote privacy within their organizations – and be prepared to show that documentation to regulators. Compliance with the ISO standard may serve as one tool to assist them in meeting that requirement.

At Achieved Compliance, we provide compliance solutions to companies navigating the complex world of privacy law and regulation. If you need assistance, call us or send us a message to find out how we can help.