Companies seeking guidance about how to understand privacy risks and to implement measures to address them should be aware of two new resources – The National Institute of Standards and Technology’s (“NIST”) draft Privacy Framework and the International Organization for Standardization’s (“ISO”) International Standard for privacy information management. These tools are designed to work alongside existing guidelines for cybersecurity and the requirements of emerging law such as the General Data Protection Regulation and the California Consumer Privacy Act.
In September, NIST, an agency of the U.S. Department of Commerce, released a preliminary draft of its Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management (“Privacy Framework”).
The framework, which was created in collaboration with private and public stakeholders, is designed to help organizations integrate privacy risk into their broader enterprise risk portfolio. The Privacy Framework has three parts:
This three-part structure purposely tracks NIST’s existing Cybersecurity Framework. Once the Privacy Framework is finalized, organizations will ideally be able to use both Frameworks to address privacy and security risks.
NIST seeks to comment on the preliminary draft of the Privacy Framework. The comment period closes on October 24, 2019.
In August, the International Organization for Standardization (ISO) published the first International Standards for privacy information management – ISO/IEC 27701:2019. The design goal of the standard is to enhance the existing Information Security Management System (ISMS) in order to establish, implement, and maintain a Privacy Information Management System (PIMS).
In an announcement, ISO stated that ISO/IEC 27701 specifies requirements “for establishing, implementing, maintaining and continually improving a privacy-specific information security management system.” The standard outlines a framework to manage privacy controls in a way that reduces the risk to the privacy of individuals.
Significantly, the new standard references how it can assist organizations in complying with regulatory regimes. It also notes that organizations that fulfill the requirements of the standard will “generate documentary evidence of how it handles PII (personally identifiable information).” It highlights the value of such evidence as companies negotiate contracts with business partners and deal with other stakeholders. The GDPR, for example, requires companies to document their work to assess and mitigate privacy risks, and to implement measures that promote privacy within their organizations – and be prepared to show that documentation to regulators. Compliance with the ISO standard may serve as one tool to assist them in meeting that requirement.
At Achieved Compliance, we provide compliance solutions to companies navigating the complex world of privacy law and regulation. If you need assistance, call us or send us a message to find out how we can help.
The European Commission’s announced in December that it has begun its process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework (the Framework). Companies seeking to transfer data from countries in the European Union to the United States will need to take steps to be in alignment with this new change.