National Institute of Standards and Technology & ISO Release Privacy Guidance

Written by

Achieved Compliance

Companies seeking guidance on how to understand privacy risks and implement measures to address them should be aware of two new resources: the National Institute of Standards and Technology's ("NIST") draft Privacy Framework and the International Organization for Standardization's ("ISO") International Standard for privacy information management. Both were designed to complement existing cybersecurity guidelines and to help organizations meet the demands of emerging laws such as the General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA").

The NIST Privacy Framework

In September, NIST, an agency of the U.S. Department of Commerce, released a preliminary draft of its Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management (“Privacy Framework”).

Private- and public-sector stakeholders collaborated on the framework, which aims to help organizations integrate privacy risk into their broader enterprise risk portfolio. The Privacy Framework has three parts:

  • The “Core,” which sets out a catalog of privacy protection activities and outcomes and encourages communication about those activities across the organization – from the executive suite to the operations level;
  • “Profiles,” which draw on the particular values, business needs and risks the organization identifies as priorities, and which encourage comparison of an organization’s “Current” Profile (its “as is” state) with a “Target” Profile as a form of self-assessment; and
  • “Implementation Tiers,” which help the organization understand its privacy risks and gauge whether the processes and resources it has put in place to manage those risks are sufficient.

This three-part structure deliberately mirrors NIST’s existing Cybersecurity Framework, so that once the Privacy Framework is finalized, organizations will be able to use the two Frameworks together to address privacy and security risks.

NIST is seeking public comment on the preliminary draft of the Privacy Framework. The comment period closes on October 24, 2019.

The ISO Standard

In August, the International Organization for Standardization (ISO) published the first International Standard for privacy information management – ISO/IEC 27701:2019. The standard is designed as an extension to an organization’s existing Information Security Management System (ISMS) under ISO/IEC 27001, adding the requirements needed to establish, implement, maintain and continually improve a Privacy Information Management System (PIMS).

In its announcement, ISO stated that ISO/IEC 27701 specifies requirements “for establishing, implementing, maintaining and continually improving a privacy-specific information security management system.” The standard outlines a framework for managing privacy controls in a way that reduces the risk to the privacy of individuals.

The standard also describes how it can assist organizations in complying with regulatory regimes. It notes that an organization that fulfills its requirements will “generate documentary evidence of how it handles PII (personally identifiable information),” and it highlights the value of such evidence when companies negotiate contracts with business partners and deal with other stakeholders. The GDPR, for example, requires companies to document how they assess and mitigate privacy risks and implement privacy-promoting measures within their organizations – and to be prepared to show that documentation to regulators. Conformance with the ISO standard may therefore serve as one tool for meeting that requirement.

At Achieved Compliance, we provide compliance solutions to companies navigating the complex world of privacy law and regulation. Contact us today to discover how we can be of assistance to you.