Companies seeking guidance on how to understand privacy risks and implement measures to address them should be aware of two new resources – the National Institute of Standards and Technology’s (“NIST”) draft Privacy Framework and the International Organization for Standardization’s (“ISO”) International Standard for privacy information management. Both tools were designed to complement existing cybersecurity guidelines and to meet the demands of emerging laws such as the General Data Protection Regulation and the California Consumer Privacy Act.
In September, NIST, an agency of the U.S. Department of Commerce, released a preliminary draft of its Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management (“Privacy Framework”).
Private and public stakeholders collaborated to create the framework, aiming to assist organizations in integrating privacy risk into their broader enterprise risk portfolio. The Privacy Framework has three parts:
This three-part structure purposely tracks NIST’s existing Cybersecurity Framework. Once the Privacy Framework is finalized, organizations should be able to use both Frameworks together to address privacy and security risks.
NIST is seeking comments on the preliminary draft of the Privacy Framework. The comment period closes on October 24, 2019.
In August, the International Organization for Standardization (ISO) published the first International Standard for privacy information management – ISO/IEC 27701:2019. Importantly, the standard is designed to extend an existing Information Security Management System (ISMS) in order to establish, implement, and maintain a Privacy Information Management System (PIMS).
In an announcement, ISO stated that ISO/IEC 27701 specifies requirements “for establishing, implementing, maintaining and continually improving a privacy-specific information security management system.” The standard outlines a framework to manage privacy controls in a way that reduces the risk to the privacy of individuals.
Significantly, the new standard describes how it can assist organizations in complying with regulatory regimes. It also notes that an organization that fulfills the requirements of the standard will “generate documentary evidence of how it handles PII (personally identifiable information).” It highlights the value of such evidence as companies negotiate contracts with business partners and deal with other stakeholders. For example, the GDPR requires companies to document their work to assess and mitigate privacy risks and to implement measures that promote privacy within their organizations – and to be prepared to show that documentation to regulators. Compliance with the ISO standard may serve as one tool to assist them in meeting that requirement.
At Achieved Compliance, we provide compliance solutions to companies navigating the complex world of privacy law and regulation. Contact us today to discover how we can be of assistance to you.
The European Commission announced in December that it has begun the process of adopting an adequacy decision for the EU-U.S. Data Privacy Framework (the Framework). Companies seeking to transfer data from countries in the European Union to the United States will need to take steps to align with this new change.