The National Institute of Standards and Technology (NIST) released a preliminary draft of its new Privacy Framework Sept. 9 in an effort to help organizations better manage privacy risk.
The framework “provides a common language for understanding, managing, and communicating privacy risk with internal and external stakeholders. It can be used to help identify and prioritize actions for reducing privacy risk,” NIST wrote.
The framework's core is organized into five privacy functions: identify, govern, control, communicate and protect. The core is meant to give all levels of an organization a shared vocabulary for discussing privacy risk management.
“The first four can be used to manage privacy risks arising from data processing, while [protect] can help organizations manage privacy risks associated with privacy breaches,” NIST wrote.
Each function is further broken down into categories and subcategories that describe specific privacy outcomes.
The privacy framework is meant to complement NIST's Cybersecurity Framework, addressing the overlap between cybersecurity risk and privacy risk, where a security incident involving personal data becomes a privacy breach.
“While managing cybersecurity risk contributes to managing privacy risk, it is not sufficient, as privacy risks can also arise outside the scope of cybersecurity risks,” NIST wrote.
The document focuses heavily on data processing, calling on organizations to understand which individuals are affected by the data they hold and how that data is processed and managed.
“When used as a risk management tool, the privacy framework can assist an organization in its efforts to optimize beneficial uses of data and the development of innovative systems, products, and services while minimizing adverse consequences for individuals,” NIST wrote.
NIST is accepting public comments until Oct. 24.