An Analysis of the Upcoming NIST Privacy Framework

“The world is more interconnected than ever before” – an expression that has become so common that it’s safe to say it has reached cliché status. Nevertheless, whether one is annoyed by this expression or feels sympathetic toward it, he or she cannot deny its truth. The rapid advancements in information technology from the 1990s onwards have given individuals an unprecedented degree of comfort, and businesses a remarkable opportunity to operate swiftly and create enormous economic value. To a large extent, it is the data provided by individuals that serves as fuel to this data-driven and information-hungry machine. At any given point, there is a gargantuan amount of data being moved from one server to another.

What makes privacy matters more complex is that the movement of information is often not confined within the borders of a single country but is scattered among multiple parts of the world, where views on privacy differ, and the laws and regulations to enforce privacy protections vary. Moreover, as individuals interact with the systems, products, and services that businesses offer, and more or less voluntarily share their private information, it has become increasingly difficult for them to understand the privacy impacts of this interaction or to deal with its potential consequences.

Throughout the world, governments and independent organizations have taken measures and are launching initiatives to tackle these privacy challenges. The European Union, for example, which has the right to privacy enshrined in its Charter of Fundamental Rights (Article 7, “Everyone has the right to respect for his or her private and family life, home and communication”), has created the General Data Protection Regulation (GDPR), which aims to offer data protection and privacy for all EU and EEA individuals and citizens. On the non-governmental side, ISO has published ISO/IEC 29100, which provides a privacy framework applicable to any system or service that requires Personally Identifiable Information (PII) processing. Furthermore, ISO is also working on adding ISO/IEC 27552 to its highly successful ISO/IEC 27000 family of standards. This standard is currently under development; it specifies requirements and provides guidance for establishing, maintaining, and continually improving a Privacy Information Management System (PIMS) as an extension to an ISMS based on the requirements of ISO/IEC 27001 and the guidance of ISO/IEC 27002. In the United States, the National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce, is currently developing a voluntary privacy framework. According to NIST, this privacy framework can help organizations answer the fundamental question: “How are we considering the impacts to individuals as we develop our systems, products, and services?”

This privacy framework is going to be an enterprise risk management tool for organizations to help them consider:

  • how their systems, products, and services affect individuals, and
  • how to integrate privacy practices into their organizational processes in a way that results in effective solutions to mitigate these impacts and protect individuals’ privacy.

Among other objectives, through this privacy framework, NIST aims to establish a common taxonomy that is neither country- nor region-specific. By doing this, NIST allows organizations inside and outside the United States to use it for strengthening their own privacy efforts, while at the same time contributing to the development of a common language for international cooperation on privacy.
