Standards and frameworks provide real benefits for privacy management. Standards are established norms to be applied consistently across organizations, while frameworks are a set of basic guidelines to be adapted to an organization’s needs. Both can help to fulfill compliance obligations, build trust, benchmark against industry best practices, support strategic planning and evaluation, enable global interoperability, and strengthen an organization’s market position.
Just as in information security, the International Organization for Standardization (ISO), in cooperation with the International Electrotechnical Commission (IEC), and the U.S. National Institute of Standards and Technology (NIST) are the main bodies offering general guidance for privacy risk management. ISO and IEC are non-governmental international organizations with all member states of the United Nations having a vote in their standardization processes. NIST is a non-regulatory government agency within the U.S. Department of Commerce. In furtherance of its mission to promote American innovation and industrial competitiveness, NIST provides a wide variety of standards and technology resources, tools, and guidelines for use by U.S. federal agencies as well as by private industry, both domestically and abroad.
At the European level, three distinct private international nonprofit organizations are officially recognized by the EU as responsible for developing and defining voluntary standards. They also collaborate with ENISA, the EU Agency for Cybersecurity. The European Telecommunications Standards Institute (ETSI) covers a variety of privacy-related, sector-specific standards. The European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC) are currently working on privacy information management systems for a European context.
In Asia, the APEC Privacy Framework provides privacy principles and implementation guidelines, forming the basis for a regional system called the APEC Cross-Border Privacy Rules. A more recent development was the approval of the ASEAN Data Management Framework in January 2021, based on the 2016 ASEAN Framework on Personal Data Protection. Those frameworks used the OECD Privacy Framework – the first international consensus on privacy protection in the context of free flow of personal data – as their key reference.
Another prominent global organization in the field is the Standards Association of the Institute of Electrical and Electronics Engineers which has developed a large number of industry standards for privacy and security architectures. Additionally, the Privacy Community Group of the World Wide Web Consortium is chartered to incubate privacy-focused web features and APIs to improve user privacy on the web. Other groups involved in the developments in standards and frameworks include the Internet Engineering Task Force and OASIS Open.
Apart from that, there are national privacy standards, among them the newly developed standards for data privacy assurance by the Bureau of Indian Standards or the German standard data protection model. Also, national standards organizations like the UK’s national standards body BSI or Standards Australia partner closely with ISO or CEN in the field of privacy standards.
Despite the abundance of external standards and frameworks, many companies choose to develop their own. Even in those cases, an organization can benefit greatly from becoming familiar with the concepts and thought processes offered by the bodies and initiatives mentioned above. Those insights can be used to assess and improve an organization’s own privacy program. Improvements could include incorporating additional privacy management principles or closing gaps in internal objectives and controls.
Beginning with this article, we provide a general overview of the existing standards and frameworks in the realm of privacy. This article is the first one in a series of three and will focus on NIST’s ground-breaking Privacy Framework, released in January 2020.
A first overview of the NIST Privacy Framework
“The NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management” is a voluntary framework that helps organizations answer fundamental questions: How are we considering the privacy impacts to individuals as we develop our systems, products, and services? How can we manage privacy risks in a consistent way across business units and markets? How do we ensure a quality privacy program that adapts to business needs and new regulatory requirements?
The intention of the NIST Privacy Framework is to support better privacy practices in enterprises of all sizes, all sectors and all jurisdictions. Organizations can rely on the Framework to create a new privacy program from scratch or to improve an existing privacy program.
The Framework approach to privacy risk is to consider privacy events as potential problems individuals could experience arising from data processing throughout the complete data lifecycle, from collection through disposal. Potential problems range from violating a person’s dignity to discrimination, economic loss or physical harm. Privacy risks can arise by means unrelated to cybersecurity risks, which are characterized by a loss of confidentiality, integrity or availability of personal information.
The Framework defines privacy risk as the likelihood that individuals (singly or in groups) will experience privacy problems resulting from data processing, combined with the impact should those problems occur. While individuals experience the direct impact of privacy events, organizations can experience significant impacts as well, such as noncompliance costs, loss of clients and customers, a decline in sales, and a damaged brand image.
Against this backdrop, the NIST Privacy Framework supports ethical decision-making around privacy risk management in the context of enterprise risk management. It enables finding the right balance between building innovative systems, products, and services while protecting individuals’ privacy.
NIST acknowledges that privacy risk management is a cross-disciplinary function that requires support and engagement from stakeholders across an organization. Therefore, one of the main purposes of the Framework is to provide a common language for legal, technical, design and product teams to drive internal collaboration. This goal can be achieved whether the Framework is used in a lightweight manner or in the context of a more advanced privacy risk management practice. In any case, using the NIST Privacy Framework as a reference and guideline for cross-organizational dialogue can strengthen accountability for privacy risk management throughout an organization.
The NIST Privacy Framework was modeled after the widely adopted NIST Cybersecurity Framework. However, the adoption of the Privacy Framework is independent from the implementation of the Cybersecurity Framework. Both Frameworks are designed for guidance only and are not auditable.