NIST Privacy Framework

Do your business processes meet global privacy standards?

Implementing the NIST Privacy Framework allows an organization to be Globally aligned, Locally deployed and Organizationally measured.

In this animated story, privacy experts explain how organizations can use the Privacy Framework to build trust in their products and services, communicate their privacy practices more clearly, and help meet their compliance obligations.


Statistics in the video were taken from Pew Research Center, November 2019, “Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information.”

Overview and Privacy Risk Management Approach

Managing cybersecurity risk contributes to managing privacy risk, but it is not sufficient on its own: privacy risks can also arise by means unrelated to cybersecurity incidents (for example, from authorized data processing that individuals nonetheless find harmful), as illustrated by the Venn diagram. A general understanding of the different origins of cybersecurity and privacy risks is important for choosing the most effective controls to address each kind of risk.

The Privacy Framework is a voluntary tool intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy. The Privacy Framework approach to privacy risk is to consider privacy events as potential problems individuals could experience arising from system, product, or service operations with data, whether in digital or non-digital form, through a complete life cycle from data collection through disposal.

These data operations are described in the singular as a data action and collectively as data processing. The problems that individuals, whether singly or in groups (including at a societal level), can experience as a result of data processing can be expressed in various ways; NIST describes them as ranging from dignity-type effects, such as embarrassment or stigma, to more tangible harms, such as discrimination, economic loss, or physical harm.

As a result of the problems individuals experience, an organization may in turn experience impacts such as noncompliance costs, revenue loss from customers abandoning its products and services, or harm to its external brand reputation or internal culture. Organizations commonly manage these types of impacts at the enterprise risk management level. By connecting the problems individuals experience to these well-understood organizational impacts, an organization can bring privacy risk into parity with the other risks in its broader portfolio and make more informed decisions about allocating resources to strengthen its privacy program.

To learn more about our approach, please email us at info@newportthomson.com