Last week, the National Institute of Standards and Technology (NIST) released the NIST Privacy Framework. As a result, one of our best excuses for not dealing with privacy issues in our organizations has disappeared.
This doesn’t mean that further excuses aren’t available. We can always say that we lack the necessary resources or that top management must decide its overall privacy values. But we no longer have to struggle just to get a handle on what managing privacy entails for our organizations.
Up until now, that’s pretty much what we’ve been doing. We’ve been reactive. The question has been about compliance with privacy laws and regulations, such as the General Data Privacy Regulation or the California Consumer Privacy Act. Often, the answer to that question has been that the laws in question do not affect us, so we can go back to sleep.
The Framework’s Promise
The Framework, however, makes several useful distinctions that can get us moving. First, it distinguishes between privacy and confidentiality. We’ve been protecting confidentiality as part of security, but that doesn’t mean we’ve been addressing privacy.
It then defines the major functions that privacy management should include and arranges them in a possible privacy security plan.
As a consultant, I see this document as providing the analytical framework that enables development of privacy management plans. What follows are some examples of the Framework’s analysis. If this is important to you, however, read the document. Despite its enterprise-oriented tone, it can apply to all organizations.
Confidentiality vs. Privacy
As the Framework puts it, “The Privacy Framework approach to privacy risk is to consider privacy events as potential problems individuals could experience arising from system, product, or service operations with data, whether in digital or non-digital form, through a complete life cycle from data collection through disposal.” The problems individuals could experience include things “ranging from dignity-type effects such as embarrassment or stigmas to more tangible harms such as discrimination, economic loss, or physical harm.”
As a result of the harm individuals experience, “An organization may experience impacts such as noncompliance costs, revenue loss arising from customer abandonment of products and services, or harm to its external brand reputation or internal culture.” Thus, individual risk becomes organizational risk.
Confidentiality risk, on the other hand, is considered one kind of cybersecurity risk, associated with cybersecurity-related events. It may not involve individuals, such as in the case of confidential organizational plans. Privacy risk may not involve cybersecurity, such as when a printed record ends up in somebody’s hands, or a doctor’s office employee mentions something about a patient to the wrong people.
Where to look for cybersecurity-related privacy events can then be associated with the data life cycle, including collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission and disposal.
The Functions in Privacy Management
Organizations generally relate to privacy activities through five functions: Identify, Govern, Control, Communicate and Protect. These functions can be used to manage privacy risks, as they identify the necessary activities. NIST is careful to stipulate that many organizations will use them in different sequences or ways. Nevertheless, they provide the basis for a plan.
Here are some brief definitions of the functions:
Identify: “Develop the organizational understanding to manage privacy risk for individuals arising from data processing.” This involves, “Inventorying the circumstances under which data are processed, understanding the privacy interests of individuals directly or indirectly served or affected by an organization, and conducting risk assessments.”
Govern: “Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.”
Control: “Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.”
Communicate: “Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.”
Protect: “Develop and implement appropriate data processing safeguards. The Protect Function covers data protection to prevent cybersecurity-related privacy events, the overlap between privacy and cybersecurity risk management.”
Profiles are sets of specific functions and their subsidiary activities. A good step in planning is to establish current and target profiles. Comparing them leads to a kind of gap analysis, which, in turn, can lead to an action plan for improvement. “A Current Profile indicates privacy outcomes that an organization is currently achieving, while a Target Profile indicates the outcomes needed to achieve the desired privacy risk management goals.”
The Framework also provides a simplified method for establishing a privacy program from the functions and the action plan, organized into “ready, set, go” phases.
Ready: Use the Identify and Govern Functions to get “ready.”
Set: “Set” an action plan based on the differences between Current and Target Profiles.
Go: “Go” forward with implementing the action plan.
What Are You Waiting For?
I hope I’ve conveyed the impression that after reading the Framework, dealing with privacy issues in cybersecurity should be much more manageable. Read the report and give it a try!