NIST Launches First Privacy Framework for Small- and Medium-Sized Businesses
The National Institute of Standards and Technology (NIST) recently released its new Privacy Framework, Version 1.0, to help optimize beneficial uses of data while protecting individual privacy. The Privacy Framework is modeled on NIST’s Cybersecurity Framework, and the two frameworks are meant to work cohesively with one another to provide businesses a guideline on how best to address threats that could sabotage systems, products, and services. The Privacy Framework comprises three main sections: (1) a set of privacy protection activities to pursue; (2) ways to determine which of the activities will help the business reach its goals most effectively; and (3) ways to optimize the resources to best manage privacy risk.
A press release announcing the release of the Privacy Framework states that “the NIST Privacy Framework is not a law or regulation, but rather a voluntary tool that can help organizations manage privacy risk arising from their products and services, as well as demonstrate compliance with laws that may affect them … It helps organizations identify the privacy outcomes they want to achieve and then prioritize the actions needed to do so.”
NIST Director Walter Copan is supportive of the initiative and believes the Framework will serve as a critical tool that can help organizations deliver products and services of value while simultaneously protecting consumer privacy.
The Framework came about in response to the European Union’s General Data Protection Regulation and similar U.S. state laws such as the California Consumer Privacy Act. NIST expects to continue to update and evolve the framework as need dictates, as it gains greater usage among U.S. companies.
To view NIST’s Privacy Framework Version 1.0, visit: https://www.nist.gov/document/nist-privacy-frameworkv10pdf.