“The world is more interconnected than ever before” – an expression that has become so common that it is safe to say it has reached cliché status. Nevertheless, whether one is annoyed by this expression or sympathetic toward it, its truth is hard to deny. The rapid advances in information technology from the 1990s onwards have given individuals an unprecedented degree of comfort, and businesses a remarkable opportunity to operate swiftly and create enormous economic value. To a large extent, it is the data provided by individuals that fuels this data-driven and information-hungry machine. At any given moment, a gargantuan amount of data is being moved from one server to another.
What makes privacy matters more complex is that the movement of information is often not confined within the borders of a single country but is scattered across multiple parts of the world, where views on privacy differ and the laws and regulations that enforce privacy protections vary. At the same time, as individuals interact with the systems, products, and services that businesses offer, and share their private information more or less voluntarily, it has become increasingly difficult for them to understand the impacts of that interaction on their privacy, or to deal with its potential consequences.
Throughout the world, governments and independent organizations have taken measures and are launching initiatives to tackle these privacy challenges. The European Union, for example, which has the right to privacy enshrined in its Charter of Fundamental Rights (Article 7, “Everyone has the right to respect for his or her private and family life, home and communications”), has created the General Data Protection Regulation (GDPR), which aims to offer data protection and privacy to all individuals in the EU and EEA. On the non-governmental side, ISO has published ISO/IEC 29100, which provides a privacy framework applicable to any system or service that processes Personally Identifiable Information (PII). Furthermore, ISO is also working on adding ISO/IEC 27552 to its highly successful ISO/IEC 27000 family of standards. This standard is currently under development; it specifies requirements and provides guidance for establishing, maintaining, and continually improving a Privacy Information Management System (PIMS) as an extension of an ISMS based on the requirements of ISO/IEC 27001 and the guidance of ISO/IEC 27002. In the United States, the National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce, is currently developing a voluntary privacy framework. According to NIST, this privacy framework can help organizations answer the fundamental question: “How are we considering the impacts to individuals as we develop our systems, products, and services?”
This privacy framework is going to be an enterprise risk management tool for organizations to help them consider:
- How their systems, products, and services affect individuals and,
- how to integrate privacy practices into their organizational processes that result in effective solutions to mitigate these impacts and protect individuals’ privacy.
Among other objectives, through this privacy framework NIST aims to establish a common taxonomy that is neither country- nor region-specific. By doing this, NIST allows organizations inside and outside the United States to use it to strengthen their own privacy efforts, while at the same time contributing to a common language for international cooperation on privacy.
Why cybersecurity alone is not enough
In 2014, NIST published the Framework for Improving Critical Infrastructure Cybersecurity (commonly known as the Cybersecurity Framework). Since its release, this framework has helped many organizations communicate and manage cybersecurity risks. As NIST states, these risks arise from “unauthorized activity related to the loss of confidentiality, integrity, or availability of a system or information asset.” However, privacy risks do not occur only as a result of the actions of those with malicious intent. Authorized data processing can also lead to unintended or adverse consequences for individuals. Businesses, for example, when providing services and marketing products, can use individuals’ information in ways that increase those individuals’ exposure to fraud and identity theft. This can have a profound effect on the lives of many people. Thus, as stated by NIST, unlike cybersecurity risks, privacy risks arise as “a byproduct of intentional (i.e., authorized) data processing occurring in systems, products, and services that help organizations to achieve their business objectives.” A security program that only guards against unauthorized access therefore leaves this class of risk unaddressed.
The NIST Privacy Framework components
The aim of this Privacy Framework is to improve privacy risk management by connecting business/mission drivers with privacy protection activities. It is intended for organizations that use data processing systems, products or services, irrespective of their sector, focus or size. The NIST Privacy Framework consists of three components: the Core, the Profiles, and the Implementation Tiers.
The Core is a set of privacy protection activities and desired outcomes, organized into five functions which together provide a high-level, strategic view of the organization’s privacy risk management. These functions are “Identify, Protect, Control, Inform and Respond”, and each of them consists of key categories and subcategories. The Core functions should not be seen as sequential steps toward an end state; rather, they are effective when performed concurrently and continuously. Functions, categories and subcategories work together to address privacy risks. The five functions organize the basic privacy activities; the Identify, Protect and Respond functions also appear in the Cybersecurity Framework, which lets the two frameworks be used together when managing privacy risk. The categories divide a function into groups of privacy outcomes related to programmatic needs and activities. Likewise, the subcategories divide a category into outcomes based on the technical and management activities that need to be implemented.
The draft version of the NIST Privacy Framework, “An enterprise risk management tool”, has 5 functions, 23 categories and 111 subcategories, as presented in its Appendix A, “Privacy Framework Core”.
The Profile: the organization builds a Profile by selecting the functions, categories and subcategories that fit its business requirements, risk tolerance, privacy values, and resources. The risk-based approach of the Privacy Framework allows the organization to tailor the functions, categories and subcategories to its specific needs, and to add functions for unique risks that the specific organization may face. Profiles are used to create a clear picture of the current state of the organization (the Current Profile) as well as the desired target state (the Target Profile). This makes it possible to distinguish the privacy outcomes that the organization currently achieves from those it plans to achieve.
The Implementation Tiers help organizations manage privacy risk by considering the nature of such risks and the maturity of the processes and resources in place. There are four tiers: Partial (Tier 1), Risk-Informed (Tier 2), Repeatable (Tier 3), and Adaptive (Tier 4). Tier selection affects the Profiles and the privacy risk management within the organization. Thus, before selecting a tier, organizations should consider their current risk management practices, their data processing systems, products and services, legal and regulatory requirements, the privacy needs of the individuals affected, and similar factors.
How to use the Privacy Framework
The Privacy Framework supplements existing development operations, helps articulate privacy requirements to partners and customers, and supports the identification of gaps in the organization’s privacy practices. How the Privacy Framework is used is up to the implementing organization. Organizations can take the subcategories in the Core and map them to specific sections of regulations, standards, guidelines and practices, in order to support the further development of systems, products and services that take individuals’ privacy needs into account.
Moreover, the Privacy Framework can be used to compare existing privacy activities with the activities of the Core. The Current Profile helps an organization analyze which outcomes it has achieved and determine whether it needs an action plan to build up its existing privacy practices and minimize privacy risk.
The Privacy Framework helps create a new privacy program or enhance an existing one through its “ready, set, go” phases. First, the organization needs to understand its business environment and the privacy risks of its systems, products or services, and then conduct a privacy risk assessment using the Identify function. Next, the organization can set an action plan based on a comparison between the Current Profile and the Target Profile. Finally, in order to reach the Target Profile, the organization adjusts its existing privacy practices.
The NIST Privacy Framework comes at a much-needed time, and it will serve as the go-to guideline for establishing a process to evaluate any organization’s state of privacy and determine what needs to be done to improve it.
UPDATE: Please note that the name of the ISO/IEC 27552 standard has changed to ISO/IEC 27701.