The National Institute of Standards and Technology has released an initial draft of a framework meant to help organizations improve individuals’ privacy through enterprise risk management.
NIST said Friday that the Privacy Framework seeks to help organizations secure individuals’ privacy through three efforts: establish customer trust by supporting ethical decision-making in service and product design; meet compliance obligations; and facilitate communications with clients and regulators about privacy practices.
The agency noted that the framework follows the structure of the Cybersecurity Framework and is composed of three parts: the core, profiles and implementation tiers. The core seeks to facilitate a dialogue about privacy protection operations and desired outcomes, while profiles advance the prioritization of activities and outcomes that meet organizational missions and privacy values.
The implementation tiers support communication and decision-making about whether organizational processes are sufficient to handle privacy risks.
NIST wants stakeholders to assess whether the initial draft defines outcomes that strengthen an individual’s privacy protection or cover existing practices; integrates privacy risk into organizational risk; and allows organizations to adapt to privacy risks arising from the use of artificial intelligence, internet of things and other emerging technologies.
Public comments are due Oct. 24.