Earlier this year, the National Institute of Standards and Technology (NIST) worked with stakeholders in the public and private sectors to develop the NIST Privacy Framework.
According to NIST, the framework is designed “to enable better privacy engineering practices that support privacy by design concepts and help organizations protect individuals’ privacy.”
Why is this significant?
The NIST Privacy Framework goes above and beyond existing privacy regulations.
The framework gives businesses a way to understand how to start thinking about values and ethics around privacy, even if they do not have a legal obligation to be compliant.
While state laws are starting to address data privacy, federal law in the US still trails behind. The NIST Privacy Framework looks at identifying information about individuals that is not currently regulated in the United States, such as:
- Things that people have disclosed on the internet — knowingly or unknowingly.
- Data collected about marketing leads.
- Customer information.
- Information gathered from various sources online.
- Biometric information.
Few modern frameworks are built with such a broad perspective on privacy.
The NIST Privacy Framework incorporates other elements of values and ethics. This is highly unusual for a cybersecurity framework.
The NIST Privacy Framework considers the privacy values of the organization, its customers, the public, and the greater data ecosystem that each company exists within.
This powerful new tool aligns companies with consumer values and provides a clear roadmap for doing so effectively.
It’s not enough to tell your clients that you take privacy seriously.
Thanks in large part to the General Data Protection Regulation (GDPR) and to growing public awareness around privacy issues, consumers have much more power when it comes to identifying issues with privacy.
Tech giants like Facebook and Google have come under increasing scrutiny in recent months over how they leverage customer data and manipulate users. “The Social Dilemma” — a Netflix produced docudrama that addressed tech companies’ manipulation of user data — garnered 38 million views in its first month.
If Facebook had used this framework, for example, it would not have disclosed all the information it did to Cambridge Analytica, which allowed Cambridge Analytica to create psychological profiles about people that were used to manipulate users and influence election outcomes.
Companies looking to adopt the NIST Privacy Framework can look to Gazelle Consulting to develop a compliance program.
Gazelle Consulting’s background in IT management and data security prepares us to assist any organization in developing compliant information management programs.
This would typically start with the key task of inventorying and mapping data, to understand what is going on in the organization's information systems and to identify vulnerabilities (such as the risk of a data breach or accidental exposure of data).
While it remains to be seen whether industries will begin requiring the NIST Framework, companies can take steps today to demonstrate that they want to align themselves with their customers’ values around privacy.