From JDSupra, David Farber and Colleen Yushchak discuss using the National Institute of Standards and Technology (NIST) Privacy framework to track and manage compliance across various data protection laws. David and Colleen write:
Since the General Data Protection Regulation (GDPR) went into effect in 2018, over half a dozen countries have passed similar privacy regulations and another few dozen have updated or proposed new privacy regulations. In the U.S., a similar wave of privacy regulations continues to sweep the nation, starting with the state of California and resulting in over 60% of states with active or proposed privacy regulations to date. During that time, over a dozen different federal privacy laws have been considered but none have passed. This has placed organizations in a quandary while they struggle to manage compliance with the varying state and international privacy obligations.
How Organizations Can Stay Ahead of Changing Privacy Laws
The good news is that at a high level, there is a lot of overlap between the international, state, and federal regulations. To date, the GDPR is the most rigorous of the regulations internationally and the California Consumer Privacy Act (CCPA) is the most impactful regulation within the U.S. As you can see from the chart below, other states such as Washington, Illinois and Virginia have active and proposed regulations that are a hybrid of the GDPR and CCPA. On the other hand, Colorado, Maryland, Massachusetts, Mississippi, New Hampshire, and New York have active or proposed regulations that more closely align with CCPA.
To identify and assess the impact of the applicable regulations, organizations need a framework, such as the National Institute of Standards and Technology (NIST) Privacy framework.
What is the NIST Privacy Framework?
Initially the NIST was created as a policy framework focused on cybersecurity. It provided guidance to private sector organizations in the U.S. on how to assess and improve their ability to prevent, detect and respond to cyber-attacks. The NIST Privacy framework was published in January of 2020 and consisted of 100 controls in 5 categories:
The final version took over a year to develop and involved a variety of stakeholders, from privacy and security professionals to software developers to lawyers and business managers. The framework is designed to support communication across an organization and provide a collaborative approach to address privacy risk.
Why use the NIST Privacy Framework?
In October 2019, the FTC commended the NIST for publishing its draft Privacy Framework and reiterated the importance of conducting a comprehensive risk assessment as a necessary first step before making decisions about which privacy controls should be implemented. The FTC is an important agency to look to with regard to privacy enforcement. The FTC fined Facebook 9 percent of their prior year’s revenue relating to the Cambridge Analytica scandal. That is more than double the top fine that can be levied under the GDPR.
In addition, the International Association of Privacy Professionals (IAPP) supports the NIST privacy framework. They recently mapped the NIST’s privacy framework to their requirements for their certification to become a Certified Information Privacy Manager. Other privacy frameworks, such as the Nymity framework (now owned by TrustArc), also mapped their framework to NIST.
Lastly, Ankura mapped the requirements of various privacy laws, including the GDPR, Brazil’s LGPD, Cybersecurity law in China (CSL), Gramm–Leach–Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), CCPA and 8 other pending state privacy laws to the NIST Privacy framework and found that the framework could be used to track and manage compliance across all these laws.
Utilizing the NIST Privacy Framework
Organizations should begin by conducting a privacy risk assessment using a privacy framework such as the NIST. They can use the results of the privacy risk assessment to:
- Identify applicable regulatory requirements based on territorial and operational scope,
- Document current privacy readiness state,
- Ascertain gaps and areas of risk,
- Assign risk ratings to gaps, and
- Develop a go-forward project plan.
Organizations should document reasons for excluding any controls and develop a plan to reassess yearly to continue to close gaps.
While data risk assessments are not currently required in the U.S., upcoming privacy laws have introduced obligations for incorporating data risk assessments into an organization’s procedures. In some cases, organizations will have to be prepared to share the results of privacy risk assessments for review by state regulators. This is a new concept for those not familiar with the requirements of the GDPR and even further underscores the need to perform a privacy risk assessment.
Organizations will not be able to avoid the swiftly emerging privacy requirements sweeping the globe, but they can use tools such as the NIST Privacy framework to assess risks and develop a long-term project plan. As we look forward to a more secure, data-driven industry, NIST leads as a prominent role model by showcasing a framework driven by today’s evolving privacy standards.