Stop Running from Privacy! Use the NIST Privacy Framework

Jerry Hughes
Feb 19, 2020 1:00:00 PM

Take a look at your recent SOC 2 Type II Service Organization Audit, where there are five Trust Service Criteria (Security, Confidentiality, Processing Integrity, Availability, and Privacy). How about your last Health Insurance Portability and Accountability Act (HIPAA) Audit, where there is a Security Rule and a Privacy Rule? Was privacy included in the scope of either audit? Chances are it was not. As an experienced IT audit and security firm, Compass IT Compliance’s IT Auditors review and perform these independent audits all the time, and rarely do we see privacy included in scope - even in the healthcare industry! So why do companies, including audit firms, avoid privacy?

Laws like HIPAA, the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), to name a few, require that companies begin taking privacy seriously.

Here is what we are seeing and hearing:

  • Privacy is challenging because not only is it an all-encompassing concept that helps to safeguard important values such as human autonomy and dignity, but also the means for achieving it can vary
  • Privacy can be achieved through seclusion, limiting observation, or individuals’ control of facets of their identities (e.g., body, data, reputation)
  • Human autonomy and dignity are not fixed; there are cultural and individual differences. This broad and changing aspect of privacy makes it challenging to communicate privacy risks

We live in an ever-changing, data-driven society that struggles to balance creating and using innovative products and services that use personal data while still protecting people’s privacy. As a result, individuals may not be able to understand the potential consequences for their privacy as they interact with systems, products, and services.

What has been missing is a common language and practical tool that is flexible enough to address different privacy needs. That is where the National Institute of Standards and Technology (NIST) comes to the rescue. NIST created a new tool for managing these privacy risks.

NIST developed this privacy framework with input from private and public sources. It’s a tool for improving privacy through enterprise risk management, currently titled “NIST Privacy Framework”. It enables better privacy engineering practices that support privacy by design concepts, and it will help organizations protect individuals’ privacy.

The NIST Privacy Framework supports organizations in:

  • Building customers’ trust by encouraging ethical decision-making during the design and deployment of products and services
  • Meeting compliance obligations now and in the future, as they relate to products and services, in a changing technological and policy environment
  • Facilitating communication regarding privacy with individuals, business partners, assessors, and regulators

When used as a risk management tool, the NIST Privacy Framework can assist an organization in optimizing beneficial uses of data and the development of systems, products, and services while minimizing negative consequences for individuals. It also helps organizations answer the fundamental question, “How are we considering the impact to individuals as we develop our systems, products, and services?”

The NIST Privacy Framework is flexible, so it can assist in addressing the unique needs of an organization, and it is designed to complement existing business and system development operations. Please reach out to your trusted partner, Compass IT Compliance, to see how we can help you get started today!
