The National Institute of Standards and Technology (NIST) is requesting public comments related to the development of a privacy risk management framework, according to a prepared statement. NIST last month held its first workshop in Austin, Texas to launch the privacy risk management framework development process.
NIST outlined three goals in its privacy risk management framework request for public comments:
- To understand common privacy challenges in the design, operation and use of products and services that could be addressed via the framework.
- To find out which organizations are identifying and communicating privacy risk or have incorporated privacy risk management standards, guidelines and best practices into their policies and procedures.
- To identify high-priority gaps that privacy guidelines, best practices and new or revised standards could address.
In addition, the privacy risk management framework could help organizations develop and deploy best practices to safely collect, store, use and share information, NIST indicated. The framework also could align policy, business, technological and legal approaches to improve organizations' management of processes for incorporating privacy protections into their products and services.
What Will the NIST Privacy Risk Management Framework Include?
The goal of the privacy risk management framework is to help organizations identify, assess, manage and communicate privacy risks, NIST indicated. As such, the framework will focus on the following areas:
- Adaptability: The framework should be adaptable among all organizations, of all sizes and across all industries.
- Compatibility: The framework should help organizations leverage existing privacy standards, methodologies and guidance and operate under applicable domestic and international legal or regulatory requirements.
- Common and Accessible Language: The framework should use a common language that promotes collaboration and communication among all stakeholders.
- Regular Updates: The framework should be updated regularly to ensure that organizations can keep pace with new technologies and privacy risks.
- Risk-Based and Non-Prescriptive: The framework should provide various privacy outcomes and approaches rather than one-size-fits-all requirements.
- Transparency: The framework should be developed and updated via an open, consensus-driven and transparent process.
- Usability: The framework should help organizations reinforce their day-to-day risk management activities.
NIST is accepting public comments on its privacy risk management framework until the end of the year. It also plans to host workshops and offer other opportunities that enable organizations to provide framework input.