On Tuesday, Oct. 16, the National Institute of Standards and Technology (NIST) held its “Kicking off the NIST Privacy Framework: Workshop #1” in Austin, Texas. I was honored to be asked to participate. This was the first in a series of public workshops focusing on the development of a useful and voluntary Privacy Framework, like the NIST Cybersecurity Framework (CSF).
Event participation was outstanding. NIST’s initial registration for the event was filled in less than 90 minutes. Realizing they needed a bigger room, NIST moved to a space that nearly doubled the potential attendance. When the reopening of the registration was announced, it was filled in less than an hour. Many well-known names in the privacy field attended, with the audience primarily consisting of privacy consultants, lawyers, and other professionals trying to figure out how the Privacy Framework fits into their future.
NIST previously brought together both public and private sector individuals interested in solving problems that face us all. The CSF was a highly successful effort to develop a lightweight, valuable, and adoptable framework focused on improving the “security programs” of organizations. While initially developed in response to presidential executive order 13636, the CSF was never meant to be a government document. Speaking to critical infrastructure and cybersecurity organization representatives at the first Cybersecurity Framework meeting, previous NIST director Dr. Pat Gallagher said, “This is not NIST’s framework, this is yours.” He was absolutely right.
Over the next year, more than 3,000 professionals participated in CSF workshops, responded to requests for information, and provided comments on work-in-progress drafts. The result was something that achieved the CSF’s initial goals: It’s beneficial to all sectors and is usable by a range of organizations from small businesses to some of the largest corporations on the planet. The CSF is having a positive global influence with its adoption by various countries. It’s also assisting in the global alignment of cybersecurity languages and practices.
NIST has established many of the same goals for the Privacy Framework. These goals include:
- Developing the Privacy Framework through a consensus-driven, open, and highly transparent process
- Establishing a common language, providing for a consistent means to facilitate communication across all aspects of an organization
- Ensuring it is adaptable and scalable to many differing types of organizations, technologies, lifecycle phases, sectors, and uses
- Developing a voluntary, risk-based, outcome-based, and non-prescriptive privacy framework
- Ensuring it is usable as part of any organization’s broader corporate risk management strategy and processes
- Taking advantage of and incorporating existing privacy standards, methodologies, and guidance
- Establishing it as a living document that is updated as technology and approaches to privacy change and as stakeholders learn from implementations
During the Privacy Framework Kickoff, I was pleased to hear questions that were similar to what I heard during the initial CSF Kickoff. There was real tension in the room during the CSF Kickoff—a sense of not knowing how it was going to impact organizations’ cybersecurity-related responsibilities. The same tension was present during the Privacy Framework Kickoff conversations. We are just beginning to try to understand a solution that doesn’t yet exist.
It’s hard to see the result of a Privacy Framework from where we sit today. How can we develop and position a framework like this to be valuable for both U.S. and global businesses? What is intended for this effort? What are potential definition needs? What is harm? What new technology could influence this? How do we position this for the next 25 years of privacy, not just the past five?
We have started down a path that will likely take more than a year to complete. I envision the emerging Privacy Framework as addressing best practices in privacy while being compatible with and supporting an organization’s ability to operate under the various domestic and international legal or regulatory regimes. The Privacy Framework should not be focused on the legal aspects of privacy, but rather on what organizations need to consider in their own privacy programs. This is a journey just begun. From my perspective, the workshop on Oct. 16 was an outstanding start to the development of a consensus-driven Privacy Framework. I look forward to the active discussions and work ahead.