NIST Offers A Structure For Easing Privacy Compliance Burdens

Integrating privacy policy requirements with privacy compliance mandates is hard to do at a structural level, down to how data is categorized and stored, which is why NIST (the National Institute of Standards and Technology, within the U.S. Department of Commerce) on Jan. 16 offered enterprises a framework for organizing and prioritizing their privacy risk management work.

NIST's suggested structure centers on three elements: the Core, Profiles and Implementation Tiers.

The core of the report is the NIST Privacy Framework, built from those three elements. In essence, the Core is the catalog of privacy-protection activities and outcomes an enterprise can choose from; a Profile is the subset of those outcomes the enterprise selects, either as a Current Profile (what it is doing now) or a Target Profile (what it wants to be doing); and the Implementation Tiers describe how mature the enterprise's processes and resources for managing privacy risk are. Comparing the Current Profile against the Target Profile is what exposes the gaps the enterprise needs to close.

The framework also details how privacy problems can arise from data processing even where no directly identifying data is held, and how such data can find its way into an enterprise's systems.

“In an increasingly connected world, some problems can arise simply from individuals’ interactions with systems, products, and services, even when the data being processed is not directly linked to identifiable individuals. For example, smart cities technologies could be used to alter or influence people’s behavior such as where or how they move through the city,” the report noted. “Problems also can arise where there is a loss of confidentiality, integrity, or availability at some point in the data processing, such as data theft by external attackers or the unauthorized access or use of data by employees.”

Another area explored is how a Profile can be used to evaluate the privacy implications of off-the-shelf IT products and services before they are purchased.

“Since either a Current or Target Profile can be used to generate a prioritized list of privacy requirements, these Profiles can also be used to inform decisions about buying products and services. By first selecting outcomes that are relevant to its privacy goals, an organization then can evaluate partners’ systems, products, or services against this outcome. For example, if a device is being purchased for environmental monitoring of a forest, manageability may be important to support capabilities for minimizing the processing of data about people using the forest and should drive a manufacturer evaluation against applicable Subcategories in the Core (e.g., CT.DP-P4: system or device configurations permit selective collection or disclosure of data elements),” NIST penned. “In circumstances where it may not be possible to impose a set of privacy requirements on the supplier, the objective should be to make the best buying decision among multiple suppliers, given a carefully determined list of privacy requirements. Often, this means some degree of trade-off, comparing multiple products or services with known gaps to the Profile. If the system, product, or service purchased did not meet all of the objectives described in the Profile, an organization could address the residual risk through mitigation measures or other management actions.”

The report summarizes the three elements of the structure this way: “The Core enables a dialogue—from the executive level to the implementation/operations level—about important privacy protection activities and desired outcomes. Profiles enable the prioritization of the outcomes and activities that best meet organizational privacy values, mission or business needs, and risks. Implementation Tiers support decision-making and communication about the sufficiency of organizational processes and resources to manage privacy risk.”

NIST is a highly respected organization within enterprise compliance circles. Its earlier Cybersecurity Framework, for example, has been adopted by JP Morgan Chase, Microsoft, Boeing, Intel, the Bank of England, Nippon Telegraph and Telephone Corporation, and the Ontario Energy Board, according to NIST.

“We know that a lot of current clients, as well as other enterprises we talk with, struggle with fully integrating the latest privacy compliance requirements into their existing compliance programs. Especially for U.S. enterprises – enterprise privacy perspectives are very different in parts of Europe and Canada, for example – a serious approach to privacy forces CISOs and other executives to fully change their thinking about data,” said Jerald Carter, an Edgile Director. “As the NIST report notes, privacy can sneak into data in some very insidious ways. The obvious places where privacy implications lurk, such as payment card histories, a dating site profile or biometric authentication logs, are easy to deal with, but it’s the unexpected places where privacy data can be found where things get tricky.”

Although this federal document won’t eliminate most privacy compliance burdens, it may ease them a little by suggesting a more efficient way to structure and prioritize the work.