The National Institute of Standards and Technology (NIST) has published the definitive version of its privacy risk management framework, after seeking comment on a draft version of the framework last year.
Version 1.0 of the “NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management” provides a “useful set of privacy protection strategies for organizations that wish to improve their approach to using and protecting personal data,” NIST said.
“The publication also provides clarification about privacy risk management concepts and the relationship between the Privacy Framework and NIST’s Cybersecurity Framework,” the agency explained. The two frameworks are designed to be complementary and to be updated over time, NIST said.
NIST emphasized that the privacy framework is not a law or a regulation, but a “voluntary tool that can help organizations manage privacy risk arising from their products and services, as well as demonstrate compliance with laws that may affect them,” including the California Consumer Privacy Act and the European Union’s General Data Protection Regulation.
“It helps organizations identify the privacy outcomes they want to achieve and then prioritize the actions needed to do so,” NIST said.