U.S. State Privacy Laws vs NIST Privacy Framework

The National Institute of Standards and Technology (NIST) Privacy Framework is a free online tool that organizations can use to measure privacy risk while protecting individuals’ privacy. The framework was created in 2020 in collaboration with both private and public sector stakeholders and is designed to be agnostic to any technology, sector, law, or jurisdiction. It divides its requirements into five functions: Identify, Govern, Control, Communicate, and Protect.

While this framework is becoming more popular with businesses and consultants for assessing the effectiveness of a privacy program, US state comprehensive privacy laws have continued to evolve since 2020. Twenty US states have now passed privacy laws. How does the framework hold up against the newest state laws?

Shared requirements

Compliance with either the NIST Privacy Framework or US state comprehensive privacy laws will accomplish the following.

Risk management

Most of the US state comprehensive laws require organizations to conduct privacy impact assessments, which must weigh the potential benefits of processing personal information against the potential risks to the rights of the consumer and provide mitigations for identified risks.

The NIST framework addresses the identification and management of privacy risk in the Identify, Govern, and Control functions. These cover activities such as identifying potentially problematic data actions, implementing risk responses, and tracking identified risks.

Individual participation

US state privacy laws grant data subjects the following rights over the processing of their personal information: to confirm whether it is being processed, to access it, to correct it, to delete it, to obtain a copy of it, to object to certain processing of it, and to obtain a list of the third parties receiving it. Data subjects must also be able to consent to the processing of their personal information before it begins and to withdraw their consent at any time.

In less specific terms, compliance with the NIST framework ensures that data elements can be accessed for review, disclosure, alteration, and deletion. As long as these operations are possible, the organization can fulfill data subject requests as it receives them. The framework also requires that mechanisms be in place for enabling individuals’ data processing preferences and requests, which could cover their consent to processing and their requests for access to and correction of their personal information.

Privacy notice

US state laws establish information that must be given to data subjects via a public privacy notice, including things such as the categories of information to be collected or processed, the purposes of processing, the data subject’s rights, and the categories of third parties with whom the data may be shared or sold.

NIST requires that the organization have procedures in place for communicating data processing purposes, practices, and associated privacy risks, which a public-facing privacy notice would satisfy. Other requirements help an organization assemble the information a privacy notice must contain: a data inventory keeps track of the types of data processed, the systems that process data, the types of data subjects, the purposes of processing, and the third parties with whom the data is shared.

Data destruction

The state laws of Minnesota and Florida require that personal information be retained only as long as it is reasonably necessary for the processing purposes and, once the processing is complete, be destroyed or otherwise deleted. The NIST framework contains a requirement that data be destroyed according to policy.

Training

California’s Privacy Rights Act specifies that the organization must train all employees who handle consumer inquiries regarding personal information and privacy. The framework checks whether the workforce, senior executives, and privacy personnel are informed and trained on their roles and responsibilities to perform privacy-related duties.

Incident response

Several US state laws require that the organization provide notification to affected individuals of security breaches. The NIST framework includes requirements for incident response policies and recovery procedures to be in place, impacted individuals to be notified of privacy breaches or events, and lessons learned to be incorporated following problematic data actions.

Main differences

Because the NIST framework is designed to be independent of any law or jurisdiction, while the state laws are written by legal professionals, there are plenty of areas where NIST and the US state laws do not overlap. For example, US state laws require specific language in contracts between data controllers and data processors. The NIST framework, for its part, requires that specific security elements be in place, including access controls, tokenization, selective collection or disclosure of personal information, encryption, and maintenance of assets, none of which are named in any US state privacy law but which may appear in state data security laws.


Privacy Ref can help your organization assess compliance with both or either of these frameworks depending on your needs. Reach out to info@privacyref.com with requests.