July 8, 2020

Volume X, Number 190

July 08, 2020

Subscribe to Latest Legal News and Analysis

July 07, 2020

Subscribe to Latest Legal News and Analysis

July 06, 2020

Subscribe to Latest Legal News and Analysis

Final Draft of NIST Privacy Framework Released

NIST recently released a final version of its Privacy Framework to incorporate public feedback in response to the draft it issued late last year. For organizations familiar with the NIST Cybersecurity Framework first released in 2014, the privacy framework follows a similar structure and it is intended to be used together.

The document details a voluntary approach to assist organizations managing privacy risks. Like the NIST Cybersecurity Framework, the Privacy Framework calls for a risk-based approach to protecting privacy information. The Privacy Framework includes three sections – the Core, Profiles, and Implementation Tiers. The Core is a set of privacy protection activities and outcomes divided into key categories and subcategories with discrete outcomes. A Profile represents an organization’s current privacy activities or desired outcomes. Implementation Tiers provide a point of reference on how an organization views privacy risk and whether it has sufficient processes and resources in place to manage that risk. Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk informed.

Putting it into practice: The NIST framework may help companies as they benchmark and work to identify potential gaps in compliance with privacy laws. It should not be viewed as a one-size fits all approach – particularly for companies in regulated industries or subject to numerous privacy laws. Although the framework doesn’t necessarily introduce significantly new concepts, we anticipate that companies could begin to see some business partners asking whether they adhere to or are familiar with this framework.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume X, Number 56


About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...