NIST Privacy Framework
NIST released version 1.0 of the Privacy Framework in January 2020. Its structure is modeled on the NIST Cybersecurity Framework, and it is intended as a tool for improving privacy through enterprise risk management.
It especially helps organizations navigate through a complex privacy environment while staying focused on maintaining the trust of their consumers. “Organizations choose the NIST Privacy Framework because it complements their existing cybersecurity framework and provides a privacy maturity scale and crosswalk to other privacy laws and regulations,” said Grant Thornton Privacy and Data Protection Senior Associate Gabrielle Eberhardt.
The NIST Privacy Framework does not target any specific privacy law or regulation; instead it establishes a baseline that organizations can adapt to their own privacy goals. Like the Cybersecurity Framework, it is organized into a Core (five functions, Identify-P, Govern-P, Control-P, Communicate-P and Protect-P, broken down into categories and subcategories of outcomes), Profiles that describe an organization's current and target outcomes, and Implementation Tiers that characterize how rigorously privacy risk is managed. It provides high-level guidance across privacy domains including inventory and mapping, processing of personal data, data subject rights, controllers and processors, data protection officers, employee data privacy, independent supervisory authorities, breach notification, and training and awareness. Organizations can use the framework, together with a privacy maturity model, to manage privacy risk and to support compliance with several privacy laws at once. One caveat: NIST states that the Tiers are not maturity levels, so any maturity scale layered on the framework is the organization's or its assessor's own construct rather than part of the framework itself.
ISO/IEC 27701 and 27018
The first edition of ISO/IEC 27701, published in August 2019, extends ISO/IEC 27001 and ISO/IEC 27002 with requirements and guidance for a Privacy Information Management System (PIMS), and it was the first privacy management standard against which organizations could be certified to gain broad adoption. Because it is an extension rather than a stand-alone standard, certification to ISO/IEC 27701 is tied to an ISO/IEC 27001 certification of the same management system. The standard provides guidance for protecting personal data on an ongoing, evolving basis and establishes accountability and guidance for both controllers and processors running privacy programs in any environment.
While any type of organization can use ISO/IEC 27701, the standard was developed with the European Union's General Data Protection Regulation (GDPR), enforceable since May 2018, in mind. It includes detailed operational privacy guidance and an annex mapping its controls to GDPR articles.