Bloomberg Law

ANALYSIS: Privacy Frameworks Must Adapt in Times of Turmoil

May 11, 2020, 9:13 AM

Privacy frameworks must be flexible and adaptable to address whatever is disrupting operations, including global pandemics. Take, for example, the latest framework proposed by the National Institute of Standards and Technology (NIST). Even though “pandemic preparedness” is not specifically mentioned in NIST’s Privacy Framework Version 1.0, the framework is versatile enough to let companies factor Covid-19 into their risk assessments and identify gaps that ought to be filled.

Released in January, the NIST Privacy Framework is the newest framework available to privacy professionals. Inasmuch as its debut coincided with the spread of the novel coronavirus, the unanticipated impact of the virus makes a good test case for the utility of the tool.

To its credit, the NIST Privacy Framework is agnostic to legal regimes. It can be used to assess the impact of the GDPR, the CCPA, the LGPD, or any number of laws. More importantly, however, it can also be used to gauge the impact of external events—like the new coronavirus—on privacy compliance measures.

The Privacy Framework is an offshoot of NIST’s popular Cybersecurity Framework, first issued in 2014. While cybersecurity is certainly an important part of privacy risk management, privacy risks can arise from events (like Covid-19) unrelated to cybersecurity incidents. Hence the need for a privacy-specific framework.

Who could have foreseen a pandemic as a privacy risk? Who would have predicted the impact of international travel? Who should have anticipated an entirely remote workforce?

Rather than perseverating on “coulda, woulda, shoulda,” organizations that have a flexible framework in place can use that flexibility to assess newly identified risk factors.

Privacy Risk Management

Like the Cybersecurity Framework, NIST’s Privacy Framework comprises three parts—Core, Profiles, and Implementation Tiers—each of which strives to reinforce risk management. The Privacy Framework’s Core provides a granular set of activities and outcomes to enable a discussion about privacy-related issues. The Profiles represent an organization’s current practices or desired outcomes. And the Tiers assess the level of sophistication associated with the processes and resources in place to manage risks.

At the heart of the Core are five foundational “Functions,” which the framework labels Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P. The Govern-P function in particular focuses on establishing enterprise-level privacy values and policies.

The establishment of privacy values is a crucial first step, for without them, an organization cannot assess the privacy impact of potential changes to business practices. If an organization, for example, has already accounted for employee data in its privacy mission statement, it already recognizes the value of protecting the privacy of its workforce and has implemented internal measures in recognition of that principle.

If, however, that company’s measures address only the collection of HR-related data and not potential actions that would pertain to a pandemic—such as the collection of body-temperature readings or personal travel histories—a good framework will nevertheless permit a reassessment and identify any gaps.

Under NIST’s Privacy Framework, risks associated with unanticipated, newly identified data sets can be folded into the organization’s existing risk-assessment process, which provides a means for reevaluating policies in light of changing circumstances. The Privacy Framework expects an ongoing review of the organization’s privacy posture, so a proposal to take employees’ temperatures, for example, would go through a predetermined process to produce an informed risk assessment.

The Privacy Framework prompts questions such as:

—Does the current policy address the proposed action?

—What legal obligations arise in this context?

—Could the proposed action cause an adverse effect for individuals’ privacy?

—Are there procedures in place for responding to complaints and concerns?

Of course, NIST’s Privacy Framework is also designed for organizations that don’t yet have a formal privacy program in place. Indeed, in NIST’s words, the Framework is “intended to help organizations build better privacy foundations by bringing privacy risk into parity with their broader enterprise risk portfolio.”

So whether your organization already has a program in place or is just starting out, NIST’s Privacy Framework may be worth a closer look as you navigate compliance through the current pandemic and toward the next unknown.
