NIST's popular Cybersecurity Framework has a new companion.

The National Institute of Standards and Technology (NIST) - an arm of the U.S. Department of Commerce - last week issued new Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy (.PDF) through Enterprise Risk Management, new guidance designed to help organizations better manage privacy risk.

The document is designed to complement NIST's Cybersecurity Framework by offering tips for using and protecting personal data.

The 43-page document was borne from a draft privacy framework NIST circulated last September. It sought public comments on the document until October 24; Version 1.0 was actually expected before the end of 2019 but apparently needed a few extra weeks to finalize.

The Framework takes into account the relationship that exists between privacy risk and organizational risk and outlines five functions for organizations to manage privacy risks around data processing: Identify, govern, control, communicate, and protect.

• Identify-P - Develop the organizational understanding to manage privacy risk for individuals
• Govern-P – Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.
• Control-P - Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
• Communicate-P - Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.
• Protect- Develop and implement appropriate data processing safeguards

NIST released its landmark Cybersecurity Framework, a set of best practices, standards, and recommendations to help organizations across all infrastructure sectors, like government, healthcare, and financial services, improve their cybersecurity measures, in 2014. The Framework, which is periodically updated, is a collaborative effort, involving input from government, industry, and academic experts.

With the recent passage of domestic legislation like the California Consumer Privacy Act and the New York SHIELD Act, which amended the state's data breach notification law and data protection requirements last summer, the still relevant General Data Protection Regulation (GDPR) in the EU, the guidance should be welcomed by privacy stakeholders looking to achieve compliance.

It will be interesting to see if the Privacy Framework becomes as widely embraced as the Cybersecurity Framework over time. While the latter was developed for voluntary use in the private sector, it eventually became mandatory for U.S. federal agencies after a 2017 Presidential Executive Order directed agency heads to immediately follow NIST’s guidance.