To protect privacy, you must act securely. Here at RSA, lots of companies are thinking of better ways to do both. But with the arrival of the General Data Protection Regulation (GDPR) and related initiatives like the California Consumer Privacy Act (CCPA) and the new National Institute of Standards and Technology (NIST) privacy framework, many companies aren’t even sure exactly what they need to protect, or in which context.
For example, not all information is personal and not all personal information is private. So what is considered private information? There’s no consensus across all standards. Still, here’s an overview from fellow researchers to help you navigate the waters.
GDPR has driven growth in privacy legislation, as explained by our own Stephen Cobb: “GDPR established uniform rules and standards for the protection of personal data pertaining to all residents of the EU, but it is also shaping data privacy policy beyond Europe; in other words, whatever your business, and regardless of where your customers live, it will increasingly be true that failure to make a good faith effort to protect personal information on your systems will expose your organization to regulatory risk and potential legal complications.”
Sweeping privacy legislation is not just a European thing anymore. California seems to be taking the lead in the US, with CCPA. How will it work within the larger federal law framework here in the US? Our own Lysa Myers has some thoughts: “Right now it remains to be seen if this will be the beginning of a patchwork of state laws similar to what came about regarding breach notification, or if it will inspire a cohesive federal standard. Critics discussing proposed legislation in other states are already citing the need and desire for a nationwide standard. Everyone participating in these debates seems to understand the importance of strenuously maintaining privacy, but we’ve learned a lot from the lessons of previous state-by-state protection efforts.”
In short, CCPA means that if your business is collecting and/or processing personal information about Californians, you will need to accommodate their rights to: know what personal information you have collected, acquired, or derived about them; access, transfer, or delete personal information that you have about them; be notified if their personal information is sold or disclosed by your business; forbid the sale of their personal information by your business; and receive equal service and price from you, even if they exercise their privacy rights. And this applies even if your business isn’t located in California.
But wait, there is more. I attended the session at RSA 2019 about the NIST privacy framework – conceived as a risk management approach, not a prescriptive standard. This effort is now being ramped up and is in draft form as of this writing. I’m encouraged by the widespread distribution and adoption of the NIST cybersecurity framework, a voluntary set of standard practices packaged as a tool that small businesses with very limited security budgets, if any at all, can put to use. And while security and privacy are different, this NIST privacy framework is aspirationally aligned with the cybersecurity framework (which is not a prerequisite for using it), borrowing similar language and a loosely similar structure. Hopefully this new framework will take on some of the heavy lifting for companies that are struggling with data privacy, potentially serving as a template.
But making a privacy framework compatible with a patchwork of local and national laws is a huge issue. Additionally, it will need to be interoperable with global privacy laws and regulations, so there is a lot of work to do. Navigating the different roles of personal versus organizational approaches to privacy is by itself a nuanced conversation, and tricky to accommodate within a framework.
NIST hopes to create an agile framework with attributes like: common, accessible language that even your grandparents could understand; adaptability to organizations of all sizes, working within the context of existing and future laws; and the ability to evolve over time with the needs of different organizations. In the end they’re trying to develop a risk management framework that’s simple, but effective. No pressure.
In a somewhat parallel effort, NTIA – the National Telecommunications and Information Administration – is taking a look at global privacy initiatives and attempting to stand up a national policy, so we haven’t seen the end of the privacy topic: this is only just the beginning.
Want to chime in? NIST has a workshop coming up at Georgia Tech, or you can keep up with them @NISTcyber #PrivacyFramework.