NIST Privacy Framework: The Implementation Challenges

Although the National Institute of Standards and Technology’s new privacy framework, which was released Jan. 16, is agnostic toward any particular privacy law, “it gives organizations building blocks to help them meet any obligations under any particular law or jurisdiction that they’re subject to,” says Naomi Lefkovitz, a senior privacy policy adviser and program manager for privacy engineering at NIST.

“For example, you might have an obligation under GDPR [EU’s General Data Protection Regulation] to accept data deletion requests from individuals. The framework is not a prescriptive requirement-based approach, but rather you have to think through the kind of policies and technical capabilities that you might need,” Lefkovitz explains in an interview with Information Security Media Group.

“One of the activities or outcomes that we have is data can be accessed for deletion because if you don’t have the capability to actually go in, find and extract data in your systems, then meeting a legal obligation is just going to be aspirational,” she says.


Continue reading at | #nist

Next Article