On September 4, 2018, the National Institute of Standards and Technology (NIST) announced that it would begin a collaborative process to develop a new Privacy Framework. Modeled on the agency’s Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”) and its development process, NIST intends to create a voluntary Privacy Framework that other organizations can adopt to help manage privacy risk.

NIST is a non-regulatory agency that is part of the U.S. Department of Commerce and is responsible for researching and setting scientific and technological standards and measures. In keeping with its non-regulatory mission, the Privacy Framework will be a completely voluntary standard. The goal of the Framework is to provide an “enterprise risk management tool” for organizations to manage privacy risk.

According to NIST’s Senior Privacy Policy Advisor, Naomi Lefkovitz, “NIST’s goal is to develop a framework that will bridge the gaps between privacy professionals and senior executives so that organizations can respond effectively to these challenges without stifling innovation.” The Privacy Framework will comprise a catalog of privacy outcomes—instead of one set of prescriptive requirements—so that it can be adapted to all types of organizations, technologies, and uses. NIST intends the Framework to be scalable to organizations of all sizes, in any industry, and to be platform- and technology-agnostic.

In 2014, at the order of then-President Obama, NIST developed a Cybersecurity Framework, a set of optional standards, guidelines, and best practices for managing cybersecurity at the organizational level. NIST developed this Cybersecurity Framework in collaboration with the private sector and federal agencies. In announcing the Privacy Framework, NIST noted that “[g]ood cybersecurity practices are central to managing privacy risk but are not sufficient,” and it expects the Privacy Framework to complement the Cybersecurity Framework. The Privacy Framework will follow a collaborative development process similar to that of the Cybersecurity Framework. This process includes convenings over the coming year with industry and civil society groups; academia; federal, state, and local agencies; foreign governments and agencies; and standards organizations.

As part of the September 4 announcement, NIST also announced that the first in a series of public workshops will be held on Tuesday, October 16, 2018, as part of the International Association of Privacy Professionals’ Privacy, Security, Risk 2018 conference. The goal of this half-day workshop will be to begin collecting input from stakeholders and start creating an annotated outline of the Privacy Framework. NIST will publish pre-read materials prior to this first workshop. NIST also plans to hold a live Q&A webinar in November 2018. No other meetings or dates have been announced.

The current development schedule for the Privacy Framework is available here, and a detailed fact sheet from NIST is available here.