The National Institute of Standards and Technology hosted the Ready, Set, Update! Privacy Framework 1.1 + Data Governance and Management Profile Workshop. This two-day event brought together over 1,800 private and public sector participants both in person and virtually to solicit feedback on updates to the Privacy Framework version 1.1 and the creation of a robust Data Governance and Management (DGM) Profile. Before the workshop, NIST distributed concept papers on each of the topics, which are open for comment until July 31. 

The Privacy Framework - now four years old - has been an invaluable tool that organizations have used in a variety of ways: as an assessment tool to establish or improve a privacy program, as a communications tool for privacy needs across an organization, and even as a policy blueprint to facilitate updates. As a Team Lead for the Privacy Workforce Public Working Group (PWWG), I was excited to support NIST’s efforts, while connecting with people I have known for years, as well as making new connections and hearing about their experiences with the Privacy Framework and data governance.

Setting the Stage

Kevin Stine, Director of the Information Technology Laboratory at NIST, kicked off the workshop with opening remarks, followed by a fireside chat with Naomi Lefkovitz, Senior Privacy Policy Advisor, Manager for NIST’s Cybersecurity and Privacy Applications Group, and Cameron Kerry, Distinguished Visiting Fellow for Governance Studies at the Center for Technology Innovation at the Brookings Institution. Their discussion on the intersection of privacy, governance, and emerging technologies provided a strong foundation for the event.

The event featured two expert panels to explore key topics related to the Privacy Framework and the DGM Profile. Following these discussions, participants engaged in interactive, hybrid workshops that focused on refining the Privacy Framework 1.1 updates and shaping the DGM Profile. These sessions leveraged the newly released concept papers as guides, encouraging detailed discussions on implementation strategies and practical applications.

Privacy Framework 1.1 Updates

The first panel, Pardon Our Dust: NIST Privacy Framework 1.1 Update, moderated by Dylan Gilbert, Privacy Policy Advisor for NIST’s Privacy Engineering Program, explored the evolution of the Privacy Framework since its inception. Central to the discussion was the proposed alignment with the updated Cybersecurity Framework (CSF) 2.0, particularly with respect to the Protect Function.

Panelists included:

  • Jamie Danker, Senior Director of Cybersecurity and Privacy Services, Venable, LLP
  • Inah Enolva, Data Protection Officer, AlterDomus
  • Nandita Narla, Head of Technical Privacy & Governance, DoorDash

The interactive workshop sessions on the Privacy Framework 1.1 included key topics such as:

  1. Cybersecurity Framework revisions that do not map to analogous PF 1.0 content.
  2. CSF revisions that map to analogous PF 1.0 content.
  3. Other potential updates to increase usability and address current privacy risk management needs.

During the workshop, the flexibility of the Privacy Framework was highlighted, including steps taken by different organizations to recategorize categories and subcategories, or to rename functions and categories, so that the framework aligns with their policies and better meets their organization’s unique needs.

One topic highlighted in the Privacy Framework concept paper weighed whether the "Awareness and Training" category belongs under the "Protect" or "Govern" function. This was particularly interesting for me, as I was a Team Lead for the Privacy Workforce Working Group team that worked on articulating the tasks, knowledge, and skills required to achieve the outcomes for this part of the framework. In my opinion, the Function best supported by this category will likely be determined by the specific awareness and training activities an organization implements.

Another significant discussion point was the potential impact of removing the Protect Function from the Privacy Framework entirely. While some argued that this could reduce administrative burdens, others felt it might undermine the framework’s standalone usability. Given that not every organization uses both frameworks, maintaining a unique privacy perspective within the Protect Function could be beneficial.

Data Governance and Management (DGM) Profile

The second panel, NISTifying Data Governance: Developing a Joint NIST Frameworks Data Governance and Management Profile, moderated by Naomi Lefkovitz, addressed the complexities of creating a unified DGM Profile.

Panelists included:

  • Dana Garbo, Chief Privacy Officer, Medline
  • Ellie Graeden, PhD, Research Professor, Georgetown University
  • John Verdi, Senior Vice President for Policy, Future of Privacy Forum (FPF)

The interactive workshop sessions for the DGM Profile aimed to refine NIST’s proposed approach and to identify both key data governance objectives and key data governance and management activities. Participants generally appreciated the proposed structure, which aligns key activities with data governance objectives such as data quality, data ethics, accountability, and data value. However, some found the structure confusing, feeling it was overly broad and resembled a crosswalk to a new set of principles.

NIST also set a goal for the workshop of gathering insights on the challenges organizations face and the tools they need when implementing robust data governance frameworks. As a privacy professional, I believe that the DGM Profile will be helpful across organizations. The panel highlighted the need to break out of traditional organizational structures and silos to work together more effectively. The DGM Profile will not only benefit privacy and cybersecurity teams but the enterprise as a whole, supporting compliance efforts while potentially unlocking new opportunities for innovation.

Looking Ahead

The Center for Cybersecurity Policy and Law will be monitoring the development of the Privacy Framework 1.1 and the Data Governance and Management Profile. I encourage Center members to reach out directly to me via email by Friday, July 19 to discuss inputs on the future direction of Privacy Framework 1.1, especially regarding alignment with the CSF, or the Data Governance and Management (DGM) profile.

For more information and to access the concept papers, visit the NIST website. You can also engage directly with NIST by signing up for the NIST Privacy Framework Mailing List for updates on all privacy workstreams: PrivacyFramework+subscribe@list.nist.gov.


Ivy Orecchio
