Keeping pace with digital trends requires a careful balance between leveraging the potential of personal data and protecting individual privacy. Acknowledging this, the National Institute of Standards and Technology (NIST) has released a draft revision of the NIST Privacy Framework 1.0. This collaborative, voluntary resource is intended to help organizations manage privacy risks and uphold individual privacy rights. The updated version, Privacy Framework 1.1, is designed to help organizations manage privacy risks while supporting innovation and protecting personal information. One of the major changes in the draft is its closer alignment with the recently updated Cybersecurity Framework (CSF) 2.0. This alignment allows organizations already using the CSF to integrate privacy risk management into their existing practices more seamlessly.
Like the Cybersecurity Framework, the Privacy Framework is composed of three components: Core, Organizational Profiles, and Tiers. Each component reinforces privacy risk management through the connection between business and mission drivers, organizational roles and responsibilities, and privacy protection activities.
The Core provides an increasingly granular set of activities and outcomes that enables a dialogue about managing privacy risk. At its top level are five Functions: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P. These Functions help organizations structure their privacy programs and prioritize their efforts. Organizational Profiles allow businesses to assess their current privacy posture and set target goals for improvement based on their unique mission and risk environment. The Tiers, on the other hand, give organizations a way to describe the maturity and sophistication of their privacy risk management processes, from Tier 1 (Partial) to Tier 4 (Adaptive). Altogether, the framework promotes building privacy into products and services from the outset ("privacy by design"), encourages greater transparency about privacy practices, and fosters stronger collaboration across functions such as legal, IT, and executive leadership. It offers a flexible, common language that any organization, regardless of size or sector, can use to manage privacy risks thoughtfully and responsibly.
NIST Privacy Framework 1.1 is a voluntary tool, intended to be widely usable by organizations of all sizes, and agnostic to any specific technology, sector, law, or jurisdiction. Using a common approach—adaptable to any organization’s role(s) in the data processing ecosystem—the Privacy Framework’s purpose is to help organizations manage privacy risks by:
- Taking privacy into account as they design and deploy systems, products, and services that affect individuals;
- Facilitating communication about their privacy practices; and
- Encouraging cross-organizational workforce collaboration—for example, among executives, legal, and information technology (IT)—through the development of Profiles, selection of Tiers, and achievement of outcomes.
What’s new in the 2025 update?
- Targeted revisions and restructuring of the Core: Targeted changes realign the Core with the structure of CSF 2.0, making the framework simpler and more intuitive, particularly in the Govern-P and Protect-P Functions.
- AI and privacy risk management: A new section (1.2.2) addresses the emerging privacy risks associated with artificial intelligence technologies, an area of growing concern given the rapid adoption of AI tools such as chatbots and generative models.
- Streamlined guidance: Guidance that was previously embedded in the main document has been moved to an interactive FAQ section on the NIST Privacy Framework website. This change declutters the core document and allows NIST to provide more timely updates and real-world examples as the landscape evolves.
NIST is currently inviting public feedback via privacyframework@nist.gov until June 13, 2025. A template for submitting comments can be found at the NIST Privacy Framework website. Following the comment period, NIST will consider additional changes and release a final version later this calendar year.
If your organization needs support in balancing data use and privacy, visit www.tsaaro.com
News of the week
1. Legends International Reports Major Data Breach
Legends International, a global provider of services to sports and entertainment venues, confirmed a significant data breach following a cyberattack identified in November 2024. Unauthorized access led to the exfiltration of sensitive company files, potentially including personal details of former employees and venue visitors. The company is offering 24 months of complimentary identity theft protection through Experian to those affected and advises monitoring of credit reports and financial accounts.
2. DPC Launches Inquiry into X Internet Unlimited Company
Ireland's Data Protection Commission (DPC) has launched an inquiry into X Internet Unlimited Company. The investigation will examine how X used posts from people in Europe when training its artificial intelligence (AI) systems. The DPC will focus on whether personal data was processed lawfully and transparently under GDPR rules. It will also examine whether users were properly informed about how their information would be used.
3. Shopify Faces Data Privacy Lawsuit in U.S.
The U.S. Court of Appeals for the Ninth Circuit has revived a privacy lawsuit against Shopify, allowing the claims to proceed in California. The case centers on accusations that Shopify failed to obtain adequate consent from users before collecting their data and improperly used tracking cookies. While Shopify contended that its nationwide operations meant it was not specifically targeting California residents, the court found sufficient connections to the state for the lawsuit to advance.