Does Your Small Business Need Privacy Guidance? A New 2-Pager From NIST Can Help

One of the biggest emerging challenges for businesses involves implementing data privacy practices that meet both compliance demands and consumer expectations. This can be especially true for small businesses that lack the resources of enterprise-level organizations.

During the past few years, the Security Industry Association’s (SIA’s) Data Privacy Advisory Board has sought to assist members of the security industry with this issue, in part by partnering with the privacy team at the National Institute of Standards and Technology (NIST).

A little more than a year ago, NIST released its Privacy Framework, which it describes as “a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy.”

While insightful and useful, the 43-page document can also be daunting, particularly for small and medium-sized businesses, given their much smaller workforces and the likely absence of privacy expertise on staff. On Jan. 14, Naomi Lefkowitz, senior privacy policy advisor at NIST, wrote on the institute’s website that she and her colleagues “heard consistently that small and medium businesses would benefit from dedicated resources aimed at simplifying the framework.”

In response, NIST recently published a follow-up document called Getting Started With the NIST Privacy Framework: A Guide for Small and Medium Businesses that distills the essentials of the framework down to two pages. The guide includes three steps, each of which has several short, bulleted recommendations or questions. Some recommendations require a bit of time and research – for example, “Identify the data you are processing” and “Conduct a privacy risk assessment” – while others can be implemented with relatively minimal effort – e.g., “Use security software to protect data” and “Conduct regular backups of data.” Taken together, they provide a checklist for covering the data privacy basics, making a business more likely to be in compliance with current and future regulations and mitigating the risk of liability and reputational harm that can result from privacy breaches or missteps.

The SIA Data Privacy Advisory Board had the opportunity to work directly with NIST to provide feedback on the quick start guide, sharing suggestions for how it would be most beneficial for smaller firms, whether in security or other sectors. The Data Privacy Advisory Board and NIST have teamed up for several other projects in recent months as well, including a June 2020 FindBiometrics.com podcast interview on privacy issues that featured Naomi Lefkowitz and Board Chair Kathleen Carroll, and November’s online “Risk and Exposure” event, during which NIST Privacy Policy Advisor Dylan Gilbert spoke on a panel.

Finally, if you want an even briefer introduction to the NIST Privacy Framework than the two-pager provides, check out this four-minute animated video. And if you would like to help the security technology industry better manage privacy issues, consider joining the SIA Data Privacy Advisory Board.