As data privacy regulations spread internationally and nationally, companies can't hide from privacy risk management. If a company didn't fall under the General Data Protection Regulation's scope, it may still likely be regulated by the California Consumer Privacy Act or other potential copycat data privacy laws brewing in state legislatures. 

In an effort to encourage privacy awareness, last week the National Institute of Standards and Technology (NIST) released a privacy framework toolkit for holistically addressing their privacy needs, concerns and goals.

But if you're looking for novel privacy ideas or a framework that will help all companies meet their privacy requirements, lawyers say this document is not it. Instead, NIST joins a chorus of advocates calling for companies to thoroughly understand its collection and storage of personal information.

To be sure, privacy frameworks aren't new, especially given the prevalence of enterprise risk management (ERM) prior to the implementation of the GDPR or CCPA. But NIST's latest privacy framework is another approach to develop or fine-tune a company's privacy policy.

The framework's privacy lead Naomi Lefkovitz described it as "building blocks" to develop privacy, consumer trust and demonstrate how a company is meeting compliance regulations.

Lefkovitz said this framework was needed to encourage a holistic, ongoing approach to privacy, instead of a rigid, linear process that may not fully address all privacy concerns.

"I think we've seen with some of the approaches to privacy is the checklist approach with transparency principles where I put out a privacy notice that it turns out no one reads but I check the box on transparency," she said. "If no one is reading it, what privacy are they gaining? Are they effective solutions?"

To be sure, while the suggested framework isn't necessarily game-changing, it is a welcomed assistance to help companies better understand and mitigate their risk.

"Nothing jumped out to me, what's in there makes sense," said Squire Patton Boggs of counsel and data privacy and cybersecurity practice group member Glenn Brown. He noted the framework's greatest impact will come from how companies leverage the document's suggested approaches. 

"It's more about how you use it as a practical tool to drive forward the company's goal. If you're a privacy professional or frankly a lawyer whose first job isn't privacy but you've been tasked with [handling privacy] and figuring out how can I get to point A to point B, which is full compliance with these laws, responsible use of personal information that helps our brand and that helps us avoid complaints, this tool is a way to help with that."

The 45-page document details a voluntary approach to assist organizations managing privacy risks by taking privacy into account as organizations are designing and deploying products and services; discussing their privacy practices; and encouraging cross-organizational workforce collaboration.

Lawyers noted the framework is useful to encourage companies to ask tough, ongoing questions of the personal information they collect.

The framework's main core functions are identifying, governing, controlling, communicating and protecting privacy risk. Those key functions are broken down into two categories, which are further broken down into four subcategories, which NIST described as discrete outcomes for each function.

While an organization can add or delete functions, categories or subcategories as needed to fit its business needs and risk appetite, Fenwick & West privacy and cybersecurity practice co-chair and partner Jim Koenig said the categories are too vast for most companies or their vendors to keep pace with.

"There's a hundred subcategories across 18 categories across five functions, it's too much for smaller and even maturer companies to follow," he said. Koenig also noted the framework is too vague for companies operating in highly regulated industries.

He pointed to the ID.RA-P2 subcategory for data analytic inputs and outputs being identified and evaluated for bias. Other financial regulations offer specific definitions of what is considered bias, he said. As such, a financial institution's general counsel wouldn't likely feel comfortable adhering solely to NIST's privacy framework to meet compliance regulations. There were other regulatory shortcomings Koenig spotted, too.

"It doesn't fully align with the HIPAA controls and basically if you want to comply, this framework isn't a one size-fits-all, it's a starting place," Koenig said. "[Companies] will have to supplement and add to make sure they are compliant."

Regulatory and legal shortcomings aside, Koenig said the privacy framework is useful.

"I don't think the NIST framework will be used as a universal, all-purpose framework. What it will do is create a framework for privacy and audit programs to know that many of the key practices and requirements are included in a company's privacy program, training and occasional testing."