Scheller College of Business Professor Peter Swire and School of Interactive Computing Professor Annie Antón recently hosted the National Institute of Standards and Technology’s (NIST) second public workshop on its development of the NIST Privacy Framework: An Enterprise Risk Management Tool.
In his keynote address, Professor Swire explained that the proposed NIST Privacy Framework builds on the success of the NIST Cybersecurity Framework, and suggested that the new Privacy Framework will need to engage and speak to both lawyers and engineers in order to be effective. Professor Swire also expanded on his recent article in the Communications of the ACM about how to categorize cybersecurity and privacy tasks, and explained how the proposed NIST approach fits within that broader framework.
The two-day workshop took place in Tech Square at the historic Biltmore, Scheller College of Business, and Tech Square Research Building. Over 200 signed up for the workshop to provide feedback on the draft Framework’s text and references.
The Workshop opened with a half-day plenary session, with a keynote and panels to establish a foundation for breakout groups who could work on improving the current draft. The first panel featured a discussion of NIST’s process and approach in creating its first discussion draft, including NIST’s Chief Cybersecurity Advisor Donna Dodson and Chief of the Applied Cybersecurity Division Kevin Stine. Professor Antón participated in a panel of expert practitioners who discussed the Framework draft, how it can better communicate privacy risks to the stakeholders involved, its scalability, and how it can work in connection with existing organization risk management practices. A separate panel then discussed how the draft Framework fits in the current global privacy landscape, and how it will function in connection with international standards and regimes like the Privacy Shield, the European General Data Protection Regulation, and the Asia-Pacific Economic Cooperation Cross-border Privacy Rules.
Attendees then spent the rest of the conference in breakout sessions where they raised issues about the current draft. NIST officials solicited feedback on the “informative references” to be included in the Framework, and how best those references can meet the needs of engineers as well as the business and legal communities. The sessions also featured specific discussions on privacy risk management considerations and practices, workforce needs, communications needs, making the Framework scalable for small- and medium-sized businesses, and a use-case exercise.
At the conclusion of the conference, NIST indicated they will be making major revisions to the draft of the Framework with a new version to be released in July or August of this year. NIST’s third Privacy Framework Workshop was also announced and will take place at Boise State University in Idaho, July 8-9, 2019.
Georgia Tech Scheller College of Business’s Law and Ethics Program, the Cecil B. Day Program for Business Ethics, and the law firm of Alston & Bird sponsored the accommodations and refreshments for this two-day event.