Learn what NIST is and its main activities in the US.

Summary

Nowadays, every country with a data protection law has its own regulatory authorities and bodies that help society put privacy into practice. In the United States, there is the National Institute of Standards and Technology, also called NIST, a non-regulatory government agency of the Technology Administration under the Department of Commerce.

The agency promotes standards and technologies to make people's lives easier through the use of devices and software, without causing harm to society. When it comes to data protection and privacy, NIST has been very active.

Assistance in minimizing risks.

In May of this year, the agency developed a privacy framework aimed at helping organizations identify and manage risks. Like the ISO 29100 privacy framework that came before it, the NIST privacy framework was designed to provide common terminology for communicating privacy-related activities.

Also like ISO 29100, the framework was designed to be compatible with domestic and international legal and regulatory regimes, such as the GDPR and the CCPA, but it does not include all the requirements of those regimes.

The agency's privacy framework uses the term "Core" to describe a set of privacy activities and outcomes. The Core is composed of three nested levels: Function, Category, and Subcategory.

The concept that a data subject should have the right to access their personal information falls under the Core's Control Function, which describes the activities intended to implement appropriate actions to enable companies or individuals to manage privacy risks. Function is the broadest level of the Core and consists of five recommended functions: Identify, Govern, Control, Communicate, and Protect.

Many guidelines are still not being followed.

Also in May 2021, NIST said it would take stock of the work it had already done and might not even develop new standards, in response to an executive order issued after a series of major breaches of critical infrastructure and federal networks.

“Our preliminary analysis of compliance with the requirements within the executive order will be to identify existing guidance or even specifications within existing guidance that we can call upon and consolidate for use by agencies,” Matthew Scholl, head of the Computer Security Division at NIST’s Information Technology Laboratory, told the Next Gov website. “We want to identify and cite existing work, rather than create new work.”

NIST's entire cybersecurity and privacy portfolio was funded with just $78 million in 2020. One existing challenge for them is that federal agencies are not adopting the guidance already on the books for dealing with software supply chain threats. "We must ensure that agencies prioritize implementing the guidance that already exists and provide the appropriate resources for them to do so," said Scholl.

How it works in Brazil

In Brazil, guidelines regarding data protection, which apply to both the public and private sectors, are the responsibility of the ANPD. The National Data Protection Authority (ANPD) is the body that guides society on compliance with the LGPD (Brazilian General Data Protection Law) and receives complaints from individuals about the misuse of their personal data.
