“For example, you might have an obligation under GDPR [EU’s General Data Protection Regulation] to accept data deletion requests from individuals. The framework is not a prescriptive requirement-based approach, but rather you have to think through the kind of policies and technical capabilities that you might need,” Lefkovitz explains in an interview with Information Security Media Group.
“One of the activities or outcomes that we have is data can be accessed for deletion because if you don’t have the capability to actually go in, find and extract data in your systems, then meeting a legal obligation is just going to be aspirational,” she says.
In this interview (see audio link below image), Lefkovitz also discusses:
- Challenges firms are facing in adopting the framework;
- Why NIST is considering additional guidance for small business;
- Whether the NIST framework represents an industry standard;
- Whether the framework addresses privacy issues with regards to biometrics;