Confirmation Bias in the Privacy Profession: Common Misreading of the NIST Privacy Framework

Tuesday, September 12, 2023 - 4:30 pm to 4:45 pm

Nandita Rao Narla, DoorDash; R. Jason Cronk, Institute of Operational Privacy Design

Abstract: 

Confirmation bias is a cognitive bias whereby people consume information in a way that reinforces their previously held beliefs. Many users and implementers of the NIST Privacy Framework do just that, diverting their attention away from many of the important and central concepts in the framework. Like the Cybersecurity Framework, the Privacy Framework embodies a risk-based approach, but many privacy professionals are more familiar with principle-based privacy whose primary goal is legal and regulatory compliance. Relying on these mental models can lead to challenges and conflicting interpretations of NIST Privacy Framework concepts and terminology, much of which is unique to the framework and not found elsewhere in the professional literature. This presentation will highlight some of the common misconceptions and antipatterns related to the use of the NIST Privacy Framework, drawn from real-life case studies and implementation experience across industries.

BibTeX
@conference {290833,
author = {Nandita Rao Narla and R. Jason Cronk},
title = {Confirmation Bias in the Privacy Profession: Common Misreading of the {NIST} Privacy Framework},
year = {2023},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = sep
}
