
The National Institute of Standards and Technology (NIST) Privacy Framework was developed through a collaborative process involving privacy professionals, industry stakeholders, the public, and the US government. It’s technically rigorous, applies to a wide range of industries and organisations, and is one of the most widely recognised and adopted privacy frameworks that exist today. In this post, we’ll first outline some of the key elements of the NIST Privacy Framework and then detail some tips for implementation in your organisation.
“The Privacy Framework is a voluntary tool intended to help organizations identify and manage privacy risk to build beneficial products and services while protecting individuals’ privacy.”
NIST is a non-regulatory agency of the US Department of Commerce. It first published the Cybersecurity Framework (CSF) to help organisations improve their cybersecurity posture. Following the relatively successful launch of the CSF, NIST released the Privacy Framework to help organisations manage privacy risks.
In brief, the Privacy Framework aims to help organisations answer the question: “How are we considering the privacy impacts to individuals as we develop our systems, products, and services?”
The main concepts in the NIST Privacy Framework are Core, Profiles, and Implementation Tiers.
The Core concept outlines five privacy protection functions to help align the executive level and implementation/operational levels. The five functions are:
Each of these functions is divided into categories and subcategories, which are beyond the scope of this article. You can find them here.
Profiles are the current privacy activities or desired outcomes at an organisation.
Implementation Tiers provide a point of reference or benchmark for organisations looking to gauge their privacy program effectiveness.
You need to have a complete picture of where your current privacy program is to determine where you want to be. To align with the NIST Privacy Framework, your assessment should focus on inventory and mapping, the business environment, risk assessment, and data processing ecosystem risk management.
To make this assessment, you should ask and answer (amongst other things):
You can find a more complete list of questions to ask at this stage in the NIST’s Getting Started resource.
The Implementation Tiers in Appendix E of the Privacy Framework provide a helpful outline of what privacy maturity looks like, from first adoption through to the implementation of a robust program. We find it a useful resource for organisations to realistically assess where they currently stand and which priorities could help move them forward.
The economic reality is that most organisations don’t have the resources needed to eliminate every privacy risk. So, when you’ve completed your assessment of your current reality and determined where you’d like to be in the future, it’s helpful to set priorities for your target outcomes and create an action plan.
Creating priorities helps to strategically use existing (and typically limited) resources to focus on the largest or most significant risk areas and/or your organisation’s biggest opportunities for improvement (making space for you to use privacy as a competitive advantage).
The NIST Privacy Framework is designed to weave privacy considerations into an organisation’s existing practices, processes, and tools. It is deliberately industry- and size-agnostic, and it is intended to be extremely flexible.
So, when you’re implementing the NIST Privacy Framework, you should be looking for opportunities to integrate it into your existing operations. It shouldn’t require you to reinvent the wheel at every stage.
You will also need to ensure your team has either the right capabilities or adequate resources to outsource elements of the NIST Privacy Framework implementation. Again, an action plan for implementation is helpful in managing your resources because you won’t need all the privacy capabilities all the time.
For organisations looking to engage someone to implement the NIST Privacy Framework, consider a privacy professional with a CIPM certification. The IAPP has laid out how the skills from this privacy certification align with the NIST Privacy Framework. Helpfully, it has also shown the gaps where you may need more resources.
NIST recently released a public draft of the NIST CSF 2.0. It includes an interesting section on the interplay and overlap between cybersecurity and privacy functions within an organisation.
Briefly, it highlighted:

Source: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.ipd.pdf
To further your understanding of the NIST Privacy Framework, we recommend these resources:
Roadmap for Advancing the NIST Privacy Framework
A Hypothetical Use Case for the NIST Privacy Framework
Our privacy management programs empower organisations to champion privacy through policies and processes, education, awareness, and accountability.
We developed a series of questionnaires and templates to help organisations build privacy programs. These resources incorporate guidance on privacy management and privacy programs from a range of different sources, including:
Our team uses these resources to review your current privacy program, determine maturity levels, find gaps and develop a practical roadmap for improving the maturity of your privacy program.