NIST Privacy Framework – 5 Tips for Implementation

Published at 09:36 on 15 Sep 2023

The National Institute of Standards and Technology (NIST) Privacy Framework was developed through a collaborative process involving privacy professionals, industry stakeholders, the public, and the US government. It’s technically rigorous, applies to a wide range of industries and organisations, and is one of the most widely recognised and adopted privacy frameworks that exist today. In this post, we’ll first outline some of the key elements of the NIST Privacy Framework and then detail some tips for implementation in your organisation. 

What is the NIST Privacy Framework?  

The Privacy Framework is a voluntary tool intended to help organizations identify and manage privacy risk to build beneficial products and services while protecting individuals’ privacy.” 

NIST is a non-regulatory agency of the US Department of Commerce. It first published the Cybersecurity Framework (CSF) to help organisations improve their cybersecurity posture. Following the relatively successful launch of the CSF, NIST released the Privacy Framework to help organisations manage privacy risks.  

In brief, the Privacy Framework aims to help organizations answer the question “How are we considering the privacy impacts to individuals as we develop our systems, products, and services?”.  

NIST Privacy Framework: Core Concepts 

The main concepts in the NIST Privacy Framework are Core, Profiles, and Implementation Tiers.  

Core 

The Core concept outlines five privacy protection functions to help align the executive level and implementation/operational levels. The five functions are: 

  1. Identify  
  2. Govern  
  3. Control
  4. Communicate 
  5. Protect. 

Each of these functions is divided into categories and subcategories, which are beyond the scope of this article. You can find them here.  

Profiles 

Profiles are the current privacy activities or desired outcomes at an organisation.  

Implementation Tiers 

Implementation Tiers provide a point of reference or benchmark for organisations looking to gauge their privacy program effectiveness.  

5 Tips to Implement the NIST Privacy Framework 

Start With an Assessment of Your Current Privacy Program 

You need to have a complete picture of where your current privacy program is to determine where you want to be. To align with the NIST Privacy Framework, your assessment should focus on inventory and mapping, the business environment, risk assessment, and data processing ecosystem risk management.  

To make this assessment, you should ask and answer (amongst other things):  

  • Do you have an inventory of the data collection points and data collected and stored?  
  • Have you mapped your data flows? 
  • Have you previously conducted privacy impact assessments? If so, are you now completing them at appropriate intervals? 
  • Do you have a documented third-party risk assessment process? If so, what is your process for evaluating the risk of new vendors and how regularly do you reassess existing vendors?  

You can find a more complete list of questions to ask at this stage in the NIST’s Getting Started resource. 

Use the Implementation Tiers to Guide Your Priorities 

The Implementation Tiers in Appendix E of the Privacy Framework provide a helpful outline of what privacy maturity looks like from first adoption through to the implementation of a robust program. We find that it’s a useful resource for organisations to use to realistically assess where they’re currently at and what priorities could help move them forward.  

Prioritize Your Target Outcomes and Create an Action Plan 

The economic reality is that most organisations don’t have the resources needed to eliminate every privacy risk. So, when you’ve completed your assessment of your current reality and determined where you’d like to be in the future, it’s helpful to set priorities for your target outcomes and create an action plan.  

Creating priorities helps to strategically use existing (and typically limited) resources to focus on the largest or most significant risk areas and/or your organisation’s biggest opportunities for improvement (making space for you to use privacy as a competitive advantage).  

Analyse Where the NIST Privacy Framework Fits into Your Existing Infrastructure and Operations 

The NIST Privacy Framework is designed to weave privacy considerations into an organisation’s existing practices, processes, and tools. It is industry and size-agnostic on purpose – and it is intended to be extremely flexible.  

So, when you’re implementing the NIST Privacy Framework, you should be looking for opportunities to integrate it into your existing operations. It shouldn’t require you to reinvent the wheel at every stage.  

Ensure Your Team Has The Right Capabilities 

You will also need to ensure your team has either the right capabilities or adequate resources to outsource elements of the NIST Privacy Framework implementation. Again, an action plan for implementation is helpful in managing your resources because you won’t need all the privacy capabilities all the time.  

For organisations looking to source someone to implement the NIST Framework, consider a privacy professional with a CIPM certification. The IAPP has laid out how the skills from this privacy certification align with the NIST Privacy Framework. Helpfully, it has also shown gaps where you may need more resources.  

A Note About NIST Cybersecurity Framework 2.0 

The NIST recently released a public draft of the NIST CSF 2.0. It had an interesting section about the interplay and overlap between cybersecurity and privacy functions within an organisation.  

Briefly, it highlighted:  

Source: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.ipd.pdf  

Further Resources 

To further your understanding of the NIST Privacy Framework, we recommend these resources:  

Roadmap for Advancing the NIST Privacy Framework 

A Hypothetical Use Case for the NIST Privacy Framework 

Managing Your Privacy Risk with Privacy 108 

Our privacy management programs empower organisations to champion privacy through policies and processes, education, awareness, and accountability. 

We developed a series of questionnaires and templates to help organisations in building privacy programs. These resources incorporate guidance on privacy management and privacy program from a range of different sources including: 

Our team uses these resources to review your current privacy program, determine maturity levels, find gaps and develop a practical roadmap for improving the maturity of your privacy program. 

For more information: 

  • We collect and handle all personal information in accordance with our Privacy Policy.

  • This field is for validation purposes and should be left unchanged.

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.