NIST Privacy Framework – 5 Tips for Implementation
The National Institute of Standards and Technology (NIST) Privacy Framework was developed through a collaborative process involving privacy professionals, industry stakeholders, the public, and the US government. It’s technically rigorous, applies to a wide range of industries and organisations, and is one of the most widely recognised and adopted privacy frameworks that exist today. In this post, we’ll first outline some of the key elements of the NIST Privacy Framework and then detail some tips for implementation in your organisation.
What is the NIST Privacy Framework?
“The Privacy Framework is a voluntary tool intended to help organizations identify and manage privacy risk to build beneficial products and services while protecting individuals’ privacy.”
NIST is a non-regulatory agency of the US Department of Commerce. It first published the Cybersecurity Framework (CSF) to help organisations improve their cybersecurity posture. Following the relatively successful launch of the CSF, NIST released the Privacy Framework to help organisations manage privacy risks.
In brief, the Privacy Framework aims to help organizations answer the question “How are we considering the privacy impacts to individuals as we develop our systems, products, and services?”.
NIST Privacy Framework: Core Concepts
The main concepts in the NIST Privacy Framework are Core, Profiles, and Implementation Tiers.
Core
The Core concept outlines five privacy protection functions to help align the executive level and implementation/operational levels. The five functions are:
- Identify
- Govern
- Control
- Communicate
- Protect
Each of these functions is divided into categories and subcategories, which are beyond the scope of this article. You can find them here.
Profiles
Profiles are the current privacy activities or desired outcomes at an organisation.
Implementation Tiers
Implementation Tiers provide a point of reference or benchmark for organisations looking to gauge their privacy program effectiveness.
5 Tips to Implement the NIST Privacy Framework
Start With an Assessment of Your Current Privacy Program
You need to have a complete picture of where your current privacy program is to determine where you want to be. To align with the NIST Privacy Framework, your assessment should focus on inventory and mapping, the business environment, risk assessment, and data processing ecosystem risk management.
To make this assessment, you should ask and answer (amongst other things):
- Do you have an inventory of the data collection points and data collected and stored?
- Have you mapped your data flows?
- Have you previously conducted privacy impact assessments? If so, are you now completing them at appropriate intervals?
- Do you have a documented third-party risk assessment process? If so, what is your process for evaluating the risk of new vendors and how regularly do you reassess existing vendors?
You can find a more complete list of questions to ask at this stage in NIST’s Getting Started resource.
Use the Implementation Tiers to Guide Your Priorities
The Implementation Tiers in Appendix E of the Privacy Framework provide a helpful outline of what privacy maturity looks like, from first adoption through to the implementation of a robust program. We find it a useful resource for organisations to realistically assess where they currently are and which priorities could help move them forward.
Prioritize Your Target Outcomes and Create an Action Plan
The economic reality is that most organisations don’t have the resources needed to eliminate every privacy risk. So, when you’ve completed your assessment of your current reality and determined where you’d like to be in the future, it’s helpful to set priorities for your target outcomes and create an action plan.
Creating priorities helps to strategically use existing (and typically limited) resources to focus on the largest or most significant risk areas and/or your organisation’s biggest opportunities for improvement (making space for you to use privacy as a competitive advantage).
Analyse Where the NIST Privacy Framework Fits into Your Existing Infrastructure and Operations
The NIST Privacy Framework is designed to weave privacy considerations into an organisation’s existing practices, processes, and tools. It is industry and size-agnostic on purpose – and it is intended to be extremely flexible.
So, when you’re implementing the NIST Privacy Framework, you should be looking for opportunities to integrate it into your existing operations. It shouldn’t require you to reinvent the wheel at every stage.
Ensure Your Team Has The Right Capabilities
You will also need to ensure your team has either the right capabilities or adequate resources to outsource elements of the NIST Privacy Framework implementation. Again, an action plan for implementation is helpful in managing your resources because you won’t need all the privacy capabilities all the time.
For organisations looking to source someone to implement the NIST Framework, consider a privacy professional with a CIPM certification. The IAPP has laid out how the skills from this privacy certification align with the NIST Privacy Framework. Helpfully, it has also shown gaps where you may need more resources.
A Note About NIST Cybersecurity Framework 2.0
NIST recently released a public draft of the NIST CSF 2.0. It has an interesting section about the interplay and overlap between cybersecurity and privacy functions within an organisation.
Briefly, it highlighted:
Source: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.ipd.pdf
Further Resources
To further your understanding of the NIST Privacy Framework, we recommend these resources:
Roadmap for Advancing the NIST Privacy Framework
A Hypothetical Use Case for the NIST Privacy Framework
Managing Your Privacy Risk with Privacy 108
Our privacy management programs empower organisations to champion privacy through policies and processes, education, awareness, and accountability.
We developed a series of questionnaires and templates to help organisations build privacy programs. These resources incorporate guidance on privacy management and privacy programs from a range of sources, including:
- ISO 27701 requirements for a Personal Information Management System
- NIST Privacy Framework
- OAIC guidance on privacy management framework
- UK ICO guidance on privacy governance and accountability
Our team uses these resources to review your current privacy program, determine maturity levels, find gaps and develop a practical roadmap for improving the maturity of your privacy program.
For more information: