The NIST Privacy Framework is a voluntary tool created by the National Institute of Standards and Technology (NIST) that lays out strategies organizations can use to improve how they manage privacy risk.
The framework's purpose is to help organizations keep their data handling practices secure, private and legally compliant across all organizational levels, and it was written with C-level decision-makers without technical backgrounds in mind.
The NIST Privacy Framework, released in January 2020, follows the same structure as the NIST Cybersecurity Framework (first released in 2014) to encourage organizations to use the two together. Like the Cybersecurity Framework, the Privacy Framework is made up of three main sections: Core, Profiles and Implementation Tiers.
- The Core is the body of specific privacy protection activities recommended by NIST.
- Profiles describe an organization's existing privacy practices and resources (Current Profile) and the outcomes it wants to achieve (Target Profile), so the two can be compared.
- Implementation Tiers are a scale to measure the extent to which an organization exhibits characteristics of the framework.
The Privacy Framework is not a one-size-fits-all solution to privacy management. As it is a voluntary tool and not a regulation or law, organizations can choose to adopt or ignore any of its contents. Using the framework to some degree is recommended for all organizations that collect and process customer data -- especially those collecting sensitive data.
The collection and use of customer data are a key part of many beneficial consumer technologies. However, the collection and storage of personal data, especially sensitive data, can pose serious risks to both individuals and organizations if not properly managed. NIST therefore drafted the Privacy Framework to help organizations protect both themselves and the individuals whose data they process from the consequences of data mishandling, without discouraging innovation.
The structure of the NIST Privacy Framework can be broken down as follows.
Core. The body of individual privacy protection activities and outcomes. The Core is divided into three elements: functions, categories and subcategories. Functions are the largest unit and are broken down further into categories and subcategories.
- Functions organize groups of privacy activities by broad purpose. The -P suffix marks them as functions of the Privacy Framework Core, so they are not confused with the functions of the Cybersecurity Framework Core.
- Identify-P. Develops the organization's understanding of the privacy risks to individuals that arise from its data processing. Includes inventorying and mapping data processing, understanding the business environment, and privacy risk assessment.
- Govern-P. Develops and implements the governance structure that gives the organization an ongoing understanding of its risk management priorities as informed by privacy risk. Focuses on privacy policies, legal and regulatory considerations, and risk tolerance.
- Control-P. Focuses on developing and implementing activities that let the organization, and the individual, manage data with enough granularity to manage privacy risks.
- Communicate-P. Focuses on giving the organization and individuals a reliable understanding of how data are processed and the associated privacy risks, and on enabling dialogue about them (for example, through privacy notices and transparency about data processing).
- Protect-P. Develops and implements data processing safeguards.
- Categories are subdivisions of a function into related groups.
- Subcategories are further subdivisions of categories into specific outcomes of privacy management activities.
Profiles. A prioritized selection of privacy risk management activities. A Profile is a custom selection of functions, categories and subcategories from the Core. The Current Profile records the privacy management activities an organization performs today; the Target Profile records the outcomes it wants to reach. Comparing the two lets the organization identify gaps in its privacy management approach, develop a concrete plan to bridge them, and identify the resources needed.
Implementation Tiers. A scale used to assess the extent to which an organization exhibits the characteristics described in the Privacy Framework. Tiers can be used as benchmarks for progress and to communicate the level of resources and processes an organization has in place. There are four tiers:
- Partial (Tier 1)
- Privacy risk management practices are not formalized and are applied ad hoc, only when a need arises.
- Limited awareness of privacy risk.
- Limited understanding of an organization's role in privacy risks.
- Lacking specific privacy risk management responsibilities in personnel.
- Risk Informed (Tier 2)
- Risk management practices are approved by management but have not been established as organizationwide policy.
- Organizational-level awareness of privacy risk but no formal approach in effect.
- Understanding of an organization's risks in regard to its own products and services offered and used but no consistent action taken.
- Limited understanding of an organization's role in the data processing ecosystem.
- Some personnel have privacy responsibilities and regular privacy training is in place; however, there are no consistent processes to ensure best practices are followed.
- Repeatable (Tier 3)
- Privacy risk management practices implemented as formal policy.
- Organizationwide privacy risk management practices in place.
- Organization understands its role in the data processing ecosystem and may contribute to larger understanding of risks in the community.
- Organization is aware of risks resulting from its own products and services offered and used and takes formal action to minimize them.
- Dedicated privacy management personnel on staff.
- Adaptive (Tier 4)
- Organization adapts its policies and practices to new and existing privacy risks.
- Approach to managing privacy risk is comprehensive and organizationwide.
- Consistently acts on the privacy risks arising from its own products, services and data processing ecosystem.
- Contributes to community understanding of privacy risks.
NIST Privacy Framework vs. NIST Cybersecurity Framework
The NIST Privacy Framework follows the same structure as the Cybersecurity Framework (Core, Profiles, Tiers) to encourage use of the two frameworks in tandem.
Though the management of cybersecurity risks contributes to managing the overall information privacy risk of an organization, the NIST Cybersecurity Framework, by itself, is not enough to effectively manage it. This is because there are privacy risks unrelated to cybersecurity. NIST defines cybersecurity risks as associated with cybersecurity incidents arising from loss of confidentiality, integrity or availability. Privacy risks are defined as potential problems individuals could experience arising from system, product or service operations with data.
Cybersecurity-related privacy risks, such as data breaches, are the area where the two frameworks overlap. NIST describes the Privacy Framework's Protect-P function, together with the Cybersecurity Framework's Detect, Respond and Recover functions, as the set used to manage these cybersecurity-related privacy risks; privacy risks that do not stem from a security incident are covered by the remaining Privacy Framework functions.
The NIST Privacy Framework is meant to open up dialogue about privacy risk across all organizational levels and was drafted particularly with C-level decision-makers without technical backgrounds in mind.
The framework can help organizations:
- optimize technological innovation and use of data, while minimizing associated risks for organizations;
- support ethical decision-making in operations that affect privacy management;
- support compliance with privacy laws and regulations, such as the California Consumer Privacy Act (CCPA) and the European Union's (EU) General Data Protection Regulation (GDPR), although using the framework does not by itself guarantee compliance;
- plan, design and implement products and services that prioritize data privacy;
- inform buying decisions about products and services related to data privacy; and
- establish or improve an organization's privacy policies or program.