NIST Privacy 101: An Intro to the NIST Privacy Framework

This is the first in a series of blog posts we will publish surrounding the NIST Privacy Framework. Stay tuned for future updates.

The proliferation of privacy legislation being proposed and passed around the globe makes it difficult for organizations to keep track of what must be done to comply with these regulations and demonstrate their due diligence in the handling of personal information. In our experience, organizations are looking for a framework or certification that will assist in demonstrating their ability to comply with data privacy regulations. From an implementation standpoint, however, organizations are unsure of where to begin and how they can comply with various privacy regulations under one privacy program.

The National Institute of Standards and Technology (NIST) recognized an opportunity to develop a framework to standardize best practices for a privacy program by introducing the NIST Privacy Framework. NIST has developed several frameworks that are based on industry best practices across multiple industries and that thousands of organizations rely on to comply with various requirements. The NIST Privacy Framework was developed through working sessions as well as by seeking commentary from privacy and security practitioners, of which CompliancePoint attended and provided input.

NIST Privacy Framework

The NIST Privacy Framework can and should be used to measure and improve an organization’s privacy program. It is a set of controls that can help an organization identify privacy risks within their processing environment and help prioritize/allocate resources to mitigate those risks. Privacy regulations also include technical and security components, and the NIST Privacy Framework borrows controls from the NIST CSF where applicable. This is useful for companies that already align themselves with the NIST CSF to adopt the NIST Privacy Framework controls easily. 

At the core of the framework are Functions, Categories, and Subcategories. Not only can the framework assist with building out a flexible privacy program, but it can also assist an organization with demonstrating that they operate from an industry-accepted privacy framework that can serve as a competitive differentiator to their clients and consumers alike.

The framework can be crosswalked against other regulations and standards, and any crosswalks that exist are listed on the NIST website, including the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), Brazil’s LGPD, ISO-27701, NIST-CSF, and NIST 800-53. However, it should be noted that the NIST-P Framework is regulation and technology agnostic, and alignment with the framework does not warrant that a company is compliant with any of these regulations, frameworks, or standards.

The framework is broken into five Functions:

1. IDENTIFY-P: Develop the organizational understanding to manage privacy risk for individuals arising from data processing.
2. GOVERN-P:  Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.
3. CONTROL-P: Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
4. COMMUNICATE-P: Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.
5. PROTECT-P: Develop and implement appropriate data processing safeguards.

The first four Function areas are related directly to privacy and the risks associated with the processing of personal information. The Protect-P Function area is focused on the security of handling and protecting personal data. Although sometimes written in technical jargon, many will be familiar with the terms used throughout the function areas if they have privacy experience. Data inventory, processing environment, notice/disclosure, and access request are present, to name a few.

Beneath the five Function areas, there are 29 Categories that provide more detail surrounding the Function, and then the Subcategories or what we would call “controls”, of which there are approximately 100. The Functions, Categories, and Subcategories are the “Core”.

The framework is comprised of:

• The Core
• Profiles
• Implementation Tiers

Profiles assist an organization with managing risk, and there is a concept of a current profile as well as a future profile. Implementation Tiers assist organizations with managing how mature their controls are, and very similar to profiles, organizations will have a current Implementation Tier and a future Implementation Tier. 

In our next blog post in this series, we will dive further into Profiles and Implementation Tiers, including the steps to take to create the organization Profile, determine what Implementation Tier your organization is in today, and a how-to roadmap to achieve your organization’s future Implementation Tier goal.

In the meantime, if you have any questions about the NIST Privacy Framework, please reach out to connect@compliancepoint.com