NIST Privacy Framework a Flexible Tool for Managing Privacy Risks

The new NIST Privacy Framework should be popular due to the simplicity of integration into existing security and risk management frameworks.


Privacy isn’t a new concept, but organizations of all sizes continue to struggle with it as the digital age generates new data-driven products and services at a dizzying pace.


In November 2019 I addressed some of the struggles that even organizations with mature data protection capabilities are facing as a result of new data regulatory requirements – issues like subject access requests, the right to erasure and data portability, for instance. In an effort to help organizations address these challenges, enable better privacy practices and provide a common language to communicate privacy requirements, the National Institute of Standards and Technology (NIST) has published the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (NIST PF). This document leaves no doubt that the focus on consumer privacy will continue to sharpen.


The good news is that the NIST PF doesn’t establish a lot of new expectations. In a very real sense, it simply formalizes what we, as security risk and privacy professionals, already know should be done.


The Privacy Framework is deliberately organized similarly to the NIST Cybersecurity Framework (CSF) to facilitate the parallel use of both tools. The PF is composed of three parts: Core, Profiles and Implementation Tiers.


  • Core contains the control objectives for privacy protection activities and desired outcomes
  • Profiles enable an organization to identify and prioritize the activities key to their specific requirements
  • Implementation Tiers help organizations evaluate the program’s maturity and privacy risk management capability


The framework’s Core consists of five functions:


IDENTIFY-P (ID-P): Develop the organizational understanding to manage privacy risk for individuals arising from data processing.

GOVERN-P (GV-P): Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.

CONTROL-P (CT-P): Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.

COMMUNICATE-P (CM-P): Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.

PROTECT-P (PR-P): Develop and implement appropriate data processing safeguards.


The integration with the NIST CSF is highlighted in the Core by a key that labels categories and subcategories which are identical to the CSF, or which align with the CSF but whose descriptions have been adapted. This approach reinforces the idea that an effective privacy program requires integration with our information security and risk management programs. Of the 100 Subcategory items in the Privacy Framework, 53 are carried over from the NIST CSF, meaning the Privacy Framework suggests 47 new activities (predominantly in the Control-P and Communicate-P functions).


Here is a summary of the categories and subcategories that are pulled from the CSF into the Privacy Framework:


Of the 18 categories:


  • One (Risk Management Strategy) is imported directly from the CSF
  • 10 are imported from the CSF but the descriptions have been adapted for the Privacy Framework
    • Identify Function (3)
    • Governance Function (2)
    • Protect Function (5)


Of the 100 subcategories:


  • 27 subcategories are pulled directly into the NIST PF from the CSF
    • 22 of those are in the Protect Function
  • 26 subcategories are from the CSF but the descriptions have been adapted
    • Identify Function (7)
    • Governance Function (9)
    • Protect Function (8)


The 47 subcategories that do not have a direct link to the CSF focus on capabilities such as inventorying processing activities, privacy by design, privacy impact assessments and handling subject access requests; these are activities that security and privacy professionals will be familiar with. In their simplest form we could summarize these as:


  • Maintain an inventory of processing activities and data flows
  • Maintain procedures to respond to requests for information
  • Maintain procedures to respond to requests to correct/modify information
  • Maintain procedures to respond to requests to be forgotten or for erasure of data
  • Maintain procedures to respond to requests to opt-out of, restrict or object to processing
  • Maintain policies and procedures for obtaining valid consent
  • Integrate Privacy by Design into system and product development
  • Conduct Privacy Impact Assessments for new programs, systems and processes


Given the explosion of privacy-related legislation both in the US and globally (CCPA and Nevada SB220 recently, as well as GDPR, PIPEDA, Brazil’s LGPD and several other state-level laws currently being considered in the United States), the NIST PF should be added to the toolbox of all privacy and risk management stakeholders. In doing so, they will be positioned with a framework that, if used correctly, will demonstrate reasonable efforts to protect consumer information.


It’s also important to note that the FTC provided public comments to the preliminary draft of the Privacy Framework. This is an important consideration given the commission’s focus on consumer protections in the United States as well as past statements it has made indicating the CSF approach to integrating cybersecurity into overall risk management is consistent with its approach to enforcement.


I expect the NIST Privacy Framework will become as popular as the CSF because of the simplicity of integration into existing security and risk management frameworks. By complementing and extending these frameworks that organizations already employ, we help ourselves build scalable, flexible programs that can adapt to evolving requirements (such as emerging privacy regulations) with minimal effort.

John Clark
Executive Director, Office of the CISO
John Clark is an information security professional with over 20 years of experience in various industry sectors including legal firms, financial services, utility companies, and technology service providers. As executive director, executive solutions in the Office of the CISO at Optiv, Clark leverages his experience and passion to help organizations build and improve business-focused security strategies and programs.