
February 9, 2021

NIST Privacy 101: An Intro to the NIST Privacy Framework


Matt Dumiak
CompliancePoint

This is the first in a series of blog posts we will publish surrounding the NIST
Privacy Framework. Stay tuned for future updates.

The proliferation of privacy legislation being proposed and passed around the globe makes it
difficult for organizations to keep track of what must be done to comply with these regulations
and demonstrate their due diligence in the handling of personal information. In our
experience, organizations are looking for a framework or certification that will assist in
demonstrating their ability to comply with data privacy regulations. From an implementation
standpoint, however, organizations are unsure of where to begin and how they can comply
with various privacy regulations under one privacy program.

The National Institute of Standards and Technology (NIST) recognized an opportunity to
develop a framework to standardize best practices for a privacy program by introducing the
NIST Privacy Framework. NIST has developed several frameworks that are based on industry
best practices across multiple industries and that thousands of organizations rely on to comply
with various requirements. The NIST Privacy Framework was developed through working
sessions as well as by seeking commentary from privacy and security practitioners, of which
CompliancePoint attended and provided input.

NIST Privacy Framework

The NIST Privacy Framework can and should be used to measure and improve an
organization’s privacy program. It is a set of controls that can help an organization identify
privacy risks within their processing environment and help prioritize/allocate resources to
mitigate those risks. Privacy regulations also include technical and security components, and
the NIST Privacy Framework borrows controls from the NIST CSF where applicable. This is
useful for companies that already align themselves with the NIST CSF to adopt the NIST
Privacy Framework controls easily.

At the core of the framework are Functions, Categories, and Subcategories. Not only can the
framework assist with building out a flexible privacy program, but it can also assist an
organization with demonstrating that they operate from an industry-accepted privacy
framework that can serve as a competitive differentiator to their clients and consumers alike.

The framework can be crosswalked against other regulations and standards, and any
crosswalks that exist are listed on the NIST website, including the California Consumer
Privacy Act (CCPA), the General Data Protection Regulation (GDPR), Brazil’s LGPD, ISO-
27701, NIST-CSF, and NIST 800-53. However, it should be noted that the NIST-P Framework
is regulation and technology agnostic, and alignment with the framework does not warrant
that a company is compliant with any of these regulations, frameworks, or standards.

The framework is broken into five Functions:

1. IDENTIFY-P: Develop the organizational understanding to manage privacy risk for
individuals arising from data processing.

2. GOVERN-P: Develop and implement the organizational governance structure to
enable an ongoing understanding of the organization’s risk management priorities that
are informed by privacy risk.

3. CONTROL-P: Develop and implement appropriate activities to enable organizations or
individuals to manage data with sufficient granularity to manage privacy risks.

4. COMMUNICATE-P: Develop and implement appropriate activities to enable
organizations and individuals to have a reliable understanding and engage in a dialogue
about how data are processed and associated privacy risks.

5. PROTECT-P: Develop and implement appropriate data processing safeguards.

The first four Function areas are related directly to privacy and the risks associated with the
processing of personal information. The Protect-P Function area is focused on the security of
handling and protecting personal data. Although sometimes written in technical jargon, many
will be familiar with the terms used throughout the function areas if they have privacy
experience. Data inventory, processing environment, notice/disclosure, and access request are
present, to name a few.

Beneath the five Function areas, there are 29 Categories that provide more detail surrounding
the Function, and then the Subcategories, or what we would call “controls”, of which there are
approximately 100. The Functions, Categories, and Subcategories are the “Core”.

The framework is comprised of:

The Core
Profiles
Implementation Tiers

Profiles assist an organization with managing risk, and there is a concept of a current profile
as well as a future profile. Implementation Tiers assist organizations with managing how
mature their controls are, and very similar to profiles, organizations will have a current
Implementation Tier and a future Implementation Tier.

In our next blog post in this series, we will dive further into Profiles and Implementation
Tiers, including the steps to take to create the organization Profile, determine what
Implementation Tier your organization is in today, and a how-to roadmap to achieve your
organization’s future Implementation Tier goal.
