The NIST Privacy Framework: Defined and Outlined

In January of 2020 the National Institute of Standard and Technology (NIST) released the Privacy Framework tool to the public. The framework was released with the goal of “helping your organization define privacy goals, identify privacy risks, and optimize the use of personal information while limiting privacy violations.” However, this framework by NIST isn’t a new law of standard we all must follow. Rather, it is a free tool that organizations may choose to use and abide by, akin to NIST’s previously released Cybersecurity Framework.

Like previously in our article on the MITRE ATT&CK® framework, we will be defining and outlining the basics of the framework. This will provide you with a great jumping off point for the framework. While covering the entirety of the framework is near impossible in one post, this article should provide a “Privacy Framework 101” for those new to it. However, if you’d like to read the entirety of the framework it can be found here.

What is the NIST Privacy Framework?

Advancements in the Internet and associated information technologies have driven unprecedented innovation across the globe. However, that innovation and excitement that came with these developments also came with a heightened threat for our privacy. This threat affects both individuals and companies alike. The truth is that people’s data is more accessible by dangerous adversaries than ever before. This fact is what drove NIST to develop the Privacy Framework for widespread usage.

Like previously stated, the NIST Privacy Framework is a tool for organizations to use. This tool aims to “improve privacy through enterprise risk management.” Simply put, Enterprise Risk Management is defined as “the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of those objectives.”

As stated in the official NIST Privacy Framework, the framework supports organizations in:

  • Building customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole.
  • Fulfilling current compliance obligations, as well as future-proofing products and services to meet those obligations in a changing technological and policy environment; and
  • Facilitating communication about privacy practices with individuals, business partners, assessors, and regulators.

The 3 Parts of the Privacy Framework

Like the Cybersecurity Framework, the Privacy Framework is composed of three core parts: Core, Profiles, and Implementation Tiers. Each of these components “reinforce how organizations manage privacy risk through the connection between business or mission drivers, organizational roles and responsibilities, and privacy protection activities.” Explanations of the three parts can be found below:


The Core is the set of privacy protection activities and outcomes that allows for communicating prioritized privacy protection and activities and outcomes across the organization, from the executive level to the operations level. The Core comprises of five functions that organize foundational privacy activities at their highest level. Each of these five functions help an organization express how they currently manage privacy risk. Each of these five functions are detailed below:

  • Identify-P: Developing the organizational understanding to manage privacy risk for individuals arising from data processing.
  • Govern-P: Developing and implementing organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities. These priorities are informed directly by privacy risk.
  • Control-P: Developing and implementing appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
  • Communicate-P: Developing and implementing appropriate activities to enable organizations and individuals to have a reliable understanding, and thus, engage in a dialogue about how data is processed and the privacy risks associated with that process.
  • Protect-P: Developing and implementing appropriate data processing safeguards.

Overall, the Core provides a very granular set of activities and outcomes that enable al dialogue about the overall management of privacy risk by the organization and its employees.


The Profile of an organization represents their current privacy activities, and the desired outcomes of these. To develop a Profile an organization needs to review all of the activities and outcomes in their Core to determine which are the most crucial focus based on business and mission drivers, data processing ecosystem roles, types of data processing, and the privacy needs of individuals. An organization can then create or add Functions, Categories, and Subcategories to these Core activities and outcomes as needed.

This Profile is used to identify opportunities for improving current security posture by comparing the “current” Profile to the organization’s “target” Profile. Overall, Profiles are used both to conduct self-assessments and to communicate within an organization about how privacy risks are currently being managed.

Implementation Tiers

The Tier part of the framework serves as a point of reference for how an organization views privacy risk and whether it has sufficient processes and resources in place to manage that risk. These Tiers represent a shift from the informal, reactive responses to a more agile and risk informed one. Tiers support decision making about how to efficiently manage privacy risks, and allow organizations to communicate internally about the allocation of resources necessary to progress to the next tier. These four tiers are listed below:

  • Partial (Tier 1)
  • Risk Informed (Tier 2)
  • Repeatable (Tier 3)
  • Adaptive (Tier 4)

When using Tiers, an organization should consider its Target Profile(s) and how achievement may be hampered by its current risk management practices, the degree of integration of privacy risk, its data processing ecosystem, and workforce composition and training program .

Cybersecurity vs. Privacy Risk Management

When NIST created the Cybersecurity Framework they made efforts to make the process open and collaborative. NIST had this same mindset in with the Privacy Framework. However, there are key differences between the two frameworks, as seen below:

Since 2014 the Cybersecurity Framework has helped users communicate and manage cybersecurity risk. However, the framework simply wasn’t enough to account for all privacy issues. Many privacy issues don’t relate directly to cybersecurity. This created the Venn diagram-type framework model you see above. 

Countering cybersecurity-specific risks, NIST considers risks under the privacy-specific event umbrella as potential problems rising from system, product, or service operations in data. These data operations are referred to in singular as data action and collectively as data processing. Problems stemming from data processing risks vary widely, ranging from dignity-type effects like stigma and embarrassment to more tangible harm like discrimination, economic loss, or physical harm.

Key definitions to know:

Data action: A data lifecycle operation, including but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission, and disposal.

Data processing: The collective set of data actions.

The Privacy Risk Assessment

Also included in NIST’s Privacy Framework is a privacy risk assessment framework. This risk assessment is a cross-organizational set of processes that helps organizations understand how their different systems, products, and services may cause problems for the individuals using them. This risk assessment also helps organizations develop effective solutions to manage these risks. Basically, this privacy risk assessment is a sub-process for identifying and evaluating individual privacy risks.

Different organizations will want to prioritize and respond to their risks in different ways. This all depends on the potential impact these individuals and the resulting impact to organizations. These risk assessments are carried out to establish objectives and an overall call to action based on the organization’s current capacity and mindset. The different ways an organizations prioritize risks are as follows:

  1. Mitigating the overall risk (organizations can apply technical or policy measures to systems/products to minimize risk)
  2. Transferring or sharing the risk (contracts, privacy notices, consent mechanisms established to make users aware of potential risk)
  3. Avoiding the risk (it may be determined that the risks outweigh the benefits of the operation and forego or terminate the data processing)
  4. Accepting the risk (it may be determined that the benefits of the operation largely outweigh the risks and it’s not necessary to invest in mitigation)

Overall, risk assessments are incredibly important to the Privacy Framework and your organization as a whole. These assessments provide methods for safeguarding your data and allow organizations to remove priority tension from the workplace. A risk assessment allows your organization to clearly label, and thus, prioritize your assets. Additionally, risk assessments help distinguish between privacy and compliance risk. Being able to identify when data processing may cause problems for an individual, even if the process is compliant with organizational security, can help guide ethical decision-making for your organization.

Summing Up the Privacy Framework

Overall, the Privacy Framework provides many useful tools and guiding points for many organizations and their data. Privacy, largely coinciding with increased number of data-based attack vectors, has never been more important to maintain than it is in the present. This fact is why NIST developed the Privacy Framework, and why your organization should consider using the framework in your workplace.

If you’d like to read the entirety of the Privacy Framework you may do so here. We simply cannot cover all of the content includedin the framework in one post, so we strongly recommend giving it a read. Additionally, NIST recorded an information webinar titled “Ready, Set, Adopt” explaining all parts of the framework, which can be viewed here.

Check Out Our Latest Posts