Introduction to NIST Privacy Framework

NIST Privacy Framework


The internet is a complex ecosystem that uses both personal and business data
to deliver a wide variety of benefits. While we all enjoy these benefits, many of them
come at a hidden cost: personal privacy is slowly slipping away. Over time, people
have slowly and mostly unwittingly allowed large organizations to gather and
exploit this data, and organizations have been happy to accumulate as much of
it as possible, often without fully understanding the consequences of doing so.

This has resulted in a privacy crisis. People are beginning to worry about what is
being done with their personal data, and companies are starting to worry about how
privacy problems could affect their brands, their profits, and their future prosperity.
They’re also starting to think about how they’re going to continue delivering their
products and services while at the same time respecting the personal privacy of
millions of people. Meanwhile, regulators and governments worldwide
are starting to pay attention and are growing increasingly concerned.


The purpose of NIST’s Framework is to show organizations how to manage their
privacy risks. If your organization processes personal data, this Framework is for
you. Use it to establish a comprehensive data privacy program, and then use that
program to solve your data privacy problems and to manage your data privacy
risks. Use it to:

•    Reduce your legal and financial exposure.
•    Establish privacy risk management controls.
•    Meet the expectations of interested parties.
•    Facilitate conversations about privacy practices.
•    Earn the trust and confidence of your stakeholders.
•    Protect your reputation and enhance your credibility.
•    Encourage personnel to identify and treat privacy risks.
•    Improve your ability to identify privacy issues and concerns.
•    Make personnel aware of privacy concerns and considerations.
•    Comply with current and emerging privacy rules and regulations.
•    Increase your ability to identify data processing privacy problems.
•    Help personnel to develop privacy procedures and set privacy goals.
•    Provide a common language that personnel can use to manage privacy.
•    Promote the design of products, services, and systems that respect privacy.
•    Support the development of ethical privacy policies, processes, and procedures.


The “Core” of NIST’s Framework consists of the following five functions, which
operate concurrently and continuously: Identify, Govern, Control, Communicate,
and Protect. Each function is further broken down into activities, which, in turn,
are broken down into tasks. When these activities and tasks are actually being
performed, they are referred to as outcomes.

However, if you study the original Privacy Framework, you’ll notice that NIST
uses the terms functions, categories, and subcategories instead. We prefer the
terms functions, activities, and tasks because these concepts are more intuitive
and easier to understand, and because they describe what the NIST Framework
actually talks about.

The Core of NIST's Framework is used to develop an organization’s Current and
Target Profiles. Profiles are created by studying NIST’s Framework Core and then
selecting activities and tasks. Current Profiles are developed by selecting activities
and tasks that describe the organization’s current privacy status: its “as is” state.
Target Profiles are developed by selecting activities and tasks that describe the
organization’s preferred status: its “to be” state. By comparing Current
and Target Profiles, an organization can identify privacy gaps.


NIST has also defined four Framework Implementation Tiers. These Tiers classify
organizations according to how well their privacy risk management practices have
been implemented. They range from Tier 1 to Tier 4.

Tier 1 organizations use relatively primitive methods to manage risk, while Tier 4
organizations use more advanced methods. Tier 1 organizations
have ineffective methods, Tier 2 have informal methods, Tier 3 have structured
methods, and Tier 4 have adaptive methods.

This Tier information is used to define an organization’s Current Tier and its Target
Tier. Current Tiers are defined by selecting privacy risk management practices that
describe the organization’s current status: its “as is” state. Target Tiers are defined
by selecting privacy risk management practices that describe the organization’s
preferred status: its “to be” state. These Tier definitions are then used to
identify privacy risk management implementation gaps.

For more information, see our Detailed Implementation Tiers.

Also check out our discussion of the NIST Cybersecurity Framework.




Praxiom Research Group Limited          780-461-4514

Updated on March 19, 2021. First published on March 19, 2021.


Copyright © 2021 by Praxiom Research Group Limited. All Rights Reserved.
