Privacy Program Development Plan

How to Use NIST's Privacy Framework to Develop a Privacy Program

The following steps describe an iterative process that you can use to develop a privacy
program for your organization. All or parts of this process can and should be repeated
whenever necessary or appropriate. It should also be repeated whenever you change
the scope of your program, whenever your privacy environment changes or your
risks change, and whenever your Target Profile or Target Tier changes.

NOTE 1: Current Profiles are created by using NIST's Privacy Framework to select activities and tasks that describe an organization’s current privacy status: its “as is” state. Target Profiles are created by selecting activities and tasks that describe its preferred status: its “to be” state.

NOTE 2: NIST's Privacy Implementation Tier Definitions classify organizations according to how
well privacy risk management practices have been implemented. They range from Tier 1 to Tier 4.
Tier 1 organizations use relatively primitive methods to manage risk while Tier 4 organizations use
relatively advanced methods to manage risk. Tier 1 organizations have ineffective risk management
methods, Tier 2 have informal risk management methods, Tier 3 have structured risk management
methods, and Tier 4 have adaptive risk management methods. This Tier information is used to
define an organization’s Current Tier and its Target Tier.

Step 1. Consider your Privacy Environment

• Consider your corporate mission, objectives, and priorities.

• Consider stakeholders’ personal privacy issues and expectations.

• Consider your business circumstances and your legal circumstances.

• Consider your organization’s role in the data processing ecosystem.

• Consider your approach to risk and your tolerance for privacy risk.

Step 2. Identify the Scope of your Privacy Program

• Select systems, products, and services with possible privacy problems.

• Select the data processing systems that may have privacy problems.

• Select the data processing products that may have privacy problems.

• Select the data processing services that may have privacy problems.

Step 3. Assign Privacy Roles and Responsibilities

• Establish a team to manage your organization’s privacy program.

• Select people with a broad range of perspectives and experience.

• Assign privacy management roles and responsibilities to members.

• Assign privacy risk management roles and responsibilities to members.

Step 4. Define Current Profile and Current Tier

• Use the Core of the Framework to define your organization’s Current Privacy Profile.

• Use Implementation Tier Definitions to define your organization's Current Privacy Tier.

Step 5. Assess both Actual and Potential Risks

• Identify privacy risks created by the way your systems process data.

• Identify the actual privacy problems that data processing systems have.

• Prioritize the actual privacy problems that data processing systems have.

• Identify the potential privacy problems that data processing systems have.

• Prioritize the potential privacy problems that data processing systems have.

• Identify privacy risks created by the way your products process data.

• Identify the actual privacy problems that data processing products have.

• Prioritize the actual privacy problems that data processing products have.

• Identify the potential privacy problems that data processing products have.

• Prioritize the potential privacy problems that data processing products have.

• Identify privacy risks created by the way your services process data.

• Identify the actual privacy problems that data processing services have.

• Prioritize the actual privacy problems that data processing services have.

• Identify the potential privacy problems that data processing services have.

• Prioritize the potential privacy problems that data processing services have.

Step 6. Establish your Target Profile and Target Tier

• Use the Core of the Framework to develop your Target Privacy Profile.

• Consider privacy principles and values when you establish your Target Profile.

• Consider privacy policies and preferences when you establish your Target Profile.

• Consider privacy risk assessment results when you establish your Target Profile.

• Consider external privacy expectations when you establish your Target Profile.

• Use Implementation Tier Definitions to develop your Target Privacy Tier.

• Consider privacy principles and values when you establish your Target Tier.

• Consider privacy policies and preferences when you establish your Target Tier.

• Consider privacy risk assessment results when you establish your Target Tier.

• Consider external privacy expectations when you establish your Target Tier.

Step 7. Identify Gaps in your Privacy Practices

• Identify privacy framework gaps by comparing Current and Target Profiles.

• Prioritize privacy framework gaps by considering risks, costs, and benefits.

• Identify privacy implementation gaps by comparing Current and Target Tiers.

• Prioritize privacy implementation gaps by considering risks, costs, and benefits.

Step 8. Execute Plan to Establish Privacy Program

• Consider your organization’s high priority privacy gaps.

• Consider your organization’s high priority framework gaps.

• Consider your organization’s high priority implementation gaps.

• Create an action plan to address high priority privacy gaps.

• Consider mission, objectives, risks, costs, and benefits.

• Define steps to address your high priority privacy gaps.

• Define steps to address high priority framework gaps.

• Define steps to address high priority implementation gaps.

• Execute your action plan to address high priority privacy gaps.

• Take steps to establish your organization’s privacy program.

• Take steps to address your high priority framework gaps.

• Take steps to achieve a higher privacy implementation tier.

• Take steps to address your high priority implementation gaps.

The following flow diagram summarizes the above eight-step
process and highlights the iterative aspects of this process.

[Flow diagram: Privacy Program Development Plan]

Also check out our Cybersecurity Program Development Plan.


Praxiom Research Group Limited       help@praxiom.com       780-461-4514

Updated on March 22, 2021. First published on March 19, 2021.


Copyright © 2021 by Praxiom Research Group Limited. All Rights Reserved.

First Edmonton Place, 14th Floor, 10665 Jasper Avenue, Edmonton, Alberta, T5J 3S9, Canada