How to leverage the NIST Privacy Framework for enterprise data initiatives
Enterprises collect vast amounts of data about their customers in order to provide and improve their services. All of that data is stored electronically, and customers generally expect it to be processed, transferred, and stored securely. Over the past decades, concerns about data privacy have grown, pushing lawmakers and regulators to create a range of privacy laws and regulations, from GDPR to CCPA, the Australian Data Privacy Law, and the newest, LGPD (the Brazilian privacy law). Enterprises, which by nature are not limited to one jurisdiction, can find it challenging to create a global privacy management framework that complies with all of these different laws and regulations.
NIST Privacy Framework
The National Institute of Standards and Technology (U.S.) started developing the Privacy Framework in 2018 at the request of IT industry stakeholders such as IBM and of US Government entities. The goal was to create a risk-based privacy management framework that is flexible and outcome-focused, providing a toolset that lets an organization concentrate its effort on its own goals and achievements while building a security and privacy culture within the organization. The framework's key principle is accountability, which is one of the most common privacy principles.
During development, NIST's approach was to align the Privacy Framework with the NIST Cybersecurity Framework in structure and vocabulary, allowing cybersecurity and privacy professionals to work together.
The structure of the Privacy Framework
The framework consists of three major parts: the Core, Profiles, and Implementation Tiers. The Core is a set of privacy protection activities and outcomes that allows prioritized privacy protection activities and outcomes to be communicated across an organization, from the executive level to the implementation/operations level. The Core is further divided, for each Function, into key Categories and Subcategories, which are discrete outcomes.
A Profile represents an organization’s current privacy activities or desired outcomes. To develop a Profile, an organization can review all the outcomes and activities in the Core to determine which are most important to focus on based on business or mission drivers, data processing ecosystem role(s), types of data processing, and individuals’ privacy needs. An organization can create or add Functions, Categories, and Subcategories as needed. Profiles can be used to identify opportunities for improving privacy posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile (the “to be” state). Profiles can be used to conduct self-assessments and to communicate within an organization or between organizations about how privacy risks are being managed.
Implementation Tiers (“Tiers”) provide a point of reference on how an organization views privacy risk and whether it has sufficient processes and resources in place to manage that risk. Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. When selecting Tiers, an organization should consider its Target Profile(s) and how achievement may be supported or hampered by its current risk management practices, the degree of integration of privacy risk into its enterprise risk management portfolio, its data processing ecosystem relationships, and its workforce composition and training program.
The Core
Like the CSF Core, the Core consists of five Functions that an organization can use in its privacy management process.
Identify-P – Develop the organizational understanding to manage privacy risk for individuals arising from data processing.
Govern-P – Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities informed by privacy risk.
Control-P – Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
Communicate-P – Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.
Protect-P – Develop and implement appropriate data processing safeguards.
Profiles
Profiles are selections from the Functions, Categories, and Subcategories used to build a set of privacy requirements or to define the current and future (goal) state of privacy controls.
Privacy Risk Management
The framework defines the requirements for privacy risk management, provides guidelines on how to establish a risk management framework, and includes a risk model to support the risk assessment process. The privacy risk model uses the term “problematic data action”, defined as any action a system takes to process data that could result in a problem for individuals. Likelihood and impact are also evaluated in terms of the individual's privacy experience, not only the organization's exposure.
Using NIST Privacy Framework at Enterprise-level data initiatives
Typically, enterprises have implemented a clear governance structure in which each company function is responsible for a specific area (IT, Legal, Marketing, Production, etc.). The challenge is that privacy affects several of these areas at once and cannot be managed as a purely legal matter or in a silo.
The framework describes a simple implementation methodology called “Ready, Set, Go”. This methodology can be used to manage data initiatives at enterprises and to create a Privacy Management Program.
Ready phase
The organization can start by reviewing the requirements in the Identify-P and Govern-P Functions and building an “as is” Profile. These requirements aim to identify the business objectives, the organization's legal environment, its risk tolerance level, and the privacy concerns inherent in its procedures, products, or services. To perform a privacy risk assessment, the company must understand what data it collects, stores, and processes. The legal team can collect the regulatory requirements, while the product team can create the data flows and data mapping.
Set phase
NIST has created a toolset called the Privacy Risk Assessment Methodology (PRAM), which provides several worksheets to help the organization identify the elements of privacy risk. During the Set phase, the output of the Ready phase is analyzed and discussed among internal stakeholders to identify the data privacy risks. In the same phase the organization creates its Target Profile, the state it wants to reach from its Current Profile.
A comparison between the Current Profile and the Target Profile yields a clear list of actions the company needs to execute to achieve the Target Profile. Prioritizing those actions is the responsibility of management, so that they align with the business goals. Using the Cybersecurity Framework alongside the Privacy Framework, an integrated action plan can be created.
Go phase
When the action plan is approved and the appropriate resources are allocated, the organization executes the plan; this is the implementation phase. During implementation, the company can return to the Ready phase to continuously monitor and analyze its progress and status.
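The Current-versus-Target Profile comparison from the Set phase, with the gaps ranked by the problematic data actions they mitigate, as an added example that is not part of the original article or of NIST's own tooling. The outcome names, Tier values and PRAM-style scores are constructed placeholders; the Function names are the five from the Core above.

```python
from dataclasses import dataclass

# Constructed "as is" and "to be" Profiles keyed as Function/outcome. Values are
# Implementation Tiers as numbered by NIST (1 Partial .. 4 Adaptive); 0 = not started.
# The outcome names are illustrative placeholders, not the framework's Subcategory IDs.
CURRENT_PROFILE = {
    "Identify-P/data inventory": 1,
    "Identify-P/data flow mapping": 0,
    "Govern-P/regulatory requirements register": 2,
    "Control-P/retention and deletion": 0,
    "Communicate-P/privacy notice": 1,
    "Protect-P/access control": 3,
}
TARGET_PROFILE = {
    "Identify-P/data inventory": 3,
    "Identify-P/data flow mapping": 3,
    "Govern-P/regulatory requirements register": 3,
    "Control-P/retention and deletion": 3,
    "Communicate-P/privacy notice": 2,
    "Protect-P/access control": 3,
}

@dataclass(frozen=True)
class ProblematicDataAction:
    """A data action that could result in a problem for individuals."""
    outcome: str      # Profile outcome whose improvement mitigates it
    description: str
    likelihood: int   # 1 (rare) .. 5 (near certain)
    impact: int       # 1 (negligible) .. 5 (severe), judged for the individual

    def risk(self) -> int:
        return self.likelihood * self.impact

# Constructed output of a PRAM-style assessment; the scores are illustrative.
PDAS = [
    ProblematicDataAction("Identify-P/data flow mapping", "undocumented transfer to a vendor", 4, 4),
    ProblematicDataAction("Control-P/retention and deletion", "records kept past their purpose", 5, 3),
    ProblematicDataAction("Identify-P/data inventory", "unknown copies in analytics stores", 3, 3),
    ProblematicDataAction("Communicate-P/privacy notice", "notice omits a processing purpose", 2, 2),
]

def profile_gaps(current, target):
    """Outcomes whose Target Tier exceeds the Current Tier -> {outcome: (current, target)}."""
    return {o: (current.get(o, 0), t) for o, t in target.items() if t > current.get(o, 0)}

def action_plan(current, target, pdas):
    """Gaps as (outcome, current, target, risk), ordered by the highest risk each
    one mitigates and then by Tier distance, so management can prioritise them."""
    risk = {}
    for p in pdas:  # keep the worst PDA score per outcome
        risk[p.outcome] = max(risk.get(p.outcome, 0), p.risk())
    plan = [(o, c, t, risk.get(o, 0)) for o, (c, t) in profile_gaps(current, target).items()]
    return sorted(plan, key=lambda x: (-x[3], -(x[2] - x[1]), x[0]))
```

Outcomes already at their Target Tier (here, access control) drop out of the plan, and a gap with no associated problematic data action sorts last, which is exactly the kind of item management may defer.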
Summary
The NIST Privacy Framework provides a comprehensive but flexible framework for enterprises to create a common approach to privacy within the organization. It enables a company to manage privacy using a standardized methodology regardless of the entity's geographical location, legal environment, or regulatory requirements. With its standardized vocabulary and common approach, the framework can help enterprises establish and manage a global privacy management program. This in turn lets an enterprise better serve its customers, avoid compliance issues, and gain the trust of the public.