Examining the How of NIST Privacy

Last time I discussed why you should consider using the NIST Privacy Framework as both a foundation and a methodology for data protection and privacy risk management.

In this article, I’d like to explain how it works in practice.

Here we bring together facts and information from disparate and sometimes rather technical documents. When I began my research into the NIST Privacy framework, I saw it described as both “easily digestible” and containing “business-friendly language”. I was therefore somewhat worried that the last few months of mostly indoor living had turned my brain to mush. 

This is not how I would describe this framework document. 

I even copied and pasted just the Executive Summary into a rather fun website called Readable to check its ‘Flesch Reading Ease’. Higher scores indicate better readability, and one should aim in one’s writing for a score above 60, which is classed as ‘Good’.

The score for the Executive Summary of the NIST Privacy Framework:

35!

And you know what? I feel better now.

So, after much more research, here’s (what I hope is) a readable explanation:

In a similar way to their Cybersecurity Framework, the NIST Privacy Framework is made up of three foundational components:

  • CORE
  • PROFILES
  • IMPLEMENTATION TIERS

CORE


Core is very much an information gathering stage.

It asks that you consider data processing and privacy from the minutiae of technical data flow all the way up to the business strategy and values. It includes:

  • Finding out what data you gather and process; why and how you do it.
  • What the risks are to the individual data subjects and the organization.
  • How you are protecting it and what you do if something goes wrong.
  • What legal and compliance obligations there are.
  • How you make sure everyone is aware of their responsibilities.
  • How you monitor and audit everything you’ve considered.
  • …and much, much more.

Core consists of 5 ‘functions’, which are broad topics. Each contains categories and subcategories, which are increasingly granular points of consideration. They are not technical in themselves and are not supposed to be ‘tasks’ as such. Considering them may lead to a technical solution, or to the creation of documentation or processes. You may create your own sub-subcategories and tasks, or you may decide that they are not relevant to your situation.

The functions (which end in ‘-P’ to signify Privacy, obviously) are:

  • Identify-P: Inventorying data, mapping data flow and considering risk to individuals’ privacy; also considering the responsibilities of 3rd party processing.
  • Govern-P: Considering risk and regulatory requirements, privacy values and policies on an organizational level. Defining how privacy fits into the business and risk management strategies.
  • Control-P: Defining the activities of the organization and individuals to manage data and privacy risks in line with the governance structure.
  • Communicate-P: Enabling the organization and individuals to understand their roles and responsibilities in data processing and privacy risk management.
  • Protect-P: Implementing data processing safeguards. This has crossover with the Cybersecurity Framework and deals with preventing and reacting to privacy-related cybersecurity incidents.

Within those 5 functions there are 13 categories and 99 subcategories. Let’s look at a couple of the less wordy examples as it will make things much clearer: 

Protect-P (PR-P): Develop and implement appropriate data processing safeguards.

Maintenance (PR.MA-P): System maintenance and repairs are performed consistent with policies, processes and procedures.

  • PR.MA-P1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools.
  • PR.MA-P2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.

Identify-P (ID-P): Develop the organizational understanding to manage privacy risk for individuals arising from data processing.

Inventory and Mapping (ID.IM-P): Data processing by systems, products, or services is understood and informs the management of privacy risk.

  • ID.IM-P1: Systems/products/services that process data are inventoried.
  • ID.IM-P2: Owners or operators (e.g., the organization or third parties such as service providers, partners, customers, and developers) and their roles with respect to the systems/products/services and components (e.g., internal or external) that process data are inventoried.

You can see that it does get granular to a point, then hands it to you to interpret for your own situation.


PROFILES


On completing the Core section, you move onto Profiles.

With the information you have from the Core exercise, you can see your organization’s current privacy stance, or profile. You can use the same Core framework to define a future, desired profile based on a set of defined outcomes.

You can prioritize the work required by using a privacy risk management approach which is also discussed briefly in Appendix D of the framework document.

You can also create profiles that you would expect 3rd party providers to adhere to. Why not insist that they take privacy as seriously as you?

IMPLEMENTATION TIERS


Finally, we have the Implementation Tiers.

These define the degree to which your organization prioritizes, both now and in the future, the outcomes defined in the Profiles.

They go from Partial (Tier 1) to Adaptive (Tier 4).

Partial means there is limited understanding of risk and risk management, which is managed in an ad hoc manner.

Adaptive means there is a cross-organizational approach to and understanding of risk, with continuous improvement built in.

The other two are steps in between.

The idea is that if you’re on Tier 1, you’ll probably want to move to Tier 2 – Risk informed. However, your risk management, budget and willingness to progress will dictate how or if you move through the other tiers. It might even be that you are at different tiers for different parts of your desired Profile, and that’s fine as a way of prioritizing your progression.


CLOSING


With all three elements in place you know where you are, where you want to be and how you are going to prioritize getting there. The very nature of this framework demands top-down organizational buy-in from the start, because the approach must align with and even redefine the business strategy and values. 

That’s sometimes the hard sell to those at C-Level. Being able to hang future compliance off it makes it very inviting; so does being able to boast about it to clients and customers who trust you with their data.

Get moving quickly with NIST Privacy by calling the experts at TBG Security. They can help with all aspects of implementing the framework, and with their CISO on demand service, getting a voice at strategy level need not be a problem.
