The NIST Privacy Framework 1.0 is a voluntary tool to help organizations manage privacy risks. It organizes privacy practices into Functions, Categories, and Subcategories for a structured approach.
- Functions: High-level activities to manage privacy risks.
  - Identify: Develop an understanding of privacy risks in data processing.
  - Govern: Establish governance for privacy policies and accountability.
  - Control: Implement controls to manage data and privacy risks.
  - Communicate: Foster clear communication about privacy practices.
  - Protect: Safeguard personal data through technical and procedural measures.
- Categories: Specific objectives within each Function to guide privacy efforts.
  - Identify-P:
    - Inventory and Mapping (ID.IM): Identify systems, assets, and data processing activities.
    - Business Environment (ID.BE): Align privacy with organizational mission and stakeholder needs.
    - Risk Assessment (ID.RA): Assess privacy risks to individuals from data processing.
    - Data Processing Ecosystem Risk Management (ID.DE): Manage risks in data sharing with third parties.
  - Govern-P:
    - Governance Policies, Processes, and Procedures (GV.PO): Develop privacy policies and assign roles.
    - Awareness and Training (GV.AT): Train the workforce on privacy practices and responsibilities.
    - Monitoring and Review (GV.MT): Monitor compliance with privacy regulations and policies.
  - Control-P:
    - Data Processing Policies, Processes, and Procedures (CT.PO): Establish processes to manage data processing risks.
    - Data Processing Management (CT.DM): Implement data minimization and purpose limitation.
  - Communicate-P:
    - Communication Policies, Processes, and Procedures (CM.PO): Develop processes for privacy communications.
    - Data Processing Awareness (CM.AW): Inform individuals about data use and their rights.
  - Protect-P:
    - Data Protection Policies, Processes, and Procedures (PR.PO): Establish policies for data protection.
    - Identity Management, Authentication, and Access Control (PR.AC): Limit data access to authorized users.
    - Data Security (PR.DS): Protect data with encryption and other safeguards.
    - Maintenance (PR.MA): Maintain systems that handle personal data securely.
- Subcategories: Specific, actionable outcomes within Categories, such as “Develop an inventory of personal data processing systems” (ID.IM) or “Use encryption to protect data confidentiality” (PR.DS). These guide detailed privacy practices.
Data Summary
- 5 Functions
- 18 Categories
- 100 Subcategories
Use Cases:
- Visualize quantitative composition of the Privacy Framework.
- Provide estimated level of effort insight for each Function.
- Drill down from Function to Category to Subcategory.