
Demystifying NIST Privacy Framework: Building Innovative Privacy Solutions

Recap on NIST

The National Institute of Standards and Technology (NIST) promotes innovation and industrial competitiveness in the United States. It advances measurement science, standards, and technology to enhance economic security. NIST has published several cybersecurity frameworks that businesses use to improve their network security, and it has recently released a privacy framework to help businesses and organizations create and/or improve their privacy programs.

What is the NIST Privacy Framework?

The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders to help organizations identify and manage privacy risks. By identifying and managing these risks, organizations can create and/or improve their privacy programs. As a result, companies will build innovative products and services while ensuring an individual’s privacy.

This will help build trust in your products and services and inform clients about your privacy practices, all while meeting your cybersecurity compliance responsibilities. Good cybersecurity may be enough to keep your organization secure; however, merely meeting cybersecurity laws will not address all of your business’s privacy risks.

“The Privacy Framework can be a market differentiator for the organization to be able to grow their business.”

Mary N. Chaney | Director of Information Security and Privacy at Esperion Therapeutics, Inc.

Privacy is a growing concern among businesses and their consumers, so having a privacy program will give you an advantage over your competitors – especially in the long run. You can get started on the NIST Privacy Framework by following the simple model provided by NIST. This model has three phases – “Ready, Set, and Go” – that will guide your business in the five main privacy risk management areas: Identify, Govern, Control, Communicate, and Protect.

Ready: Prepare Your Privacy Framework

For an effective privacy framework, your organization will need to have a strong foundation which will allow you to identify and manage privacy risks.


First, you must identify the data your organization is collecting, using, and storing. Map out the data’s full lifecycle – from collection to disposal – to see where it flows through your systems. Having a general picture of where your data goes throughout your systems will help you understand your privacy risks.

You will also need to identify and assess how your data processing activities might cause problems for individuals. To find out how this could happen, conduct a privacy risk assessment using your data map. Then assess the impact these problems would have on your organization – such as decreased consumer trust or reputational damage.

Finally, review the terms in your products’ and services’ contracts to determine whether they reflect your privacy priorities. Ensure that all the data and contracts in your organization match your privacy goals.


Next, you will want to ensure your company culture reflects the privacy values you want to focus on. Do you want your privacy program to prioritize autonomy? Anonymity? Dignity? Data control? To earn trust in your products and services, connect your privacy values and policies with your privacy risk assessment.

Furthermore, to build products and services that meet compliance, you must know the privacy-related laws and regulations. Ensure you and your employees are well-educated, so that the people in your organization will make better decisions on incorporating privacy features into the product and services’ design.

Lastly, ensure your organization regularly reassesses its privacy risks. This checks whether the privacy risks have changed so that you can update the privacy features in your products and services. It will also help you determine whether you need to change your data processing or update your privacy practices because of new legal obligations.

Set: Focus on Privacy Policies and Technicalities

After building a strong foundation, your organization should focus on creating and implementing privacy policies in your systems, products, and services.


Determine whether you are collecting, sharing, or keeping data that is not needed. How will your privacy policies maintain control over the data? You also need to know how those policies will affect your partners and clients.

While building the functionality of your product or service, you must effectively incorporate your privacy features and consider your legal obligations. The best approach is a flexible design that allows you to adapt cost-effectively to shifting customer privacy preferences and to navigate an increasingly dynamic legal environment.

Finally, you can control how closely the data you collect is associated with individuals. By disassociating the data from individuals, you gain greater privacy protection. Find out how you can still get the measurements you need from the data you collect while disassociating it through de-identification or decentralized data processing.


Communicating your privacy results is necessary to show what your organization is doing to protect the data it holds. However, to communicate effectively, you must create policies and rules for communicating about data processing activities. These rules can (and should) differ for internal and external communication. Provide clear and accessible privacy notices to ensure transparency and customer understanding; these notices inform individuals about your business’s data processing activities and the choices available to them.

If you conduct surveys or focus groups, ask about your customers’ privacy preferences. This also increases transparency and ensures your consumers are fully aware of their privacy rights. Communication is critical – with both your partners and your customers – so make sure you ask about and clarify their privacy preferences.

Finally, prepare an action plan in case of a data breach. How will you respond? How will you provide notifications to the affected individuals? Do you have a plan to mitigate the damages caused by the data breach? Consider all the potential effects and create a plan to combat those risks.


The last area to address is protecting your data and information. As with most security controls, this includes controlling who can access your network and devices. Therefore, you must maintain safe and secure cybersecurity practices to protect, encrypt, and back up the data. Update your security software regularly so that your security controls always operate at their highest potential.

Go: Where You Want Your Privacy At

Now your privacy framework is ready to improve your current privacy program. Identify and prioritize your privacy program’s target outcomes, then create an action plan and implement your privacy program. Get started with your privacy roadmap to grow your privacy program and execute your plan.

“If you need to establish a privacy program, the NIST Privacy Framework is a perfect place to start.”

Jeewon Serrato | Partner at BakerHostetler

You are already on your way to growing your organization’s privacy network. Clients and consumers will soon have more trust in your product or service, and you can now communicate more effectively about privacy with your partners and clients. Finally, you will still meet all your compliance requirements, keeping your organization safe and secure!


Building trust with your clients and consumers is crucial to building out your business. Using the Privacy by Design framework, organizations must embed privacy into the design and operation of IT systems, networked infrastructure, and business practices. Compliance with data protection and privacy regulations is a challenging task for companies with complex IT landscapes, and it requires considerable manual effort to keep data permissions and retention in line with data protection and privacy requirements. Cyberator’s Privacy Modeling tool can be used to:

  • Design privacy into products and services
  • Find laws applicable to using personal information and data
  • Guide users through complex privacy laws
