5 minute read 1 Jun 2020

How the NIST Privacy Framework can help you better manage risk

By Tony DeBos

EY Global & EMEIA Data Protection and Privacy Leader; EY EMEIA Financial Services ServiceNow Alliance Leader

Strong sense of team orientation and innovative vision. Entrepreneur and forward-thinker. Team builder. Sports lover. Husband and father of three.


This important guidance supports enterprises to embed privacy management in every aspect of their operations, including cybersecurity.

Privacy is a critically important consideration for organizations today. They process huge volumes of personal data while complying with a complex patchwork of regulations and responding to customers' changing expectations about how their information is used. The COVID-19 pandemic has brought the scale of the privacy challenge into even sharper focus: it has made enterprises across the globe more exposed to cyberattacks, and any breach of personal data is a privacy failure as well as a security one.

The best way that organizations can navigate this demanding environment is to take a robust, holistic and risk-based approach to the management of privacy risk. This involves the adoption of concrete steps to effectively operationalize privacy management within the organization – something that is easier said than done.

Fortunately, two leading standard setters have recognized the need for frameworks that help organizations manage privacy risk as part of their overall enterprise risk management. ISO and IEC have published ISO/IEC 27701, which extends ISO/IEC 27001 and ISO/IEC 27002 with requirements and guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS). The US National Institute of Standards and Technology (NIST) has published its own framework, the NIST Privacy Framework (Version 1.0, released in January 2020).

Introducing the NIST Privacy Framework

The NIST Privacy Framework provides a common language for understanding, managing and communicating privacy risk through business and mission drivers, organizational roles and responsibilities, and privacy protection activities. Organizations can use it to identify and prioritize actions, while aligning policy, business and technological approaches to managing privacy risk across the data lifecycle. 

Given the central role played by data and systems within organizational life, privacy risk cannot be addressed in isolation. It has to be considered within the context of an organization's broader risk management and cybersecurity strategies. In recognition of this, the NIST Privacy Framework is structured to align with the NIST Cybersecurity Framework and is designed to be used in tandem with it: cybersecurity-related privacy events, such as a breach of personal data, sit in the overlap between the two, while privacy risks that arise from authorized processing of data (for example, collecting or sharing more than is needed) are the Privacy Framework's own territory. Effective risk mitigation requires an organization to embed privacy management in every aspect of its operations, including its engineering processes. New apps, systems, products and services must be designed from the outset to build in trust and protect the privacy of individuals.

Tailored approach

Every organization is currently at a different point on the privacy management journey and every organization has a different ambition for where it wants to end up. So, the Privacy Framework recognizes that there is no such thing as a one-size-fits-all approach to privacy management. Instead, its risk and outcome-based approach means that it can be tailored to fit the specific context of individual organizations.

The Privacy Framework is composed of three elements:

  • The Core provides a granular set of activities and outcomes that enable organizational dialogue about the management of privacy risk. These are divided into five Functions, each suffixed "-P" to distinguish them from the Cybersecurity Framework's Functions: Identify-P, Govern-P, Control-P, Communicate-P and Protect-P. Each Function is broken down into Categories and, below those, Subcategories that describe specific outcomes.
  • Profiles are a selection of Functions, Categories and Subcategories from the Core that the organization has prioritized to manage its privacy risk. A Current Profile records the outcomes the organization achieves today; a Target Profile records the outcomes it wants to achieve. Comparing the two reveals the gaps to close, and Profiles can be used to improve privacy posture, conduct self-assessments and communicate how risks are being managed.
  • Implementation Tiers help the organization decide and communicate whether its processes and resources are sufficient to manage privacy risk and reach its Target Profile. The four Tiers (Partial, Risk Informed, Repeatable and Adaptive) describe increasing rigor in privacy risk management. They are not maturity levels: an organization should select the Tier that matches its risk tolerance, legal obligations and resources rather than assume the highest Tier is always the goal.

To make effective use of the framework, an organization needs to assess both its Current Profile and the Target Profile it wants to achieve. Then it can define which measures – such as technological solutions or tighter controls – will close the gap between the two in line with its risk appetite. For example, financial services companies, which hold a lot of sensitive customer information and operate in a highly regulated environment, are likely to have much lower appetites for privacy risk than enterprises in less regulated sectors. Another important consideration is whether the organization can use the Privacy Framework as a basis for strengthening its competitive position. A consumer goods company, for instance, might make privacy a key distinguisher in its brand marketing.

Technological trends

The NIST Privacy Framework is not a rigid checklist of actions for organizations to tick off. It has been designed to evolve alongside organizations and to keep up with important technological trends, such as artificial intelligence and the Internet of Things. Because it describes outcomes rather than prescribing specific controls, it can help organizations balance making optimal use of their data with safeguarding the privacy of their customers and partners, and the same outcomes remain meaningful as the underlying technology changes. It is this built-in flexibility that allows the framework to stay relevant as new technologies and their privacy implications emerge.

We live in an era of widespread uncertainty and sweeping technological advances, in which privacy is already a first-order concern and will only grow in importance. Organizations that are already using the NIST Cybersecurity Framework will find that the Privacy Framework gives them a good opportunity to improve privacy as part of their cybersecurity practice, since the two share a structure and a vocabulary. Nevertheless, all organizations should be thinking about how they can take advantage of the NIST Privacy Framework to improve their privacy management. The way the world is going, doing nothing is not an option.


The complex challenges we face today make privacy more important than ever. The NIST Privacy Framework is a set of flexible, practical guidelines for organizations looking to better manage privacy risk across operations and the data lifecycle. This article explains the key elements of the framework, how organizations can tailor it to their unique circumstances and the impact of future technological trends. It also highlights that privacy risk should not be addressed in isolation, but as part of an organization’s broader risk management and cybersecurity strategies.
