NIST Releases A Blueprint For Achieving Compliance With Data Privacy Laws

NIST Releases a Blueprint for Achieving Compliance With Data Privacy Laws

The California Consumer Privacy Act (CCPA) has been in effect for just over a month, and with updates already in the works, it is already facing pushback. Many companies are finding it difficult to craft a universally-compliant data privacy policy, especially because there are very few examples of data privacy policies that are flexible enough for 2020’s complex legal landscape.

The National Institute of Standards and Technology (NIST), a branch of the US Department of Commerce, has taken steps to address that paradox. Version 1.0 of the NIST Privacy Framework, which was released on January 16, offers new strategies for compliance with data protection laws, including the New York SHIELD act, the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

The privacy framework is broken down into three sections: Core, Profiles, and Implementation Tiers. Following is a brief overview:


The purpose of the Core is to form clear priorities for data privacy which can be easily conveyed between all levels of a business, “from the executive level to the operations level.” The Core is further divided into Functions, Categories, and Subcategories.

  • Functions: These are high-level labels used to classify privacy-related activities. The foundation of data privacy law mandates that an organization know what personally identifiable information (PII) it has and what it does with that data. Functions are designed to be dynamic labels without a prescribed goal. Each function is divided into categories and then further divided into subcategories. Categories describe privacy outcomes, while Subcategories describe the specific desired outcomes of technical and management activities as they relate to their parent Categories. There are five types of functions:
  • Identify: This function helps an organization understand how data is processed by inventorying data processing, identifying privacy stakeholders, and forming risk assessments.
  • Govern: This is a directive for organizations to establish organizational privacy values and policies, assess legal requirements in relation to data privacy, and prioritize compliance goals.
  • Control: This function mandates that individual owners of PII and organizations have granular control over data processing.
  • Communicate: Good cybersecurity and data privacy hygiene means that everyone in an organization is trained and involved. This function emphasizes that ideal. All employees and owners of PII should know the mission outlined in the Core.
  • Protect: This is a directive to create and implement safeguards against risks to data privacy, such as cybersecurity-related breaches.


Profiles are composed of Functions and their related Categories and Subcategories. Profiles either describe the current state of a privacy-related activity – a Current Profile – or the desired state of a privacy-related activity – a Target Profile.

For example, a company attempting to implement CCPA would describe its lack of a central consumer database as a Current Profile. All five functions would likely be included in that Profile. Such a company would need to “Identify” what information it collects, use the “Govern” function to assess compliance obligations, and so on.

The related Target Profile would also include all five functions but would reflect the desired state. The “Control” function, for example, would outline the specific details of an organization’s desired data privacy management practices. Profiles should all be aligned with the mission outlined in the Core.

Implementation Tiers

Implementation Tiers allow organizations to decide which privacy risks make sense to address and to track progress. Summarizing the tiers here would be irresponsible, given their breadth and depth, so interested parties should read the framework to explore further. However, as a brief introduction, there are four distinct Tiers:

  • Partial (Tier 1)
  • Risk-Informed (Tier 2)
  • Repeatable (Tier 3)
  • Adaptive (Tier 4)

Different organizations have different levels of risk and resources, so progression through the tiers does not necessarily make sense for all organizations. According to the framework:

Progression to higher Tiers is appropriate when an organization’s processes or resources at its current Tier may be insufficient to help it manage its privacy risks. Successful implementation of the Privacy Framework is based upon achieving the outcomes described in an organization’s Target Profile(s) and not upon Tier determination.

A Strategy, Not a Checklist

The privacy framework is modeled after the NIST’s Cybersecurity Framework, a guide that the NIST released in 2014 to help companies navigate cyber risk. As with the Cybersecurity Framework, the Privacy Framework was designed with input from key stakeholders, including companies and individuals in the public and private sectors. The Privacy Framework is meant to be used in tandem with the Cybersecurity Framework to maximize defense.

Working within the voluntary framework will allow companies to fulfill current privacy risk management obligations and plan for future expectations. It’s adaptable and flexible and provides an organizational method for meeting the standards set by current and future data privacy laws, but the Privacy Framework is not a checklist designed to help companies build a perfect data privacy policy. For more information, visit the National Institute of Standards and Technology to view the Privacy Framework.



Leave a Reply

Back To Top