NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management

To help organizations build innovative products and services that use personal data while still protecting people’s privacy, NIST is offering a new tool for managing privacy risk. Developed in collaboration with a range of stakeholders, the framework provides a set of privacy protection strategies for organizations that wish to improve their approach to using and protecting personal data. The publication also clarifies privacy risk management concepts and the relationship between the Privacy Framework and NIST’s Cybersecurity Framework. The NIST Privacy Framework is not a law or regulation, but rather a voluntary tool that can help organizations manage privacy risk arising from their products and services, as well as demonstrate compliance with laws that may affect them.

The Privacy Framework centers on three sections: the Core, which offers a set of privacy protection activities; the Profiles, which help determine which of the activities in the Core an organization should pursue to reach its goals most effectively; and the Implementation Tiers, which help optimize the resources dedicated to managing privacy risk.

