NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management (Preliminary Draft)

The National Institute of Standards and Technology (NIST), working in collaboration with private and public stakeholders, has developed this voluntary NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Privacy Framework). The Privacy Framework can drive better privacy engineering and help organizations protect individuals’ privacy by: building customer trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole; fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment; and facilitating communication about privacy practices with customers, assessors, and regulators.

The Privacy Framework follows the structure of the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) to facilitate the use of both frameworks together. Like the Cybersecurity Framework, the Privacy Framework is composed of three parts: the Core, Profiles, and Implementation Tiers. Each component reinforces privacy risk management through the connection between business and mission drivers and privacy protection activities.