Getting ready for the NIST Privacy Framework: 5 top tips

Earlier this year, NIST released the Privacy Framework, the latest in a series of guidelines that are designed to help organizations better protect their sensitive information.

The Privacy Framework is structured similarly to the NIST CSF (Cybersecurity Framework), but it focuses on the identification and management of privacy risks.

Organizations that have already implemented the CSF will therefore have a head start when it comes to the Privacy Framework – particularly as the CSF already touches on data privacy.

However, the new guideline is much more in-depth, and worth following if you’re serious about securing your organization, keeping stakeholders satisfied, and meeting data protection and privacy laws such as the CCPA (California Consumer Privacy Act) and the EU GDPR (General Data Protection Regulation).

Here are five tips to help you get started with the NIST Privacy Framework.

1. Get buy-in from management

Effective information security begins at the top and filters down through your organization, so you should seek management approval before you begin.

You might be wary of doing this for fear that your plan will be shot down by a budget-conscious board, but you could be surprised. Senior staff are more aware than ever of the importance of data protection and privacy, so they may well be willing to listen to your suggestions.

This will be particularly true if you can highlight the business reasons for adopting the Privacy Framework. For example, better data privacy means it’s more likely that customers will trust you and continue to work with you.

Likewise, adopting the framework’s practices will help you prevent security incidents, mitigating the risk of fines, lawsuits, and reputational damage.

2. Set objectives

Your first task after receiving the go-ahead for your implementation project is to work out what you want to achieve.

The business benefits you gave to your board are a good starting point, but now is the time to focus on specific, achievable goals. These might include raising awareness of data privacy among staff by getting them to take a training course.

You should also ask the board what their biggest data privacy concerns are and set objectives around those.

3. Communicate throughout the process

The key to a successful implementation project is to make sure everyone in the organization knows what’s going on.

Effective communication achieves two things. First, it keeps those involved in the project informed of how work is progressing. Everyone in the team must be accountable for their actions, and that is only possible if each person understands what they are responsible for at any given time.

Second, communication helps you explain to the rest of your staff what you’re trying to achieve. Staff will find it unsettling to receive vague or unsatisfactory answers when they ask what’s going on.

This isn’t the time to be evasive. Staff are less likely to co-operate if they don’t understand why they’re being asked to do certain things.

That’s why one of the most important things you can do when implementing the Privacy Framework is to tell staff that you’re adopting its guidance and explain the kinds of activities you’ll be performing.

4. Identify quick wins

The NIST Privacy Framework can take a few months to implement, during which time it can be hard to see how much progress you’re making.

As such, it’s a good idea to set yourself a few simple tasks that can be completed quickly. This might include steps such as reviewing your privacy policy and identifying areas for improvement, or identifying the locations where you store sensitive personal data.

5. Think long term

A short-term strategy is great for boosting morale and starting the project on the right foot, but you can’t implement the framework thinking one task at a time.

Your quick goals need to come together as part of a long-term plan, because many of the practices outlined in the Privacy Framework are complex, entwined processes that require planning.

How to get started

Organizations that are trying to get to grips with the NIST Privacy Framework will benefit from using the Cybersecurity Framework as a basis.

Privacy and cybersecurity naturally go hand in hand, and it’s hard to establish effective data privacy without first protecting your assets. You can see that with ISO 27701, the new data privacy standard that builds upon ISO 27001.

As with those standards, we suggest approaching the Privacy Framework as an extension of the Cybersecurity Framework.

You can find out how to get started with our free green paper: NIST Cybersecurity Framework and ISO 27001.

This guide explains:

  • How the NIST Cybersecurity Framework and ISO 27001 can work in conjunction with each other
  • How the frameworks can help your organization
  • How ISO 27001 can deliver the most effective ISMS (information security management system) and can help you comply with the NIST Cybersecurity Framework