
NIST’s Privacy Framework: Step-by-Step Instructions for Building a Privacy Program


About the NIST Privacy Risk Management Framework.  NIST released the Privacy Risk Management Framework: an Enterprise Tool, v.1 on January 16, 2020.  Aperture Law Group’s Founder Jill DeGraff participated in early NIST workshops and began using preliminary drafts of the Framework with clients in May 2019.

The Framework establishes a step-wise sequence of activities organized around five core functions: Identify, Govern, Control, Communicate and Protect. Within each core function, the Framework describes specific tasks and workstreams (activities and sub-activities, respectively). For example, one activity under the “Identify” function is to inventory and map all systems, products and services involved in data processing. Its sub-activities include producing an inventory of all systems, products and services that process data, and producing an inventory of all owners and operators of those systems, products and services, together with their respective roles in data processing.

An organization that documents the activities described in the Framework can produce a deliverable Privacy Risk Management Plan. The Plan accomplishes three important steps for any company that wants to be “privacy forward”. First, it documents the factual predicates for establishing the organization’s unique system of privacy controls. Second, it includes a narrative description of those privacy controls. Third, it describes how the risks and vulnerabilities presented by the organization’s data processing activities are managed by those controls.

The Plan may be a snapshot in time, but it becomes an invaluable tool for preserving privacy as your business grows and as the legal and operating environment evolves. Team members may come and go, and your vendors may change, but your Plan remains a compass that orients you back to why you need the organizational policies, processes and standard operating procedures that give effect to it. It also provides an internal check on the commitments the organization makes in its published privacy notices and business contracts. With NIST’s Privacy Framework, health tech innovators have a more reliable and achievable path for developing their own “Privacy Style Guide”, helping them communicate and enforce their privacy commitments effectively, both internally and externally.

If you decide to implement the Privacy Risk Management Framework, consider preparing a comparable Security Risk Management Plan too, modeled after the NIST common security framework and NIST SP 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations. Aperture has experience implementing a combined Privacy and Security Risk Management Plan for health sector companies. Combined, the Privacy and Security Risk Management Plans become the organization’s Trust Framework. Maintaining an internal Trust Framework is increasingly important for companies across the healthcare ecosystem as the sector advances towards system interoperability and data liquidity.

About Aperture Law Group.  Founded in 2018, Aperture Law Group advises health care companies (seed- and growth-stage, middle market and Fortune 100) on contract development, risk management programs, independent assessment and legal compliance in the areas of privacy, cybersecurity, TCPA and technology contracting.  Aperture works with clients to develop pragmatic and programmatic-minded solutions, informed by the applicable requirements of HIPAA, ACA, HITECH, Cures Act, Privacy Act, FISMA, 42 CFR Part 2, CCPA, GDPR, TCPA and industry-recognized security and privacy frameworks (e.g. NIST, HITRUST, SOC 2).
