The privacy regulatory landscape now includes GDPR, CCPA/CPRA, recurring proposals for federal US legislation, sector-specific regimes like HIPAA, and a growing list of US state laws and equivalent regulations elsewhere. Organisations that build their privacy programme regulation by regulation end up with a patchwork that resets every time a new law lands. The NIST Privacy Framework was designed for exactly this problem: a voluntary, risk-based structure for building privacy capability that is deliberately law- and technology-agnostic, so that it absorbs specific regulations rather than being defined by them.
What the Framework Actually Provides
The NIST Privacy Framework is structured similarly to the NIST Cybersecurity Framework. It has a Core of five Functions (Identify-P, Govern-P, Control-P, Communicate-P, Protect-P), each broken into Categories and Subcategories that describe specific privacy outcomes. It includes Profiles (a Current Profile and a Target Profile) for assessing where the organisation stands and planning where it needs to go, and four Implementation Tiers (Partial, Risk Informed, Repeatable, Adaptive) that characterise how rigorous and integrated the organisation's privacy risk management practices are. NIST is explicit that the Tiers are not maturity levels; they describe the risk management approach the organisation has chosen, not a score to be climbed.
How It Differs From the Cybersecurity Framework
Cybersecurity risk and privacy risk overlap but are not the same. The CSF focuses on protecting systems and data from unauthorised disclosure, modification, and destruction. The Privacy Framework adds focus on the privacy implications of authorised processing — even when no breach occurs, there are privacy risks that arise from how data is collected, used, retained, and shared. The framework explicitly addresses these "problematic data action" risks alongside the security-focused ones.
The Five Core Functions
- Identify-P — develop the organisational understanding needed to manage privacy risk to individuals arising from data processing
- Govern-P — develop and implement the organisational governance structure that keeps risk management priorities informed by privacy risk
- Control-P — develop and implement appropriate activities that let organisations or individuals manage data with enough granularity to manage privacy risk
- Communicate-P — develop and implement appropriate activities that give organisations and individuals a reliable understanding of, and a way to engage in dialogue about, how data are processed and the associated privacy risks
- Protect-P — develop and implement appropriate data processing safeguards
A useful mental model: the Privacy Framework Core Functions cover both the privacy management discipline (Identify-P, Govern-P) and the privacy controls themselves (Control-P, Communicate-P, Protect-P). The first two answer "how do we run a privacy programme?" The last three answer "what do we actually do to address privacy risk?" Both halves matter; programmes that focus only on controls without governance produce uncoordinated work. One practical caveat: Protect-P is the Function that overlaps with the Cybersecurity Framework, since it addresses privacy events that arise from security incidents, so an organisation already running the CSF Protect function should reuse that work rather than build a parallel set of safeguards.
Profiles: Current and Target State
A Profile is a customised view of the framework reflecting the privacy outcomes an organisation has selected based on its specific business needs, applicable laws, and risk tolerance. The Current Profile describes where the organisation is today; the Target Profile describes where it needs to be. The gap between them is the privacy roadmap. This structure is genuinely useful for executive communication: boards understand "we are at Tier 2 overall, and we will close the Target Profile gaps in these specific high-risk processing areas over 24 months" much better than they understand individual control deficiencies. Keep the two instruments distinct when reporting, though: Tiers characterise the organisation's risk management approach as a whole, while per-Category and per-Subcategory progress is tracked through the Profiles.
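The Current-versus-Target comparison above is mechanical enough to script. The following Python is an added example, not code from NIST or from the original page: it encodes each Profile as a map from Subcategory ID to an outcome status, validates the IDs against the Core's Function.Category-Pn naming pattern, computes the gap per selected outcome, and ranks the resulting roadmap by a per-Subcategory risk weight. The ratings and risk weights are constructed for illustration; the Subcategory IDs follow the Core's format but should be checked against the published Core before reuse.

```python
"""Profile gap analysis over NIST Privacy Framework Subcategory IDs.

Constructed example: the Current/Target ratings and risk weights below are
made up for illustration. Subcategory IDs follow the Core's
Function.Category-Pn pattern (e.g. ID.IM-P1) but are not verified here
against the published Core.
"""
import re
from collections import defaultdict

# The five Function identifiers used in Privacy Framework Core IDs.
FUNCTIONS = {"ID": "Identify-P", "GV": "Govern-P", "CT": "Control-P",
             "CM": "Communicate-P", "PR": "Protect-P"}
SUBCAT_ID = re.compile(r"^(ID|GV|CT|CM|PR)\.[A-Z]{2}-P\d+$")

# Outcome status per Subcategory, ordered so that a gap is a simple difference.
STATUS = {"not_implemented": 0, "partial": 1, "implemented": 2}


def validate_profile(profile):
    """Return a list of malformed IDs or unknown statuses (empty if clean)."""
    bad = [k for k in profile if not SUBCAT_ID.match(k)]
    bad += [f"{k}={v}" for k, v in profile.items() if v not in STATUS]
    return bad


def gap_analysis(current, target, risk_weight=None):
    """Compare a Current Profile against a Target Profile.

    Returns (gaps, unselected). Subcategories missing from Current are
    treated as not_implemented. Subcategories present in Current but not
    selected in Target are returned separately so a reviewer can confirm
    they were deliberately scoped out rather than forgotten.
    """
    risk_weight = risk_weight or {}
    errors = validate_profile(current) + validate_profile(target)
    if errors:
        raise ValueError("invalid profile entries: " + ", ".join(errors))
    gaps = []
    for sub, want in sorted(target.items()):
        have = current.get(sub, "not_implemented")
        delta = STATUS[want] - STATUS[have]
        if delta > 0:
            gaps.append({"id": sub, "function": FUNCTIONS[sub[:2]],
                         "current": have, "target": want, "gap": delta,
                         "priority": delta * risk_weight.get(sub, 1)})
    # Highest weighted gap first; ID order breaks ties deterministically.
    gaps.sort(key=lambda g: (-g["priority"], g["id"]))
    unselected = sorted(set(current) - set(target))
    return gaps, unselected


def summarise_by_function(gaps):
    """Roll the roadmap up to Function level for executive reporting."""
    summary = defaultdict(lambda: {"open": 0, "priority": 0})
    for g in gaps:
        summary[g["function"]]["open"] += 1
        summary[g["function"]]["priority"] += g["priority"]
    return dict(summary)


# Constructed sample profiles (illustrative ratings, not a real assessment).
CURRENT_PROFILE = {
    "ID.IM-P1": "implemented", "ID.IM-P3": "partial",
    "GV.PO-P1": "implemented", "CT.DM-P1": "not_implemented",
    "CM.AW-P1": "partial", "PR.DS-P1": "implemented",
    "PR.AC-P1": "partial",
}
TARGET_PROFILE = {
    "ID.IM-P1": "implemented", "ID.IM-P3": "implemented",
    "GV.PO-P1": "implemented", "CT.DM-P1": "implemented",
    "CT.DM-P2": "partial", "CM.AW-P1": "implemented",
    "PR.DS-P1": "implemented",
}
# Constructed weights: outcomes tied to high-risk processing count more.
RISK_WEIGHT = {"CT.DM-P1": 3, "CT.DM-P2": 3, "ID.IM-P3": 2}

if __name__ == "__main__":
    roadmap, dropped = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, RISK_WEIGHT)
    for g in roadmap:
        print(f"{g['id']:10} {g['function']:14} {g['current']} -> {g['target']}"
              f"  priority={g['priority']}")
    print("in Current but not selected in Target:", dropped)
    print(summarise_by_function(roadmap))
```

The "unselected" list is the check worth keeping: an outcome that was rated in the Current Profile but silently left out of the Target Profile is either a deliberate scoping decision or a mistake, and the roadmap should not hide which.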
How It Maps to Specific Regulations
NIST hosts crosswalks between the Privacy Framework and specific regulations and standards, some written by NIST and others contributed by third parties, covering GDPR, CCPA, ISO 27701, the FTC Act, HIPAA, and others. Implementing the framework typically addresses a substantial proportion of any given regulation's requirements. The remaining regulation-specific work (specific disclosure language, specific timelines, regulator-specific reporting) is much smaller when the underlying framework is in place. This is the structural backbone that makes incremental regulatory addition manageable. Treat a contributed crosswalk as a starting point rather than a legal determination: confirm each mapped requirement against the regulation's text before relying on it.
When the Framework Is the Right Choice
For organisations subject to multiple privacy regimes, building a privacy programme on the NIST Privacy Framework reduces the per-regulation overhead substantially. For US organisations expecting more state and possibly federal privacy legislation, it provides a structure that absorbs new law rather than requiring rebuild. For organisations whose security programme is already aligned with the NIST CSF, the privacy framework integrates naturally. The framework is voluntary — but voluntary adoption pays back in proportion to how many regulations the organisation has to satisfy.