NIST Privacy Framework Implementation Tiers

A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0

The table below describes each Implementation Tier across four columns: Privacy Risk Management Process, Integrated Privacy Risk Management Program, Data Processing Ecosystem Relationships, and Workforce.

Tier 1: Partial

Privacy Risk Management Process: Organisational privacy risk management practices are not formalised, and risk is managed in an ad hoc and sometimes reactive manner. Prioritisation of privacy activities may not be directly informed by organisational risk management priorities, privacy risk assessments, or mission or business objectives.

Integrated Privacy Risk Management Program: There is limited awareness of privacy risk at the organisational level. The organisation implements privacy risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organisation may not have processes that enable the sharing of information about data processing and resulting privacy risks within the organisation.

Data Processing Ecosystem Relationships: There is limited understanding of an organisation’s role(s) in the larger ecosystem with respect to other entities (e.g., buyers, suppliers, service providers, business associates, partners). The organisation does not have processes for identifying how privacy risks may proliferate throughout the ecosystem or for communicating privacy risks or requirements to other entities in the ecosystem.

Workforce: Some personnel may have a limited understanding of privacy risks or privacy risk management processes, but have no specific privacy responsibilities. If available, privacy training is ad hoc and the content is not kept current with best practices.

Tier 2: Risk Informed

Privacy Risk Management Process: Risk management practices are approved by management but may not be established as organisation-wide policy. Prioritisation of privacy activities is directly informed by organisational risk management priorities, privacy risk assessments, or mission or business objectives.

Integrated Privacy Risk Management Program: There is an awareness of privacy risk at the organisational level, but an organisation-wide approach to managing privacy risk has not been established. Information about data processing and resulting privacy risks is shared within the organisation on an informal basis. Consideration of privacy in organisational objectives and programs may occur at some but not all levels of the organisation. Privacy risk assessment occurs, but is not typically repeatable or reoccurring.

Data Processing Ecosystem Relationships: There is some understanding of an organisation’s role(s) in the larger ecosystem with respect to other entities (e.g., buyers, suppliers, service providers, business associates, partners). The organisation is aware of the privacy ecosystem risks associated with the products and services it provides and uses, but does not act consistently or formally upon those risks.

Workforce: There are personnel with specific privacy responsibilities, but they may have non-privacy responsibilities as well. Privacy training is conducted regularly for privacy personnel, although there is no consistent process for updates on best practices.

Tier 3: Repeatable

Privacy Risk Management Process: The organisation’s risk management practices are formally approved and expressed as policy. Organisational privacy practices are regularly updated based on the application of risk management processes to changes in mission or business objectives and a changing risk, policy, and technology landscape.

Integrated Privacy Risk Management Program: There is an organisation-wide approach to manage privacy risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. The organisation consistently and accurately monitors privacy risk. Senior privacy and non-privacy executives communicate regularly regarding privacy risk. Senior executives ensure consideration of privacy through all lines of operation in the organisation.

Data Processing Ecosystem Relationships: The organisation understands its role(s), dependencies, and dependents in the larger ecosystem and may contribute to the community’s broader understanding of risks. The organisation is aware of the privacy ecosystem risks associated with the products and services it provides and it uses. Additionally, it usually acts formally upon those risks, including mechanisms such as written agreements to communicate privacy requirements, governance structures, and policy implementation and monitoring.

Workforce: Dedicated privacy personnel possess the knowledge and skills to perform their appointed roles and responsibilities. There is regular, up-to-date privacy training for all personnel.

Tier 4: Adaptive

Privacy Risk Management Process: The organisation adapts its privacy practices based on lessons learned from privacy events and identification of new privacy risks. Through a process of continuous improvement incorporating advanced privacy technologies and practices, the organisation actively adapts to a changing policy and technology landscape and responds in a timely and effective manner to evolving privacy risks.

Integrated Privacy Risk Management Program: There is an organisation-wide approach to managing privacy risk that uses risk-informed policies, processes, and procedures to address problematic data actions. The relationship between privacy risk and organisational objectives is clearly understood and considered when making decisions. Senior executives monitor privacy risk in the same context as cybersecurity risk, financial risk, and other organisational risks. The organisational budget is based on an understanding of the current and predicted risk environment and risk tolerance. Business units implement executive vision and analyse system-level risks in the context of the organisational risk tolerances. Privacy risk management is part of the organisational culture and evolves from lessons learned and continuous awareness of data processing and resulting privacy risks. The organisation can quickly and efficiently account for changes to business/mission objectives in how risk is approached and communicated.

Data Processing Ecosystem Relationships: The organisation understands its role(s), dependencies, and dependents in the larger ecosystem and contributes to the community’s broader understanding of risks. The organisation uses real-time or near-real-time information to understand and consistently act upon privacy ecosystem risks associated with the products and services it provides and it uses. Additionally, it communicates proactively, using formal (e.g., agreements) and informal mechanisms to develop and maintain strong ecosystem relationships.

Workforce: The organisation has specialised privacy skillsets throughout the organisational structure; personnel with diverse perspectives contribute to the management of privacy risks. There is regular, up-to-date, specialised privacy training for all personnel. Personnel at all levels understand the organisational privacy values and their role in maintaining them.