The Framework, created in collaboration with a variety of public and private stakeholders, is designed to help any organization, regardless of size or industry, identify privacy risks, and create and maintain practices that manage those privacy risks. Specifically, the Framework should help organizations manage privacy risk by: 1) making privacy part of the design process for new systems and services; 2) integrating business processes and privacy practices to reduce friction between competing needs; and 3) communicating about these practices both within and outside the organization.
The Framework, following the same structure as NIST’s “Framework for Improving Critical Infrastructure Cybersecurity,” is broken into three parts:
- The Core: This is comprised of progressively specific privacy protection activities and outcomes that facilitate “an organizational dialogue about managing privacy risk.”
- Profiles: These are a collection of privacy “Functions,” “Categories,” and “Sub-Categories” from which an organization can choose to represent either its current privacy activities, or desired privacy outcomes.
- Implementation Tiers: These provide a common point of reference by which an organization can communicate how it views particular privacy risks and the degree to which it has processes or resources in place to manage those risks.
These three parts employ a common language and standardized concepts so that varied teams and departments can work collaboratively to meet their organization’s privacy goals.