Business Case for the NIST Privacy Framework

June 28, 2023

The privacy landscape is changing fast, and business leaders are trying to keep up.

In this episode of Priv, hosts Dona Fraser and Jason Cronk discuss one of the resources available to help. Guest Dylan Gilbert, Privacy Policy Advisor at the National Institute of Standards and Technology (NIST), explains how the NIST Privacy Framework, a voluntary, technology-neutral tool, can help organizations better manage their privacy risks, and guest Nandita Rao Narla, Head of Technical Privacy and Governance for DoorDash, describes real-world applications of the Framework and some of NIST's most helpful resources for businesses.

Related Resources

NIST's Learning Center

Reflections on A New Consumer Privacy Health Standard in Washington

Fifty Shades of Consumer Health Data: How a Risk-Based Approach Provides More Clarity

In this episode of Privacy Abbreviated, hosts Dona Fraser, the SVP of Privacy Initiatives for BBB National Programs, and Jason Cronk, the President of the Institute of Operational Privacy Design, are joined by two guests to discuss the NIST Privacy Framework, developed by the National Institute of Standards and Technology (NIST): Dylan Gilbert, a Privacy Policy Advisor with the Privacy Engineering Program at NIST, and Nandita Narla, the Head of Technical Privacy & Governance at DoorDash.

The NIST Privacy Framework offers organizations a voluntary and adaptable set of guidelines and best practices for effectively managing privacy risks. Its flexible approach enables customization to suit an organization's specific needs, helping to identify and manage privacy risks while fostering innovation and safeguarding individuals' privacy.

11:35 - During the discussion, Nandita highlights the significance of the framework's crosswalks, which startups often use to meet compliance requirements. Dylan later explains that crosswalks are mappings between various laws or regulations and the NIST Privacy Framework, aiding organizations in implementing the framework effectively.

Crosswalks offer a consolidated view of regulatory requirements, which can be beneficial for organizations operating in diverse jurisdictions or industries with varying compliance obligations. By aligning multiple regulations with a unified framework, organizations can identify areas of compliance overlap, gaps, or inconsistencies, guiding their compliance strategies and promoting integrated and efficient programs.

22:17 - Throughout the episode, Dylan emphasizes the many resources provided by NIST, such as the research repository and the appendices. He encourages listeners to use these free tools alongside the core privacy framework, highlighting the guidance, best practices, and implementation support they provide.

The repository is a collection of crosswalks, common profiles, and guidelines designed to give organizations the knowledge needed to customize their approach to data privacy. Common profiles are sets of specific privacy controls or requirements tailored to the needs and characteristics of different types of organizations or sectors. By providing example profiles specific to a particular industry, sector, or organizational context, this kind of tool helps organizations take control of privacy customization, efficiency, and risk management.

Appendix D, which Dylan mentioned specifically, offers guidance around privacy risk management practices. Topics include organizing preparatory resources, assigning risk management roles, and identifying key stakeholders. It also guides decision-makers in determining the capabilities of an organization’s potential privacy structure.

Though the privacy framework and the additional tools NIST offers can serve as a guide to help organizations meet compliance requirements, both the hosts and the guests repeatedly encourage listeners to think of it as more than a checklist. It's an opportunity to challenge existing views on privacy and integrate security into every aspect of an organization.

In fact, Jason and Dona wrap up the episode by urging organizations to step away from siloed approaches to privacy and recognize its pervasive influence across all activities and engagements. A comprehensive commitment to privacy requires the involvement of every individual within the organization.
