nist-privacy-identify

Implementing NIST Privacy Framework IDENTIFY Function

Overview

The NIST Privacy Framework Version 1.0 (January 2020) provides a voluntary enterprise risk management tool structured around five core functions: IDENTIFY, GOVERN, CONTROL, COMMUNICATE, and PROTECT. The IDENTIFY function develops the organisational understanding to manage privacy risk arising from data processing. This skill covers the four IDENTIFY subcategories: Inventory and Mapping (ID.IM), Business Environment (ID.BE), Risk Assessment (ID.RA), and Data Processing Ecosystem Risk Management (ID.DE).

IDENTIFY Function Structure

ID.IM — Inventory and Mapping

Data processing inventory and mapping activities are understood by the organisation.

Subcategory	Description	Implementation
ID.IM-P1	Systems/products/services that process data are inventoried	Maintain a comprehensive register of all systems processing personal data, including SaaS tools, internal databases, and third-party integrations
ID.IM-P2	Owners of systems/products/services are identified	Assign a data processing owner to each system with documented responsibility for privacy compliance
ID.IM-P3	Categories of individuals whose data are processed are inventoried	Map all data subject categories (employees, customers, patients, vendors, website visitors)
ID.IM-P4	Data actions of the systems/products/services are inventoried	Document data lifecycle actions: collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission, disposal
ID.IM-P5	Purposes for data actions are inventoried	Document specific purposes for each data action, aligned with GDPR Art. 5(1)(b) purpose limitation
ID.IM-P6	Data elements within the data actions are inventoried	Catalogue all personal data elements processed per system and per purpose
ID.IM-P7	Environmental factors affecting the data processing ecosystem are understood	Assess external factors: legal/regulatory requirements, industry standards, market expectations, organisational risk tolerance
ID.IM-P8	Data processing is mapped	Create and maintain data flow maps showing how personal data moves through the organisation

ID.BE — Business Environment

The organisation's mission, objectives, stakeholders, and activities are understood and prioritised.

Subcategory	Description	Implementation
ID.BE-P1	The organisation's role in the data processing ecosystem is identified and communicated	Determine controller/processor/joint controller status for each processing activity
ID.BE-P2	Priorities for organisational mission, objectives, and activities are established and communicated	Align privacy programme with business objectives; ensure privacy is a design requirement
ID.BE-P3	Systems/products/services that support organisational priorities are identified and key requirements communicated	Identify which processing activities are critical to business operations and prioritise privacy investment accordingly

ID.RA — Risk Assessment

The organisation understands the privacy risks to individuals and how such processing creates privacy risks to the organisation.

Subcategory	Description	Implementation
ID.RA-P1	Contextual factors related to the systems/products/services and data actions are identified	Assess context: relationship with data subjects, data subject expectations, sensitivity, volume, collection method
ID.RA-P2	Data analytic inputs and outputs are identified and evaluated	For data analytics and AI, identify inputs (training data, inference data) and outputs (predictions, scores, decisions)
ID.RA-P3	Potential problems for individuals that arise from data processing are identified	Identify privacy harms: loss of autonomy, discrimination, economic loss, physical harm, reputational damage, loss of trust
ID.RA-P4	Problematic data actions, the likelihood that they occur, and the resulting problems for individuals are identified and assessed	Assess likelihood and severity of each problematic data action — aligned with GDPR DPIA risk assessment
ID.RA-P5	Risk responses are identified and prioritised	For each identified risk, determine response: mitigate, transfer, avoid, accept

ID.DE — Data Processing Ecosystem Risk Management

The organisation identifies, assesses, and manages privacy risks associated with data processing by third parties.

Subcategory	Description	Implementation
ID.DE-P1	Data processing ecosystem risk management policies, processes, and procedures are identified, established, assessed, and managed	Vendor privacy management programme with due diligence, contractual requirements, and ongoing monitoring
ID.DE-P2	Data processing ecosystem parties are identified, prioritised, and assessed	Map all processors, sub-processors, and third-party recipients with risk rating
ID.DE-P3	Contracts with data processing ecosystem parties are established, maintained, and managed	Art. 28 DPAs with all processors; joint controller arrangements per Art. 26
ID.DE-P4	Interoperability frameworks or mechanisms are established for data processing ecosystem parties	Standard data formats, APIs, and privacy-preserving data exchange protocols
ID.DE-P5	Data processing ecosystem parties are managed consistent with the organisation's risk strategy	Ongoing processor performance monitoring, audit rights exercise, sub-processor change management

NIST PF to GDPR Mapping

NIST PF Subcategory	GDPR Equivalent	Implementation Overlap
ID.IM-P1 through P8	Art. 30 Records of Processing Activities	RoPA fulfils the core inventory and mapping requirements
ID.BE-P1	Art. 26 Joint Controllers, Art. 28 Processors	Role determination aligns directly
ID.RA-P1 through P5	Art. 35 DPIA	DPIA risk assessment methodology maps to NIST risk assessment
ID.DE-P1 through P5	Art. 28 Processor Requirements	Processor governance maps to ecosystem risk management

Implementation Methodology

Phase 1: Establish Inventory and Mapping (Months 1-3)

1. Deploy a data discovery tool to identify personal data across all systems.
2. Conduct departmental interviews to identify informal data processing.
3. Create the system-level processing inventory (ID.IM-P1, P2).
4. Map data subject categories (ID.IM-P3) and data elements (ID.IM-P6).
5. Document data actions per system (ID.IM-P4) and purposes (ID.IM-P5).
6. Create data flow maps (ID.IM-P8).
7. Cross-reference with existing Art. 30 RoPA.

Phase 2: Business Environment Analysis (Month 2-3)

1. Determine controller/processor/joint controller roles (ID.BE-P1).
2. Align privacy programme priorities with business strategy (ID.BE-P2).
3. Identify critical processing activities (ID.BE-P3).

Phase 3: Risk Assessment (Months 3-5)

1. For each processing activity, assess contextual factors (ID.RA-P1).
2. Identify problematic data actions using the NIST problematic data action taxonomy:
   • Appropriation: use of data in ways beyond data subject expectations
   • Distortion: use of inaccurate data or misleading inferences
   • Induced disclosure: pressure to reveal more data than intended
   • Insecurity: inadequate protection of data
   • Re-identification: linking anonymised data back to individuals
   • Stigmatisation: association with disfavoured groups
   • Surveillance: excessive monitoring
   • Unanticipated revelation: discovery of information beyond original data
   • Unwarranted restriction: limiting access to services based on data
3. Assess likelihood and severity for each problematic data action (ID.RA-P4).
4. Determine risk responses (ID.RA-P5).

Phase 4: Ecosystem Risk Management (Months 4-6)

1. Inventory all third-party data processors and recipients (ID.DE-P2).
2. Conduct vendor privacy due diligence assessments.
3. Verify DPA compliance for all processors (ID.DE-P3).
4. Establish ongoing monitoring programme (ID.DE-P5).

Enforcement Context

While the NIST Privacy Framework is voluntary and not directly enforceable, organisations demonstrating NIST PF implementation show a mature privacy programme that can support GDPR accountability under Art. 5(2) and Art. 24. US state privacy laws (California CPRA, Virginia VCDPA, Colorado CPA) increasingly reference the NIST PF as a compliance resource.