Guides NIST Privacy Framework IDENTIFY function implementation covering ID.BE, ID.DA, ID.IM, ID.RA subcategories with GDPR mappings for privacy compliance.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-completeThis skill uses the workspace's default tool permissions.
The NIST Privacy Framework Version 1.0 (January 2020) provides a voluntary enterprise risk management tool structured around five core functions: IDENTIFY, GOVERN, CONTROL, COMMUNICATE, and PROTECT. The IDENTIFY function develops the organisational understanding to manage privacy risk arising from data processing. This skill covers the four IDENTIFY subcategories: Inventory and Mapping (ID.IM),...
Conducts multi-round deep research on GitHub repos via API and web searches, generating markdown reports with executive summaries, timelines, metrics, and Mermaid diagrams.
Dynamically discovers and combines enabled skills into cohesive, unexpected delightful experiences like interactive HTML or themed artifacts. Activates on 'surprise me', inspiration, or boredom cues.
Generates images from structured JSON prompts via Python script execution. Supports reference images and aspect ratios for characters, scenes, products, visuals.
The NIST Privacy Framework Version 1.0 (January 2020) provides a voluntary enterprise risk management tool structured around five core functions: IDENTIFY, GOVERN, CONTROL, COMMUNICATE, and PROTECT. The IDENTIFY function develops the organisational understanding to manage privacy risk arising from data processing. This skill covers the four IDENTIFY subcategories: Inventory and Mapping (ID.IM), Business Environment (ID.BE), Risk Assessment (ID.RA), and Data Processing Ecosystem Risk Management (ID.DE).
Data processing inventory and mapping activities are understood by the organisation.
| Subcategory | Description | Implementation |
|---|---|---|
| ID.IM-P1 | Systems/products/services that process data are inventoried | Maintain a comprehensive register of all systems processing personal data, including SaaS tools, internal databases, and third-party integrations |
| ID.IM-P2 | Owners of systems/products/services are identified | Assign a data processing owner to each system with documented responsibility for privacy compliance |
| ID.IM-P3 | Categories of individuals whose data are processed are inventoried | Map all data subject categories (employees, customers, patients, vendors, website visitors) |
| ID.IM-P4 | Data actions of the systems/products/services are inventoried | Document data lifecycle actions: collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission, disposal |
| ID.IM-P5 | Purposes for data actions are inventoried | Document specific purposes for each data action, aligned with GDPR Art. 5(1)(b) purpose limitation |
| ID.IM-P6 | Data elements within the data actions are inventoried | Catalogue all personal data elements processed per system and per purpose |
| ID.IM-P7 | Environmental factors affecting the data processing ecosystem are understood | Assess external factors: legal/regulatory requirements, industry standards, market expectations, organisational risk tolerance |
| ID.IM-P8 | Data processing is mapped | Create and maintain data flow maps showing how personal data moves through the organisation |
The organisation's mission, objectives, stakeholders, and activities are understood and prioritised.
| Subcategory | Description | Implementation |
|---|---|---|
| ID.BE-P1 | The organisation's role in the data processing ecosystem is identified and communicated | Determine controller/processor/joint controller status for each processing activity |
| ID.BE-P2 | Priorities for organisational mission, objectives, and activities are established and communicated | Align privacy programme with business objectives; ensure privacy is a design requirement |
| ID.BE-P3 | Systems/products/services that support organisational priorities are identified and key requirements communicated | Identify which processing activities are critical to business operations and prioritise privacy investment accordingly |
The organisation understands the privacy risks to individuals and how such processing creates privacy risks to the organisation.
| Subcategory | Description | Implementation |
|---|---|---|
| ID.RA-P1 | Contextual factors related to the systems/products/services and data actions are identified | Assess context: relationship with data subjects, data subject expectations, sensitivity, volume, collection method |
| ID.RA-P2 | Data analytic inputs and outputs are identified and evaluated | For data analytics and AI, identify inputs (training data, inference data) and outputs (predictions, scores, decisions) |
| ID.RA-P3 | Potential problems for individuals that arise from data processing are identified | Identify privacy harms: loss of autonomy, discrimination, economic loss, physical harm, reputational damage, loss of trust |
| ID.RA-P4 | Problematic data actions, the likelihood that they occur, and the resulting problems for individuals are identified and assessed | Assess likelihood and severity of each problematic data action — aligned with GDPR DPIA risk assessment |
| ID.RA-P5 | Risk responses are identified and prioritised | For each identified risk, determine response: mitigate, transfer, avoid, accept |
The organisation identifies, assesses, and manages privacy risks associated with data processing by third parties.
| Subcategory | Description | Implementation |
|---|---|---|
| ID.DE-P1 | Data processing ecosystem risk management policies, processes, and procedures are identified, established, assessed, and managed | Vendor privacy management programme with due diligence, contractual requirements, and ongoing monitoring |
| ID.DE-P2 | Data processing ecosystem parties are identified, prioritised, and assessed | Map all processors, sub-processors, and third-party recipients with risk rating |
| ID.DE-P3 | Contracts with data processing ecosystem parties are established, maintained, and managed | Art. 28 DPAs with all processors; joint controller arrangements per Art. 26 |
| ID.DE-P4 | Interoperability frameworks or mechanisms are established for data processing ecosystem parties | Standard data formats, APIs, and privacy-preserving data exchange protocols |
| ID.DE-P5 | Data processing ecosystem parties are managed consistent with the organisation's risk strategy | Ongoing processor performance monitoring, audit rights exercise, sub-processor change management |
| NIST PF Subcategory | GDPR Equivalent | Implementation Overlap |
|---|---|---|
| ID.IM-P1 through P8 | Art. 30 Records of Processing Activities | RoPA fulfils the core inventory and mapping requirements |
| ID.BE-P1 | Art. 26 Joint Controllers, Art. 28 Processors | Role determination aligns directly |
| ID.RA-P1 through P5 | Art. 35 DPIA | DPIA risk assessment methodology maps to NIST risk assessment |
| ID.DE-P1 through P5 | Art. 28 Processor Requirements | Processor governance maps to ecosystem risk management |
While the NIST Privacy Framework is voluntary and not directly enforceable, organisations demonstrating NIST PF implementation show a mature privacy programme that can support GDPR accountability under Art. 5(2) and Art. 24. US state privacy laws (California CPRA, Virginia VCDPA, Colorado CPA) increasingly reference the NIST PF as a compliance resource.