NIST Privacy Framework — IDENTIFY Function
Implement the NIST Privacy Framework IDENTIFY function including ID.BE business environment, ID.DA data actions, ID.IM improvement, and ID.RA risk assessment subcategories. Provides control mapping, gap analysis templates, and implementation workflows for privacy risk identification.
NIST Privacy Framework — IDENTIFY Function
Overview
The IDENTIFY function in the NIST Privacy Framework (Version 1.0, January 2020) enables organizations to develop organizational understanding of privacy risk arising from data processing. This skill covers all four subcategories: Business Environment (ID.BE), Data Actions (ID.DA), Improvement (ID.IM), and Risk Assessment (ID.RA).
IDENTIFY Function Subcategories
ID.BE — Business Environment
Understanding the organization's mission, objectives, stakeholders, and activities to prioritize privacy risk management decisions.
| Subcategory | Description | Implementation Guidance |
|---|---|---|
| ID.BE-P1 | The organization's role(s) in the data processing ecosystem are identified and communicated | Document whether the organization acts as data controller, processor, or both. Map all data flows identifying organizational role at each stage. |
| ID.BE-P2 | Priorities for organizational mission, objectives, and activities are established and communicated | Align privacy objectives with business strategy. Ensure executive leadership endorses privacy as a business priority. |
| ID.BE-P3 | Systems/products/services that process data are identified and prioritized | Maintain an inventory of all systems processing personal data. Classify by risk tier based on data sensitivity and volume. |
ID.DA — Data Actions
Understanding the data actions the organization performs and associated privacy risks.
| Subcategory | Description | Implementation Guidance |
|---|---|---|
| ID.DA-P1 | A data processing ecosystem inventory is created and maintained | Catalog all data processing activities including collection points, storage locations, sharing partners, and retention periods. |
| ID.DA-P2 | Owners of data actions are identified | Assign clear ownership for each data processing activity. Document accountability chains from operational to executive level. |
| ID.DA-P3 | Problematic data actions are identified and prioritized for management | Use the NIST problematic data actions catalog to assess risk. Score based on likelihood and impact to individuals. |
ID.IM — Improvement
Continuous improvement of privacy risk management.
| Subcategory | Description | Implementation Guidance |
|---|---|---|
| ID.IM-P1 | A process for continuous improvement of the privacy risk assessment approach is established | Schedule quarterly reviews of risk methodology. Incorporate lessons from incidents and regulatory developments. |
| ID.IM-P2 | Privacy risk assessment findings are incorporated into improvement plans | Track remediation actions in a centralized register. Assign deadlines and owners for each improvement item. |
ID.RA — Risk Assessment
Understanding and evaluating privacy risks.
| Subcategory | Description | Implementation Guidance |
|---|---|---|
| ID.RA-P1 | Data actions and their expected problematic data actions are identified | Map each data action to potential problematic outcomes using NIST's catalog of problematic data actions. |
| ID.RA-P2 | Organizational systems, products, and services are monitored for problematic data actions | Deploy continuous monitoring for unauthorized access, unexpected data flows, and policy violations. |
| ID.RA-P3 | Risk responses are identified and prioritized | Define response strategies: mitigate, transfer, avoid, or accept. Document rationale for each risk response decision. |
Implementation Workflow
Phase 1: Inventory and Discovery (Weeks 1-4)
- Stakeholder Identification: Identify all internal and external stakeholders involved in data processing
- System Inventory: Catalog all systems, applications, and services that process personal data
- Data Flow Mapping: Document how data moves through the organization from collection to deletion
- Role Classification: Determine the organization's role (controller/processor) for each data processing activity
Phase 2: Data Action Analysis (Weeks 5-8)
- Data Action Catalog: Document all data actions (collection, retention, logging, generation, disclosure, transfer)
- Ownership Assignment: Assign data stewards for each data action category
- Problematic Data Action Screening: Evaluate each data action against NIST's problematic data actions list
- Impact Assessment: Score each problematic data action on likelihood and severity scales (1-5)
Phase 3: Risk Assessment (Weeks 9-12)
- Risk Scoring: Calculate risk scores as Likelihood x Impact for each identified problematic data action
- Risk Prioritization: Rank risks and identify those exceeding organizational risk tolerance
- Response Planning: Select and document risk response strategies for each high-priority risk
- Control Mapping: Map existing and planned controls to identified risks
Phase 4: Continuous Improvement (Ongoing)
- Quarterly Reviews: Reassess risk landscape and update risk register
- Incident Integration: Incorporate findings from privacy incidents into risk assessments
- Regulatory Monitoring: Track changes in applicable privacy regulations
- Metrics Tracking: Monitor key risk indicators and report to governance bodies
Control Mapping to Other Frameworks
| NIST PF IDENTIFY | ISO 27701 | GDPR Article | CCPA Section |
|---|---|---|---|
| ID.BE-P1 | 5.2.1 | Art. 24, 26, 28 | 1798.140(d),(v) |
| ID.BE-P2 | 5.2.2 | Art. 5(2) | 1798.100 |
| ID.BE-P3 | A.7.2.1 | Art. 30 | 1798.110 |
| ID.DA-P1 | A.7.2.8 | Art. 30(1) | 1798.110(c) |
| ID.DA-P2 | 5.3 | Art. 37-39 | 1798.130 |
| ID.DA-P3 | A.7.2.5 | Art. 35 | 1798.185 |
| ID.RA-P1 | 6.1.2 | Art. 35(7) | 1798.185(a)(15) |
| ID.RA-P2 | 9.1 | Art. 32(1)(d) | 1798.150 |
| ID.RA-P3 | 6.1.3 | Art. 35(7)(d) | 1798.185(a)(15) |
Maturity Assessment
Level 1 — Initial
- Ad hoc privacy risk identification
- No formal inventory of data processing activities
- Reactive approach to privacy issues
Level 2 — Managed
- Basic data inventory exists
- Some data actions documented
- Risk assessments conducted periodically
Level 3 — Defined
- Comprehensive data processing inventory maintained
- All data actions cataloged with owners
- Structured risk assessment process in place
Level 4 — Quantitatively Managed
- Metrics-driven risk assessment
- Automated monitoring of data actions
- Quantitative risk scoring methodology
Level 5 — Optimizing
- Continuous improvement process embedded
- Predictive risk analytics
- Industry-leading privacy risk management practices
References
- NIST Privacy Framework Version 1.0 (January 16, 2020)
- NIST SP 800-37 Rev. 2 — Risk Management Framework
- NIST IR 8062 — An Introduction to Privacy Engineering and Risk Management in Federal Systems
- ISO/IEC 27701:2019 — Privacy Information Management
No additional documents ship with this skill.
Related Skills
Data Subject Rights for AI Systems
Implements data subject rights mechanisms for AI systems including right to explanation of AI decisions, contestation procedures, human review, model…
Lawful Basis for AI Training Data
Assesses lawful basis for AI training data processing per EDPB April 2025 report on LLMs and general-purpose AI. Covers legitimate interest balancing…
Managing Consent for Analytics Cookies
Managing consent for analytics cookies and implementing privacy-preserving measurement. Covers GA4 privacy configuration, consent mode fallback behav…
Applying Privacy Design Patterns
Systematic application of the eight privacy design patterns per Hoepman: minimize, hide, separate, abstract, inform, control, enforce, and demonstrat…
User Input
[COMMUNITY] Assess EU Data Act (Regulation 2023/2854) compliance for connected products, data holders, and data processing service providers
