Privacy Framework Perspectives and Success Stories

“We initially deployed the NIST Privacy Framework in 2021 and continue to use it as our benchmark for assessing alignment with data protection laws. The Framework is embedded and integral to identifying any activities we need to perform to maintain our ongoing compliance with relevant data protection laws for a business that operates in multiple jurisdictions worldwide.”
-Graham Gilhooley, Data Protection Senior Manager, Alter Domus
August 9, 2023

---

 “The NIST Privacy Framework really came along at an ideal time for us. We were just beginning this journey to build a new privacy program for Truist, and the Privacy Framework is a great tool to help us do exactly what we're trying to do, which is looking at the existing privacy programs for two different companies and building a new privacy program. There needs to be an evolution of our privacy program, and so as we look to take that next step and gain maturity as this new company, the NIST Privacy Framework is the tool that we've decided to latch on to as a way to help guide what we're going to do at Truist.”
-Ron Whitworth, Senior Vice President and Chief Privacy Officer, Truist
November 12, 2020

"The National Institute of Standards and Technology (NIST) Privacy Framework, published in January 2020, is quickly becoming the mainstream control set for organizations to align with when assessing their data privacy posture, developing readiness roadmaps, and maturing their privacy program."
-JD Supra, LLC
September 2, 2021| [Source]

---

"As a communications advisor for executive and technical privacy professionals, I know that a critical aspect of influencing business leaders is establishing credibility and trust in your vision and your ability to execute it. For professionals who need to lead organizations through increasing levels of privacy maturation, the NIST Privacy Framework provides a credible, industry-vetted roadmap for securing clear goals and priorities with business leaders. Additionally, the Framework's familiarity among regulatory agencies offers additional confidence for organizations striving to demonstrate honest privacy commitments beyond compliance."
-Melanie Ensign, Founder and CEO, Discernable Inc.
January 21, 2021

---

“Increasingly, individuals are focused on how seriously an organization takes privacy. The NIST Privacy Framework not only helps organizations develop a robust program to address privacy risk, but it allows them to promote and share that focus by saying, hey, we're implementing the NIST Privacy Framework because we care about your privacy.”
- Caitlin Fennessy, CIPP/US, Research Director, International Association of Privacy Professionals
November 12, 2020

“Recently, one of my startup clients came to me and said, we want to have a best in class privacy program. We want to use privacy as a competitive advantage, go above and beyond US law. We want to be able to implement one global privacy policy and be consistent. We don't think our customers should have different rights and different protections based on geography. And they wanted to know what I would recommend as they started the process of developing a privacy program. I suggested that they consider the NIST Privacy Framework. Although the NIST Privacy Framework doesn't identify any particular company's legal or compliance obligations, it helps facilitate conversations and discussions around privacy risk, data governance, potential problems for individuals that can arise from processing data, and ways to mitigate risk. It presents a new, more strategic way of thinking about the benefits of using data and the potential problems, which entrepreneurs seem to get and embrace.”
- Marc Groman, Principal, Groman Consulting Group LLC
November 12, 2020

“When an organization builds a strong privacy program based on the NIST Privacy Framework, and it is positive and yielding the results it's supposed to, it is a strong competitive advantage. Customers are going to be looking for businesses and entities that they can trust.”
- Juliet Okafor, JD, Executive Officer and Founder, RevolutionCyber
November 12, 2020

 “Equifax is proud to be an early adopter of the NIST Privacy Framework.  This framework provides an avenue for companies to assess where their privacy program is today, set goals and evaluate their progress toward achieving those goals. In addition, the framework provides a robust lens through which companies can view the benefits of privacy. Not only are we complying with privacy laws, such as the California Consumer Privacy Act (CCPA), but we are committed to building trust with consumers and customers who use our services or products. This framework is critical to helping us do that."
- Nick Oldham, Chief Privacy Officer, Equifax
January 28, 2020 | [Source]

“Global privacy landscape is becoming even more complex today. To meet the expectation to privacy from 200 million users around the world, LINE has always been committed to and seeking an opportunity to improve our privacy program.  LINE decided to become an early adopter of NIST Privacy Framework because it provides a flexible and comprehensive roadmap for visualizing and improving our privacy program. We sincerely applaud the effort of NIST for developing this Framework.  We expect that the Framework will be widely accepted as its sibling Cybersecurity Framework is, as we see it a prominent instrument for protecting the integrity of this data-driven economy.” 
- Takesh Nakayama, Chief Privacy Officer and Chief Information Security Officer, LINE
January 16, 2020

“Since its publication in January 2020, I’ve been a supporter of the NIST Privacy Framework and its authoritative yet flexible approach to creating or enhancing privacy programs. A purely legal approach to privacy compliance makes it challenging for organizations to identify and remediate the highest privacy-related risks, consistently and at scale, especially considering emerging privacy laws and disruptive technology. I now have the privilege of driving adoption of this risk-based framework at Medline. In today’s complex business environment, privacy professionals need a tool that supports nuanced decision-making based on risk management principles. With the NIST Privacy Framework, we finally have a menu of options that enhance and support privacy program development for companies of all sizes and sectors.”
-Dana Garbo, Chief Privacy Officer, Medline Industries, LP
September 29, 2023

---

“Privacy in healthcare has many areas that must be considered, especially now with so much innovation and emerging technologies. The availability and accessibility of the NIST Privacy Framework within the industry is so important. It is a meaningful and valuable way to understand organizational maturity in a current state with the lens toward future goals. It allows for the opportunity to identify gaps, prioritize initiatives, and continuously make ongoing gains. My use of the NIST Privacy Framework has been crucial to addressing risks from a multi-dimensional perspective.”
-Karen Habercoss, Chief Privacy Officer, The University of Chicago Medicine
August 15, 2023

---

“If privacy laws haven't touched you yet, they will start to touch you, and you're going to have to do something about it. The NIST Privacy Framework allows organizations to get their hands around privacy risk at the very beginning stages of things. It can be scaled up or down, it's flexible, and so it doesn't matter how mature you are. It allows for you to pick and choose those areas that are more important to you at a particular time. The Privacy Framework can be a market differentiator for the organization that's following it to be able to grow their business and separate their business from other companies that may not be doing the same.”
- Mary N. Chaney, Esq., CISSP, CIPP/US, Director of Information Security and Privacy, ESPERION Therapeutics, Inc.
November 12, 2020

"The NIST Privacy Framework is an invaluable tool in creating clear and accessible communication across a variety of business groups; facilitating a broader awareness of complex privacy risks and the strong intersection of privacy risk and organizational risk.  The intentional design of the NIST Privacy Framework provides a mechanism to connect conceptual privacy principles and specific technical requirements, fueling dynamic discussions and creative solutions as a result of stronger collaboration across business groups."
- Lauren Ulvestad, Principal Data Protection & Privacy Product Engineer, Cardiac Rhythm & Heart Failure (CRHF), Medtronic
January 24, 2020

“We’re excited to see this effort make the progress it has made in since it began over a year ago – the NIST Privacy Framework is an important step forward in helping organizations of all types understand what is actually necessary to control when an organization has plans to use any sensitive information in their business. At athenahealth and in healthcare broadly, privacy is at the core of the profession. To now have a serious endeavor to defining what that means in a way that harmonizes the various approaches industry has tried to implement to protect data into a single set, developed by many voices, has the potential to be transformative.” 
- Taylor Lehmann, VP, Chief Information Security Officer, AthenaHealth
January 16, 2020

“Data Privacy is an important issue that impacts every person with a digital footprint. Careless and inappropriate use of personal information destroys the trust that is necessary for activities we all participate in every day. With the proper frameworks in use, individuals and organizations will have greater confidence in how they engage in certain transactions (healthcare, banking, and technology, to name a few). This, in turn, will continue to support a growing and stable economy. FairWarning supports the use of best practices and applauds NIST in the release of its well-crafted Privacy Framework. We look forward to continuing our collaboration and striving to create a culture of privacy in our customers' organizations and beyond.”
- Ed Holmes, CEO, FairWarning 
January 16, 2020 

“Incorporating the NIST Privacy Framework into our service, Privacy Navigator, became a necessity lately because our clients increasingly ask us, ‘What is the best practice privacy protection standard across America?’ We believe that the answer to that is NIST, because this framework encourages organizations to take ethical privacy protection actions, meet compliance obligations, and protect individual privacy rights. What makes the NIST Privacy Framework even more remarkable is that it gives organizations the implementation support on top of a core set of controls (i.e., the standard becomes actionable and part of the organization’s DNA.)”
- Pan Xuan, Founder and CEO, PrivacyOne
March 11, 2022

---

"The NIST Privacy Framework is an essential tool for building and maturing a privacy program.  It provides a risk-based, flexible blueprint for 'what' your program needs and implementation guidance on 'how' to build trust and demonstrate compliance."
- Harvey Jang, Vice President, Chief Privacy Officer, Cisco
January 15, 2021

---

“The protection of an individual’s private data is one of the most pressing issues of our time. For that reason, IBM supports the Privacy Framework developed by the National Institute of Standards and Technology. This framework will be a valuable tool that will drive accountability and make it easier for organizations to implement privacy protections. We also hope it will inform national privacy legislation by giving the public greater confidence that industry now has an effective enterprise risk management tool to enhance consumer privacy in the digital age.”
- Christina Montgomery, Chief Privacy Officer, IBM 
November 12, 2020

“The NIST Privacy Framework is a useful tool for companies building a data protection program from the ground up and will also help organizations to assess their privacy maturity. We appreciate NIST’s efforts to develop this voluntary framework.”
- Barbara Cosgrove, Vice President and Chief Privacy Officer, Workday
November 12, 2020

“There are a number of reasons why NIST’s Privacy Framework makes sense to us at Okta: It’s flexible. Rather than offering a rigid set of requirements that companies must comply with, NIST has put forward a comprehensive set of best practices that implementing organizations can use to complement their existing approach to privacy. It has global applicability. NIST designed the framework to be future-proof to changing laws and regulations, and this neutrality allows the framework’s practices to apply across global territories and with various data protection requirements. It provides a bedrock foundation from which organizations can ensure compliance and communicate sensible, trustworthy policies to stakeholders.”
-Tim McIntyre, Associate General Counsel, Privacy & Product, Okta
March 4, 2020 | [Source]

public sECTOR

“As a privacy professional for about 20 years, I have seen modernizations in technology and services compel significant adjustments in Federal missions and policy. More than ever, these changes require methodologies, processes, and ideas that are easy to understand and easy to teach. It is crucial to be able to organize and communicate what is required to understand how changes and risks apply to an environment (like cybersecurity), and then instigate cooperation toward desired outcomes such as legislative compliance. This is where the Privacy Framework’s broad understanding of how to prioritize and respond to privacy risk comes into play. It promotes a common language for understanding, managing, and communicating for those who develop systems, products, and services. If we are to succeed in innovating, while managing and protecting personal information, it is going to take adherence to the standards and concepts offered by the Framework to enable all involved to stay on the same page. To make sure we continue to improve our missions, resources in the Framework offer tools that will allow for more and better innovations in technology and services, a better understanding of compliance matters, and thus, better protection of our critical information.”
-John Nelson, Senior Privacy Analyst, Department of Homeland Security, Cybersecurity and Infrastructure Security Agency
March 24, 2021

---

“When you are competing for funds and resources, it is difficult to make the case to build a privacy program. However, this cultural change is essentially free if you have the materials available for people and the language that helps them understand how it applies to their environment. The NIST Privacy Framework has been one of the tools we've been able to use to make that cultural shift, even when we're not able to staff a large privacy team and make a big push. We are incrementally making changes at the project level, at the staff level, at the training level that feel very impactful and lasting.”
- Jaime Lees, Chief Data Officer, Arlington County Government
November 12, 2020

Success Story (PDF)

“I am proud the CFTC is taking the lead by becoming the first federal agency to adopt the NIST Privacy Framework. Adopting this framework will put us on the cutting edge of data privacy protection.”
- Heath P. Tarbert, Chairman, U.S. Commodity Futures Trading Commission (CFTC)
January 28, 2020 | [Source]

“Protecting individuals’ privacy is of utmost importance to the CFTC and we are excited to integrate the Privacy Framework into our existing operations.”
- Charles Cutshall, Chief Privacy Officer, U.S. Commodity Futures Trading Commission (CFTC)
January 28, 2020 | [Source]

“In the modern data-enabled economy, businesses work hard to deliver innovative products and services while managing risks to privacy inherent in the processing of personal data. As organizations face an increasingly fragmented landscape of domestic and global privacy laws, the NIST Privacy Framework provides valuable substantive guidance to companies of all sizes and sectors for the trustworthy evaluation and management of privacy risk. We welcome the collaborative, flexible, and forward-looking approach that NIST has taken in developing this important resource.”
-Arthur Sidney, Vice President of Public Policy, CCIA
April 28, 2021

“NIST’s Privacy Framework offers valuable guidance to organizations seeking to comply with an evolving landscape of privacy laws and regulations both globally and in the United States. This framework serves as a lodestar for organizations of all sizes and across industries by providing effective and consistent yet flexible guidance to help them more effectively design privacy into products and services and better manage privacy risks while fostering customer trust in an increasingly data-driven world. We also appreciate the consideration given to our recommendations as the Privacy Framework and Privacy Roadmap were being built last year, and look forward to working with NIST as it continues its important work.”
- John Miller, Senior Vice President of Policy and Senior Counsel, ITI
January 17, 2020 | [Source]