2. Framework: Privacy Governance Flashcards
What does the term ‘privacy governance’ refer to?
Refers to the components that:
- Guide a privacy function toward compliance
AND
- Enable it to support business objectives and goals.
What are the components of organizational privacy governance?
- Vision and mission statement;
- Scope;
- Framework;
- Strategy; and
- Team structure.
How can the privacy program scope be identified?
Through the identification of the following:
- PI collected and processed; and
- Applicable privacy and data protection laws and regulations.
Why should an organization identify the PI collected and processed?
Maintaining written documentation about personal information, including (1) how an organization processes the data and (2) the recipients of the data, is formalized through Article 30 of the GDPR.
What questions should be asked to define the scope of a privacy program?
- Who collects, uses, and maintains PI? (Organizations are also required to understand the roles and obligations of service providers)
- What types of PI are collected, and what is the purpose of the collection?
- Where is the data stored? (Applications and systems, as well as countries)
- To whom is the data transferred?
- Who has access to the data both internally and externally? (Ex., third parties)
- When (ex., during transactions and the hiring process) and how (ex., through an online form) is the data collected?
- How long is the data retained, and how is it deleted?
- What security controls are in place to protect the data?
What is considered to be best practice when doing business in a jurisdiction with no data protection regulations?
Best practice is to institute the organization’s requirements, policies, and procedures to the highest level achievable instead of reducing them to the level of the country in which business is being conducted.
In a nutshell, use the most restrictive policies, as this also reduces privacy-related risks for the organization.
What are some scope challenges?
Domestic privacy programs may need to monitor state and/or regional laws as well as industry-specific laws, while global programs need to be cognizant of cultural norms, differences, and approaches to privacy protection.
What are some examples of privacy protection regulation approaches around the globe?
- US: Sectoral and state specific laws (Laws address specific industry sector and/or apply to the residents of a specific state)
- EU, UK, Canada: Comprehensive laws (Laws govern the collection, use, and dissemination of PI, with an official oversight agency).
- Australia: Co-regulatory model (Industry develops enforcement standards that are overseen by a privacy agency).
- US, Japan, Singapore: Self-regulated model (Companies use a code of practice by a group of companies known as industry bodies, ex., Online Privacy Alliance, TrustArc, WebTrust)
What are the privacy challenges faced by organizations operating in the US?
Organizations must determine whether they are subject to a law or industry standard. (Ex., Financial institutions are subject to the Gramm-Leach-Bliley Act (GLBA); health providers are subject to HIPAA and merchants handling cardholder information must follow the Payment Card Industry Data Security Standard)
Do US states have data breach notification laws?
Yes, all 50 states have data breach notification laws.
If an organization processes the PI of any resident of a state and unencrypted data has been compromised, compliance requirements may include notifying the residents of the state, as well as government bodies and state attorneys general.
What is a successful approach to scoping an organization’s privacy program?
- Understanding of the end-to-end personal information data life cycle.
- Consideration of the legal, cultural, and personal expectations.
- Customized privacy approach.
- Awareness of privacy challenges, including the interpretation of laws and regulations as well as enforcement activities and processes.
- Monitoring of all legal compliance factors for both local and global markets.
What is a privacy strategy?
Privacy strategy is an organization’s approach to communicating and supporting the privacy program and its vision.
What are the benefits of implementing a privacy strategy?
- Management’s growing awareness of the importance of protecting PI and the financial impacts of mismanagement
AND
- Awareness that everyone has a role in PI protection and every individual within an organization contributes to the success of the privacy program.
What is a challenge when it comes to building a privacy program and supporting strategy?
Gaining consensus from members of the organization’s management on privacy as a business imperative.
Who is best suited as a privacy program sponsor?
Someone who understands the importance of privacy and will act as an advocate for the program.
Effective sponsors typically have experience with the organization, the respect of colleagues, and access to or ownership of the budget.
Frequently, sponsors function as risk compliance executives (Ex., chief information security officers, chief compliance officers, or general counsels).
In larger organizations, who is included in the executive privacy team?
- Senior risk executive;
- Senior compliance executive;
- Senior HR executive;
- Senior legal executive;
- Senior information executive;
- Senior physical security/business continuity executive;
- Senior marketing executive;
- Senior representative of the business.
What are the best practices to develop internal stakeholder privacy partnerships?
- Become aware of how others treat and view PI;
- Understand their use of the data in a business context;
- Assist with building privacy requirements into their ongoing projects to help reduce risk;
- Offer to help staff meet their objectives while providing solutions that reduce the risk of personal information exposure;
- Invite staff to be part of a privacy advocate group to further privacy best practices.
What is the benefit of an internal stakeholder privacy workshop?
It levels the privacy playing field by (1) defining privacy for the organization, (2) explaining the market expectations, (3) answering questions, and (4) reducing confusion.
What is a key role of an internal privacy stakeholder steering committee?
Ensure clear ownership of assets and responsibilities.
What can an effective privacy program achieve?
- Material compliance with the various privacy laws and regulations in-scope for the organization;
- Competitive advantage by reflecting the value the organization places on the protection of PI; and
- Support business commitment and objectives to stakeholders, customers, partners, and vendors.
What are the privacy questions most frameworks answer?
- Are the privacy risks properly defined and identified?
- Has the privacy program been properly implemented into all key workstreams (particularly for an organization with global presence)?
- Has the organization assigned responsibility and accountability for managing a privacy program?
- Does the organization understand any gaps in privacy management?
- Does the organization monitor privacy management?
- Are employees properly trained, and does the organization have a privacy awareness program?
- Does the organization follow industry best practices for data inventories, risk assessments, and privacy impact assessments?
- Does the organization have an incident response plan?
- Does the organization communicate privacy-related matters and update that material as needed?
- Does the organization use a common language to address and manage cybersecurity risk based on business and organizational needs?
What frameworks can be used as a foundation to build a privacy program?
- Principles and standards
- Laws, regulations, and programs
What are some examples of privacy principles and standards?
- Fair Information Practices
- OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
- Generally Accepted Privacy Principles (GAPP)
- Canadian Standards Association (CSA) Privacy Code
- Asia-Pacific Economic Cooperation (APEC) Privacy Framework
- European Telecommunications Standards Institute (ETSI)
- National Institute of Standards and Technology (NIST) Privacy Framework
What type of approach does such a framework use?
A risk-based, customizable approach to identifying and managing privacy risk, built from the following components:
- Core: set of privacy protection activities
- Profiles: various factors such as risk appetite, desired future state, resources, etc.
- Tiers: level of operational maturity that is achievable for a given profile