2. Frameworks and Governance Flashcards

1
Q

Privacy Governance - Guiding a privacy function toward compliance with privacy laws and regulations and enabling it to support the organization’s broader business goals. Its steps are:

A
  1. Create a privacy vision and mission statement
  2. Define a program scope
  3. Select a privacy framework
  4. Develop a privacy strategy
  5. Structure the privacy team
2
Q

No standard organizational structure for privacy is required; instead, consider:

A

1. Department Influence:

  1. Global Scope
  2. Best Funded
  3. Best Executes Enterprise Projects
  4. Strongest Supporter of Privacy
3
Q

What do Privacy Program Frameworks do?

A
  • Provide a benchmark to measure your program.
  • Create policies, procedures, & processes to ensure the organization knows how to be compliant.
  • Create checklists to guide the team through privacy management.

- Can be standards, laws/regulations, and/or frameworks.

4
Q

Policy Lifecycle

A
  1. Draft
  2. Get Approval
  3. Disseminate & Socialize
  4. Train
  5. Review and Revise
5
Q

DPO Job Description: Tasks

A
  1. Work closely with regulators & advise stakeholders to work toward compliance
  2. Ensure organizations are aware of their training and awareness obligations
  3. Keep up with changes to laws and technology
  4. Build, implement and manage privacy programs
6
Q

DPO Job Description: Skills

A

  • Risk/IT - experience assessing risk & best-practice mitigation
  • Legal - experience and independence
  • Communication
  • Leadership & Board Exposure
  • Self-Starter / Board Level
  • Common-touch teaching
  • Credible & no conflict of interest

7
Q

Privacy Governance Models

A

Centralized: One team or person is responsible.

Decentralized/Local: Decision-making is delegated to lower levels, allowing information to flow from the bottom to the top.

Hybrid: Combines the centralized and decentralized models; this is the most common.

8
Q

Buy-In for Privacy Strategy

A
  1. Build relationships
  2. Find champions outside the privacy office
  3. Pitch privacy
  4. Create steering groups of stakeholders
  5. Create awareness for the program internally and externally
9
Q

RACI Matrix - Ownership of stakeholder assets & responsibilities

A
  • who is Responsible
  • who is Accountable
  • who needs to be Consulted
  • who needs to be Informed
10
Q

Key Functional Areas (Departments) to Create & Enforce the Privacy Program

A
  • Communications
  • IT
  • Procurement
  • Marketing
  • Learning and Development
11
Q

Internal Audit and Risk Management

A

Internal Audit - reports to the audit committee to ensure it is unbiased.

Risk Management - ensures business and regulatory requirements are met through detailed analysis.

Some organizations use privacy tech vendors to help achieve compliance.

12
Q

GDPR Article 37
GDPR Article 38
GDPR Article 39

A

GDPR Article 37 - A DPO must be appointed and must be an expert in privacy.

GDPR Article 38 - The DPO must report to the highest levels of the organization.

GDPR Article 39 - DPO activities shall include:
- monitoring the company's compliance with GDPR
- providing advice during DPIAs
- cooperating with supervisory authorities
