2: Privacy Program Framework: Privacy Governance Flashcards

1
Q

Components of “Privacy Governance” (5)

A
  • create org privacy vision and mission statement
  • define the scope of the privacy program
  • select appropriate privacy framework
  • develop the organizational privacy strategy
  • structure the privacy team
2
Q

What does a Privacy Vision and Mission Statement do?

A
  • lays the groundwork for the rest of the privacy program.

- the vision should align with the organization’s broader purpose and objectives

3
Q

Privacy Program Scope

A
  • organizational legal and regulatory compliance obligations
    1. identify the PI collected & processed
    2. identify the privacy and data protection laws and regulations
4
Q

Things to consider about PI collected and processed

A
  • who collects, uses and discloses/maintains PI?
  • what type of PI
  • reasons for collection
  • data storage
  • transferred to whom
  • access
  • when is the data collected
  • storage/retention
  • security protocols to protect
5
Q

What if data is cross-jurisdictional?

A

use the most restrictive regulations

6
Q

Scope challenges

A

Consider:

  • domestic laws
  • state/regional laws
  • industry specific
  • global differences and approaches
7
Q

US vs EU Privacy Protection approaches

A

US - limited sectoral approach, laws apply to specific industry sectors or categories of data, or to specific states
EU - more comprehensive approach that applies to all personal data, regardless of sector or location

8
Q

Protection Models (4)

A
Sectoral laws/state specific (US)
Comprehensive laws (EU)
Co-regulatory model (AUS)
Self-regulated model (US, Japan, Singapore)
9
Q

Sectoral/State specific laws

A

Laws that specifically address a particular industry sector, or apply to residents of a specific state
US

10
Q

Comprehensive laws

A

Apply to the collection, use and disclosure of PI in public and private sectors with an official oversight agency (to review concerns and provide guidance to businesses and individuals)
EU, CAN, UK

11
Q

Co-regulatory Model

A

Similar to the comprehensive model; industry develops enforcement standards that are overseen by a privacy agency
AUS

12
Q

Self-regulated Model

A

Companies use a code of practice by an industry body, e.g. OPA, TrustArc, WebTrust, PCI DSS (some states have adopted these as law)
US, Japan, Singapore

13
Q

Privacy Program Scope requires:

A
  • end to end of data lifecycle
  • considerations to meet legal, cultural, and personal expectations
  • customize approach from global and local perspective
  • aware of privacy challenges, incl laws/regs and enforcement activities and processes
  • monitoring for compliance
14
Q

Developing a Privacy Strategy

A

Need organizational support to implement and for accountability; every individual contributes.
Identify stakeholders and internal partnerships.

15
Q

Privacy Strategy - challenges

A

Gaining consensus from organization management; look for privacy sponsors/champions for support.

16
Q

Privacy Champions

A

A privacy champion at the executive level acts as an advocate and sponsor to further foster privacy as a core organization concept.
- keep champions informed so they can advocate and privacy becomes embedded

17
Q

Best Practices for Internal Partnerships?

A
  • how do others treat and view PI?
  • use of data in their business context
  • build privacy requirements into their ongoing projects to help reduce risk
  • offer to help meet objectives with solutions to reduce risk
  • invite staff to a privacy advocate group
18
Q

Stakeholder Privacy Workshop

A

Conduct a privacy workshop for stakeholders to level the privacy playing field by defining privacy for the organization, explaining the market expectations, answering questions, and reducing confusion.

19
Q

Program Ownership

A
  • ensure clear ownership of assets and responsibilities

- record using agendas, minutes and actions (also helps with audits and accountability requirements)

20
Q

Develop and Implement Framework

A

manageable approach to operationalizing the controls to protect and handle PI

  • reach compliance
  • competitive advantage, engendering trust
  • support business commitment and objectives
21
Q

Frameworks - Definition

A

the various processes, templates, tools, laws and standards to guide in privacy program management.

22
Q

Framework includes:

A
  • are risks defined and identified?
  • program implemented in all workstreams?
  • assigned responsibility and accountability for privacy program management
  • gaps?
  • monitored?
  • employees trained? awareness program?
  • follow industry best practice for data inventories, risk assessments, PIAs?
  • incident response plan?
  • communicate privacy-related matters and update material
  • use common language to address and manage cybersecurity risk
23
Q

Frameworks - 2 categories

A
  1. Principles and Standards

2. Laws, Regulations, and Programs

24
Q

Principles and Standards

A
  • Fair Information Practices
  • Organization for Economic Co-operation and Development (OECD), basis of EU DPD and GDPR
  • GAPP
  • CSA Privacy Code (base of PIPEDA)
  • APEC
  • ETSI
  • NIST (agnostic to technologies, sectors, laws or jurisdictions)
25
Q

Fair Information Practices include:

A
  • rights of individuals (notice, choice and consent, data subject rights)
  • controls on information (info sec, info quality)
  • information life cycle (collection, use and retention, disclosure, destruction)
  • management (management and administration, monitoring, enforcement)
26
Q

NIST

A

Privacy Framework - 3 key parts
Suitable for organizations of all sizes
Agnostic to technology/sector/law

27
Q

How does the NIST framework help manage privacy risk?

A
  • embedding privacy when designing and deploying systems, products and services
  • communicating about privacy practices
  • encouraging cross-organization workforce collaboration
28
Q

3 parts to NIST framework

A
  1. core set of privacy protection activities
  2. profiles - the core activities selected based on risk appetite, future state, resources, etc.
  3. tiers - the level of operational maturity achievable for the profile, based on key criteria
29
Q

PbD - definition

A

ensure every stage of development takes privacy into account

affirms the Fair Information Practices but goes beyond them to aim for the highest standard

30
Q

PbD - principles

A
  1. proactive > reactive
  2. privacy as default
  3. embedded in design
  4. full functionality
  5. end to end security
  6. visibility and transparency
  7. respect for user privacy (user centric)
31
Q

Examples of Laws, Regulations and Programs
- Canada
- EU
- EU-US
- BCR
- HIPAA
- DPA

A

CA: PIPEDA well developed, generic privacy principles
EU: GDPR, framework for data protection, increased obligations and national laws
EU-US Privacy Shield, cross border data protection, replaced Safe Harbour Framework, invalidated by Schrems II
BCR Binding Corporate Rules - legally binding internal corporate privacy rules within a corporate group
HIPAA - national standards for electronic healthcare transactions. Patients must opt in before their information can be shared
DPA - local data protection authorities, e.g. France’s CNIL, provide guidance on legal frameworks

32
Q

Rationalizing Requirements for a framework

A
  • most data privacy legislation = the obligations on regulated entities
  • data protection reg’s usually include: notice, choice, consent, purpose limitations, limits on retaining data, individual rights to access, correction and deletion of data, and the obligation to safeguard data (all generally covered by privacy frameworks).
  • need to also address ‘outliers’ that fall outside of the obligations, e.g. when the local law exceeds the national law or industry/data-specific requirements.

- look at the strictest standard when seeking a solution.

33
Q

Technology for governance, risk and compliance

A
  • usually selected in order to demonstrate compliance
  • include data mapping, assessment management modules, supplier due diligence, and incident response tools and DSAR (data subject access requests)
34
Q

GRC Tools

A
  • integrating governance, management and assurance of performance, risk and compliance activities.

used to:
  • create and distribute policies and controls, map to regs and internal compliance
  • assess if controls are in place and working
  • ease risk assessments and mitigation
35
Q

Privacy Team Structure: Governance Models

A
  • consider global/regional implications or needs
  • will need executive leadership support for successful implementation
  • Should:
    involve senior leadership
    stakeholders
    develop internal partnerships
    provide flexibility
    leverage communication
    leverage collaboration

3 models: centralized | local (decentralized) | hybrid

36
Q

Governance model - centralized

A

uses a single channel function, planning and decision-making by one group
typically a CPO, chief privacy officer

+ use same resources throughout org (efficient)
- those furthest from the issue are addressing it

37
Q

Governance model - local

A

decentralized
delegate decision making authority down to the lower levels of an org
- likely to run with less-rigid policies and wider spans of control
- flat structure
- if correct controls are in place, there is a bottom to top flow of info; creating a well informed base

+ those closest to the issue are addressing it
- inefficient, each manager/layer has to create own practices

38
Q

Governance model - hybrid

A

combo of centralized and local
- main department for privacy-related affairs, and the local entities fulfill the directives issued

+ dictate core values and have the employees implement those that fit/reach goals

39
Q

Org Model - CPO

A

Chief Privacy Officer
corporate leader, develop and operationalize privacy strategy and program
common with large, global orgs

40
Q

Org Model - Privacy director/manager

A

mid level position that reports to CPO
assists with implementation of strategy/program

41
Q

Org Model - Privacy Analyst

A

entry level
more tactical privacy program tasks

42
Q

Org Model - Business line privacy leaders

A

senior management
large multinational corps, number of business lines, brands or siloed regions

43
Q

Org Model - Privacy/legal counsels

A

legal resource within the privacy team, or within legal but working on privacy-related matters (3rd-party due diligence, negotiating DPAs, breaches and incidents, regular notifications and complaints)

44
Q

Org Model - first responders

A

e.g. incident response team members

45
Q

Org Model - DPO

A

Data Protection Officer
for companies subject to GDPR
not a full time role

46
Q

Org Model - Privacy Engineer

A

technical implementation of privacy requirements into product design and leading implementation of PbD principles in the org

47
Q

Org Model -Privacy Technologist

A

technology professionals that play a role in protecting privacy in or within technology.
audit, risk and compliance managers, data professionals, data architects, data scientists, etc.
these roles are not necessarily within the privacy office

48
Q

Organizational Structure Considerations

A
  • hierarchy of command - authority establishes trail of responsibility
  • role definition - clearly defined to create expectations and performance
  • evaluation of outcomes
  • alteration of org structure - flexibility to change to meet demands
  • significance - complex for large orgs, flat for small orgs
  • types of structures - product, functional, etc.
  • customers - consider needs
  • benefits - to org, customers, stakeholders
49
Q

The DPO Role - required when?

A

Article 37 of GDPR
- designate an individual to be responsible for monitoring an org’s privacy compliance
- by public authorities or bodies
- where ‘core’ activities require ‘regular and systematic monitoring of data subjects on a large scale’
- where ‘core’ activities consist of processing ‘special’ categories of data, or data relating to criminal convictions/offences on a large scale

50
Q

DPO - reporting structure and independence

A

required to report to the highest management level of the controller or processor

51
Q

DPO - qualifications and responsibilities

A

“expert knowledge of data protection law and practices”

52
Q

Privacy Awareness vs Training

A

Training programs are formal.
Awareness is a less formal, ongoing effort, designed to remind staff of privacy lessons they have already learned.