6. Information Management from US Flashcards
What are the roles of a privacy professional?
- Research: laws, guidelines, common practices and tools. Monitor current events and changing guidelines.
- Education: educate the organization about privacy laws, policies, risks and recommended practices.
- Policies and procedures: designing and recommending them.
- Monitoring: monitoring internal and external threats to privacy. Monitoring and managing organizational risk.
What are the four types of risk?
- Reputational Risk
- Investment Risk
- Legal Risk
- Operational Risk
What is Reputational risk?
- Damaging trust in the brand: organizations can face both legal enforcement and reputational harm if they do not adhere to their stated privacy policies
What is Investment Risk?
- Hampering the ability of the organization to receive an appropriate return on its investments in information, IT and information processing programs
What is Legal Risk?
- Not complying with privacy laws (state, federal and international)
- Not fulfilling contractual commitments
What is Operational Risk?
- Affecting efficiency
- Inhibiting use of personal information that benefits the organization and customers
What are the four steps in developing an information management program?
- Discover
- Build
- Communicate
- Evolve
In developing an information management program, what should be done in Discover?
The process of information management program development begins with “discovery.”
Consider:
- Accountability
- Company policy goals
- PI data inventory
- Data locations
- Data sharing
- Data transfers
- Data flows
- Data classification
- Data risk
Tasks include:
- Self-assessing and identifying privacy risk
- Classifying PI according to sensitivity
- Developing and documenting best practices
In developing an information management program, what should be done in Build?
Once an assessment of practices and goals is complete, determine how best to meet those goals by building a privacy program that both facilitates and restricts the flow of personal information (as appropriate).
This includes:
1. Internal privacy policies:
   - Enforceable legal documents (contracts)
   - Policy reviews
2. External privacy notices:
   - Common practices, sometimes required by law
   - Promises to consumers
   - Notices that accurately reflect policy and practices
   - Version control
   - Accessible online
In developing an information management program, what should be done in Communicate?
Even a well-constructed privacy program will not be successful if those involved in handling PI are not fully trained.
Communication is key, as well as:
- Documenting and updating policies and procedures
- Conveying policies, procedures and goals to decision-makers and consumer-facing employees
- Training and awareness programs for staff and management
- Individual accountability for compliance
In developing an information management program, what should be done in Evolve?
Information management practices evolve in response to changing technologies, laws, market conditions and other factors. Once an information management program is established, there must be a process for review and update. Failure to do so can result in a company falling out of compliance with its public privacy promises or failing to meet other organizational goals.
Key actions include:
1. Affirmation and monitoring
   - Do policies and practices still comply with law, conform with company needs and support incident response programs?
2. Adaptation
   - What changes are necessary to comply with new laws, current company goals and industry practices?
What are the steps in an incident response program?
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned