All Questions Flashcards

1
Q

What are the goals of a privacy program manager?

A
  • identify privacy obligations for the org
  • identify business, employee and customer privacy risks
  • identify existing documentation, policies and procedures
  • create, revise and implement policies and procedures that effect positive practices and together comprise a privacy program
2
Q

What is accountability?

A

Accountable organisations have the proper policies and procedures to promote proper handling of personal information and, generally, can demonstrate that they have the capacity to comply with applicable privacy laws.

They promote trust and confidence and make all parties aware of the importance of proper handling of personal information.

3
Q

How can the IT group carry the mantle of privacy by design?

A

By building privacy principles into technology development: for example, limiting the data fields built into a tool or application to only those actually required to perform a process or action, or building in functions that let the user easily delete data according to the retention schedule.

4
Q

What is privacy governance?

A

The components that guide a privacy function toward compliance with privacy laws and regulations and enable it to support the organization’s broader business objectives and goals.

5
Q

What are the components of privacy governance?

A
  • creating the organisational privacy vision and mission statement
  • defining the scope of the privacy program
  • selecting an appropriate privacy framework
  • developing the organisational privacy strategy
  • structuring the privacy team
6
Q

What two steps are usually adopted to identify the privacy program’s scope?

A
  1. Identify the personal information collected and processed
  2. Identify in-scope privacy and data protection laws and regulations
7
Q

Which Article of the GDPR formalised the maintenance of written records of processing (including how the organisation processes personal data, the categories of data subjects affected and the recipients of the data)?

A

Article 30 (records of processing activities)

8
Q

What country takes the sectoral approach to privacy and data protection?

A

US

Enactment of laws that specifically address a particular industry sector, such as

  • financial transactions
  • credit records
  • law enforcement
  • medical records
  • communications
9
Q

What countries employ the comprehensive model for data protection?

A

EU member states and Canada

Govern the collection, use and dissemination of personal information in private and public sectors with an official oversight enforcement agency that:

  • remedies past injustices
  • promotes electronic commerce
  • ensures consistency with pan-European laws
10
Q

What country adopts the co-regulatory model for data protection?

A

Australia

Variant of the comprehensive model, where industry develops enforcement standards that are overseen by a privacy agency

11
Q

What countries adopt the self-regulatory model for data protection?

A

US, Japan and Singapore

Companies use a code of practice by industry bodies. The Online Privacy Alliance, TrustArc, BBBOnline and Webtrust are examples of this type of model.

12
Q

What entities are subject to the Gramm-Leach-Bliley Act?

A

Financial institutions

13
Q

When is a DPO required under Article 37 GDPR?

A

(A) where the processing is carried out by a public authority or body
(B) where the organisation's "core" activities consist of processing operations that require "regular and systematic monitoring of data subjects on a large scale"
(C) where the organisation's core activities consist of processing "special" categories of data (or data relating to criminal convictions and offences) on a large scale

14
Q

Formally appointing a DPO will subject the organisation to what DPO requirements?

A
  • reporting structure and independence (Article 38): the DPO must report directly to the highest management level
  • qualifications and responsibilities (Article 37(5)): expert knowledge of data protection law and practices
15
Q

What are the requirements on a DPO under Article 39 GDPR?

A

(A) Monitoring company’s compliance with GDPR

(B) providing advice during data protection impact assessments

(C) Cooperating with supervisory authorities

16
Q

What is the maximum amount of penalty for breach of HITECH?

A

$1.5 million (the annual cap for violations of an identical provision)

17
Q

What are the differences between privacy assessments, PIAs and DPIAs in terms of type of assessment?

A

Privacy assessment - measures an organisation’s compliance with laws and internal policies.

PIA- Analysis of privacy risks associated with processing information in relation to a project, product or service

DPIA- under GDPR, process designed to identify risks arising from the processing of personal data and to minimise these risks as much and as early as possible.

18
Q

What are the differences between how privacy assessments, PIAs and DPIAs are triggered?

A

Privacy assessments: a business-as-usual audit at a predefined interval, or in response to a security or privacy event, or at the request of an enforcement authority.

PIAs: emanate from industry codes, organisational policy, laws, regulations or supervisory authorities.

DPIAs: when processing is likely to result in a high risk to the rights and freedoms of natural persons.

19
Q

What are the differences between the standards used for privacy assessments, vs PIAs and DPIAs?

A

Privacy assessments: subjective measures such as employee interviews, or objective ones such as information system logs.

PIAs: ISO/IEC 29134.

DPIAs: minimum features: (a) a description of the processing, including its purpose and the legitimate interest being pursued; (b) the necessity of the processing, its proportionality and the risks it poses to data subjects; and (c) measures to address the risks identified.

20
Q

Which of privacy assessments, PIAs and DPIAs facilitate privacy by design?

A

PIAs

21
Q

Which US government act requires PIAs from government agencies?

A

E-Government Act

22
Q

When are PIAs required by the US gov pursuant to the E-Government Act of 2002?

A

(A) When developing or procuring IT systems containing PII of the public; or
(B) when initiating an electronic collection of PII

23
Q

Under the E-Government Act of 2002, what requirement precedes a PIA and determines whether a PIA is needed?

A

Privacy Threshold Analysis

The PTA will seek to determine:
(A) from whom data is collected
(B) what types of personal data are collected
(C) how such data is shared
(D) whether the data has been merged
(E) Whether any determinations have been made as to the info security aspects of the system

24
Q

Under ISO 29134, what is the performing phase?

A
  1. Identifying the information flows of PII
  2. Analysing the implications of the use case
  3. Determining the relevant privacy-safeguarding requirements
  4. Assessing privacy risks through the steps of risk identification, risk analysis and risk evaluation
  5. Selecting privacy risk treatment options
25
Q

What is the follow up phase under ISO 29134?

A
  • preparing and publishing the PIA report
  • implementing the privacy risk treatment plan
  • reviewing the PIA and reflecting changes to the process
26
Q

What is the fine for failure to carry out a DPIA when the processing is subject to a DPIA, carrying out a DPIA in an incorrect way, or failing to consult the competent supervisory authority where required?

A

An administrative fine of up to €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(4) GDPR).

27
Q

What are the examples for when a processing operation is likely to result in high risks under Article 35 of the GDPR?

A

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences; or
(c) a systematic monitoring of a publicly accessible area on a large scale.

28
Q

What factors does the WP29 recommend be considered when determining whether the processing is carried out on a large scale?

A

(1) the no. of data subjects concerned, either as a specific number or as a proportion of the relevant population;
(2) the volume of data and/or the range of different data items being processed;
(3) the duration, or permanence, of the data processing activity; and
(4) the geographical extent of the processing activity

29
Q

As part of the accountability principle, what info must a data controller maintain?

A

A record of the processing activities under its responsibility (Article 30), including the purposes of the processing, a description of the categories of data subjects and personal data, the recipients of the data and, where possible, a general description of the technical and organisational security measures.

30
Q

What should a DPIA include as a minimum under the GDPR?

A

(A) a description of the processing, including its purpose and the legitimate interest being pursued
(B) the necessity of the processing, its proportionality and the risks that it poses to data subjects
(C) measures to address the risks identified

31
Q

Which three guides make up the CNIL's PIA method?

A
  1. The method explains how to carry out a PIA
  2. The models help to formalise a PIA by detailing how to handle the different sections introduced in the method
  3. The knowledge base is a code of practice that lists measures to be used to treat the risks
32
Q

When must the supervisory authority be contacted in the context of a DPIA?

A

Whenever the data controller cannot find sufficient measures to reduce risks to an acceptable level, consultation with the supervisory authority will be necessary

33
Q

What is attestation?

A

It is a tool for ensuring functions outside the privacy team are held accountable for privacy-related responsibilities

34
Q

What is NIST 800-60?

A

NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, published by the National Institute of Standards and Technology (part of the US Department of Commerce).

35
Q

Information security requires ongoing assessment of threats and risks, and of procedures and controls, consistent with three key attributes. What are they?

A

Confidentiality, integrity and availability

36
Q

What rule sets forth required disposal protections for financial institutions?

A

The Disposal Rule under the Fair and Accurate Credit Transactions Act of 2003

37
Q

What is the difference between the privacy policy and the privacy notice?

A

The privacy policy is the high-level governance document that aligns with the privacy vision or mission statement of the organisation. It is an internal document.

The privacy notice is an external communication which describes how the organisation collects, uses, shares, retains and discloses the personal information it holds, based on the organisation's privacy policy.

38
Q

Supporting policies must contain the following:

A

1) Issue/ objective statement
2) Statements of the organisation’s position
3) Applicability
4) Roles and responsibilities
5) Compliance
6) Points of contacts and supplementary information

39
Q

How can action be taken against breaches of privacy notices in the US?

A

Section 5(a) of the Federal Trade Commission Act prohibits unfair or deceptive trade practices and allows the FTC to investigate and bring enforcement actions against companies engaging in them. A company that fails to honour its own published privacy notice can be pursued as engaging in a deceptive practice.

40
Q

How often must consumer reporting agencies provide consumers with a free copy of their credit report under the Fair Credit Reporting Act (FCRA) in the US?

A

Free of charge once a year.

41
Q

What are the obligations placed on employers under the Fair Credit Reporting Act (FCRA)?

A

FCRA requires employers to obtain an applicant's or employee's written consent before conducting a background check through a consumer reporting agency.

Additionally, FCRA requires employers to inform the applicant or employee that the information obtained in the background check may be used to make decisions about their employment. This disclosure must be provided in a standalone written notice, separate from the employment application.

42
Q

Under the Health Insurance Portability and Accountability Act (HIPAA), when must changes be implemented for corrections?

A

Within 60 days

43
Q

Who enforces the Do Not Call Registry in the US?

A

The Federal Trade Commission (which maintains the registry) and the Federal Communications Commission

44
Q

Which Act provides individuals with a right of access to their own records from each federal agency that maintains a system of records, upon receipt of a written request from an individual?

A

Privacy Act of 1974

45
Q

What are the three categories of law enforcement and national security records which are not subject to the requirements of the Freedom of Information Act?

A
  1. Records of an ongoing criminal law enforcement investigation where the subject is unaware of it and disclosure could interfere with enforcement proceedings
  2. Informant records
  3. FBI records concerning foreign intelligence, counterintelligence or international terrorism, where the existence of the records is itself classified
46
Q

Which was the first state in the US to require commercial website or online service Operators To conspicuously post privacy notices on their websites or online services?

A

California, through the California Online Privacy Protection Act (CalOPPA)

47
Q

What are the differences between the Delaware Online Privacy Protection Act and CalOPPA?

A
  1. CalOPPA applies to consumers while DOPPA applies to users
  2. CalOPPA is limited to commercial website and apps; DOPPA covers broader range of entities that could be handling PII, including websites, cloud computing services, online apps and mobile apps.
48
Q

What are the similarities between CalOPPA and DOPPA?

A

Both require that Operators disclose in their privacy notices how they respond to Do Not Track requests regarding the collection of consumers’ and users’ PII

49
Q

What is California’s Shine the Light law?

A

Gives California residents the right to request and be notified about how businesses use and share their personal information with other businesses for direct marketing purposes

The law also gives consumers a private right of action in the event that a business fails to respond to a consumer’s request

50
Q

What is California’s Online Eraser law?

A

Designed to protect individuals under the age of 18, it requires operators of websites, online services, online applications and mobile applications to permit minors who are registered users to request the removal of content they posted.

51
Q

What is the California Consumer Privacy Act of 2018?

A

Landmark privacy law, effective 1 January 2020.

It gives consumers the ability to request a record of:

  • what categories of personal information an organisation holds about the requester, its sources, and the specific personal information that has been collected
  • information about the use of the individual's personal information, in terms of both business use and third-party sharing
  • the right to deletion
  • the option for consumers to opt out of having their data sold to third parties
52
Q

Which act provides the most robust consumer rights of the biometric laws adopted thus far?

A

Illinois Biometric Information Privacy Act

BIPA requires that a private entity notify an individual in writing of its intent to collect biometric information; inform the individual of the purpose and length of term for which biometric information is being collected and used, and receive a written release authorising the use.

A private entity must also obtain consent for further disclosure of biometric identifiers.

53
Q

What are the statutory damages against an entity for violating BIPA?

A

Negligent violation: $1,000 (or actual damages, whichever is greater)

Intentional or reckless violation: $5,000 (or actual damages, whichever is greater)

54
Q

What are the exemptions for the right to erasure?

A

Organisations can decline data subjects' requests to the extent that the processing is necessary:

(A) for exercising the right of freedom of expression and information
(B) for compliance with a legal obligation or the performance of a task in the public interest (e.g. public health, archiving, scientific or historical research, or statistical purposes)

55
Q

For personal data processed for scientific and historical research purposes or statistical purposes, how far does the right to object go?

A

Under Article 21(6) GDPR, where personal data is processed for scientific or historical research purposes or statistical purposes, the right to object exists only insofar as the processing is not necessary for the performance of a task carried out for reasons of public interest.

56
Q

What is irregular component or noise?

A

In trend analysis of privacy metrics, this is what is left over once the other components of the series (trend, seasonal and cyclical) have been accounted for. It is the most difficult component to detect; an example would be an unexplained period with no privacy breaches.

57
Q

What are the maturity levels in the Privacy Maturity Model?

A
  1. Ad hoc
  2. Repeatable
  3. Defined
  4. Managed (reviews are conducted to assess effectiveness of controls)
  5. Optimised (regular feedback)
58
Q

What are the four common approaches for compliance monitoring?

A

Self monitoring, audit management, security/ system management and risk management

59
Q

What procedures should supplier monitoring cover?

A
  • appropriate privacy and security requirements
  • provider performance
  • security of mobile devices
60
Q

What are the types of audit?

A
  1. First party - will consider the org risk management culture, identify privacy risk factors, and evaluate control design and implementation
  2. Supplier audits
  3. Third party audits - NIST or ISO
61
Q

What is a metric lifecycle?

A

The processes and methods to sustain a metric to match the ever changing needs of an organisation

62
Q

What categories constitute preparedness?

A
  1. Training
  2. Getting an incident response plan in place
  3. Understanding key stakeholders
  4. Getting insurance coverage when appropriate
  5. Managing vendors who might be a part of an incident
63
Q

Who are the relevant regulators to notify in the US?

A

The state attorney general and the FTC

64
Q

In the healthcare industry, which regulator should be notified in a healthcare breach?

A

Department of Health and Human Services

65
Q

What are the seven foundational principles of Privacy by Design?

A
  1. Proactive, not reactive; preventative not remedial
  2. Privacy as the default
  3. Privacy embedded into design
  4. Full functionality - positive-sum, not zero-sum
  5. End to end security - full lifecycle protection
  6. Visibility and transparency
  7. Respect for user privacy
66
Q

What are the qualities of the Privacy by Design Paradigm?

A
  1. Being proactive: by default, privacy controls are part of the system engineering requirements. They are tested for effectiveness and monitored continuously.
  2. Embedded privacy controls: this involves putting them into systems and applications, auditing them for regulatory compliance, and re-evaluating them when new threats to information systems are discovered.
  3. Demonstrating respect for users: privacy and security controls coexist transparently for the user; they do not diminish the authorisations necessary to access data. The protection of organisational information assets is enabled without unnecessary trade-offs.
67
Q

Which EU principles summarize the data protection by design and default?

A

Article 25 GDPR- data protection by design and default

Recital 78 - appropriate technical and organisational measures

68
Q

What are the appropriate technical and organisational measures under Recital 78?

A
  • pseudonymizing personal data as soon as possible
  • transparency with regard to the functions and processing of personal data
  • enabling the data subject to monitor the data processing, enabling the controller to create and improve security features
69
Q

What is privacy engineering?

A

Privacy engineering provides a methodology and technical tools based on industry guidelines and best practices, including the Unified Modeling Language

70
Q

What does information security aim to Ensure throughout the data lifecycle?

A

Confidentiality - prevention of unauthorised disclosure

Integrity: information is protected from unauthorised or unintentional alteration, modification or deletion

Availability - information is readily accessible to authorised users

71
Q

What does accountability and assurance mean in information security?

A

Accountability means that the ownership of an entity (and of its actions) is traceable, while assurance means that the other four objectives are met.

72
Q

What are the categories of information security controls?

A

Preventative, Detective, corrective

73
Q

What are the different nature of information security controls

A

Physical, administrative or policy controls, technical controls

74
Q

What ISO provides the overview of information security management systems?

A

ISO/IEC 27000:2018

75
Q

What is the standard that provides requirements for an ISMS?

A

ISO/IEC 27001

76
Q

What is an ISMS information security management system?

A

An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management system

77
Q

What are the areas of overlap for information security and privacy?

A
  • integrity / accuracy
  • authorised access
  • accountability
  • access/ availability
78
Q

Why is there not a complete overlap between privacy and information security?

A
  1. Privacy has a wider set of obligations and responsibilities than information security does (such as collection limitation, openness, relevancy and use limitation)
  2. Confidentiality - personal info is not always nonpublic
  3. You can have security without privacy, but you cannot have privacy without security
79
Q

A survey commissioned by the IAPP and Trustarc found the nexus of information privacy and information security is driven by…

A

The mutual goal of preventing or mitigating data breaches.

80
Q

What are some of the ways for information privacy and information security programs to align?

A
  • increased involvement of privacy personnel on information security teams and vice versa
  • employment of core privacy functions by an IT department motivated to get a better handle on its data and the extent of the corporate risk
  • increased investment in privacy technology
  • increased use of privacy impact assessments and data inventory and classification
  • increased use of data retention policies
81
Q

What are the four principles for better alignment for information security and data privacy

A
  • teaming
  • don’t reinvent
  • stay aware
  • rank and prioritise
82
Q

Basic security principles for role-based access include:

A
  • segregation of duties
  • least privilege
  • need to know access
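
Added worked example (not part of the flashcards): a minimal role-based access model that makes the three principles above concrete. Roles carry only the permissions their job function needs (least privilege), access is denied unless a role grants it (need-to-know), and the model refuses any role combination that would let one person both create and approve a payment (segregation of duties). The roles, permission names, user assignments and conflicting pair are constructed assumptions for the illustration.

```python
"""Added example: least privilege, need-to-know and segregation of duties
in a small role-based access control (RBAC) model.  All roles, permissions
and user assignments below are constructed sample data, not a real system."""

# Each role carries only the permissions its job function needs (least privilege).
ROLE_PERMISSIONS = {
    "ap_clerk":    {"payment:create", "vendor:read"},
    "ap_approver": {"payment:approve", "vendor:read"},
    "auditor":     {"payment:read", "vendor:read", "audit_log:read"},
}

# Permission pairs that must never be held by one person (segregation of duties).
# Assumed conflict: the person who creates a payment must not approve it.
CONFLICTING_PERMISSIONS = {
    frozenset({"payment:create", "payment:approve"}),
}

# Constructed user -> roles assignments, including one deliberate SoD violation.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_approver"},
    "carol": {"ap_clerk", "ap_approver"},   # holds both halves of the conflict
    "dave":  {"auditor"},
}


def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, set())
    return perms


def is_allowed(user, permission, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Need-to-know: deny by default; allow only if some assigned role grants it."""
    return permission in effective_permissions(user, user_roles, role_perms)


def sod_violations(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS,
                   conflicts=CONFLICTING_PERMISSIONS):
    """Detective control: {user: [conflicting pairs]} for every user whose
    effective permissions contain both halves of a conflicting pair."""
    found = {}
    for user in user_roles:
        perms = effective_permissions(user, user_roles, role_perms)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= perms]
        if hits:
            found[user] = sorted(hits)
    return found


def assign_role(user, role, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS,
                conflicts=CONFLICTING_PERMISSIONS):
    """Preventive control: refuse an assignment that would create an SoD conflict.
    The check is made on a copy so a rejected assignment leaves no trace."""
    if role not in role_perms:
        raise KeyError(f"unknown role {role!r}")
    trial = {u: set(r) for u, r in user_roles.items()}
    trial.setdefault(user, set()).add(role)
    if user in sod_violations(trial, role_perms, conflicts):
        raise PermissionError(
            f"assigning {role!r} to {user!r} would violate segregation of duties")
    user_roles.setdefault(user, set()).add(role)
    return set(user_roles[user])


if __name__ == "__main__":
    print("alice may create payments:", is_allowed("alice", "payment:create"))
    print("alice may approve payments:", is_allowed("alice", "payment:approve"))
    print("SoD violations in current assignments:", sod_violations())
```

In a real deployment the same two checks run at different points: `sod_violations` as a periodic access review over exported role assignments, and `assign_role` in the provisioning path so the conflict is blocked before it exists.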
83
Q

Required administrative or policy controls for privacy can be found in four areas. What are they?

A
  1. Laws and regulations
  2. Self regulatory regime
  3. Industry practices
  4. Corporate ethos/ policy
84
Q

What are the four types of technical controls?

A

Obfuscation, data minimisation, security, and privacy engineering technologies
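
Added worked example (not part of the flashcards): the technical controls named above, together with the IT privacy-by-design practices from the earlier card (limit fields to those the process needs; delete on a retention schedule) and the Recital 78 measure of pseudonymising personal data as soon as possible, applied to a handful of constructed customer records. The field names, the 365-day retention period and the placeholder key are assumptions; the keyed-hash pseudonym is one common obfuscation technique, not the only one.

```python
"""Added example: data minimisation, keyed pseudonymisation and
retention-schedule deletion on constructed sample records."""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample records (not real data); field names are assumptions.
SAMPLE_RECORDS = [
    {"user_id": "u1001", "email": "alice@example.com", "dob": "1990-04-02",
     "last_order": "2019-01-10", "collected_on": "2018-06-01"},
    {"user_id": "u1002", "email": "bob@example.com", "dob": "1985-11-23",
     "last_order": "2020-03-15", "collected_on": "2020-03-15"},
]

# Data minimisation: the assumed order-history process needs only these fields,
# so "dob" is never carried into the tool that runs it.
REQUIRED_FIELDS = frozenset({"user_id", "email", "last_order", "collected_on"})

# Pseudonymisation key.  Placeholder for the example: in practice it is the
# "additional information" that must be kept separately under access control,
# because whoever holds it can re-derive the token for a known e-mail address.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"

RETENTION_DAYS = 365  # assumed retention schedule for this data set


def minimise(record, required=REQUIRED_FIELDS):
    """Keep only the fields the process actually requires."""
    return {k: v for k, v in record.items() if k in required}


def pseudonymise(value, key=PSEUDONYM_KEY):
    """Replace a direct identifier with an HMAC-SHA256 token.
    Same input and key give the same token, so records can still be linked;
    without the key the token cannot be reversed or rebuilt from a guess
    (an unkeyed hash of an e-mail address could be, by hashing candidates)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_record(record, identifier_fields=("email",), key=PSEUDONYM_KEY):
    """Pseudonymise every direct-identifier field present in the record."""
    out = dict(record)
    for field in identifier_fields:
        if field in out:
            out[field] = pseudonymise(out[field], key)
    return out


def purge_expired(records, today, retention_days=RETENTION_DAYS):
    """Retention schedule: drop records collected more than retention_days ago."""
    cutoff = today - timedelta(days=retention_days)
    return [r for r in records if date.fromisoformat(r["collected_on"]) >= cutoff]


def process(records, today, retention_days=RETENTION_DAYS):
    """Full pipeline: purge expired, minimise fields, pseudonymise identifiers."""
    kept = purge_expired(records, today, retention_days)
    return [pseudonymise_record(minimise(r)) for r in kept]


if __name__ == "__main__":
    for row in process(SAMPLE_RECORDS, date(2020, 6, 1)):
        print(row)
```

The order matters: purging first means expired records are never pseudonymised or copied onward, and minimising before pseudonymising means the tool downstream sees neither the date of birth nor the raw e-mail address.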

85
Q

What regulations require data privacy training?

A

The US Health Insurance Portability and Accountability Act (HIPAA)

86
Q

What provision prohibits unfair or deceptive trade practices and allows the US FTC to investigate and bring enforcement actions against companies engaging in them?

A

Section 5(a) of the FTC Act

87
Q

Which organisations have endorsed a layered approach to privacy notices?

A

Endorsed by both the FTC and the EU’s Article 29 Working Party, now the European Data Protection Board

88
Q

The Digital Advertising Alliance regulates the use of its icon on websites and mobile screens by requiring compliance with DAA principles relating to what?

A

Notice, opt out and limitations on data collection and use

89
Q

What is the age for parental consent under the California Consumer Privacy Act?

A

Parental or legal Guardian consent for children under the age of 13 and the affirmative consent of children between 13 and 16 years of age prior to engaging in data selling

90
Q

What obligations does the Fair Credit Reporting Act (FCRA) place on employers?

A

FCRA requires employers to obtain an applicant's or employee's written consent before conducting a background check through a consumer reporting agency. Additionally, FCRA requires employers to inform the applicant or employee that the information obtained in the background check may be used to make decisions about their employment.

91
Q

How Long do individuals have to obtain a copy of their information under HIPAA?

A

30 days

92
Q

Under HIPAA, an individual has the right to change any incorrect information and add any missing or incomplete information and these changes must be implemented within how many days?

A

60 days

93
Q

Who enforces the Do not call registry?

A

FTC and Federal Communications Commission

94
Q

Who enforces CAN-SPAM?

A

FTC

95
Q

What are the nine exemptions to information that may be requested under the Freedom of Information Act?

A
  1. Information that is classified to protect national security
  2. Information related solely to the internal personnel rules and practices of an agency
  3. Information that is prohibited from disclosure by another federal law
  4. Trade secrets or commercial or financial information that is confidential or privileged
  5. Privileged communications within or between agencies
  6. Information that, if disclosed, would invade another individual’s personal privacy
  7. Information compiled for various law enforcement purposes
  8. Information that concerns the supervision of financial institutions
  9. Geological information on wells
96
Q

What is the scope of the CalOPPA?

A

The law applies to any website or online service operator in the US and possibly the world whose website collects personally identifiable information from Californian consumers

97
Q

What are the differences between DOPPA and CalOPPA?

A
  • scope (consumers under CalOPPA and users under DOPPA)
  • DOPPA covers broader range of entities that could be handling PII, including websites, cloud computing services, online apps and mobile apps, while CalOPPA is limited to commercial websites and apps
98
Q

What are the exceptions for the California Online eraser law?

A

An operator is not required to comply with a request for removal or deletion if:

the content about the minor was posted by a third party other than the minor (the minor being a registered user of the website);

the minor does not follow the instructions provided on how to request removal of content; or

the minor received compensation or other consideration for the content.

99
Q

Under Article 13 of the GDPR, what information do data subjects have the right to be provided with in relation to their relationship with the controller?

A

1: the controller's identity and contact details
2: the reasons or purposes for processing their personal data
3: the legal basis for the processing
4: the recipients of that data
5: other relevant information necessary to ensure the fair and transparent processing of the data
6: where the data was not obtained from the data subject (Article 14), the controller must also identify the source of the data, so that the data subject can effectively pursue their rights

100
Q

What are the exemptions to the right of erasure in Article 17(3)?

A

Data subjects' requests can be declined to the extent that the processing is necessary:

  • for exercising the right of freedom of expression and information
  • for compliance with a legal obligation which requires processing in the public interest, e.g. public health, archiving, scientific or historical research, or statistical purposes
101
Q

How does the right to object work under Article 21(1) whenever a controller justifies the data processing on the basis of its legitimate interests?

A

Data subjects can object to such processing. As a consequence, the controller is no longer allowed to process the data subject’s personal data unless it can demonstrate compelling, legitimate grounds for the processing

102
Q

Under the draft PI Security Specification, the handling of personal information and personal sensitive information must follow the seven principles of:

A
  1. Consistent rights and responsibilities
  2. Clear purpose
  3. Choice and consent
  4. Minimal and necessary uses
  5. Openness and transparency
  6. Security assurance
  7. Data subject participation
103
Q

What are the three sub tasks of strategic management

A

1) Define privacy vision and Mission statement
2) Develop privacy strategy
3) Structure privacy team

104
Q

What should a privacy vision/ Mission statement include?

A

1) Develop privacy objectives
2) Define scope
3) Identify legal and regulatory compliance challenges
4) Identify Personal Information Legal Requirements

105
Q

Steps to develop a privacy strategy

A

1) ID stakeholders and internal partnerships
2) Leverage key functions
3) Create a process for interfacing
4) Develop a data governance strategy
5) Conduct a privacy workshop

106
Q

What is a Privacy Program Framework?

A

Implementation roadmap that provides structure or checklists to guide privacy professionals through management and prompts for details to determine privacy relevant decisions

107
Q

What are the four parts of the privacy operational life cycle?

A

1) Assess
2) Protect
3) Sustain
4) Respond

(mnemonic: A Pretty Sweet Rabbit)

108
Q

All of the following are factors in determining whether an organisation can craft a common solution to the privacy requirements of multiple jurisdictions, except:

A

(A) effective date of most restrictive law

Other factors that can be considered:
(B) Implementation complexity
(C) legal regulations
(D) cost

109
Q

What are nongovernmental organisations that advocate for privacy protection known as?

A

External privacy organisations

110
Q

What step can best help you to identify the specific needs and objectives of Country Fresh regarding privacy protection?

A

Development of the business case.

111
Q

What is a privacy program framework?

A

This is an implementation road map that provides the structure or checklists (document privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy- relevant decisions for the organization