Chapter 1

Question 1

What are the 4 goals of a privacy manager?

Answer 1

1) Identify privacy obligations for the organization
2) Identify business, employee and customer privacy risks
3) Identify existing documentation, policy and procedures
4) Create, review and implement policies and procedures that effect positive practices and together comprise a privacy program

Question 2

The five goals of a privacy program are to:

Answer 2

1) Promote consumer trust and confidence
2) Enhance the organization’s reputation
3) Facilitate privacy program awareness, where relevant, of employees, customers, partners and service providers
4) Respond effectively to privacy breaches
5) Continually monitor, maintain and improve the privacy program

Question 3

What is accountability?

Answer 3

Accountable organizations have the proper policies and procedures to promote proper handling of personal information and, generally, can demonstrate that they have the capacity to comply with applicable privacy laws
They promote trust and confidence and make all parties aware of the importance of proper handling of personal information.
Ownership is traceable

Question 4

How can accountability benefit organizations?

Answer 4

Accountability as defined by laws can actually benefit organizations because in exchange it can give organizations a degree of flexibility about how exactly they will comply with their obligations

Question 5

How does privacy enhance an organization’s brand? 3

Answer 5

1) Meets regulatory compliance obligations
2) Reduces the risk of a data breach
3) Meets expectations of a client

Question 6

What are the activities supporting a privacy program that might be carried out by different functions in an organization 5

Answer 6

1) Adoption of privacy policies and procedures
2) Development of privacy training and communications
3) Deployment of privacy and security enhancing controls
4) Contract develop and management of third parties who process the personal info of the organization
5) Assessment of compliance with regulations

Question 7

As a rule privacy policies and procedures are created at an enterprise of functional level

Answer 7

At a functional level

Question 8

In a function, which group typically is responsible for security enhancing tools like encryption, data parameter security controls and data loss preventions?

Answer 8

Information security

Question 9

What are the five components of a privacy program

Answer 9

1) Privacy vision and mission statement
2) Scope of the privacy program
3) Appropriate privacy framework
4) Organizational privacy strategy
5) A privacy team

Question 10

What are the two steps to identifying the scope of a privacy program?

Answer 10

Identify the personal information collected and processed

Identify in scope privacy and data protection laws and regulations

Question 11

What are the considerations when identifying collected data? 7

Answer 11

Who collects data
What type of information are collected a
Where is the data stored physically
When is data collected
Why do we collect the data?
How long is the data retained and how is it deleted?
What security controls are in place to collect the data?

Question 12

What is considered a general best practice when dealing with countries with different privacy regulations?

Answer 12

Choose the most restrictive of the two policies

Question 13

What is PCI DSS

Answer 13

Payment Card Industry Data Security Standard - a global industry standard that is not a law but imposes data protection requirements on institutions and notification requirements

Question 14

What are the three groupings of privacy frameworks

Answer 14

1) Principles and Standards ex. GAAP
2) Laws, Regulations & Standards ex. HIPAA
3) Privacy Program Management Solutions e.g. ex. privacy by design

Question 15

What are the three considerations when deciding to adopt the strictest standard of privacy

Answer 15

Violate other data privacy laws
Budgetary concerns
Contradict organizational goals and objectives

Question 16

What are the things that a privacy tech vendor might manage 6

Answer 16

1) Assessment
2) Consent
3) Data mapping
4) Incident response
5) Privacy information
6) Website scanning/compliance

Question 17

What are the services provided by an external enterprise program management service 4

Answer 17

1) Activity monitoring
2) Data discovery
3) De-identification/pseudonymization
4) Enterprise communications

Question 18

What does GRC stand for?

Answer 18

Governance Risk Compliance, generally in the context of a tool

Question 19

What does a GRC tool usually used for? 3

Answer 19

Governance Risk Compliance tools generally:

1) Create and distribute policies and controls and map them to regulations and internal compliance requirements
2) Asses whether controls are in place and working and fix them if not
3) Ease risk assessment and mitigation

Question 20

What is a privacy strategy?

Answer 20

An organization’s approach to communicating and obtaining support for a privacy program.

Question 21

Describe a centralized governance model

Answer 21

Leaves one person or team responsible for all privacy related affairs
Works best in single-channel functions were data flows in one direction
Advantages: efficient
Disadvantages: requires many permissions

Question 22

Describe a local or decentralized governance model

Answer 22

Decisionmaking is delegated down
Less rigid and more spans of control
Advantages: decisions are made by those who understand their function
Disadvantages: roles are repeated

Question 23

Describe a hybrid governance model

Answer 23

Typically one department has responsibilities for privacy-related affairs, issuing policies, directives, and core values
Local entities fulfill responsibilities
Each region might have a privacy manager

Question 24

What does DPO mean

Answer 24

Data Privacy Officer is the designated individual accountable for an organization’s privacy compliance, often required by data privacy regulations
The DPO must report to the highest level of controller and possess expert knowledge of data protection law and practices

Question 25

What are the reasons why a DPO might be required? 3

Answer 25

1) By public, authorities or bodies 2) When the business's core activities require processing of data which require regular and systematic monitoring on a large scale 3) When the organization's core activities consist of processing special categories of data at a large scale

Question 26

What are common elements of a global law or regulation? 6

Answer 26

``` Notice Choice and consent Purpose limitations Individual rights Data retention limits Data Rights ```

Question 27

What are the categories of privacy laws? 10

Answer 27

General privacy laws - apply to whole country Federal privacy laws - entire country but to a specific sector State/province laws (e.g. GLBA; HIPAA, COPPA) Health Financial Online Communication Information Education Privacy in one's home

Question 28

What does GDPR stand for?

Answer 28

General Data Privacy Regulation is a framework for data protection with increased accountability for organizations. It is rapidly becoming the global standard for data privacy protection.

Question 29

To whom does GDPR apply?

Answer 29

Personal data of those in the EU regardless of location of data processing related to the offering of goods and services, monitoring of their behavior as far as the behavior occurs in the EU.

Question 30

Under GDPR what are the 5 things consumers can do?

Answer 30

1) Withdraw consent for processing 2) Request a copy of their data 3) Request to move their data to different location in a machine readable format 4) Request you delete data 5) Object to automated decisionmaking processes includig profiling

Question 31

What 4 things can regulators do under GDPR?

Answer 31

1) Ask for records of processing activities and proof of compliance 2) Impose temporary data processing bans, require data breach notifications or order erasure of personal data 3) Suspend cross-border data flows 4) Enforce penalties up to 20M Euro or 4% of annual revenue for noncompliance

Question 32

When can data be transferred to another country?

Answer 32

Unless transfer of the data is specifically banned by low it can be transferred to a country with roughly similar privacy protections

Question 33

In what form might a privacy framework take? 4

Answer 33

Resuable structures Checklists Templates Processes & Procedures

Question 34

What is the data usage lifecycle? 5

Answer 34

``` Collection Usage Transfers Retention Destruction ```

Question 35

What is the process called where the data inventory or data map is compared to applicable laws and regulations?

Answer 35

Gap analysis

Question 36

What is the best way to maintain a record of processing activities?

Answer 36

Maintain a data flow analysis report identifying the different categories of personal data, purposes for which data is processed, the recipients and the way data flows around the business as well as externally

Question 37

The data flow analysis should only contain personal data (T/F)

Answer 37

False, non-personal data should be collected as implementing a new process means revised or new apps systems must thoroughly document the personal data they are processing

Question 38

When data processing activities should be included in a data inventory or data map? 5

Answer 38

``` Security used to protect data Retention periods for data Who has access to the data Who the data is disclosed to The legal basis for processing it ```

Question 39

What are the 3 types of assessments and impact assessments?

Answer 39

privacy assessments PIAs DPIA

Question 40

What is a Privacy Assessment

Answer 40

Privacy assessments measure an organization's compliance with laws, regulations, adopted standards and internal policies and procedures.

Question 41

What is the scope of a privacy assessment? 8

Answer 41

``` Education & awareness Monitoring and responding to the regulatory environment Data, systems and process assessments Risk assessments Incidence response Contracts Remediation Program assurance ```

Question 42

What is a PIA?

Answer 42

A privacy impact assessment is an analysis of risk associated with processing personal information in relation to a project, product or service It is a risk management tool used to identify the privacy/data protection risks to individuals and organizations.

Question 43

What is privacy by design?

Answer 43

Privacy by design is the concept of building privacy directly into technology, systems and practices at the design phase. It helps ensure privacy is considered from the outset.

Question 44

When should an organization conduct a PIA? 3

Answer 44

Prior to the development of a project, product, or service that requires the collection of PII When there are new or revised industry standards, organizational policies, or laws and regulations When the organization creates new privacy risks through changes in the way PII is handled

Question 45

What tools might an organization use to prioritize PIAs?

Answer 45

A PIA express tool or a Privacy Threshold Analysis (PTA)

Question 46

What are the 5 phases of a PIA

Answer 46

1) Identifying flows of PII 2) Analyzing the implications of the use case 3) Determining the relevant privacy safeguarding requirements 4) Assessing privacy risk 5) ) Preparig to treat privacy risk by choosing the privacy treatment, controls

Question 47

What is a DPIA?

Answer 47

A Data Protection Impact Assessment describes a process designed to identify risks arising out of the processing of personal data and to minimize those risks as much and as early as possible. A DPIA may be mandated by GDPR with fines assessed for failing to comply.

Question 48

When is a DPIA required

Answer 48

In cases where the processing is "likely to result in a high risk to the rights and freedoms of natural persons" the controller shall, prior to processing, carry out a DPIA. Risks include profiling that might lead to legal outcomes criminal, legal or health data of individuals, on a very large scale, data matching, analysis on vulnerable populations, or use of a new technology.

Question 49

What should a DPIA include (3)

Answer 49

Per the GDPR a Data Protection Impact Assessment should include: 1) A description of the processing including its purpose and the interest being pursued 2) The necessity of the processing, its proportionalit and the risks it poses to its data subjects 3) Measures to address the risks identirfied

Question 50

What are the two qualities of a good attestation?

Answer 50

Yes/no questions | Specific

Question 51

What are the 3 qualities of information security

Answer 51

1) Confidentiality - limited to authorized parties 2) Integrity - assurance that the data is authentic and complete 3) Availability - knowledge that the data is accessible as needed by those authorized to use it

Question 52

When working with a vendor, what kind of contract language should be included in the statement of work?

Answer 52

1) Type of information the vendor will have access to 2) Vendor plans to protect PI 3) Vendor responsibilities in the event of a data breach 4) Disposal of data upon termination 5) Limitations on data use 6) Rights of audit 7) Liability for a data breach

Question 53

How must one assess vendors under GDPR?

Answer 53

Use of contracts is a key control mechanism. The controller is obliged to demonstrate that the processor can competently manage their data through vetting and validation. If the controller is unable to establish proof of the processor's competent they must walk away.

Question 54

Mergers and acquisition processes should include a privacy checkpoint that evaluates: 6

Answer 54

1) Applicable new compliance requirements 2) Sector-specific laws 3) Standards 4) Jurisdictional laws 5) Existing client agreements 6) New resources, technologies and processes

Question 55

What is a privacy policy?

Answer 55

A privacy policy governs the privacy goals and strategic direction of the organization's privacy office. They should be considered the highest level of governance for any organization. It is a high-level governance that aligns to the privacy vision and mission statement of the organization.

Question 56

What are examples of documents supporting a privacy policy? 3

Answer 56

1) Organization standards, such as uniforms, identification badges and physical building systems 2) Guidelines on topics such as the use of antivirus software, firewalls and email security 3) Procedures to define and then describe the detailed steps employees should follow to accomplish tasks, such as hiring or creating new user accounts

Question 57

The privacy policy also supports a variety of documents communicated internally and externally that:

Answer 57

1) Explain to customers how the organization handles their personal information 2) Explain to employees how the organization handles personal information 3) Describe steps for employees handling personal information 4) Outline how data will be processed

Question 58

What are the 4 general components of a privacy policy?

Answer 58

1) Purpose: Why the policy exists as well as the goals of the privacy policy and program 2) Scope: Which resources the policy protects 3) Risks & Responsibilities: Assigns privacy responsibilities to roles throughout the organization and serves as the basis for establishing all employee and data user accountability 4) Compliance: the process by which the policy will be adhered to and penalties for failing to do so

Question 59

What is the difference between a privacy policy and a privacy notice

Answer 59

A privacy policy is an internal document for employees defining all aspects of privacy for the organization. A privacy notice is an external communication describing how the data collects and uses data based on its priacy policy.

Question 60

What is the most common cause of data breaches, data loss and data misappropriation?

Answer 60

employees and data users

Question 61

An information security policy serves 4 purposes

Answer 61

1) Protect against unauthorized access to data and information services 2) Provide stakeholders with information efficiently while maintaining confidentiality, integrity and availability 3) Promote compliance with laws and policies 4) Promote data quality

Question 62

What does CIA stand for

Answer 62

Confidentiality - prevention of unauthorized disclosure Integrity - protection from unauthorized modification or deletion Availability - readily accessible to authorized users

Question 63

A vendor should be held to the same privacy standards as the organization (T/F)

Answer 63

True

Question 64

A vendor should be included in a monitoring plan (T/F)

Answer 64

True, This may include recurrring onsite visits, attestations or periodic reassessments

Question 65

What should data retention and destruction policies support?

Answer 65

The idea that personal information should be retained only for as long as necessary to perform its stated purpose

Question 66

What is a good way integrate privacy policies into employees' everday tasks?

Answer 66

Aligning policies with existing business procedures, training employees and raising awareness

Question 67

What are data subjects

Answer 67

Identified or identifiable individuals whose personal information is being processed by an organization.

Question 68

A company can be fined for acting in a manner inconsistent with it's privacy notices (T/F)

Answer 68

True, in the US the Federal Trade Commission can initiate enforcement practices for deceptive consumer practices

Question 69

What information should a privacy notice include? 6

Answer 69

``` Who you are What information is collected How it will be used With who you will share the data How the behavior of website visitors is monitored How subjects may exercise their rights ```

Question 70

What is a layered design privacy notice mean?

Answer 70

High level overview with hyperlinks the reader can click on to get more detail or more detailed text below

Question 71

What is just in time design privacy notice

Answer 71

Collected just before the information is collected. This his best used when information is collected at multiple points and helps digest the information for rhe reader.

Question 72

How can icons or symbols be used in privacy notices?

Answer 72

Another layered approach which help navigate, especially useful when space is constrained.

Question 73

What is a privacy dashboard?

Answer 73

A privacy notification is built into the existing platform and can provide more personalized notices and choices

Question 74

A data subject unchecking a box to participate would be an example of

Answer 74

Opt out consent

Question 75

What is COPPA?

Answer 75

U.S. Children's Online Privacy Protection Act which has specific rules around providing privacy notices to children and gaining parental consent for children under age 13.

Question 76

What is the FCRA

Answer 76

Federal Credit Reporting Act - Allows consumers to access credit file and notify of incorrect info and get a examination in 30 days. Can get 1 free report a year Remove outdated information Right to be notified of adverse action or employment decisions based on their credit file Financial informations must notify plans of providing adverse info

Question 77

What is HIPAA

Answer 77

Health Insurance Portability an Accountability Act Regulates use and disclosure of protected health info. Gives consumers a right to their health records - must be provided in 30 days and correct any errors within 60 days. Can find out who has access and limit aceess.

Question 78

What is the DNC?

Answer 78

Do Not Call registry, customers can file a complaint about unwanted calls or texts

Question 79

What is the Privacy Act of 1974

Answer 79

Consumers have the right to files on them from a federal agency and request an amendment

Question 80

Freedom of Information Act

Answer 80

Federal agencies are required to disclose info to the public upon request except for national security, personnel info, trade secrets, privileged communication between agencies, law enforcement, invades privacy, financial institutions or wells

Question 81

California Online Privacy Protection Act

Answer 81

Requires information in the privacy notice on the types of PII captured, honors do not track etc.

Question 82

CCPA

Answer 82

California Consumer Privacy Act permits: The ability to request a record of the PII an organization holds about the requestor, source and PII. Right to erasure Right to opt out of marketing

Question 83

What are the 9 rights of the GDPR

Answer 83

``` Right of access Right to rectification Right to erasure (or right to be forgotten) Right to withdraw consent Right to restrict processing Obligation to notify with whom data has been shared Right to portability Right to object Right to automated decisionmaking ```

Question 84

Under the GDPR how long does a controller have to confirm or clarify a data request

Answer 84

1 month, however during that time the organization must decide whether it can act on the user's request and if not proceeding notify the requestor of their rights to lodge a complaint

Question 85

True or false: GDPR requires upon request a processor to notify a data subject of automatic processing

Answer 85

True

Question 86

Under GDPR under the right to be forgotten, the controller must

Answer 86

Delete their data | Take reasonable steps to inform third parties that are processing the data

Question 87

Under GDPR when can an entity decline requests to be forgotten

Answer 87

Right of freedom of expression and information Compliance with legal obligation like public health or statistical purposes Establishing or defending against legal claims

Question 88

Under GDPR requirements in what format should right to data portability data be shared

Answer 88

In a structured, commonly used and machine readable format

Question 89

What kind of people are most likely to make a data inquiry under GDPR?

Answer 89

Recently terminated or disciplined employees for grounds to threaten litigation

Question 90

Which country has the strictest privacy protections

Answer 90

S. Korea with very detailed required notices, prohibiting denying goods to those who deny consent to certain processing

Question 91

What did a 2018 study of the cost of a data breach estimate the cost of a breach in the US to be?

Answer 91

$148 per record or $3.9M, however the deployment of a response team lowers to $14 per record

Question 92

What did a 2018 study of the cost of a breach find the likelihood of a breach to be in the next 2 years?

Answer 92

27.9%

Question 93

Privacy training should be limited to employees (T/F)

Answer 93

False, contractors and vendors should also be included

Question 94

What is the difference between a privacy training program and awareness program?

Answer 94

Training communicates the company's privacy message, policies and processes. The awareness program reinforces the privacy message to shape expected behaviors and best practices.

Question 95

What are the 4 typical mistakes of an education & awareness program?

Answer 95

Equating education with awareness Using 1 communication channel Lacking effective measurement Eliminating education or awareness due to budget constraints

Question 96

Employees can be expected to be trained on every aspect of privacy regulation (T/F)

Answer 96

False, they ca only be trained on guiding principles and expected outcomes

Question 97

What are examples of metrics to measure the effectiveness of a privacy training/awareness program?

Answer 97

``` Number/frequency of sessions Number of attendees Percent of training completed Results of quizzes Changes to the number of privacy incident reports or requests of consultation ```

Question 98

What is privacy by design?

Answer 98

Framework that dictates that privacy and data protection are embedded throughout the entire lifecycle of technologies, from design to and disposal.

Question 99

What are the 7 principles of Privacy by Design?

Answer 99

1) Proactive, not reactive; Preventative, not remedial 2) Privacy as a default 3) Privacy embedded into design 4) Full functionality, not zero sum game 5) End to end security 6) Visibility & transparency 7) Respect for user privacy

Question 100

What is pseudonymization?

Answer 100

Process where identifyable fields in a record are replaced with an artificial one to make it less identifialbe while still retaining its value for analysis

Question 101

What is privacy engineering?

Answer 101

Concept facilitating Privacy by Design - methodologies, tools and guidelines such that engineered systems maintain acceptable levels of privacy.

Question 102

What are preventative, detective and corrective controls?

Answer 102

Preventative - used to avoid undesirable events Detective - identify and characterize an incident in progress Corrective - limit the extent of damage

Question 103

What is the difference between information privacy and information security?

Answer 103

Privacy addresses the right of individuals to control how and to what extent their information is collected and processed; Security safeguards the confidentiality, integrity and availability of their data. You can have security without privacy but not privacy without security.

Question 104

True or false - all personal information is private

Answer 104

False - phone book as an example

Question 105

What are examples of technical controls? 4

Answer 105

Obfuscation - hashing masking or tokenizing Minimization - collection limited to what's needed Security - measures to protect PETs or Privacy Engineering Technologies - cryptos, etc

Question 106

What are the three forms of damage to a corporation that can arise from a breach

Answer 106

Reputational Litigation from consumers Regulatory intervention

Question 107

What is the difference between a data incident and a data breach?

Answer 107

An incident is where the confidentiality, integrity of availability (CIA) to be compromised. A breach is where unauthorized acquisition or access to data. All breaches are incidents but not all incidents are breaches.

Question 108

How do breaches occur?

Answer 108

50% malicious intent, 25% human error, 25% system error

Question 109

What are the 5 categories of data breach preparedness?

Answer 109

``` Training Incident response plan Understanding key stakeholdsers Insurance coverage Managing vendors (optional) ```

Question 110

True or false, incident planning should be led by the Information Security team

Answer 110

False it should be led by the Privacy team with legal

Question 111

An incident response plan should be integrated into an organization's larger business continuity plan (T/F)

Answer 111

True

Question 112

What is the strategic value of investing in an incident response plan?

Answer 112

Exposure of gaps in applications & procedures Overall security Reduced financial liability and regulatory exposure Lower breach-related costs Preservation of brand reputation

Question 113

What are the three categories of tasks in an incident response plan?

Answer 113

Secure operations Notify appropriate parties Fix vulnerabilities

Question 114

The first thing an incident response plan should call for is to notify regulatory agencies

Answer 114

False, containment and notification should be balanced; legal should determine whether notification of of regulatory bodies should occur

Question 115

What is the importance of privilege in a breach?

Answer 115

Information shared with counsel is protected. Because of this it's preferable to engage outside counsel as courts have ruled that privilege does not exist among in-house counse

Question 116

All breaches require notification (T/F)

Answer 116

False varies by type of breach and by jurisdtiction

Question 117

What are the consequences of inconsistent messaging following a breach?

Answer 117

Pubic misunderstanding Legal liability Loss of trust & consumer confidence Evidence of poor planning

Question 118

What is the probability of a data breach in a 24 month periord?

Answer 118

28%

Question 119

What are the 3 benefits of using metrics to track objectives?

Answer 119

Normalizing brings it into everyday conversations Removes terminology and jargon Consider but are not based on any technology Helps advances the maturity of the program

Question 120

What is the role of a metric owner?

Answer 120

Champion the purpose and intent of the metric; does not need to be responsible for data collection or metric.

Question 121

What is the Privacy Maturity Model

Answer 121

Sets maturity levels for privacy programs and operations. Focuses on a scale instead of an endpoint ranging from Ad Hoc to Optimized.

Question 122

What are the 4 forms of monitoring?

Answer 122

Tools that automate monitoring Audits review people processes and other business operations Breaches - tracking severity and resolution Complaints

Question 123

What is the difference between an audit and an assessment?

Answer 123

An audit is evidenced based

Question 124

What are the 5 phases of an audit?

Answer 124

``` Plan Prepare Audit Report Followup ```