Chapter 1 Flashcards
What are the 4 goals of a privacy manager?
1) Identify privacy obligations for the organization
2) Identify business, employee and customer privacy risks
3) Identify existing documentation, policy and procedures
4) Create, review and implement policies and procedures that effect positive practices and together comprise a privacy program
The five goals of a privacy program are to:
1) Promote consumer trust and confidence
2) Enhance the organization’s reputation
3) Facilitate privacy program awareness, where relevant, of employees, customers, partners and service providers
4) Respond effectively to privacy breaches
5) Continually monitor, maintain and improve the privacy program
What is accountability?
Accountable organizations have the proper policies and procedures to promote proper handling of personal information and, generally, can demonstrate that they have the capacity to comply with applicable privacy laws
They promote trust and confidence and make all parties aware of the importance of proper handling of personal information.
Ownership is traceable
How can accountability benefit organizations?
Accountability as defined by laws can actually benefit organizations because in exchange it can give organizations a degree of flexibility about how exactly they will comply with their obligations
How does privacy enhance an organization’s brand? 3
1) Meets regulatory compliance obligations
2) Reduces the risk of a data breach
3) Meets expectations of a client
What are the activities supporting a privacy program that might be carried out by different functions in an organization 5
1) Adoption of privacy policies and procedures
2) Development of privacy training and communications
3) Deployment of privacy and security enhancing controls
4) Contract develop and management of third parties who process the personal info of the organization
5) Assessment of compliance with regulations
As a rule privacy policies and procedures are created at an enterprise of functional level
At a functional level
In a function, which group typically is responsible for security enhancing tools like encryption, data parameter security controls and data loss preventions?
Information security
What are the five components of a privacy program
1) Privacy vision and mission statement
2) Scope of the privacy program
3) Appropriate privacy framework
4) Organizational privacy strategy
5) A privacy team
What are the two steps to identifying the scope of a privacy program?
Identify the personal information collected and processed
Identify in scope privacy and data protection laws and regulations
What are the considerations when identifying collected data? 7
Who collects data
What type of information are collected a
Where is the data stored physically
When is data collected
Why do we collect the data?
How long is the data retained and how is it deleted?
What security controls are in place to collect the data?
What is considered a general best practice when dealing with countries with different privacy regulations?
Choose the most restrictive of the two policies
What is PCI DSS
Payment Card Industry Data Security Standard - a global industry standard that is not a law but imposes data protection requirements on institutions and notification requirements
What are the three groupings of privacy frameworks
1) Principles and Standards ex. GAAP
2) Laws, Regulations & Standards ex. HIPAA
3) Privacy Program Management Solutions e.g. ex. privacy by design
What are the three considerations when deciding to adopt the strictest standard of privacy
Violate other data privacy laws
Budgetary concerns
Contradict organizational goals and objectives
What are the things that a privacy tech vendor might manage 6
1) Assessment
2) Consent
3) Data mapping
4) Incident response
5) Privacy information
6) Website scanning/compliance
What are the services provided by an external enterprise program management service 4
1) Activity monitoring
2) Data discovery
3) De-identification/pseudonymization
4) Enterprise communications
What does GRC stand for?
Governance Risk Compliance, generally in the context of a tool
What does a GRC tool usually used for? 3
Governance Risk Compliance tools generally:
1) Create and distribute policies and controls and map them to regulations and internal compliance requirements
2) Asses whether controls are in place and working and fix them if not
3) Ease risk assessment and mitigation
What is a privacy strategy?
An organization’s approach to communicating and obtaining support for a privacy program.
Describe a centralized governance model
Leaves one person or team responsible for all privacy related affairs
Works best in single-channel functions were data flows in one direction
Advantages: efficient
Disadvantages: requires many permissions
Describe a local or decentralized governance model
Decisionmaking is delegated down
Less rigid and more spans of control
Advantages: decisions are made by those who understand their function
Disadvantages: roles are repeated
Describe a hybrid governance model
Typically one department has responsibilities for privacy-related affairs, issuing policies, directives, and core values
Local entities fulfill responsibilities
Each region might have a privacy manager
What does DPO mean
Data Privacy Officer is the designated individual accountable for an organization’s privacy compliance, often required by data privacy regulations
The DPO must report to the highest level of controller and possess expert knowledge of data protection law and practices
What are the reasons why a DPO might be required? 3
1) By public, authorities or bodies
2) When the business’s core activities require processing of data which require regular and systematic monitoring on a large scale
3) When the organization’s core activities consist of processing special categories of data at a large scale
What are common elements of a global law or regulation? 6
Notice Choice and consent Purpose limitations Individual rights Data retention limits Data Rights
What are the categories of privacy laws? 10
General privacy laws - apply to whole country
Federal privacy laws - entire country but to a specific sector
State/province laws (e.g. GLBA; HIPAA, COPPA)
Health
Financial
Online
Communication
Information
Education
Privacy in one’s home
What does GDPR stand for?
General Data Privacy Regulation is a framework for data protection with increased accountability for organizations. It is rapidly becoming the global standard for data privacy protection.
To whom does GDPR apply?
Personal data of those in the EU regardless of location of data processing related to the offering of goods and services, monitoring of their behavior as far as the behavior occurs in the EU.
Under GDPR what are the 5 things consumers can do?
1) Withdraw consent for processing
2) Request a copy of their data
3) Request to move their data to different location in a machine readable format
4) Request you delete data
5) Object to automated decisionmaking processes includig profiling
What 4 things can regulators do under GDPR?
1) Ask for records of processing activities and proof of compliance
2) Impose temporary data processing bans, require data breach notifications or order erasure of personal data
3) Suspend cross-border data flows
4) Enforce penalties up to 20M Euro or 4% of annual revenue for noncompliance
When can data be transferred to another country?
Unless transfer of the data is specifically banned by low it can be transferred to a country with roughly similar privacy protections
In what form might a privacy framework take? 4
Resuable structures
Checklists
Templates
Processes & Procedures
What is the data usage lifecycle? 5
Collection Usage Transfers Retention Destruction
What is the process called where the data inventory or data map is compared to applicable laws and regulations?
Gap analysis
What is the best way to maintain a record of processing activities?
Maintain a data flow analysis report identifying the different categories of personal data, purposes for which data is processed, the recipients and the way data flows around the business as well as externally
The data flow analysis should only contain personal data (T/F)
False, non-personal data should be collected as implementing a new process means revised or new apps systems must thoroughly document the personal data they are processing
When data processing activities should be included in a data inventory or data map? 5
Security used to protect data Retention periods for data Who has access to the data Who the data is disclosed to The legal basis for processing it
What are the 3 types of assessments and impact assessments?
privacy assessments
PIAs
DPIA
What is a Privacy Assessment
Privacy assessments measure an organization’s compliance with laws, regulations, adopted standards and internal policies and procedures.
What is the scope of a privacy assessment? 8
Education & awareness Monitoring and responding to the regulatory environment Data, systems and process assessments Risk assessments Incidence response Contracts Remediation Program assurance
What is a PIA?
A privacy impact assessment is an analysis of risk associated with processing personal information in relation to a project, product or service
It is a risk management tool used to identify the privacy/data protection risks to individuals and organizations.
What is privacy by design?
Privacy by design is the concept of building privacy directly into technology, systems and practices at the design phase. It helps ensure privacy is considered from the outset.
When should an organization conduct a PIA? 3
Prior to the development of a project, product, or service that requires the collection of PII
When there are new or revised industry standards, organizational policies, or laws and regulations
When the organization creates new privacy risks through changes in the way PII is handled
What tools might an organization use to prioritize PIAs?
A PIA express tool or a Privacy Threshold Analysis (PTA)
What are the 5 phases of a PIA
1) Identifying flows of PII
2) Analyzing the implications of the use case
3) Determining the relevant privacy safeguarding requirements
4) Assessing privacy risk
5) ) Preparig to treat privacy risk by choosing the privacy treatment, controls
What is a DPIA?
A Data Protection Impact Assessment describes a process designed to identify risks arising out of the processing of personal data and to minimize those risks as much and as early as possible. A DPIA may be mandated by GDPR with fines assessed for failing to comply.
When is a DPIA required
In cases where the processing is “likely to result in a high risk to the rights and freedoms of natural persons” the controller shall, prior to processing, carry out a DPIA. Risks include profiling that might lead to legal outcomes criminal, legal or health data of individuals, on a very large scale, data matching, analysis on vulnerable populations, or use of a new technology.
What should a DPIA include (3)
Per the GDPR a Data Protection Impact Assessment should include:
1) A description of the processing including its purpose and the interest being pursued
2) The necessity of the processing, its proportionalit and the risks it poses to its data subjects
3) Measures to address the risks identirfied
What are the two qualities of a good attestation?
Yes/no questions
Specific
What are the 3 qualities of information security
1) Confidentiality - limited to authorized parties
2) Integrity - assurance that the data is authentic and complete
3) Availability - knowledge that the data is accessible as needed by those authorized to use it
When working with a vendor, what kind of contract language should be included in the statement of work?
1) Type of information the vendor will have access to
2) Vendor plans to protect PI
3) Vendor responsibilities in the event of a data breach
4) Disposal of data upon termination
5) Limitations on data use
6) Rights of audit
7) Liability for a data breach
How must one assess vendors under GDPR?
Use of contracts is a key control mechanism. The controller is obliged to demonstrate that the processor can competently manage their data through vetting and validation. If the controller is unable to establish proof of the processor’s competent they must walk away.
Mergers and acquisition processes should include a privacy checkpoint that evaluates: 6
1) Applicable new compliance requirements
2) Sector-specific laws
3) Standards
4) Jurisdictional laws
5) Existing client agreements
6) New resources, technologies and processes
What is a privacy policy?
A privacy policy governs the privacy goals and strategic direction of the organization’s privacy office. They should be considered the highest level of governance for any organization.
It is a high-level governance that aligns to the privacy vision and mission statement of the organization.
What are examples of documents supporting a privacy policy? 3
1) Organization standards, such as uniforms, identification badges and physical building systems
2) Guidelines on topics such as the use of antivirus software, firewalls and email security
3) Procedures to define and then describe the detailed steps employees should follow to accomplish tasks, such as hiring or creating new user accounts
The privacy policy also supports a variety of documents communicated internally and externally that:
1) Explain to customers how the organization handles their personal information
2) Explain to employees how the organization handles personal information
3) Describe steps for employees handling personal information
4) Outline how data will be processed
What are the 4 general components of a privacy policy?
1) Purpose: Why the policy exists as well as the goals of the privacy policy and program
2) Scope: Which resources the policy protects
3) Risks & Responsibilities: Assigns privacy responsibilities to roles throughout the organization and serves as the basis for establishing all employee and data user accountability
4) Compliance: the process by which the policy will be adhered to and penalties for failing to do so
What is the difference between a privacy policy and a privacy notice
A privacy policy is an internal document for employees defining all aspects of privacy for the organization. A privacy notice is an external communication describing how the data collects and uses data based on its priacy policy.
What is the most common cause of data breaches, data loss and data misappropriation?
employees and data users
An information security policy serves 4 purposes
1) Protect against unauthorized access to data and information services
2) Provide stakeholders with information efficiently while maintaining confidentiality, integrity and availability
3) Promote compliance with laws and policies
4) Promote data quality
What does CIA stand for
Confidentiality - prevention of unauthorized disclosure
Integrity - protection from unauthorized modification or deletion
Availability - readily accessible to authorized users
A vendor should be held to the same privacy standards as the organization (T/F)
True
A vendor should be included in a monitoring plan (T/F)
True, This may include recurrring onsite visits, attestations or periodic reassessments
What should data retention and destruction policies support?
The idea that personal information should be retained only for as long as necessary to perform its stated purpose
What is a good way integrate privacy policies into employees’ everday tasks?
Aligning policies with existing business procedures, training employees and raising awareness
What are data subjects
Identified or identifiable individuals whose personal information is being processed by an organization.
A company can be fined for acting in a manner inconsistent with it’s privacy notices (T/F)
True, in the US the Federal Trade Commission can initiate enforcement practices for deceptive consumer practices
What information should a privacy notice include? 6
Who you are What information is collected How it will be used With who you will share the data How the behavior of website visitors is monitored How subjects may exercise their rights
What is a layered design privacy notice mean?
High level overview with hyperlinks the reader can click on to get more detail or more detailed text below
What is just in time design privacy notice
Collected just before the information is collected. This his best used when information is collected at multiple points and helps digest the information for rhe reader.
How can icons or symbols be used in privacy notices?
Another layered approach which help navigate, especially useful when space is constrained.
What is a privacy dashboard?
A privacy notification is built into the existing platform and can provide more personalized notices and choices
A data subject unchecking a box to participate would be an example of
Opt out consent
What is COPPA?
U.S. Children’s Online Privacy Protection Act which has specific rules around providing privacy notices to children and gaining parental consent for children under age 13.
What is the FCRA
Federal Credit Reporting Act -
Allows consumers to access credit file and notify of incorrect info and get a examination in 30 days. Can get 1 free report a year
Remove outdated information
Right to be notified of adverse action or employment decisions based on their credit file
Financial informations must notify plans of providing adverse info
What is HIPAA
Health Insurance Portability an Accountability Act
Regulates use and disclosure of protected health info. Gives consumers a right to their health records - must be provided in 30 days and correct any errors within 60 days. Can find out who has access and limit aceess.
What is the DNC?
Do Not Call registry, customers can file a complaint about unwanted calls or texts
What is the Privacy Act of 1974
Consumers have the right to files on them from a federal agency and request an amendment
Freedom of Information Act
Federal agencies are required to disclose info to the public upon request except for national security, personnel info, trade secrets, privileged communication between agencies, law enforcement, invades privacy, financial institutions or wells
California Online Privacy Protection Act
Requires information in the privacy notice on the types of PII captured, honors do not track etc.
CCPA
California Consumer Privacy Act permits:
The ability to request a record of the PII an organization holds about the requestor, source and PII.
Right to erasure
Right to opt out of marketing
What are the 9 rights of the GDPR
Right of access Right to rectification Right to erasure (or right to be forgotten) Right to withdraw consent Right to restrict processing Obligation to notify with whom data has been shared Right to portability Right to object Right to automated decisionmaking
Under the GDPR how long does a controller have to confirm or clarify a data request
1 month, however during that time the organization must decide whether it can act on the user’s request and if not proceeding notify the requestor of their rights to lodge a complaint
True or false: GDPR requires upon request a processor to notify a data subject of automatic processing
True
Under GDPR under the right to be forgotten, the controller must
Delete their data
Take reasonable steps to inform third parties that are processing the data
Under GDPR when can an entity decline requests to be forgotten
Right of freedom of expression and information
Compliance with legal obligation like public health or statistical purposes
Establishing or defending against legal claims
Under GDPR requirements in what format should right to data portability data be shared
In a structured, commonly used and machine readable format
What kind of people are most likely to make a data inquiry under GDPR?
Recently terminated or disciplined employees for grounds to threaten litigation
Which country has the strictest privacy protections
S. Korea with very detailed required notices, prohibiting denying goods to those who deny consent to certain processing
What did a 2018 study of the cost of a data breach estimate the cost of a breach in the US to be?
$148 per record or $3.9M, however the deployment of a response team lowers to $14 per record
What did a 2018 study of the cost of a breach find the likelihood of a breach to be in the next 2 years?
27.9%
Privacy training should be limited to employees (T/F)
False, contractors and vendors should also be included
What is the difference between a privacy training program and awareness program?
Training communicates the company’s privacy message, policies and processes. The awareness program reinforces the privacy message to shape expected behaviors and best practices.
What are the 4 typical mistakes of an education & awareness program?
Equating education with awareness
Using 1 communication channel
Lacking effective measurement
Eliminating education or awareness due to budget constraints
Employees can be expected to be trained on every aspect of privacy regulation (T/F)
False, they ca only be trained on guiding principles and expected outcomes
What are examples of metrics to measure the effectiveness of a privacy training/awareness program?
Number/frequency of sessions Number of attendees Percent of training completed Results of quizzes Changes to the number of privacy incident reports or requests of consultation
What is privacy by design?
Framework that dictates that privacy and data protection are embedded throughout the entire lifecycle of technologies, from design to and disposal.
What are the 7 principles of Privacy by Design?
1) Proactive, not reactive; Preventative, not remedial
2) Privacy as a default
3) Privacy embedded into design
4) Full functionality, not zero sum game
5) End to end security
6) Visibility & transparency
7) Respect for user privacy
What is pseudonymization?
Process where identifyable fields in a record are replaced with an artificial one to make it less identifialbe while still retaining its value for analysis
What is privacy engineering?
Concept facilitating Privacy by Design - methodologies, tools and guidelines such that engineered systems maintain acceptable levels of privacy.
What are preventative, detective and corrective controls?
Preventative - used to avoid undesirable events
Detective - identify and characterize an incident in progress
Corrective - limit the extent of damage
What is the difference between information privacy and information security?
Privacy addresses the right of individuals to control how and to what extent their information is collected and processed; Security safeguards the confidentiality, integrity and availability of their data. You can have security without privacy but not privacy without security.
True or false - all personal information is private
False - phone book as an example
What are examples of technical controls? 4
Obfuscation - hashing masking or tokenizing
Minimization - collection limited to what’s needed
Security - measures to protect
PETs or Privacy Engineering Technologies - cryptos, etc
What are the three forms of damage to a corporation that can arise from a breach
Reputational
Litigation from consumers
Regulatory intervention
What is the difference between a data incident and a data breach?
An incident is where the confidentiality, integrity of availability (CIA) to be compromised. A breach is where unauthorized acquisition or access to data. All breaches are incidents but not all incidents are breaches.
How do breaches occur?
50% malicious intent, 25% human error, 25% system error
What are the 5 categories of data breach preparedness?
Training Incident response plan Understanding key stakeholdsers Insurance coverage Managing vendors (optional)
True or false, incident planning should be led by the Information Security team
False it should be led by the Privacy team with legal
An incident response plan should be integrated into an organization’s larger business continuity plan (T/F)
True
What is the strategic value of investing in an incident response plan?
Exposure of gaps in applications & procedures
Overall security
Reduced financial liability and regulatory exposure
Lower breach-related costs
Preservation of brand reputation
What are the three categories of tasks in an incident response plan?
Secure operations
Notify appropriate parties
Fix vulnerabilities
The first thing an incident response plan should call for is to notify regulatory agencies
False, containment and notification should be balanced; legal should determine whether notification of of regulatory bodies should occur
What is the importance of privilege in a breach?
Information shared with counsel is protected. Because of this it’s preferable to engage outside counsel as courts have ruled that privilege does not exist among in-house counse
All breaches require notification (T/F)
False varies by type of breach and by jurisdtiction
What are the consequences of inconsistent messaging following a breach?
Pubic misunderstanding
Legal liability
Loss of trust & consumer confidence
Evidence of poor planning
What is the probability of a data breach in a 24 month periord?
28%
What are the 3 benefits of using metrics to track objectives?
Normalizing brings it into everyday conversations
Removes terminology and jargon
Consider but are not based on any technology
Helps advances the maturity of the program
What is the role of a metric owner?
Champion the purpose and intent of the metric; does not need to be responsible for data collection or metric.
What is the Privacy Maturity Model
Sets maturity levels for privacy programs and operations. Focuses on a scale instead of an endpoint ranging from Ad Hoc to Optimized.
What are the 4 forms of monitoring?
Tools that automate monitoring
Audits review people processes and other business operations
Breaches - tracking severity and resolution
Complaints
What is the difference between an audit and an assessment?
An audit is evidenced based
What are the 5 phases of an audit?
Plan Prepare Audit Report Followup
