Chapter 1 Flashcards
What are the 4 goals of a privacy manager?
1) Identify privacy obligations for the organization
2) Identify business, employee and customer privacy risks
3) Identify existing documentation, policy and procedures
4) Create, review and implement policies and procedures that effect positive practices and together comprise a privacy program
The five goals of a privacy program are to:
1) Promote consumer trust and confidence
2) Enhance the organization’s reputation
3) Facilitate privacy program awareness, where relevant, of employees, customers, partners and service providers
4) Respond effectively to privacy breaches
5) Continually monitor, maintain and improve the privacy program
What is accountability?
Accountable organizations have the proper policies and procedures to promote proper handling of personal information and, generally, can demonstrate that they have the capacity to comply with applicable privacy laws.
They promote trust and confidence and make all parties aware of the importance of proper handling of personal information.
Ownership is traceable
How can accountability benefit organizations?
Accountability as defined by laws can actually benefit organizations because, in exchange, it can give organizations a degree of flexibility about how exactly they will comply with their obligations.
How does privacy enhance an organization’s brand? 3
1) Meets regulatory compliance obligations
2) Reduces the risk of a data breach
3) Meets expectations of a client
What are the activities supporting a privacy program that might be carried out by different functions in an organization? 5
1) Adoption of privacy policies and procedures
2) Development of privacy training and communications
3) Deployment of privacy and security enhancing controls
4) Contract development and management of third parties who process the personal info of the organization
5) Assessment of compliance with regulations
As a rule, privacy policies and procedures are created at an enterprise or functional level?
At a functional level
In a function, which group typically is responsible for security enhancing tools like encryption, data perimeter security controls and data loss prevention?
Information security
What are the five components of a privacy program?
1) Privacy vision and mission statement
2) Scope of the privacy program
3) Appropriate privacy framework
4) Organizational privacy strategy
5) A privacy team
What are the two steps to identifying the scope of a privacy program?
Identify the personal information collected and processed
Identify in scope privacy and data protection laws and regulations
What are the considerations when identifying collected data? 7
Who collects the data?
What types of information are collected?
Where is the data stored physically?
When is the data collected?
Why do we collect the data?
How long is the data retained and how is it deleted?
What security controls are in place to protect the collected data?
What is considered a general best practice when dealing with countries with different privacy regulations?
Choose the most restrictive of the two policies
What is PCI DSS?
Payment Card Industry Data Security Standard - a global industry standard that is not a law but imposes data protection requirements on institutions and notification requirements
What are the three groupings of privacy frameworks?
1) Principles and Standards, e.g. GAAP
2) Laws, Regulations & Standards, e.g. HIPAA
3) Privacy Program Management Solutions, e.g. privacy by design
What are the three considerations when deciding to adopt the strictest standard of privacy?
Violate other data privacy laws
Budgetary concerns
Contradict organizational goals and objectives
What are the things that a privacy tech vendor might manage? 6
1) Assessment
2) Consent
3) Data mapping
4) Incident response
5) Privacy information
6) Website scanning/compliance
What are the services provided by an external enterprise program management service? 4
1) Activity monitoring
2) Data discovery
3) De-identification/pseudonymization
4) Enterprise communications
What does GRC stand for?
Governance, Risk and Compliance, generally in the context of a tool
What is a GRC tool usually used for? 3
Governance, Risk and Compliance tools generally:
1) Create and distribute policies and controls and map them to regulations and internal compliance requirements
2) Assess whether controls are in place and working, and fix them if not
3) Ease risk assessment and mitigation
What is a privacy strategy?
An organization’s approach to communicating and obtaining support for a privacy program.
Describe a centralized governance model
Leaves one person or team responsible for all privacy related affairs
Works best in single-channel functions where data flows in one direction
Advantages: efficient
Disadvantages: requires many permissions
Describe a local or decentralized governance model
Decision-making is delegated down
Less rigid and more spans of control
Advantages: decisions are made by those who understand their function
Disadvantages: roles are repeated
Describe a hybrid governance model
Typically one department has responsibilities for privacy-related affairs, issuing policies, directives, and core values
Local entities fulfill responsibilities
Each region might have a privacy manager
What does DPO mean?
Data Privacy Officer is the designated individual accountable for an organization’s privacy compliance, often required by data privacy regulations
The DPO must report to the highest level of controller and possess expert knowledge of data protection law and practices