Chapter 4 Flashcards
Roles of privacy professional
- Alert org to varying perspectives about privacy, risk and compliance. Can be divergent.
- Help org manage risks from processing, consistent with org's mission, growth, profitability, and other goals.
- Identify where compliance is difficult in practice.
- Design policies to close gaps between policies and operations.
- Develop privacy notices and privacy program.
Risks of Using PI Improperly
- Legal risks - laws, contracts, commitments.
- Reputational risks - loss of customer and public trust when PI is misused.
- Operational risks - privacy program must be administratively efficient, so it is not too heavy-handed and does not inhibit beneficial uses.
- Investment risks - rate of return on investments in information, IT and processing.
4 Basic Steps for Information Management
- Discover - identify issues, self-assessment, determine practices.
- Build - Procedure development and verification, full implementation.
- Communicate - Document, train/educate
- Evolve - affirmation, monitoring/enforcement, adaptation.
Phase 1 - Discover
- Applicable laws?
- Risk tolerance?
- Competition's approach?
- Business partners' approach?
From these questions, develop policy goals as foundation.
Get broad participation across org.
Phase 2 - Build
- Determine how to meet policy goals by facilitating and restricting data flows.
- Close coordination across org.
Phase 3 - Communicate
- Train individuals who need to know it.
- Assign accountability.
- Broader, high level communication to senior leaders and externally
- Written policies, notice.
Phase 4 - Evolve
- Process for review and update
- Enforce it as well (TL)
Data Inventory
- Customer data and employee data
- Document data flows and location, means of sharing and with whom and why.
- Review and update periodically.
Data Classification
- levels of sensitivity
- clearances of who can handle.
- baseline level of protection.
- data segregation as necessary/appropriate.
- Helps org in compliance audits, respond to discovery requests, and use storage in cost-effective manner.
Determining Data Accountability
- Where, how and for what length of time is the data stored?
- How sensitive is the information? Confidential, proprietary, sensitive, restricted, and public are common categories.
- Should the info be encrypted?
- Will info be transferred to or from other countries and if so, how?
- Who determines the rules that apply to the information?
- How is the information to be processed, and how will these processes be maintained?
- Is the use of such data dependent upon other systems?
Communication of Privacy Notice
- Make accessible online.
- Make accessible in place of business.
- Provide updates and revisions.
- Ensure appropriate personnel are knowledgeable about the policy (like customer service reps).
Privacy Laws Requiring Opt-In Consent, and Circumstances Where Opt-In is Appropriate
COPPA - consent of parent before collecting PI of children under 13
HIPAA - consent before PHI disclosed to 3rd parties, subject to exceptions.
FCRA - consent before consumer’s credit report provided to employer, lender or other authorized recipient.
FTC believes opt-in consent should occur before PI collected under one privacy notice is processed under a materially changed privacy notice.
Industry segments may require double opt-in - where opt in and then confirm (email marketing, eg).
- Opt-in preferred as best practice for geo-location data
- GDPR requires consent relied on for marketing to be opt-in (an affirmative act; pre-ticked boxes or silence do not count).
No choice / no option cases
- Implied authority to process PI in some cases.
- Online order - shared with shipping company, credit card processor, and fulfillment.
- Internal operations, such as improving services offered, fraud prevention, legal compliance, and first party marketing.
- 2012 FTC report noted no consent needed if processing is consistent with the context of the transaction or the company's relationship with the consumer, or is required by or specifically authorized by law.
Opt-Out
- GLBA requires opt-out before transferring PI of a customer of a financial institution to an unaffiliated 3rd party for the 3rd party's own use.
- Video Privacy Protection Act requires opt-out before covered movie / other rental data provided to 3rd party.
- CAN-SPAM requires email marketers to provide an opt-out.
- Do Not Call rules provide opt-out of telemarketing calls, both in general and company by company.
- Data & Marketing Association operates opt-out system for consumers not wanting commercial mail sent to their home.
- Ditto for online advertising orgs like The Network Advertising Initiative, TrustArc, and Digital Advertising Alliance.
Managing User Preferences - Challenges
- Scope of an opt-out or opt-in. By channel (email vs. phone, eg).
- Mechanism for providing user preference. Generally, the channel used for marketing must also be the channel for expressing the preference (don't require a mailed-in form to change email preferences).
- Linking. Good practice is to implement an opt-out or other user preference across channels and platforms.
- Time period for implementing user prefs - how soon the preference becomes operational. CAN-SPAM and the Telemarketing Sales Rule mandate specific time periods.
- 3rd party vendors - these should honor the customer preferences.