Chapter 4 - Privacy Operational Lifecycle: Assess: Data Assessments Flashcards

1
Q

What is the Data Management Association (DAMA) International definition of data governance?

A

Planning, oversight and control over the management of data and the use of data and data-related sources.

2
Q

What are the ten spokes of the data management wheel according to DAMA?

A

Data governance sits at the hub of the wheel; the ten knowledge areas around it are:

  1. Data architecture
  2. Data modelling and design
  3. Data storage and operations
  4. Data security
  5. Data integration and interoperability
  6. Documents and content
  7. Reference and master data
  8. Data warehousing and business intelligence (BI)
  9. Metadata
  10. Data quality

3
Q

What are the common organisational data governance roles?

A

Strategic - steering committee / C-level: sets and approves the strategy, governance framework and policies.

Managerial - functional owners of data assets, responsible for delivering the requirements set at the strategic level.

Operational - data stewards, with day-to-day accountability for the data.

4
Q

What are the elements of a data inventory?

A

  1. The nature of the data repository
  2. The owner of the repository
  3. The legal entity responsible for the processing
  4. Volume of information in the repository
  5. Format of the information
  6. The use of the information
  7. Data retention period
  8. Types of data (e.g. email addresses, IDs)
  9. Location of storage
  10. Where the data is accessed from
  11. International transfers
  12. With whom the data is shared
  13. Transfer mechanisms

5
Q

Do the records of processing activities (ROPA) requirements under GDPR Article 30 apply to controllers or processors?

A

Both. Article 30(1) requires controllers to keep records of their processing activities; Article 30(2) requires processors to keep records of the processing carried out on behalf of each controller.

6
Q

When is a ROPA not required?

A

Under Article 30(5), if the organisation employs fewer than 250 persons and the processing is only occasional, does not include special categories of data (Article 9) or criminal conviction data (Article 10), and is not likely to result in a risk to the rights and freedoms of data subjects. All of these conditions must hold; if any one fails, a ROPA is required regardless of headcount.

7
Q

What are the three types of assessments?

A

  1. Privacy assessments
  2. Privacy impact assessments (PIAs)
  3. Data protection impact assessments (DPIAs)

8
Q

Name one situation in which a PIA is required of US government agencies under the E-Government Act of 2002.

A

When developing or procuring IT systems that collect, maintain or disseminate PII about members of the public, or when initiating a new electronic collection of PII.

9
Q

Name the ISO standard that covers how to conduct a PIA.

A

ISO/IEC 29134, which provides guidelines (guidance rather than certifiable requirements) for conducting a PIA, including the four steps of a PIA:

  1. Threshold analysis to determine whether a PIA is needed
  2. Preparing the PIA
  3. Performing the PIA
  4. Following up on the PIA

10
Q

When is a DPIA required?

A

Under GDPR Article 35(1), a DPIA is required when the processing is likely to result in a high risk to the rights and freedoms of natural persons, in particular when using new technologies.

11
Q

What examples does Article 35(3) of the GDPR give of processing for which a DPIA is required?

A

  1. Systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based
  2. Large-scale processing of special categories of data (Article 9) or of criminal conviction and offence data (Article 10)
  3. Systematic monitoring of a publicly accessible area on a large scale

12
Q

What are the Article 29 Working Party Guidelines for when a DPIA is required?

A

  1. Evaluation or scoring (including profiling and predicting)
  2. Automated decision-making (ADM) with legal or similarly significant effect
  3. Systematic monitoring
  4. Sensitive data or data of a highly personal nature
  5. Data processed on a large scale
  6. Matching or combining data sets
  7. Data concerning vulnerable data subjects
  8. Innovative use or application of new technological or organisational solutions
  9. Processing that in itself prevents data subjects from exercising a right or using a service or contract

The Working Party's rule of thumb is that processing meeting two or more of these criteria will in most cases require a DPIA.

13
Q

What are the three key aspects of information security?

A

Confidentiality
Integrity
Availability

14
Q

What are information security controls designed to achieve?

A

To prevent, detect or correct a security incident.

15
Q

What are the three types of information security controls?

A

Physical controls, administrative controls and technical controls.

16
Q

What factors should be considered to ensure proper physical information security?

A

  1. Quality of locks on document storage facilities
  2. Access control to premises
  3. Protection against man-made and natural threats
  4. Disposal of physical and electronic files
  5. Methods for keeping IT assets physically secure

17
Q

What are the three methods that NIST SP 800-88 (Guidelines for Media Sanitization) recommends for removing data from storage media?

A

Clearing, purging or destroying. Clear uses logical techniques (such as overwriting) that protect against simple, non-invasive recovery; purge uses physical or logical techniques (such as degaussing or cryptographic erase) that make recovery infeasible even with laboratory methods; destroy renders the media itself unusable (shredding, incineration). The choice depends on the sensitivity of the data and whether the media will leave the organisation's control.

18
Q

What factors should be considered when assessing vendors?

A

  1. Reputation
  2. Financial condition and insurance
  3. Information security controls and certifications
  4. Transfer mechanism used with the vendor
  5. Disposal of information
  6. Employee training and awareness
  7. Vendor incident response
  8. Audit rights
  9. Policies and procedures
  10. Whether a data protection officer (DPO) is appointed

19
Q

What are the three cloud computing service models?

A

IaaS (infrastructure as a service) - the provider supplies hardware, networking and virtualisation; the customer is responsible for the operating system, middleware, applications and data.
PaaS (platform as a service) - the provider also manages the operating system and runtime; the customer is responsible for the applications and data.
SaaS (software as a service) - the provider manages the whole stack; the customer remains responsible for its data, its users and how access is configured.

Under every model the customer retains responsibility for the personal data it places in the service and for configuring access to it; only the infrastructure burden shifts to the provider.

20
Q

What factors should you consider when assessing a cloud service provider?

A

  1. Certifications and standards
  2. Technologies used
  3. Service roadmap - how the service will stay up to date
  4. Data management - how data is stored, accessed and managed
  5. Information security - auditable controls
  6. Sub-processors

21
Q

What does Article 28 of GDPR require controllers to satisfy themselves of prior to appointing a processor?

A

That the processor provides "sufficient guarantees" that it will implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR and protects the rights of data subjects.

22
Q

What must a business do to shift liability to a vendor under the CCPA?

A

Put a written contract in place that limits the vendor's processing of personal information to the business purpose specified in the contract. A certification by the vendor that it understands and will comply with these restrictions is also required.

23
Q

Will a vendor always be considered a third party under the CCPA?

A

Not necessarily. However, if a vendor uses personal information for its own purposes it may be considered a third party, and consumers may then have the right to receive notice of such disclosures.