Chapter 8: Privacy Governance Flashcards
List the elements of the Conceptualizing a Privacy Governance Program pyramid
• Law & Policy
• Privacy Controls
• Security Controls
• Standards
• Compliance
• Technology
What is the role of the Law & Policy element in the privacy governance program pyramid?
Translate fundamental requirements—whether foundational legal requirements or organizational privacy policies—into tooling that is manageable and scalable with the organization’s IT needs
What is the role of the Compliance element in the privacy governance program pyramid?
Building upon law and established organizational policy, compliance begins the translation into practical and measurable requirements and the process through which privacy can be implemented and evaluated
What is the concept of reasonable assurance?
Means that requirements and objectives are not absolute, but are instead based upon criteria that are deemed practical to implement and manage
Why is reasonable assurance so important when safeguarding privacy in IT?
It affords flexibility and is highly valuable for curbing the overengineering of solutions
It also grounds solutions in common sense
What are internal controls?
Objectives tied to practical measurements and designed to evaluate components governed by the privacy program
What are the 2 flavours of internal controls?
• Preventative - designed to stop an activity from occurring
• Detective - designed to identify problematic behaviour after the event has occurred
What does compliance offer a privacy program?
Structure
What is the role of the Security element in the privacy governance program pyramid?
Protecting against unauthorized access and malicious actions
How are security risks often framed?
CIA
• Confidentiality
• Integrity
• Availability
Provide an example of how security and privacy differ
Security can reasonably assure that two parties exchange personal data securely, but it is privacy that reasonably assures that the authorized parties are in fact using the personal data appropriately
What benefits does security provide to privacy?
- Information security is more mature technologically
- Frameworks and certifications are well established
- Security thus provides privacy an avenue through which meaningful IT solutions can be developed to safeguard privacy
- As security and compliance are as intertwined as privacy and compliance, reasonably assured internal controls can be repurposed, or extended, as needed to mature the privacy governance program
- Important benefit for privacy: The ability to translate privacy into meaningful and understandable terminology for engineers
What benefits do industry standards such as NIST offer?
Establishment of a common language, which results in transparency
Standards provide a mechanism through which an organization can transparently describe its controls tied to governance and information technology in common and accessible terms
This helps build trust between an organization and its key stakeholders or customers and, in addition, provides auditability through independent third-party certification
What is the role of the Standards element in the privacy governance program pyramid?
Standards provide a mechanism to check whether the security and privacy controls meet minimum expectations as defined by outside parties
What are the 2 overall aims of the privacy governance program?
To be:
• Structured
• Enduring
Controls should be designed to structure objectives and activities in measurable and discrete ways that connect to, but do not embed, higher-order legal requirements or lower-level technological solutions