CIPM Flashcards
Define privacy governance
Privacy governance refers to the framework and processes that ensure an organization effectively manages and protects personal information.
What are the components of a privacy vision/privacy mission statement?
- Value of privacy to the organization
- Organizational objectives
- Strategies to drive tactics to achieve intended outcomes
What is the purpose of a privacy mission statement?
To create awareness about the organization’s privacy practices both internally and externally.
How can a privacy mission statement create internal awareness?
By integrating the mission statement into training programs and internal communications.
How can a privacy mission statement create external awareness?
By sharing the mission statement externally to demonstrate transparency and commitment to privacy.
List considerations for defining a privacy program’s scope and charter.
- Initiation of a new privacy strategy
- Formal sign-off from the C-suite
- Justification for investment in a privacy program
- Program charter detailing what, why, how, who, how much, and when
What should a privacy strategy lay out?
Goals of the privacy program.
What are the basics of a privacy strategy?
- Business alignment
- Data governance of personal information
- Inquiry-/complaint-handling procedures
What is a privacy framework?
A structure that guides the privacy program, including policies, procedures, and processes for compliance.
What distinguishes a privacy strategy from a privacy framework?
A privacy strategy answers ‘why’ privacy is important, while a privacy framework answers ‘what’ form the privacy program will take.
What are common elements of privacy program frameworks?
- Policies
- Procedures
- Processes
- Checklists for privacy management
Name some widely recognized privacy frameworks.
- Fair Information Practices (FIPs)
- OECD Guidelines
- AICPA/CICA Generally Accepted Privacy Principles (GAPP)
- Canadian Standards Association Privacy Code
- APEC Privacy Framework
What does the GDPR require regarding a Data Protection Officer (DPO)?
Organizations must appoint a DPO to help with compliance.
List required skills for a Data Protection Officer under the GDPR.
- Risk/IT assessment
- Legal expertise
- Communication skills
- Leadership abilities
- Self-starter mentality
- Ability to teach and handle requests
What are typical responsibilities of a Data Protection Officer?
- Working with regulators
- Ensuring organizational training
- Keeping up with changes in law and technology
- Managing privacy programs
True or False: A Data Protection Officer can be dismissed for performing DPO-related duties.
False
What is a privacy champion?
An executive who serves as a sponsor for the privacy program and advocates for privacy as a core organizational concept.
How can organizations receive buy-in for a privacy program?
- Building relationships with key stakeholders
- Aligning business objectives with privacy objectives
- Demonstrating privacy as a benefit
What are the two main types of awareness for a privacy program?
- Internal awareness
- External awareness
Fill in the blank: The __________ provides guidelines for the protection of privacy and transborder flows of personal data.
[OECD Guidelines]
What is the significance of keeping a record of ownership in a privacy program?
To establish clear responsibilities and support from key stakeholders.
What is essential for the success of an organization’s privacy program?
Organization-wide effort.
Each department must understand the impact of its activities on data protection.
How can advanced privacy programs benefit organizations externally?
Protect consumer data and create trusting customer relationships.
Communicating the privacy program can build customer confidence and deliver measurable returns.
What is a RACI matrix used for?
To embed responsibilities.
RACI stands for Responsible, Accountable, Consulted, Informed.