CIPM Flashcards
Accountability
The implementation of appropriate technical and organizational measures to ensure, and be able to demonstrate, that the handling of personal data is performed in accordance with relevant law; an idea codified in the EU GDPR and other frameworks, including APEC’s Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle: that due diligence and reasonable steps will be undertaken to ensure that personal information is protected and handled consistently with relevant law and other fair use principles.
Active Scanning Tools
DLP network and storage scans, and privacy tools, can be used to identify security and privacy risks to personal information. They can also be used to monitor for compliance with internal policies and procedures, and to block email or file transfers based on the data category and definition.
American Institute for Certified Public Accountants (AICPA)
A US professional organization of certified public accountants and co-creator of the WebTrust seal program.
Anonymization
The process in which individually identifiable data is altered in such a way that it can no longer be related back to a given individual. Among many techniques, there are three primary ways that data is anonymized: suppression, generalization, and noise addition.
APEC Privacy Principles
A set of non-binding principles adopted by the Asia-Pacific Economic Cooperation (APEC) that mirror the OECD Fair Information Privacy Practices. They seek to balance information privacy with business needs.
Assess
The first of four phases of the privacy operational cycle; provides the steps, checklists, and processes necessary to assess any gaps in a privacy program as compared to industry best practices, corporate privacy policies, applicable privacy laws, and objective-based privacy program frameworks.
Audit Life Cycle
High-level, five-phase audit approach. Steps include: Audit Planning, Audit Preparation, Conducting the Audit, Reporting, and Follow-up
Behavioral Advertising
Advertising that is targeted at individuals based on the observation of their behavior over time
Binding Corporate Rules
BCRs are an appropriate safeguard allowed by the GDPR to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide. They ensure that the same high level of protection of personal data is complied with by all members of the corporate group by means of a single set of binding and enforceable rules.
Bureau of Competition
The US FTC Bureau of Competition enforces the nation’s antitrust laws, which form the foundation of our free market economy
Bureau of Consumer Protection
US FTC Bureau of Consumer Protection stops unfair, deceptive, and fraudulent business practices by collecting complaints and conducting investigations, suing companies and people that break the law, developing rules to maintain a fair marketplace, and educating consumers and businesses about their rights and responsibilities
Bureau of Economics
US FTC Bureau of Economics helps the FTC evaluate the economic impact of its actions by providing economic analysis for competition and consumer protection investigations and rulemakings, and analyzing the economic impact of government regulations on business and consumers
Business case
The starting point for assessing the needs of the privacy organization, it defines the individual program needs and the ways to meet specific business goals, such as compliance with privacy laws or regulations, industry frameworks, customer requirements, and other considerations
Business Continuity & Disaster Recovery Plan (BCDR)
A risk mitigation plan designed to prepare an organization for crises and to ensure critical business functions continue. The focus is to recover from a disaster when disruptions of any size are encountered
Business Continuity Plan
Typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams must take before, during, and after an event in order to help operations run smoothly. E.g., fire, flood, natural disasters, and terrorist attacks.
Canadian Institute of Chartered Accountants (CICA)
CICA, pursuant to the 2006 Protocol, is entrusted with the responsibility for providing strategic leadership and co-ordination of the common critical functions of strategic planning, protection of the public and ethics, education and qualifications, standard-setting, and communication.
Centralized Governance
Privacy governance model that leaves one team or person responsible for privacy-related affairs; all other persons or organizations will flow through this point
Children’s Online Privacy Protection Act (COPPA) of 1998
US Federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13.
Choice
In the context of consent, choice refers to the idea that consent must be freely given and that data subjects must have a genuine choice as to whether to provide personal data or not
CIA Triad
AKA Security Triad; three common information security principles from the 1960s: Confidentiality, Integrity, and Availability.
Collection Limitation
A fair information practices principle stating that there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Consent
A privacy requirement that is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law.
Affirmative/Explicit Consent
A requirement that an individual “signifies” his or her agreement with a data controller by some active communication between the parties
Implicit Consent
Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual
Consumer Reporting Agency (CRA)
Any person or entity that compiles or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee.
Current Baseline
“As-is” data privacy requirements; the current environment and any protections, policies, and procedures currently deployed
Cyber Liability Insurance
Cyber Liability insurance may cover many breach-related expenses, including forensic investigations, outside counsel fees, crisis management services, public relations experts, breach notification, and call center costs
Data Breach
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector.
Data Controller
The natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
Data Inventory
AKA record of authority; identifies personal data as it moves across various systems, and thus how the data is shared and organized and where it is located. The data is then categorized by subject area, which identifies inconsistent data versions, enabling identification and mitigation of data disparities.
Data Life Cycle Management
A data governance, policy-based approach to managing the flow of information through a life cycle from creation to final disposition.
Provides a holistic approach to the processes, roles, controls, and measures necessary to organize and maintain data, and has 11 elements.
AKA Information Life Cycle Management
11 Elements of DLCM (Or ILCM)
- Enterprise Objectives
- Minimalization
- Simplicity of procedure and effective training
- Adequacy of infrastructure
- Information Security
- Authenticity and accuracy of one’s own records
- Retrievability
- Distribution controls
- Auditability
- Consistency of policies
- Enforcement
Data Protection Authority
Independent public authorities that supervise the application of data protection laws in the EU.
Provide advice on data protection issues and field complaints from individuals alleging violations of the GDPR
Each EU member state has its own DPA.
Data Protection Impact Assessment (DPIA)
The process by which companies can systematically assess and identify the privacy and data protection impacts of any products they offer and services they provide.
It enables them to identify the impact and take the appropriate actions to prevent or, at the very least, minimize the risk of those impacts
Data Quality
A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date.
Quality of Data criteria (4)
The quality of data is judged by:
- Does it meet the business needs?
- Is it accurate?
- Is it complete?
- Is it recent?
Decentralized Governance
Governance model involving the delegation of decision-making authority down to lower levels in an organization, away from a central authority.
There are fewer tiers in the organizational structure, a wider span of control, and a bottom-to-top flow of decision-making and ideas.
Aka Local Governance
Direct Marketing
When the seller directly contacts an individual, in contrast to marketing through mass media such as television or radio
Do Not Track
A proposed regulatory policy, similar to the existing Do-Not-Call Registry in the US, which would allow consumers to opt out of web-usage tracking
Electronic Communications Privacy Act of 1986
Collective name of the Electronic Communications Privacy and Stored Wire Electronic Communications Acts, which updated the Federal Wiretap Act of 1968.
ECPA, as amended, protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers.
Applicable to email, telephone conversations, and data stored electronically.
The USA PATRIOT Act and subsequent federal enactments have clarified and updated ECPA in light of the ongoing development of modern communications technologies and methods, including easing restrictions on law enforcement access to stored communications in some cases