CIPM Flashcards

1
Q

Top Privacy Team Responsibilities

A
  1. Compliance with laws and regulations
  2. Meet expectations of business clients and partners
  3. Safeguard data against attacks and threats
2
Q

Responsibilities of a Privacy Program Manager

A
  1. Identify privacy obligations
  2. Identify business, employee and customer privacy risks
  3. Identify existing documentation, policies and procedures
  4. Create, revise and implement policies and procedures that effect positive practices and together comprise a privacy program.
3
Q

Goals of a Privacy Program

A
  1. Demonstrate compliance with applicable laws and regulations (at a minimum)
  2. Promote consumer trust and confidence
  3. Enhance organization’s reputation
  4. Facilitate privacy program awareness, where relevant, of employees, customers, partners and service providers
  5. Respond effectively to privacy breaches
  6. Continuously maintain and improve the privacy program
4
Q

Privacy Mission Statement

A

Concisely communicates the organization's privacy stance to all stakeholders (drafting one requires knowledge of privacy approaches, evaluating the intended objective, and gaining executive sponsor approval)

5
Q

Common Elements of a Privacy Vision and Mission

A
  1. Value of Privacy
  2. Organization objectives
  3. Strategies to achieve intended outcomes
  4. Roles and Responsibilities
6
Q

Defining Privacy Program Scope and Charter

A
  1. Global and local laws, regulations and standards
  2. Cultural expectations and perspectives, including risk acceptance
  3. Business sector requirements
  4. Types of personal information the org collects/stores and how it’s used
  5. Regulatory challenges
7
Q

Basics of a Privacy Strategy

A
  1. Goal of the org’s Privacy Program
  2. Business Alignment
  3. Data Governance
  4. Inquiry/Complaint Handling procedures
8
Q

Privacy Program Framework

A

Implementation roadmaps that guide the privacy team through privacy management and prompt them for the details needed to make every privacy-relevant decision for the org.

Policy framework should include:

  1. organizational policies
  2. standards and guidelines
  3. clearly defined program activities

Likely includes templates, tools, processes, laws and standards

9
Q

Benefits of a Privacy Program Framework

A
  1. Reduce Risk
  2. Avoid/plan for incidents of data loss
  3. Sustain market value and reputation
  4. Provide measurements in compliance with laws, regulations, and standards
10
Q

Privacy Framework Categories

A
  1. Principles and Standards (FIP, OECD, AICPA, CSA, etc)
  2. Laws, regulations, and programs (PIPEDA, GDPR, HIPAA, local data protection authorities, Binding Corporate Rules)
  3. Privacy Program Management solutions (Privacy by Design, ISVA, ENISA, NIST, CPA Canada)
11
Q

Privacy Policy Lifecycle

A
  1. Draft inward-facing policies that are practical, simple and easy to understand
  2. Get approval from stakeholders
  3. Disseminate and socialize to all employees
  4. Train employees and enforce policies
  5. Revise and review policies regularly (at least annually)
12
Q

Privacy Governance Models

A
  1. Centralized (one person or team is responsible for privacy across the whole org)
  2. Localized or decentralized (decision making is delegated to lower levels of the organization)
  3. Hybrid (a combination of the two; most common in large orgs, where a central individual or team is assigned responsibility for privacy-related affairs on behalf of the rest of the org, and local units handle day-to-day implementation)
13
Q

Privacy Tech Vendors

A
  1. Privacy program management (PPM) - tools used directly by the privacy office (assessment management, consent management, data mapping, incident response, etc.)
  2. Enterprise privacy management (EPM) - solutions that support the needs of the privacy office and the wider org (data discovery, activity monitoring, de-identification, etc.)
14
Q

Privacy Strategy vs. Privacy Framework

A

Privacy strategy = why (the program's goals and how they align to the business)

Privacy framework = what (the policies, standards and program activities that carry the strategy out)

15
Q

Steps to ensure compliance with applicable laws and regulations

A
  1. Identify applicable laws and regulations
  2. Create a data map/inventory
  3. Determine a mechanism for cross-border transfers
  4. Perform a complete Privacy Impact Assessment
16
Q

Items that can affect an org’s legal obligations

A
  1. New processes
  2. Acquisitions
  3. Outsourcing agreements
  4. Divestitures
  5. New products & services
  6. Discontinued products & services
17
Q

Binding Corporate Rules (BCRs)

A

Mechanism that allows a multinational org to transfer personal data across borders between members of its own corporate group.

Under GDPR, BCRs require approval from the competent supervisory authority.

At a minimum, BCRs must include structure and contact details for the concerned group, info about the data and transfer process, how the rules apply to the general data protection principles, complaint procedures, and compliance mechanics.

18
Q

Data Inventory/Data Map

A

A complete record of all the personal information your organization stores, uses, and processes

It can be used:

  1. As a precursor to regulatory compliance and risk analysis
  2. To assess data, systems, and processes
  3. To inform data assessments, priorities, data lifecycle management, and data classification

Data inventories should:

  1. Demonstrate the flows and classification of data
  2. Create a record of the authority of organizational systems processing personal information
  3. Analyze the types and uses of data
19
Q

Questions to ask during Data Mapping

A
  1. Collection (format, special protection by law, intended purpose of processing, type of info?)
  2. Usage (how often, for what purpose, identifiable, in what format?)
  3. Storage (how long is data kept, where is it housed geographically, from where is it accessed, where and how does it flow?)
20
Q

Privacy Assessment

A

Measures an organization's compliance with laws, regulations, adopted standards, and internal policies and procedures.

When?
Should be conducted on a regular basis, ad hoc due to a privacy or security event, or at the request of an enforcement agency.

By Whom?
Internal audit, data protection officer, business function, external third party

How?
Subjective standards or objective standards

Then What?
Document results for management sign off, analyze results to improve and remediate program, monitor changes on ongoing basis

21
Q

Privacy Impact Assessment (PIA)

A

Specifically assesses the privacy risks associated with processing personal information in relation to a project, product or service.

Requirements around PIAs may be mandated by industry, organizational policy, and laws and regulations.

22
Q

When should a PIA be conducted?

A
  1. Prior to deployment of a project, product, or service that involves the collection of personal information.
  2. When there are new or revised industry standards, organizational policies, or laws and regulations.
  3. When the org changes the methods by which personal information is handled in a way that creates a new privacy risk.
23
Q

Data Protection Impact Assessment (DPIA)

A

DPIAs have specific triggers under the GDPR

  1. If the processing is likely to result in a high risk to the rights and freedoms of natural persons.
  2. The use of new technologies, in particular, whose consequences and risks are less understood, may increase the likelihood of a DPIA
  3. Article 35 of GDPR has specific examples
  4. See Article 29 Working Party’s Guidelines on DPIA
24
Q

Common Sections of a DPIA

A
  1. Project or system overview
  2. PIA/DPIA goals, timeframe, and scope
  3. Personal information, its source and the purpose for processing
  4. Identified risk to data subjects, including high risk
  5. A proposed strategy for risk mitigation or risk acceptance
  6. Conclusion
25
Q

Attestation

A

Tool for ensuring functions outside the privacy team are held accountable for privacy-related responsibilities.

Questions should be specific and easy to answer. The designated department is required to answer and possibly provide evidence.

26
Q

Physical Assessments

A

Identify operational risk

Examples:

  • unlocked computer
  • monitor in open concept work space
  • customer document left on printer
  • etc.
27
Q

Vendor Assessments

A

Evaluation of a vendor's privacy and information security policies, access controls, where the personal info will be held, and who has access to it.

Same assessment process should be followed each time the org considers a new vendor

28
Q

Risks of working with vendors

A
  1. Scope creep
  2. Process/quality standards
  3. Data breaches
  4. Oversight
  5. Laws and regulations
29
Q

Privacy Checkpoints for Mergers, Acquisitions and Divestitures

A
  1. Applicable new compliance requirements
  2. Existing client agreements
  3. New resources, technologies and processes
  4. Whether there may be concerns regarding economic concentration (the org controls too large a portion of a market)

Divestitures should include a privacy check to ensure no unauthorized info remains on the org’s infrastructure