CIPM Flashcards
Top Privacy Team Responsibilities
- Compliance with laws and regulations
- Meet expectations of business clients and partners
- Safeguard data against attacks and threats
Responsibilities of a Privacy Program Manager
- Identify privacy obligations
- Identify business, employee and customer privacy risks
- Identify existing documentation, policies and procedures
- Create, revise and implement policies and procedures that effect positive practices and together comprise a privacy program.
Goals of a Privacy Program
- Demonstrate compliance with applicable laws and regulations (at a minimum)
- Promote consumer trust and confidence
- Enhance organization’s reputation
- Facilitate privacy program awareness, where relevant, of employees, customers, partners and service providers
- Respond effectively to privacy breaches
- Continuously maintain and improve the privacy program
Privacy Mission Statement
Concisely communicates the organization's privacy stance to all stakeholders (requires knowledge of privacy approaches, evaluating the intended objective, and gaining executive sponsor approval)
Common Elements of a Privacy Vision and Mission
- Value of Privacy
- Organization objectives
- Strategies to achieve intended outcomes
- Roles and Responsibilities
Defining Privacy Program Scope and Charter
- Global and local laws, regulations and standards
- Cultural expectations and perspectives, including risk acceptance
- Business sector requirements
- Types of personal information the org collects/stores and how it’s used
- Regulatory challenges
Basics of a Privacy Strategy
- Goal of the org’s Privacy Program
- Business Alignment
- Data Governance
- Inquiry/Complaint Handling procedures
Privacy Program Framework
Implementation roadmaps that guide the privacy team through privacy management and prompt them for the details needed to determine all privacy-relevant decisions for the org.
Policy framework should include:
- organizational policies
- standards and guidelines
- clearly defined program activities
Likely includes templates, tools, processes, laws and standards
Benefits of a Privacy Program Framework
- Reduce Risk
- Avoid/plan for incidents of data loss
- Sustain market value and reputation
- Provide measurements in compliance with laws, regulations, and standards
Privacy Framework Categories
- Principles and Standards (FIP, OECD, AICPA, CSA, etc.)
- Laws, regulations, and programs (PIPEDA, GDPR, HIPAA, local data protection authorities, Binding Corporate Rules)
- Privacy Program Management solutions (Privacy by Design, ISVA, ENISA, NIST, CPA Canada)
Privacy Policy Lifecycle
- Draft inward facing policies that are practical, simple and easy to understand
- Get approval from stakeholders
- Disseminate and socialize to all employees
- Train employees and enforce policies
- Revise and review policies regularly (at least annually)
Privacy Governance Models
- Centralized (one person responsible for privacy)
- Localized or decentralized (decision making is delegated to lower levels of the organization)
- Hybrid (most common; a large org assigns one individual or organizational unit responsibility for privacy-related affairs on behalf of the rest of the org)
Privacy Tech Vendors
- Privacy program management (PPM) - work directly with the privacy office (assessment, management, data mapping, etc.)
- Enterprise program management (EPM) - provide solutions to support the needs of the privacy office and org (data discovery, activity monitoring, deidentification, etc.)
Privacy Strategy vs. Privacy Framework
Privacy strategy = why
Privacy framework = what
Steps to ensure compliance with applicable laws and regulations
- Identify applicable laws and regulations
- Create a data map/inventory
- Determine a mechanism for cross-border transfers
- Perform a complete Privacy Impact Assessment