CIPM BOK Outline Flashcards

1
Q

Privacy Program Governance - 4 main subcategories

A
  1. Organizational Level
  2. Develop the Privacy Program Framework
  3. Implement the Privacy Program Framework
  4. Metrics
2
Q

Governance: Organizational Level - 4 main subcategories

A
  1. Create a company vision
  2. Establish Data Governance Model
  3. Establish a privacy program
  4. Structure the Privacy Team
3
Q

Create a company vision

Gov., Org level

A
  1. Acquire knowledge on privacy approaches
  2. Evaluate the intended objective
  3. Gain executive sponsor approval for this vision
4
Q

Establish Data Governance Model

Gov., Org level

A
  1. Centralized
  2. Distributed
  3. Hybrid
5
Q

Establish a Privacy Program

Gov., Org Level

A
  1. Define program scope and charter
  2. Identify the source, types, and uses of personal information within the organization and the applicable laws
  3. Develop a Privacy Strategy
6
Q

Privacy Strategy

Gov., Org level, privacy program

A
  1. Business alignment: finalize the operational business case for privacy, identify stakeholders, leverage key functions, create a process for interfacing within the organization, align organizational culture and privacy/data protection objectives, and obtain funding/budget for privacy and the privacy team
  2. Develop a data governance strategy for personal information (collection, authorized use, access, and destruction)
  3. Plan inquiry/complaint handling procedures (customers, regulators, etc)
7
Q

Structure the Privacy team

Gov., Org level

A
  1. Establish the organizational model, responsibilities, and reporting structure appropriate to the size of the organization
  2. Designate a point of contact for privacy issues
  3. Establish/endorse the measurement of professional competency
8
Q

Large Organization Structure

A
  1. Chief Privacy Officer
  2. Privacy Manager
  3. Privacy Analysts
  4. Business line privacy leaders
  5. “First Responders”
9
Q

Small Organization Structure

A

Sole Data Protection Officer (DPO)
10
Q

Privacy Program Development

Gov

A
  1. Develop organizational privacy policies, standards, and/or guidelines
  2. Define privacy program activities
11
Q

Privacy Program Activities

Gov, Program Framework

A
  1. Education and Awareness
  2. Monitoring and responding to the regulatory environment
  3. Internal policy compliance
  4. Data inventories, data flows, and classification
  5. Risk assessments (PIAs, PTAs, etc)
  6. Incident Response and process, including jurisdictional regulations
  7. Remediation
  8. Program assurance, including audits
12
Q

Privacy Program Implementation

Gov

A
  1. Communicate the framework to internal and external stakeholders
  2. Ensure continuous alignment to applicable laws and regulations to support the development of an organizational privacy program framework
13
Q

Ensuring continuous alignment of program

Gov, Program Implementation

A
  1. Understand when national laws and regulations apply (e.g., GDPR, CCPA)
  2. Understand when local laws and regulations apply
  3. Understand penalties for noncompliance with laws and regulations
  4. Understand the scope and authority of oversight agencies (e.g., Data Protection Authorities, Privacy Commissioner, FTC, etc.)
  5. Understand privacy implications of doing business with or basing operations in countries with inadequate, or without, privacy laws
  6. Maintain the ability to manage a global privacy function
  7. Maintain the ability to track multiple jurisdictions for changes in privacy law
  8. Understand international data sharing arrangement agreements
14
Q

Metrics

Gov

A
  1. Identify intended audience for metrics
  2. Define reporting resources
  3. Define privacy metrics for oversight and governance per audience
  4. Identify systems/application collection points
15
Q

Defining Privacy Metrics

Gov., Metrics

A
  1. Compliance metrics (i.e., collection, responses to data subject inquiries, use, retention, disclosure to third parties, incidents (breaches, complaints, inquiries), employees trained, PIA metrics, privacy risk indicators, percent of company functions represented by governance mechanisms)
  2. Trending
  3. Privacy program return on investment
  4. Business resiliency metrics
  5. Privacy program maturity levels
  6. Resource utilization
16
Q

Privacy Operational Life Cycle

A
  1. Assess your organization
  2. Protect
  3. Sustain
  4. Respond
17
Q

Assess

life cycle

A
  1. Document current baseline of your privacy program
  2. Processors and third-party vendor assessment
  3. Physical assessments
  4. Mergers, acquisitions, and divestitures
  5. Conduct analysis and assessments, as needed or appropriate
18
Q

Current baseline documentation

Life cycle, Assess

A
  1. Education and Awareness
  2. Monitoring and responding to the regulatory environment
  3. Internal policy compliance
  4. Data, systems, and process assessment (map data inventories, flows, and classifications, create “Record of Authority” of systems processing personal information within the organization, map and document data flow in systems and applications, and analyze and classify types and uses of data)
  5. Risk assessments (PIAs, PTAs, etc)
  6. Incident Response
  7. Remediation
  8. Determine desired state and perform gap analysis against an accepted standard or law
  9. Program assurance, including audits
19
Q

Processors and third-party vendor assessment

Life Cycle, Assess

A
  1. Evaluate processors and third-party vendors, insourcing and outsourcing privacy risks, including rules of international data transfer (Privacy and info security policies, access controls, where PI is being held, and who has access to PI)
  2. Understand and leverage the different types of relationships (internal audit, info security, physical security, data protection authority)
  3. Risk assessment (type of data being outsourced, location of data, implications of cloud computing strategies, legal compliance, records of retention, contractual requirements like incident response, and establishing minimum standards for safeguarding information)
  4. Contractual requirements
  5. Ongoing monitoring and auditing
20
Q

Physical Assessments

Life Cycle, Assess

A

Identify operational risk in:

  1. Data centers and offices
  2. Physical access controls
  3. Document destruction
  4. Media sanitization and disposal (e.g., hard drives, USB/thumb drives)
  5. Device forensics
  6. Device security (e.g., mobile devices, IoT, geo-tracking, imaging/copier hard drive security controls)
21
Q

Mergers, Acquisitions, and Divestitures

Life Cycle, Assess

A
  1. Due diligence
  2. Risk assessment
22
Q

Conduct analysis and assessments, as needed or appropriate

Life Cycle, Assess

A
  1. PTAs on systems, applications, and processes
  2. PIAs - define the process for conducting, understand the life cycle of a PIA and incorporate PIAs into system, process, product life cycles
23
Q

Protect

Life Cycle

A
  1. Data Life Cycle and governance (creation to deletion)
  2. Info security practices (access controls for physical and virtual systems, technical security controls, implement appropriate administrative safeguards)
  3. Privacy by Design (integrate PbD throughout the system development life cycle & establish privacy gates as part of the system development framework)
24
Q

Sustain

Life Cycle

A
  1. Measure
  2. Align
  3. Audit
  4. Communicate
  5. Monitor
25
Q

Measure

Life cycle, sustain

A
  1. Quantify the costs of technical controls
  2. Manage data retention with respect to the organization’s policies
  3. Define the methods for physical and electronic data destruction
  4. Define roles and responsibilities for managing the sharing and disclosure of data for internal and external use
26
Q

Align

Life cycle, sustain

A

Integrate privacy requirements and representation into functional areas across the organization:

  1. Information security
  2. IT operations and development
  3. Business continuity and disaster recovery planning
  4. Mergers, acquisitions, and divestitures
  5. Human resources
  6. Compliance and ethics
  7. Audit
  8. Marketing/business development
  9. Public relations
  10. Procurement/sourcing
  11. Legal and contracts
  12. Security/emergency services
  13. Finance
  14. Others
27
Q

Audit

Life Cycle, sustain

A
  1. Align program privacy operations to an internal and external compliance audit program (knowledge of audit processes & align to industry standards)
  2. Audit compliance with privacy policies and standards
  3. Audit data integrity and quality and communicate audit findings with stakeholders
  4. Audit information access, modification, and disclosure accounting
28
Q

Communicate

Life cycle, sustain

A
  1. Awareness
  2. Targeted employee, management, and contractor training
29
Q

Communicating Awareness

Life cycle, sustain

A
  1. Create awareness of the organization’s privacy program internally and externally
  2. Ensure policy flexibility in order to incorporate legislative/regulatory/market requirements
  3. Develop internal and external communication plans to ingrain organizational accountability
  4. Identify, catalog, and maintain documents requiring updates as privacy requirements change
30
Q

Communicating Training

Life Cycle, Sustain

A

For targeted employee, management, and contractor training:

  1. Privacy policies
  2. Operational privacy practices (e.g., standard operating instructions), such as data creation/usage/retention/disposal, access control, reporting incidents, and key contacts
31
Q

Monitor

Life Cycle, Sustain

A
  1. Environment (e.g., systems, applications) monitoring
  2. Monitor compliance with established privacy policies
  3. Monitor regulatory and legislative changes
  4. Compliance monitoring (e.g., collection, use, and retention) with internal audit, self-regulation, retention strategy, exit strategy
32
Q

Respond

Life Cycle

A
  1. Information Requests
  2. Privacy incidents
33
Q

Responding to Information Requests

Life Cycle, Respond

A
  1. Access
  2. Redress
  3. Correction
  4. Managing data integrity
34
Q

Responding to Privacy Incidents

Life Cycle, Respond

A
  1. Legal Compliance
  2. Incident Response Planning
  3. Incident detection
  4. Incident Handling
  5. Follow incident response process to ensure meeting jurisdictional, global, and business requirements
  6. Identify incident reduction techniques
  7. Incident metrics: quantify the cost of a privacy incident
35
Q

Legal Compliance in Incident Response

Life Cycle, Respond

A
  1. Preventing harm
  2. Collection limitations
  3. Accountability
  4. Monitoring and enforcement
36
Q

Incident Response Planning

Life Cycle, Respond

A
  1. Understand key roles and responsibilities by identifying key business stakeholders (info security, legal, audit, human resources, marketing, business development, communications and PR, and others) and establishing an oversight team
  2. Develop a privacy incident response plan
  3. Identify elements of the privacy incident response plan
  4. Integrate privacy incident response into business continuity planning
37
Q

Incident Detection

Life Cycle, Respond

A
  1. Define what constitutes a privacy incident
  2. Identify reporting process
  3. Coordinate detection responsibilities with organization IT, physical security, human resources, investigation teams, and vendors
38
Q

Incident Handling

Life Cycle, Respond

A
  1. Understand key roles and responsibilities
  2. Develop a communications plan to notify executive management
39
Q

Incident Response Process

Life Cycle, Respond

A
  1. Engage privacy team
  2. Review the facts
  3. Conduct analysis
  4. Determine actions (contain, communicate, etc.)
  5. Execute
  6. Monitor
  7. Review and apply lessons learned