Developing a Privacy Program - Section I.B. - Implementing a Privacy Program at the Organizational Level

Question 1

What “core activities” engaged in by a data controller will subject it to the requirement to appoint a DPO under the GDPR?

Answer 1

Processing activities that involve the regular or systemic monitoring of data subjects, or processing that includes certain “special” categories of information.

Question 2

What is a privacy workshop?

Answer 2

An education exercise that helps ensure that all relevant stakeholders are on the same page regarding the privacy challenges facing the organization and the extent of the undertaking necessary to implement a privacy program.

Question 3

True or False: All public authorities subject to the GDPR are required to appoint a DPO.

Answer 3

False. Under the GDPR, public authorities must appoint a DPO, but judicial courts are excluded from this requirement.

Question 4

How would you best describe the role of “privacy leader” in an organization?

Answer 4

The most senior officer responsible for privacy in an organization, having responsibility and oversight of the privacy program.

Question 5

At what level of an organization are privacy policies and practices most likely to be implemented?

Answer 5

Privacy practices and policies are implemented at the functional level of organizations, even when those policies and practices are developed by a centralized privacy office

Question 6

A distributed model of data governance works best for what types of organizations?

Answer 6

Smaller organizations or organizations with less-rigid compliance obligations.

Question 7

What does the GDPR describe as the requirements necessary to hold the position of a DPO?

Answer 7

Article 37 states that a DPO must possess “expert knowledge of data protection law and practices.”

Question 8

What is the general method used for active data collection over the internet?

Answer 8

The use of web forms.

Question 9

What department is the most common department in which organizations place the privacy function?

Answer 9

Legal Department

Question 10

True or False: There are only three models of data governance that organizations must choose from.

Answer 10

False. Although there are three primary models of data governance (centralized, distributed, and hybrid), organizations are not limited to just these three primary models.

Question 11

What is a hybrid model of data governance?

Answer 11

A model that combines aspects of both the centralized and distributed models of data governance.

A Hybrid Model of data governance combines the centralized and distributed models. Typically, this means that a centralized person or team is charged with developing privacy policies and procedures, but functional-level departments are responsible for implementing and supporting those policies. For example, this might mean that the central privacy office sets the core goals of the privacy program, while the local level decides which practices to implement in order to meet those goals. Alternatively, members of a privacy team might be placed at the functional level—for example, where a privacy professional is detailed to work at one location in a large national office that has a privacy team located at corporate headquarters.

Question 12

What are some of the disadvantages of a hybrid model of data governance?

Answer 12

Inefficiencies may be created by conflicting policies or the need to repeatedly make the same decision across multiple departments or locations.

Question 13

What are some of the benefits of a distributed model of data governance?

Answer 13

Advantages include:
(1) Information flows from the bottom-to-top, which allows for decisions to be made on a well-informed basis related to actual business functions;
(2) Functional-level expertise can be called upon in the decision-making process;
(3) Functional-level employees feel more ownership over privacy.

Question 14

What is a RACI matrix?

Answer 14

A means to establish a record of ownership that asks who is Responsible and Accountable, and who should be Consulted and Informed.

Question 15

What is a privacy strategy?

Answer 15

The process of communicating the proposed approach towards privacy to internal partners and the attempt to gain support for its implementation.

Question 16

What is a privacy champion?

Answer 16

Someone “at the executive level [that] acts as an advocate and sponsor to further foster privacy as a core organizational concept.”

Question 17

What are some tools organizations look at in order to establish professional competency of privacy team members?

Answer 17

(1) Education;
(2) Relevant certifications; and
(3) A match between professional background and the privacy goals of an organization.

Question 18

Under the PCI-DSS, who may issue fines for non-compliance?

Answer 18

The specific payment card brands that find a company that accepts or processes information in non-compliance.

Question 19

What is one effective way to find a privacy champion within an organization?

Answer 19

Holding informal meetings and having informal talks with executives and department heads.

Question 20

Is it permissible for a related group of corporate entities (e.g., parents and subsidiaries) to appoint a single DPO?

Answer 20

Yes

Question 21

Privacy Vision

Answer 21

A privacy vision should be a short, clear statement about an organization’s view on privacy.

Question 22

What are some benefits of properly documenting the roles and responsibilities assigned at the initial stages of developing a privacy program?

Answer 22

Facilitates communication and
creates a document that all stakeholders can refer to in order to understand what decisions have been made.

Question 23

What is the first step in creating a privacy management program?

Answer 23

Developing a privacy vision

A vital first step in developing a privacy management program is establishing a privacy vision for the organization, sometimes called a privacy mission statement. This vision sets the table for all other steps in privacy program development, as it serves as the fundamental principle that other policies and procedures should aim to achieve. A typical privacy vision is succinct and clear; someone reading it should be able to understand the organization’s privacy goals in less than 30 seconds.

Question 24

What department (or departments) in an organization is likely to be responsible for determining whether third party vendors are complying with internal privacy policies and practices of the data controller?

Answer 24

The legal or procurement department.

Question 25

Who is the intended audience for a privacy vision?

Answer 25

Both internal and external stakeholders

Question 26

What are some common challenges that must be overcome in deploying a privacy strategy?

Answer 26

Organizational complacency,
apprehension about putting money and assets into a new business function, and
a lack of understanding regarding the importance of privacy.

Question 27

True or False:
A comprehensive privacy program has the potential to cut costs, but will never add revenue to an organization.

Answer 27

False. A privacy program has the capacity to both cut costs and add revenue. This should be made clear to relevant stakeholders when implementing a privacy strategy.

Question 28

What is the automatic collection of data over the internet referred to as?

Answer 28

Passive data collection

Question 29

Does the PCI-DSS mandate specific compliance programs and policies that payment card industry members must implement?

Answer 29

No. Even though the PCI Security Standards Council sets the standards, “each payment card brand has its own program for compliance, validation levels and enforcement.”

Question 30

True or False: Business disruption is considered a “cost” by most organizations.

Answer 30

True. Because business disruption is thought of as a “cost” limiting that disruption is a key part of building a business case for privacy.

Question 31

An effective privacy champion is likely to have what characteristics or authority?

Answer 31

1) Experience with the organization
2) The respect of colleagues, and
3) Ownership of a budget

Question 32

What factors does the IAPP recommend in establishing a privacy team?

Answer 32

1) Hierarchy of command,
2) Role definition,
3) Evaluation of outcomes,
4) Alteration of organizational structure
5) Significance
6) Type of structures
7) Customer needs
8) Benefits

Question 33

What are two benefits of implementing a “most restrictive law” approach towards legal compliance obligations?

Answer 33

Simplified management and
lower overhead

Question 34

What are some of the goals of a privacy program manager?

Answer 34

The goals of a privacy program manager incldue
* identifying an organization’s privacy obligations and privacy risks,
* establishing and documenting privacy policies and procedures, and
* monitoring privacy pracitices

Organizations implement multiple data management models. One model is a centralized model, but not all organizations adopt such a model.

Even in organizations that have a centralized privacy office, the privacy policies and practices of an organization are implemented at the functional level of an organization.

Goals (Book):
* Define privacy obligations for the organization
* Identify and mitigate business, employees, vendor and customer privacy risks
* Identify existing documentation, policies, and procedures around the management of personal information
* Create, revise, and implement policies and procedures that effect positive practices and together comprise a privacy program
* Raise the data IQ of the organization to drive and embed a privacy-oriented culture

Question 35

Centralized Model of data governance

Answer 35

A Centralized Model of data governance is defined by the fact that one person (e.g., a Chief Privacy Officer) or one dedicated team is responsible for the privacy functions within an organization.

Under this model, all privacy issues flow through this person or team, which serves as a single point of contact for privacy-related issues. Decision-making therefore flows from the top-down.

This sort of data governance model typically works best for large organizations that operate in multiple jurisdictions or have complex compliance obligations.

Question 36

Centralized Model - Advantages

Answer 36

1) Streamlined decision-making
2) More efficient because it relies on a common understanding and dedicated expertise in privacy

Question 37

Centralized Model - Disadvantages

Answer 37

1) Potentially greater overhead costs
2) Functional-level employees cannot make decisions, and this may slow the implementation process

Question 38

Distributed Model - Disadvantages

Answer 38

1) Inefficiencies may be created because each privacy-related decision may need to be made numerous times by each separate department
2) Divergent or conflicting policies may be implemented by individual departments

Question 39

Hybrid Model - Advantages

Answer 39

1) The resources offered by a centralized approach are available
2) Allows an organization to maintain common privacy goals across the organization, while permitting local variance in how those goals are achieved

Question 40

IAPPs 5 best practices for developing internal parterns to support the privacy function.

Answer 40

1) Become aware of how others treat and view personal information
2) Understand their use of the data in a business context
3) Assist with building privacy requirements into their ongoing projects to help reduce risk
4) Offer to help staff meet their objectives while offering solutions to reduce risk of personal information exposure
5) Invite staff to be a part of the privacy advocate group to further privacy best practices

Question 41

What requirements set the floor for the scope of a privacy program?

Answer 41

1) Legal Requirements
2) Requirements of self-regulatory orgianizations

In addition to legal requirements, organizations may also be subject to self-regulatory frameworks and the obligations that they impose. Therefore, organizations must also be mindful of obligations from self-regulatory authorities when determining the scope of a privacy program. The failure to adhere to self-regulatory obligations can be severe.

Question 42

Art. 37 GDPR

Answer 42

Requirement to appoint a DPO

Article 37 of the GDPR requires organizations to appoint a DPO if, among other things, the organization’s “core activities” include large-scale processing of “special” categories of data, such as information about race, ethnicity, political affiliation, sexual orientation, genetic information, or criminal history. While the GDPR also mandates the other requirements listed, these are not tied to the “core activities” requirement of Article 37.

Question 43

The Fair Information Practice of “access” is commonly considered to include the right to view information an organization collects, along with what other right?

Answer 43

Right to update or correct

The FIP of “access” generally covers both being able to view information and ensure its accuracy. Although there is no uniform set of FIPs, “access” is commonly considered to be distinct from the FIPs of “notice” and “consent.”

Question 44

What is the name used to describe employees within an organization that are responsible for managing an organization’s response to privacy incidents?

Answer 44

Privacy first responders

An important, though less formal, role within an organization is a privacy “first responder.”

Privacy first responders are those employees responsible for managing the organization’s response to privacy incidents.

Question 45

From the perspective of a privacy program manager, what is the most important commonly accepted Fair Information Practice?

Answer 45

Accountability principle

Fair Information Practices can generally be broken down into two aspects of privacy protection:

• HOW an organization manages data and
• individual rights of data subjects.

Although the principles that fall into each category play an important role in information privacy management, the accountability principle is the most important from the perspective of a privacy program manager.

The accountability principles holds that an organization must
take responsibility for protecting personal information and
using it in a manner that is both consistent with the law and
done in a manner that treats the individual equitably.

Question 46

What is included in a privacy vision statement

Answer 46

There is no one particular way for organizations to develop a privacy vision.
Each should be unique to the organization itself.

Nevertheless, there are some common elements found in most privacy vision statements. These include:

(1) a statement on the value of privacy to the organization;
(2) the objectives of the organization;
(3) the strategies implemented to achieve those objectives; and
(4) the roles and responsibilities played by the organization (and those within it) to achieve those goals.

Question 47

What does a Privacy Program seek to protect?

Answer 47

A privacy program seeks to protect and manage multiple categories of information. Among other pieces of data, a privacy program seeks to protect trade secrets and other confidential or proprietary information about an organization.

Most importantly, however, a privacy program governs an organization’s use of “personal information,” sometimes referred to as “personally identifiable information.”

Question 48

What two (2) steps are required to define the scope of a privacy program?

Answer 48

1) Identification of what information is processed
2) Identification of what laws are applicable to the processing of that data

Defining the scope of a privacy program typically involves at least two preliminary steps.

First, an organization must identify the source, types, and uses of personal information within an organization.

Second, the organization must identify applicable laws and regulations based upon how information is collected and processed.

Other considerations, however, may be taken into account.

Question 49

The goals of a privacy program (at a minimum):

Answer 49

• Demonstrate an effective and auditale framework to enable compliance with applicable data protection laws and regulations
• Promote trust and confidence in the data entrusted by individuals, including consumers and employess
• Highlight that an organization takes its data privacy obligations seriously
• Respond effectively to privacy breaches and data subject requests
• Continually monitor, maintain, and improve the maturity of the privacy program

Question 50

Responsibilities of the privacy program manager include:

Answer 50

• Policies, Privacy Notices, Procedures, and Governance
• Privacy-related awareness and training
• Incident response and privacy investigations
• Regulator complaints
• Data subject requests
• Communications
• Privacy controls
• Privacy issues with existing products and services
• Privacy-related monitoring
• Privacy impact assessments
• Development of privacy staff
• Privacy-related data committees
• PdD in product development
• Privacy-related vendor management
• Privacy audits
• Privacy metrics
• Cross-border data transfers
• Preparation for legislative and regulatory change
• Privacy-related subscriptions
• Privacy-related travel
• Redress and consumer outreach
• Privacy-specific or -enhancing software
• Privacy related certification seals
• Cross-functional collaboration with legal, IT, IS or InfoSec, Cyber, Ethics team, amongh others
• Internal and external reporting

Question 51

What department in an organization is likely to be responsible for whether the organization is adequately following its internal privacy policies and controls?

Answer 51

The internal audit department

Question 52

A distributed model of data governance is also known by what two other names?

Answer 52

A localized or
de-centralized model

Question 53

T or F: Each org will have different qualifications that they look to in structuring a privacy team

Answer 53

True.
The necessary qualifications may be dictated to some extent by the structure of the org and data governance model implemented.

Question 54

What is the next step in development of a privacy program after executing on a privacy strategy?

Answer 54

Building a privacy team

Question 55

Appropriate Safeguards under GDPR that permit the transfer of data between the U.S. and E.U.

Answer 55

1) Binding Corporate Rules
2) Standard Contractual Clauses (SCC)
3) Ad hoc contract clauses
4) Codes of Conduct or Certification Mechanisms

Question 56

What are the potential consequences for failing to comply with PCI-DSS standards for companies that accept or process payment card information?

Answer 56

Potential fines and exclusion from banks or payment card systems.

Question 57

True or False: The only two considerations organizations should account for in defining the scope of a privacy program are identifying what data is processed and what laws apply to the processing of that data.

Answer 57

False. Although identification of what data is processed and what laws apply to the processing of that data are important considerations, other factors such as an organization’s culture or appetite for risk may be considered.

Question 58

Other than affecting the validity of the Privacy Shield Framework, what other transfer mechanism did the court in Schrems II call into doubt?

Answer 58

The use of SCCs to transfer data between the US and EU