Developing a Privacy Program - Section I.B. - Implementing a Privacy Program at the Organizational Level Flashcards
What “core activities” engaged in by a data controller will subject it to the requirement to appoint a DPO under the GDPR?
Processing activities that involve the regular or systematic monitoring of data subjects, or processing that includes certain “special” categories of information.
What is a privacy workshop?
An education exercise that helps ensure that all relevant stakeholders are on the same page regarding the privacy challenges facing the organization and the extent of the undertaking necessary to implement a privacy program.
True or False: All public authorities subject to the GDPR are required to appoint a DPO.
False. Under the GDPR, public authorities must appoint a DPO, but judicial courts are excluded from this requirement.
How would you best describe the role of “privacy leader” in an organization?
The most senior officer responsible for privacy in an organization, having responsibility and oversight of the privacy program.
At what level of an organization are privacy policies and practices most likely to be implemented?
Privacy practices and policies are implemented at the functional level of organizations, even when those policies and practices are developed by a centralized privacy office.
A distributed model of data governance works best for what types of organizations?
Smaller organizations or organizations with less-rigid compliance obligations.
What does the GDPR describe as the requirements necessary to hold the position of a DPO?
Article 37 states that a DPO must possess “expert knowledge of data protection law and practices.”
What is the general method used for active data collection over the internet?
The use of web forms.
What department is the most common department in which organizations place the privacy function?
Legal Department
True or False: There are only three models of data governance that organizations must choose from.
False. Although there are three primary models of data governance (centralized, distributed, and hybrid), organizations are not limited to just these three primary models.
What is a hybrid model of data governance?
A model that combines aspects of both the centralized and distributed models of data governance.
A hybrid model of data governance combines the centralized and distributed models. Typically, this means that a centralized person or team is charged with developing privacy policies and procedures, but functional-level departments are responsible for implementing and supporting those policies. For example, this might mean that the central privacy office sets the core goals of the privacy program, while the local level decides which practices to implement in order to meet those goals. Alternatively, members of a privacy team might be placed at the functional level—for example, where a privacy professional is detailed to work at one location in a large national office that has a privacy team located at corporate headquarters.
What are some of the disadvantages of a hybrid model of data governance?
Inefficiencies may be created by conflicting policies or the need to repeatedly make the same decision across multiple departments or locations.
What are some of the benefits of a distributed model of data governance?
Advantages include:
(1) Information flows from the bottom up, so decisions can be made on a well-informed basis grounded in actual business functions;
(2) Functional-level expertise can be called upon in the decision-making process;
(3) Functional-level employees feel more ownership over privacy.
What is a RACI matrix?
A means to establish a record of ownership that asks who is Responsible and Accountable, and who should be Consulted and Informed.
What is a privacy strategy?
The process of communicating the proposed approach towards privacy to internal partners and the attempt to gain support for its implementation.
What is a privacy champion?
Someone “at the executive level [that] acts as an advocate and sponsor to further foster privacy as a core organizational concept.”
What are some tools organizations look at in order to establish professional competency of privacy team members?
(1) Education;
(2) Relevant certifications; and
(3) A match between professional background and the privacy goals of an organization.
Under the PCI-DSS, who may issue fines for non-compliance?
The specific payment card brands that find a company which accepts or processes information to be in non-compliance.
What is one effective way to find a privacy champion within an organization?
Holding informal meetings and having informal talks with executives and department heads.
Is it permissible for a related group of corporate entities (e.g., parents and subsidiaries) to appoint a single DPO?
Yes
Privacy Vision
A privacy vision should be a short, clear statement about an organization’s view on privacy.
What are some benefits of properly documenting the roles and responsibilities assigned at the initial stages of developing a privacy program?
Facilitates communication and creates a document that all stakeholders can refer to in order to understand what decisions have been made.
What is the first step in creating a privacy management program?
Developing a privacy vision
A vital first step in developing a privacy management program is establishing a privacy vision for the organization, sometimes called a privacy mission statement. This vision sets the table for all other steps in privacy program development, as it serves as the fundamental principle that other policies and procedures should aim to achieve. A typical privacy vision is succinct and clear; someone reading it should be able to understand the organization’s privacy goals in less than 30 seconds.