Developing a Privacy Program - Section I.B. - Implementing a Privacy Program at the Organizational Level Flashcards

1
Q

What “core activities” engaged in by a data controller will subject it to the requirement to appoint a DPO under the GDPR?

A

Processing activities that involve the regular or systemic monitoring of data subjects, or processing that includes certain “special” categories of information.

2
Q

What is a privacy workshop?

A

An education exercise that helps ensure that all relevant stakeholders are on the same page regarding the privacy challenges facing the organization and the extent of the undertaking necessary to implement a privacy program.

3
Q

True or False: All public authorities subject to the GDPR are required to appoint a DPO.

A

False. Under the GDPR, public authorities must appoint a DPO, but judicial courts are excluded from this requirement.

4
Q

How would you best describe the role of “privacy leader” in an organization?

A

The most senior officer responsible for privacy in an organization, having responsibility and oversight of the privacy program.

5
Q

At what level of an organization are privacy policies and practices most likely to be implemented?

A

Privacy practices and policies are implemented at the functional level of organizations, even when those policies and practices are developed by a centralized privacy office.

6
Q

A distributed model of data governance works best for what types of organizations?

A

Smaller organizations or organizations with less-rigid compliance obligations.

7
Q

What does the GDPR describe as the requirements necessary to hold the position of a DPO?

A

Article 37 states that a DPO must possess “expert knowledge of data protection law and practices.”

8
Q

What is the general method used for active data collection over the internet?

A

The use of web forms.

9
Q

What department is the most common department in which organizations place the privacy function?

A

Legal Department

10
Q

True or False: There are only three models of data governance that organizations must choose from.

A

False. Although there are three primary models of data governance (centralized, distributed, and hybrid), organizations are not limited to just these three primary models.

11
Q

What is a hybrid model of data governance?

A

A model that combines aspects of both the centralized and distributed models of data governance.

A Hybrid Model of data governance combines the centralized and distributed models. Typically, this means that a centralized person or team is charged with developing privacy policies and procedures, but functional-level departments are responsible for implementing and supporting those policies. For example, this might mean that the central privacy office sets the core goals of the privacy program, while the local level decides which practices to implement in order to meet those goals. Alternatively, members of a privacy team might be placed at the functional level—for example, where a privacy professional is detailed to work at one location in a large national office that has a privacy team located at corporate headquarters.

12
Q

What are some of the disadvantages of a hybrid model of data governance?

A

Inefficiencies may be created by conflicting policies or the need to repeatedly make the same decision across multiple departments or locations.

13
Q

What are some of the benefits of a distributed model of data governance?

A

Advantages include:
(1) Information flows from the bottom-to-top, which allows for decisions to be made on a well-informed basis related to actual business functions;
(2) Functional-level expertise can be called upon in the decision-making process;
(3) Functional-level employees feel more ownership over privacy.

14
Q

What is a RACI matrix?

A

A means to establish a record of ownership that asks who is Responsible and Accountable, and who should be Consulted and Informed.

15
Q

What is a privacy strategy?

A

The process of communicating the proposed approach towards privacy to internal partners and the attempt to gain support for its implementation.

16
Q

What is a privacy champion?

A

Someone “at the executive level [that] acts as an advocate and sponsor to further foster privacy as a core organizational concept.”

17
Q

What are some tools organizations look at in order to establish professional competency of privacy team members?

A

(1) Education;
(2) Relevant certifications; and
(3) A match between professional background and the privacy goals of an organization.

18
Q

Under the PCI-DSS, who may issue fines for non-compliance?

A

The specific payment card brands that find a company accepting or processing information to be in non-compliance.

19
Q

What is one effective way to find a privacy champion within an organization?

A

Holding informal meetings and having informal talks with executives and department heads.

20
Q

Is it permissible for a related group of corporate entities (e.g., parents and subsidiaries) to appoint a single DPO?

A

Yes

21
Q

Privacy Vision

A

A privacy vision should be a short, clear statement about an organization’s view on privacy.

22
Q

What are some benefits of properly documenting the roles and responsibilities assigned at the initial stages of developing a privacy program?

A

Facilitates communication and
creates a document that all stakeholders can refer to in order to understand what decisions have been made.

23
Q

What is the first step in creating a privacy management program?

A

Developing a privacy vision

A vital first step in developing a privacy management program is establishing a privacy vision for the organization, sometimes called a privacy mission statement. This vision sets the table for all other steps in privacy program development, as it serves as the fundamental principle that other policies and procedures should aim to achieve. A typical privacy vision is succinct and clear; someone reading it should be able to understand the organization’s privacy goals in less than 30 seconds.

24
Q

What department (or departments) in an organization is likely to be responsible for determining whether third party vendors are complying with internal privacy policies and practices of the data controller?

A

The legal or procurement department.

25
Q

Who is the intended audience for a privacy vision?

A

Both internal and external stakeholders

26
Q

What are some common challenges that must be overcome in deploying a privacy strategy?

A

Organizational complacency,
apprehension about putting money and assets into a new business function, and
a lack of understanding regarding the importance of privacy.

27
Q

True or False:
A comprehensive privacy program has the potential to cut costs, but will never add revenue to an organization.

A

False. A privacy program has the capacity to both cut costs and add revenue. This should be made clear to relevant stakeholders when implementing a privacy strategy.

28
Q

What is the automatic collection of data over the internet referred to as?

A

Passive data collection

29
Q

Does the PCI-DSS mandate specific compliance programs and policies that payment card industry members must implement?

A

No. Even though the PCI Security Standards Council sets the standards, “each payment card brand has its own program for compliance, validation levels and enforcement.”

30
Q

True or False: Business disruption is considered a “cost” by most organizations.

A

True. Because business disruption is thought of as a “cost,” limiting that disruption is a key part of building a business case for privacy.

31
Q

An effective privacy champion is likely to have what characteristics or authority?

A

1) Experience with the organization
2) The respect of colleagues, and
3) Ownership of a budget

32
Q

What factors does the IAPP recommend in establishing a privacy team?

A

1) Hierarchy of command,
2) Role definition,
3) Evaluation of outcomes,
4) Alteration of organizational structure
5) Significance
6) Type of structures
7) Customer needs
8) Benefits

33
Q

What are two benefits of implementing a “most restrictive law” approach towards legal compliance obligations?

A

Simplified management and
lower overhead

34
Q

What are some of the goals of a privacy program manager?

A

The goals of a privacy program manager include
* identifying an organization’s privacy obligations and privacy risks,
* establishing and documenting privacy policies and procedures, and
* monitoring privacy practices.

Organizations implement multiple data management models. One model is a centralized model, but not all organizations adopt such a model.

Even in organizations that have a centralized privacy office, the privacy policies and practices of an organization are implemented at the functional level of an organization.

Goals (Book):
* Define privacy obligations for the organization
* Identify and mitigate business, employees, vendor and customer privacy risks
* Identify existing documentation, policies, and procedures around the management of personal information
* Create, revise, and implement policies and procedures that effect positive practices and together comprise a privacy program
* Raise the data IQ of the organization to drive and embed a privacy-oriented culture

35
Q

Centralized Model of data governance

A

A Centralized Model of data governance is defined by the fact that one person (e.g., a Chief Privacy Officer) or one dedicated team is responsible for the privacy functions within an organization.

Under this model, all privacy issues flow through this person or team, which serves as a single point of contact for privacy-related issues. Decision-making therefore flows from the top-down.

This sort of data governance model typically works best for large organizations that operate in multiple jurisdictions or have complex compliance obligations.

36
Q

Centralized Model - Advantages

A

1) Streamlined decision-making
2) More efficient because it relies on a common understanding and dedicated expertise in privacy

37
Q

Centralized Model - Disadvantages

A

1) Potentially greater overhead costs
2) Functional-level employees cannot make decisions, and this may slow the implementation process

38
Q

Distributed Model - Disadvantages

A

1) Inefficiencies may be created because each privacy-related decision may need to be made numerous times by each separate department
2) Divergent or conflicting policies may be implemented by individual departments

39
Q

Hybrid Model - Advantages

A

1) The resources offered by a centralized approach are available
2) Allows an organization to maintain common privacy goals across the organization, while permitting local variance in how those goals are achieved

40
Q

IAPP’s 5 best practices for developing internal partners to support the privacy function.

A

1) Become aware of how others treat and view personal information
2) Understand their use of the data in a business context
3) Assist with building privacy requirements into their ongoing projects to help reduce risk
4) Offer to help staff meet their objectives while offering solutions to reduce risk of personal information exposure
5) Invite staff to be a part of the privacy advocate group to further privacy best practices

41
Q

What requirements set the floor for the scope of a privacy program?

A

1) Legal requirements
2) Requirements of self-regulatory organizations

In addition to legal requirements, organizations may also be subject to self-regulatory frameworks and the obligations that they impose. Therefore, organizations must also be mindful of obligations from self-regulatory authorities when determining the scope of a privacy program. The consequences of failing to adhere to self-regulatory obligations can be severe.

42
Q

Art. 37 GDPR

A

Requirement to appoint a DPO

Article 37 of the GDPR requires organizations to appoint a DPO if, among other things, the organization’s “core activities” include large-scale processing of “special” categories of data, such as information about race, ethnicity, political affiliation, sexual orientation, genetic information, or criminal history. While the GDPR also mandates the other requirements listed, these are not tied to the “core activities” requirement of Article 37.

43
Q

The Fair Information Practice of “access” is commonly considered to include the right to view information an organization collects, along with what other right?

A

Right to update or correct

The FIP of “access” generally covers both being able to view information and ensure its accuracy. Although there is no uniform set of FIPs, “access” is commonly considered to be distinct from the FIPs of “notice” and “consent.”

44
Q

What is the name used to describe employees within an organization that are responsible for managing an organization’s response to privacy incidents?

A

Privacy first responders

An important, though less formal, role within an organization is a privacy “first responder.”

Privacy first responders are those employees responsible for managing the organization’s response to privacy incidents.

45
Q

From the perspective of a privacy program manager, what is the most important commonly accepted Fair Information Practice?

A

Accountability principle

Fair Information Practices can generally be broken down into two aspects of privacy protection:

  • HOW an organization manages data and
  • individual rights of data subjects.

Although the principles that fall into each category play an important role in information privacy management, the accountability principle is the most important from the perspective of a privacy program manager.

The accountability principle holds that an organization must take responsibility for protecting personal information and for using it in a manner that is both consistent with the law and equitable to the individual.

46
Q

What is included in a privacy vision statement?

A

There is no one particular way for organizations to develop a privacy vision.
Each should be unique to the organization itself.

Nevertheless, there are some common elements found in most privacy vision statements. These include:

(1) a statement on the value of privacy to the organization;
(2) the objectives of the organization;
(3) the strategies implemented to achieve those objectives; and
(4) the roles and responsibilities played by the organization (and those within it) to achieve those goals.

47
Q

What does a Privacy Program seek to protect?

A

A privacy program seeks to protect and manage multiple categories of information. Among other pieces of data, a privacy program seeks to protect trade secrets and other confidential or proprietary information about an organization.

Most importantly, however, a privacy program governs an organization’s use of “personal information,” sometimes referred to as “personally identifiable information.”

48
Q

What two (2) steps are required to define the scope of a privacy program?

A

1) Identification of what information is processed
2) Identification of what laws are applicable to the processing of that data

Defining the scope of a privacy program typically involves at least two preliminary steps.

First, an organization must identify the source, types, and uses of personal information within an organization.

Second, the organization must identify applicable laws and regulations based upon how information is collected and processed.

Other considerations, however, may be taken into account.

49
Q

The goals of a privacy program (at a minimum):

A
  • Demonstrate an effective and auditable framework to enable compliance with applicable data protection laws and regulations
  • Promote trust and confidence in the data entrusted by individuals, including consumers and employees
  • Highlight that an organization takes its data privacy obligations seriously
  • Respond effectively to privacy breaches and data subject requests
  • Continually monitor, maintain, and improve the maturity of the privacy program
50
Q

Responsibilities of the privacy program manager include:

A
  • Policies, Privacy Notices, Procedures, and Governance
  • Privacy-related awareness and training
  • Incident response and privacy investigations
  • Regulator complaints
  • Data subject requests
  • Communications
  • Privacy controls
  • Privacy issues with existing products and services
  • Privacy-related monitoring
  • Privacy impact assessments
  • Development of privacy staff
  • Privacy-related data committees
  • PbD (Privacy by Design) in product development
  • Privacy-related vendor management
  • Privacy audits
  • Privacy metrics
  • Cross-border data transfers
  • Preparation for legislative and regulatory change
  • Privacy-related subscriptions
  • Privacy-related travel
  • Redress and consumer outreach
  • Privacy-specific or -enhancing software
  • Privacy related certification seals
  • Cross-functional collaboration with legal, IT, IS or InfoSec, Cyber, Ethics team, among others
  • Internal and external reporting
51
Q

What department in an organization is likely to be responsible for whether the organization is adequately following its internal privacy policies and controls?

A

The internal audit department

52
Q

A distributed model of data governance is also known by what two other names?

A

A localized or
de-centralized model

53
Q

True or False: Each organization will have different qualifications that they look to in structuring a privacy team.

A

True.
The necessary qualifications may be dictated to some extent by the structure of the organization and the data governance model implemented.

54
Q

What is the next step in development of a privacy program after executing on a privacy strategy?

A

Building a privacy team

55
Q

Appropriate Safeguards under GDPR that permit the transfer of data between the U.S. and E.U.

A

1) Binding Corporate Rules
2) Standard Contractual Clauses (SCC)
3) Ad hoc contract clauses
4) Codes of Conduct or Certification Mechanisms

56
Q

What are the potential consequences for failing to comply with PCI-DSS standards for companies that accept or process payment card information?

A

Potential fines and exclusion from banks or payment card systems.

57
Q

True or False: The only two considerations organizations should account for in defining the scope of a privacy program are identifying what data is processed and what laws apply to the processing of that data.

A

False. Although identification of what data is processed and what laws apply to the processing of that data are important considerations, other factors such as an organization’s culture or appetite for risk may be considered.

58
Q

Other than affecting the validity of the Privacy Shield Framework, what other transfer mechanism did the court in Schrems II call into doubt?

A

The use of SCCs to transfer data between the US and EU