eBook - Notes Flashcards
What is the key role and goals of a Privacy Program Manager?
Role: The PPM leads the effort to ensure that privacy principles are being carried out through information security practices.
Goals:
1. Define privacy obligations for the organization
2. Identify and mitigate privacy risks
3. Identify existing documentation, policies, and procedures around the management of personal information.
4. Create, revise, and implement policies for a good privacy program
5. Raise the data IQ of the organization to drive a privacy-oriented culture.
What are the key tasks and responsibilities of a Privacy Program Manager?
- Establish data governance through proper policies, procedures, and processes.
- Privacy related awareness and training
- Incident response and privacy investigations
- Regulator complaints
- Data subject requests
- Communications
- Privacy controls
- Privacy issues with existing products and services
- Audits, Metrics, Data Transfers
What is Privacy Program Management?
A structured approach to combining several projects into a framework and lifecycle to protect personal information and the rights of individuals.
A structured privacy program reflects an organization’s thoughtful and intentional plan to protect personal information and the rights of individuals.
What are the four stages of a privacy governance life cycle?
- Assess - steps, checklists, processes necessary to assess any gaps in a privacy program compared to industry best practices, applicable laws, policies, framework etc.
- Protect - data lifecycle, information security, and Privacy by Design.
- Sustain - the monitoring, auditing, and communication aspects of the framework, including audits and risk assessments.
- Respond - to information requests, legal compliance, incident-response
What is Privacy Governance?
The components of a privacy program that guide a privacy function toward compliance with privacy laws and support broader business objectives and goals.
What are the key components of Privacy Governance?
- Creating the organizational privacy vision and mission statement
- Defining the scope of the privacy program
- Selecting an appropriate privacy framework
- Developing the organizational privacy strategy
- Structuring the privacy team
What is the purpose of the organizational privacy vision and mission statement?
It lays the groundwork for the rest of the privacy program.
It should align with the organization's broader purpose and goals.
It should describe the privacy function's raison d'être.
What are the steps involved in defining the scope of a privacy program?
- Identify the personal information collected and processed
- Identify applicable privacy and data protection laws and regulations
What is a Privacy Strategy?
A privacy strategy is the organization's approach to communicating and supporting the privacy program and its vision.
How do you develop a privacy strategy?
- Identify stakeholders and internal partnerships
a) Gain consensus from management and key stakeholders
b) Where does the program sit, who else (Legal, IT, Security, HR etc.) should be involved?
c) Build a coalition of supporters.
d) Identify a program sponsor with budgetary powers - e.g. CISO, Chief Compliance Officer
e) Conduct a privacy workshop for stakeholders
- Keep a record of ownership
Why is it essential to develop and implement a framework?
- A framework can systematically handle risks and obligations of privacy regulations.
- It can help achieve compliance
- Serve as a business differentiator, engender trust
- Support business commitments to stakeholders
What is a framework and what does it help a Privacy Program do?
A framework is a collection of processes, templates, tools, laws and standards that guide privacy program management.
The privacy framework helps answer:
- Are privacy risks properly identified?
- Are there gaps?
- Monitoring of the program
- Employee Training
- Incident response plan etc.
What are the two categories of frameworks?
1) Principles and Standards - e.g. Fair Information Principles, OECD Privacy Principles, GAPP, Canada Privacy Code, APEC, NIST, ETSI, PbyD etc.
2) Laws, Regulations, and Programs - e.g. GDPR, PIPEDA, BCRs
3) Rationalizing requirements - e.g. essentially implementing a solution that addresses all the requirements.
What are the seven principles of Privacy-by-design?
- Proactive not reactive; preventative not remedial
- Privacy as the default setting
- Privacy embedded into design
- Full functionality - positive-sum, not zero-sum
- End-to-end security - full life cycle protection
- Visibility and transparency - keep it open
- Respect for user privacy - keep it user-centric
What are privacy technologies?
Privacy technologies help achieve and demonstrate compliance.
They include things like:
* Consent management
* Data mapping tools
* Due diligence and risk assessment management
* Supplier due diligence
* Managing data subject access requests
* De-identification
* Incident response tools.
It is important to understand that a product by itself does not guarantee compliance; it is only one part of a larger privacy program.