Info Management in US Flashcards

1
Q

What is Data inventory and why does it matter?

A

Organizations need to know all of the data they hold, have access to, or control, and where it lives. This inventory is the foundation for classifying the data and managing it properly; data that is not inventoried cannot be classified, protected, or defensibly deleted.

2
Q

What is data classification, and how is it usually determined?

A

The classification level assigned to data defines who is cleared to access or handle that data, as well as the baseline level of protection that is appropriate for it.

Classification is typically determined by the sensitivity of the data: the more sensitive the data, the higher its classification level and the stronger the required controls.

3
Q

What are the four steps of information management program development?

A

Discovery
Build
Communicate
Evolve

4
Q

What should organizations consider during the “Discovery” phase of info management program development?

A

Consider:
* Accountability
* Company policy goals
* PI data inventory
* Data locations
* Data sharing
* Data transfers
* Data flows
* Data classification
* Data risk

Tasks include:
* Self-assessing and identifying privacy risk
* Classifying PI according to sensitivity
* Developing and documenting best practices
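The Discovery tasks above (building a PI data inventory by location and classifying PI by sensitivity) are usually automated in practice. The following is an added example, not part of the original flashcards, of a small inventory scanner: it runs PI detectors over constructed sample records keyed by data location, then assigns a classification from the most sensitive PI type found. The regex patterns, the Luhn check on card-number candidates, the sensitivity scale, the classification labels, and the sample records are all assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Detectors for common PI types. Patterns are illustrative assumptions;
# a production scanner needs locale-specific rules and more validation.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# US SSN shape with the invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits optionally separated by spaces or hyphens (card-number candidate).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used to cut false positives on card-number candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pi_types(text: str) -> set[str]:
    """Return the set of PI types detected in a piece of content."""
    found: set[str] = set()
    if EMAIL_RE.search(text):
        found.add("email")
    if SSN_RE.search(text):
        found.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("payment_card")
            break
    return found


# Assumed sensitivity scale: higher number = more sensitive.
SENSITIVITY = {"email": 1, "payment_card": 2, "ssn": 3}
LABELS = {0: "public", 1: "internal", 2: "confidential", 3: "restricted"}


def classify(pi_types: set[str]) -> str:
    """Classification follows the most sensitive PI type present."""
    level = max((SENSITIVITY[t] for t in pi_types), default=0)
    return LABELS[level]


@dataclass
class InventoryEntry:
    location: str
    pi_types: set[str]
    classification: str


def build_inventory(records: dict[str, str]) -> list[InventoryEntry]:
    """records maps a data location (table, bucket, share) to sampled content."""
    return [
        InventoryEntry(loc, types, classify(types))
        for loc, content in records.items()
        for types in [find_pi_types(content)]
    ]


# Constructed sample data for the example (not real records or locations).
SAMPLE_RECORDS = {
    "s3://crm-exports/contacts.csv": "Alice Example,alice@example.com,+1-555-0100",
    "db.hr.employees": "Bob Example,123-45-6789,Engineering",
    "fs://finance/orders.txt": "order 8812 paid with 4111 1111 1111 1111",
    "wiki://public/press-release": "Acme launches new product line in Q3",
}

if __name__ == "__main__":
    for e in build_inventory(SAMPLE_RECORDS):
        print(f"{e.location:32} {e.classification:12} {sorted(e.pi_types)}")
```

The Luhn check matters: a bare 13-19 digit regex flags order numbers and phone numbers, and an inventory full of false positives is one nobody maintains. The classification follows the highest-sensitivity element because a single SSN column makes the whole table restricted, regardless of what else it holds.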

5
Q

What should organizations consider during the “Build” phase of info management program development?

A

Building a privacy program that both facilitates and restricts the flow of personal information, as appropriate.

This includes:
* Internal privacy policies
  o Enforceable legal documents (contracts)
  o Policy reviews
* External privacy notices
  o Common practice, and sometimes required by law
  o Promises made to consumers
  o Notices that accurately reflect actual policy and practice
  o Version control
  o Accessible online
6
Q

What should organizations consider during the “Communicate” phase of info management program development?

A

Key activities in this phase:
* Documenting and updating policies and procedures
* Conveying policies, procedures and goals to decision-makers and consumer-facing employees
* Training and awareness programs for staff and management
* Individual accountability for compliance

7
Q

What should organizations consider during the “Evolve” phase of info management program development?

A

Once an information management program is established, there must be a process for review and update. Failure to do so can result in a company falling out of compliance with its public privacy promises or failing to meet other organizational goals.

Key actions include:
* Affirmation and monitoring
  o Do policies and practices still comply with law, conform to company needs, and support incident response programs?
* Adaptation
  o What changes are necessary to comply with new laws, current company goals, and industry practices?
8
Q

What are the four primary roles of the privacy professional?

A

Researching laws, guidelines, common practices and tools;

Monitoring current events and changing guidelines to provide guidance to the organization;

Educating the organization about privacy laws, organizational policies, risks and recommended practices;

Designing and recommending policies and procedures for the organization

9
Q

When designing and administering a privacy program, what types of risk should an organization consider?

A

Legal Risks - noncompliance with laws or contracts

Reputational Risks - damaging trust in the brand

Operational Risks - reducing efficiency or inhibiting innovative uses of personal data

Investment Risks - preventing the organization from realizing a return on its investment in information, IT, and information-processing programs

10
Q

How should organizations manage User Preferences when it comes to personal data?

A

Users should have the choice to opt in before data is used or collected and opt out of information being sold or shared with third parties. Users should also have access to personal information held about them as well as the ability to challenge accuracy of the data.

11
Q

What are the steps to develop an Incident Response program?

A

Preparation: train staff and prepare tooling, contacts, and procedures before an incident occurs

Identification: detect and confirm that an incident has occurred

Containment: limit the damage of the incident and isolate affected systems to prevent further damage

Eradication: find the root cause of the incident and remove affected systems from the production environment

Recovery: return affected systems to the production environment and verify that no threat remains

Lessons Learned: document the incident and improve the program based on what was learned

12
Q

Which members of an organization need to complete privacy training?

A

Everyone who handles personal information, including those who make decisions regarding it, such as leadership, should be trained in privacy.

13
Q

What questions should privacy professionals ask to determine Accountability?

A
  • Where, how and for what length of time should the data be stored?
  • How sensitive is the information?
  • Will the information be transferred to or from other countries, and if so, how will it be transferred?
  • Who determines the rules that apply to the information?
  • How will the information be processed, and how will these processes be maintained?
14
Q

What is a privacy notice?

A

A statement made to a data subject that describes how an organization collects, uses, retains, and discloses PI. May be referred to as a privacy statement, a fair processing statement, or sometimes, a privacy policy.

In the IAPP's usage, notices are external (statements made to data subjects) while policies are internal (instructions to the organization's own staff).

15
Q

What are key considerations when it comes to vendor management?

A

Vendor agreements should contain clear data ownership language.

Data ownership provisions:
1. The customer retains uninhibited ownership of the data
2. The vendor's right to use the information is limited to activities performed on behalf of the customer
3. The vendor's right to use the information is limited to activities performed with the customer's knowledge
4. The vendor must delete the information at the end of the contract

16
Q

What should organizations consider when choosing a vendor to process personal information on their behalf?

A

An organization should evaluate the vendor against specific standards, including:
* vendor reputation and past history;
* prior security incidents;
* financial condition and insurance;
* information security controls, including business continuity;
* point of transfer;
* disposal of information;
* employee training and user awareness;
* vendor incident response;
* privacy impact assessments.

17
Q

What are six mechanisms under the GDPR that allow organizations to transfer personal data across borders? What must be in place first?

A
  • Adequacy Decisions
  • Ad hoc contracts
  • Standard contractual clauses
  • Binding corporate rules
  • Codes of conduct and/or self-certification mechanisms
  • Derogations

An organization must first have a legal basis for processing personal data before it can transfer the data

18
Q

Describe the brief timeline of US/EU adequacy decisions.

A

U.S. Safe Harbor - adequacy decision in 2000; invalidated by the CJEU in 2015 in Schrems I

EU-U.S. Privacy Shield - set up and formally approved in 2016; struck down by the CJEU in 2020 in Schrems II

EU-U.S. Data Privacy Framework - the current mechanism; adequacy decision adopted in 2023

19
Q

Why was the Safe Harbor agreement found inadequate after Schrems I ?

A

The CJEU found that Safe Harbor did not provide protection of fundamental rights "essentially equivalent" to that guaranteed in the EU. In particular, U.S. national security, public interest, and law enforcement requirements were placed above the Safe Harbor principles, without adequate limits or redress for EU data subjects.

20
Q

Why was the EU-US privacy shield found inadequate after Schrems II?

A

In the subsequent ruling in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (C-311/18, "Schrems II"), the Court of Justice of the European Union invalidated the European Commission's adequacy decision for the EU-U.S. Privacy Shield, finding that:

  • The U.S. surveillance programs are not limited to what is strictly necessary and proportional as required by Article 52 of the EU Charter on Fundamental Rights
  • EU data subjects lack actionable judicial redress and don’t have the right to an effective remedy in the U.S., as required by Article 47 of the EU Charter

The CJEU decision also included findings regarding the need for case-by-case assessments of the sufficiency of foreign protections when using standard contractual clauses.

21
Q

What are Binding Corporate Rules (BCRs) under the GDPR?

A

BCRs are legally binding internal corporate privacy rules for transferring personal information within a corporate group. They are typically used by corporations that operate in multiple jurisdictions.

Under the GDPR, BCRs require approval from a supervisory authority. At a minimum, BCRs must include structure and contact details for the concerned group, information about the data and transfer processes, how the rules apply to general data protection principles, complaint procedures and compliance mechanisms.

22
Q

What are Standard Contractual Clauses (SCCs) under the GDPR?

A

A standard contractual clause, also known as a model clause (language written into a contract), may be a way for organizations to facilitate international data transfers. These were discussed in Schrems II.

23
Q

Name the other approved transfer mechanisms besides SCCs and BCRs?

A

Adequacy Decisions
Ad hoc contracts
Codes of conduct and/or self-certification mechanisms
Derogations

Note that regardless of which mechanism is employed for international data transfers, an organization must first have a legal basis for processing personal data before it can transfer the data.

24
Q

How did Schrems II affect the legality of SCCs?

A

In the wake of Schrems II, the legality of SCCs as a transfer mechanism was upheld. However, to align the SCCs with the GDPR, meet changing needs, and address the specific issues raised by Schrems II, the European Commission adopted revised, modular SCCs in June 2021. Companies must use the new SCCs for all NEW data transfer contracts concluded from 27 September 2021 and must have migrated EXISTING contracts to them by 27 December 2022. Companies must still conduct case-by-case assessments (commonly called a "transfer impact assessment" or TIA) of the laws in the recipient country to ensure essential equivalence to EU law for personal data transferred under SCCs or BCRs. If the laws are not essentially equivalent, companies must implement supplementary safeguards or suspend the transfers.

25
Q

What does Article 24(1) of the GDPR require?

A

Article 24(1) of the GDPR requires the controller, taking into account the nature, scope, context, and purposes of processing and the risks to individuals, to implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that processing complies with the Regulation, and to review and update those measures where necessary. In practice this is the mandate for a data protection (accountability) program that is continuously reviewed and kept robust.

26
Q

What are the four criteria that must be met to define personal data under the GDPR?

A

Article 4(1) of the GDPR defines it as “any information relating to an identified or identifiable natural person.”

“Any information” is understood to be literal. Information could be anything from a person’s name to their location.

“Relating to” refers to the information’s purpose and impact on someone’s privacy rights. Its juxtaposition with other content is also important. For example, a job title would not necessarily relate to a person, but a job title combined with a name likely would.

“Identified” means that an individual person has been named or singled out—for example, by specific characteristics. “Identifiable” refers to indirect identification, taking into account all the “means reasonably likely to be used” to identify the person (Recital 26).

A “natural person” is a real human being, as distinguished from a corporation. This person is referred to as the data subject.

27
Q

What are some requirements for data controllers under the GDPR?

A

Requirements for controllers include:
* Implementing data protection by design and data protection by default
* Conducting data protection impact assessments
* Maintaining records of processing activities
* Appointing a data protection officer, where required

28
Q

Who is required to appoint a Data Protection Officer under the GDPR?

A

Under Article 37, an organization within the scope of the GDPR must appoint a DPO where: (a) the processing is carried out by a public authority or body (except courts acting in their judicial capacity); (b) its core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or (c) its core activities consist of large-scale processing of special categories of personal data or of data relating to criminal convictions and offences.

29
Q

What is the APEC privacy framework?

A

The Asia-Pacific Economic Cooperation (APEC) Privacy Framework sets out information privacy principles for APEC member economies, modeled on the OECD Guidelines. The related APEC Cross-border Privacy Enforcement Arrangement (CPEA) established a framework for members to share information in cross-border investigations and enforcement actions in the Asia-Pacific region, and facilitates communication between APEC and non-APEC privacy enforcement authorities.

30
Q

What are the Sedona Conference standards for managing e-discovery compliance through data retention policies?

A
1. Administration by interdisciplinary teams
2. Continuous development of understanding of policies and practices
3. Consensus on policies while considering industry standards
4. Technical solutions that parallel the functional requirements of the organization
31
Q

What are the issues with EU data protection rules and e-discovery in the US?

A

Parties can be caught between conflicting demands, because another country's laws may prohibit the transfer of personal information outside that country.

Organizations subject to the GDPR face much tighter restrictions on processing and transfer, whereas U.S. discovery rules favor broad preservation, collection, and production of information.

32
Q

How can a party avoid transborder data production using the Hague Convention?

A

Under the Hague Evidence Convention, the party seeking to displace the Federal Rules of Civil Procedure may demonstrate that the foreign law prohibits the discovery sought, and request that evidence be obtained through the Convention's procedures instead.

33
Q

How can organizations protect privacy during e-discovery?

A

Steps organizations can take to protect personal information when required to turn over large volumes of electronic data for discovery purposes include:
* placing limits on the use of company email for personal purposes;
* discouraging the conduct of company business on personal devices;
* implementing policies for what happens to data and accounts when employees leave the organization.

34
Q

What are EU-specific data subject rights provided by the GDPR?

A

These include access and rectification of personal data,
data portability,
erasure (or the “right to be forgotten”),
restriction of processing,
the right to object to processing of one’s personal data, and
the right “not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects … or similarly significant effects.”