Info Management in US Flashcards
What is Data inventory and why does it matter?
Organizations need to know all of the data they have access to or control over. This is important because it allows the data to be classified and properly managed.
What is data classification, and how is it usually determined?
The classification level assigned to data defines the clearance of individuals who can access or handle that data, as well as the baseline level of protection that is appropriate for that data.
Typically determined by the sensitivity level of the data (the higher the sensitivity, the higher the classification level).
What are the four steps of information management program development?
Discovery
Build
Communicate
Evolve
What should organizations consider during the “Discovery” phase of info management program development?
Consider:
* Accountability
* Company policy goals
* PI data inventory
* Data locations
* Data sharing
* Data transfers
* Data flows
* Data classification
* Data risk
Tasks include:
* Self-assessing and identifying privacy risk
* Classifying PI according to sensitivity
* Developing and documenting best practices
What should organizations consider during the “Build” phase of info management program development?
Building a privacy program that both facilitates and restricts the flow of personal information (as appropriate).
This includes:
* Internal privacy policies
  o Enforceable legal documents (contracts)
  o Policy reviews
* External privacy notices
  o Common practices, sometimes required by law
  o Promises to consumers
  o Notices that accurately reflect policy and practices
  o Version control
  o Accessible online
What should organizations consider during the “Communicate” phase of info management program development?
Communication is key, as well as:
* Documenting and updating policies and procedures
* Conveying policies, procedures and goals to decision-makers and consumer-facing employees
* Training and awareness programs for staff and management
* Individual accountability for compliance
What should organizations consider during the “Evolve” phase of info management program development?
Once an information management program is established, there must be a process for review and update. Failure to do so can result in a company falling out of compliance with its public privacy promises or failing to meet other organizational goals.
Key actions include:
* Affirmation and monitoring
  o Do policies and practices still comply with law, conform with company needs and support incident response programs?
* Adaptation
  o What changes are necessary to comply with new laws, current company goals and industry practices?
What are the four primary roles of the privacy professional?
Researching laws, guidelines, common practices and tools;
Monitoring current events and changing guidelines to provide guidance to the organization;
Educating the organization about privacy laws, organizational policies, risks and recommended practices;
Designing and recommending policies and procedures for the organization
When designing and administering a privacy program, what types of risk should an organization consider?
Legal Risks - noncompliance with laws or contracts
Reputational Risks - damaging trust in the brand
Operational Risks - affecting efficiency, inhibiting innovative uses of personal data
Investment Risks - hampering the organization from receiving ROI on information, IT and information-processing programs
How should organizations manage User Preferences when it comes to personal data?
Users should have the choice to opt in before data is used or collected and opt out of information being sold or shared with third parties. Users should also have access to personal information held about them as well as the ability to challenge accuracy of the data.
What are the steps to develop an Incident Response program?
Preparation - train and prepare
Identification - identify an incident
Containment - limiting the damage of the incident and isolating affected systems to prevent further damage
Eradication - finding the root cause of the incident and removing affected systems from the production environment
Recovery - permitting affected systems back into the production environment and ensuring no threat remains
Lessons Learned - document the incident and learn from it
Which members of an organization need to complete privacy training?
Everyone who handles personal information, including those who make decisions regarding it, such as leadership, should be trained in privacy.
What questions should privacy professionals ask to determine Accountability?
- Where, how and for what length of time should the data be stored?
- How sensitive is the information?
- Will the information be transferred to or from other countries, and if so, how will it be transferred?
- Who determines the rules that apply to the information?
- How will the information be processed, and how will these processes be maintained?
What is a privacy notice?
A statement made to a data subject that describes how an organization collects, uses, retains, and discloses PI. May be referred to as a privacy statement, a fair processing statement, or sometimes, a privacy policy.
IAPP states that notices are external and policies are internal.
What are key considerations when it comes to vendor management?
Vendor agreements should contain clear data ownership language
Data Ownership Provisions:
1. Customer retains uninhibited data ownership
2. Vendor's right to use information is limited to activities performed on behalf of the customer
3. Vendor's right to use information is limited to activities performed with the customer's knowledge
4. Vendor must delete information at the end of the contract
What should organizations consider when choosing a vendor to process personal information on their behalf?
An organization should evaluate the vendor against specific standards, including:
- Vendor reputation and past history
- Prior security incidents
- Financial condition and insurance
- Information security controls, including business continuity
- Point of transfer
- Disposal of information
- Employee training and user awareness
- Vendor incident response
- Privacy impact assessments
What are six mechanisms under the GDPR that allow organizations to transfer personal data across borders? What must be in place first?
- Adequacy Decisions
- Ad hoc contracts
- Standard contractual clauses
- Binding corporate rules
- Codes of conduct and/or self-certification mechanisms
- Derogations
An organization must first have a legal basis for processing personal data before it can transfer the data.
Describe the brief timeline of US/EU adequacy decisions.
U.S. Safe Harbor - found adequate in 2000, invalidated in 2015 by Schrems I
Privacy Shield - set up and formally approved in 2016, struck down in 2020 by Schrems II
EU-U.S. Data Privacy Framework - current working model, found adequate in 2023
Why was the Safe Harbor agreement found inadequate after Schrems I?
The CJEU found that Safe Harbor lacked protection of fundamental rights "essentially equivalent" to that in the EU. In particular, it held that national security, public interest and law enforcement had been placed above the Safe Harbor principles.
Why was the EU-U.S. Privacy Shield found inadequate after Schrems II?
In a subsequent ruling of Data Protection Commission v. Facebook Ireland, Schrems, the Court of Justice of the European Union invalidated the European Commission’s adequacy determination for the EU-U.S. Privacy Shield, citing that:
- The U.S. surveillance programs are not limited to what is strictly necessary and proportional as required by Article 52 of the EU Charter of Fundamental Rights
- EU data subjects lack actionable judicial redress and don’t have the right to an effective remedy in the U.S., as required by Article 47 of the EU Charter
The CJEU decision also included findings regarding the need for case-by-case assessments of the sufficiency of foreign protections when using standard contractual clauses.
What are Binding Corporate Rules (BCRs) under the GDPR?
BCRs are legally binding internal corporate privacy rules for transferring personal information within a corporate group. They are typically used by corporations that operate in multiple jurisdictions.
Under the GDPR, BCRs require approval from a supervisory authority. At a minimum, BCRs must include structure and contact details for the concerned group, information about the data and transfer processes, how the rules apply to general data protection principles, complaint procedures and compliance mechanisms.
What are Standard Contractual Clauses (SCCs) under the GDPR?
A standard contractual clause, also known as a model clause (language written into a contract), may be a way for organizations to facilitate international data transfers. These were discussed in Schrems II.
Name the other approved transfer mechanisms besides SCCs and BCRs.
- Adequacy Decisions
- Ad hoc contracts
- Codes of conduct and/or self-certification mechanisms
- Derogations
Note that regardless of which mechanism is employed for international data transfers, an organization must first have a legal basis for processing personal data before it can transfer the data.
How did Schrems II affect the legality of SCCs?
In the wake of “Schrems II,” the legality of SCCs was upheld. However, to align the SCCs with the GDPR, meet changing needs and address the specific issues raised by Schrems II, the European Commission has adopted revised SCCs which are modular in nature. Companies will need to use these for all NEW data transfer contracts beginning in late September 2021 and incorporate them into EXISTING data transfer contracts beginning in late December 2022. Companies must still conduct case-by-case assessments (commonly referred to as a “transfer impact assessment” or “TIA”) on the laws in the recipient country to ensure essential equivalence to EU law for personal data being transferred under SCCs or BCRs. If the laws are not essentially equivalent, companies must provide additional safeguards or suspend transfers.