Privacy Governance Flashcards
What are three key considerations for developing a privacy strategy? What are example tasks in each category?
- Business alignment: make a business case for privacy and obtain a budget
- Data governance of personal information: design an approach to handling PII throughout the data lifecycle
- Inquiry/complaint handling procedures: train individuals on how to handle complaints
What are five high-level topics to consider when developing a privacy program’s scope and charter?
- Global and local laws, regulations and standards
- Cultural expectations and perspectives, including risk acceptance
- Business-sector requirements
- Types of personal information the organization collects/stores and how it is used
- Regulatory challenges
What are questions to ask when determining where a privacy program should fit within the organizational structure?
Consider which department has the most influence; has global scope; is the best-funded; best executes enterprise projects; and/or is the strongest supporter of privacy.
What is privacy governance?
Privacy governance refers to the five components that guide a privacy function toward compliance with privacy laws and regulations and enable it to support the organization's broader business goals:
- Creating a privacy vision and mission statement
- Defining program scope
- Selecting a privacy framework
- Developing a privacy strategy
- Structuring the privacy team
What are the five primary components of privacy governance?
- Creating a privacy vision and mission statement
- Defining program scope
- Selecting a privacy framework
- Developing a privacy strategy
- Structuring the privacy team
What is a mission statement? How does it differ from a vision statement?
A mission statement defines, in tangible terms, what the organization does to protect individuals' privacy. It should be easy to understand and actionable by the organization (what we do, who we do it for, and how we do it differently or better).
A vision statement is a values statement describing what the organization believes in or hopes to achieve.
What distinguishes a privacy strategy from a privacy framework?
A privacy strategy can be thought of as the “why”: Why is privacy important to our organization?
A privacy framework can be considered the “what”: What form or structure will our privacy program take?
List the phases of the privacy policy life cycle:
- Drafting inward-facing policies that are practical, simple and easy to understand
- Getting approval from decision-makers and stakeholders
- Disseminating and socializing policies to all employees
- Training employees and enforcing policies
- Reviewing and revising policies regularly
What are the three categories of existing privacy program frameworks that a team can draw from? Name examples in each category.
Principles & standards: the Fair Information Practices (FIPs), OECD Guidelines, APEC Privacy Framework, ISO standards
Laws/regulations/programs: PIPEDA (Canada), GDPR (EU), HIPAA (U.S.)
Privacy program management solutions: Privacy by Design, NIST, WebTrust, vendor tools
What is a Centralized governance model, and what are the advantages/disadvantages?
In a centralized approach, one team or person is responsible for privacy-related affairs. This model works best in organizations that use single-channel functions, with planning and decision-making completed by one group.
Advantages: streamlined processes and procedures
Disadvantages: individual employees and business units cannot make privacy decisions on their own
What is a Localized/decentralized governance model, and what are the advantages/disadvantages?
In a local or decentralized approach, decision-making is delegated to lower levels of the organization. This model widens the span of control and allows decisions and information to flow from the bottom up.
Advantages: bottom-up flow of information
Disadvantages: lack of a centralized process can create duplication of effort
What is a Hybrid governance model, and what are the advantages/disadvantages?
The hybrid model combines centralized and local or decentralized governance. It is most common when a large organization assigns an individual or team responsibility for privacy-related affairs for the rest of the organization, and local entities support that central governing body.
Advantages: offers the resources of a larger, centralized organization
Disadvantages: decentralized decision-making provides less big-picture vision
Who is required to appoint a Data Protection Officer?
Under GDPR Article 37, a DPO must be appointed by public authorities or bodies, and by organizations whose core activities consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data (or data relating to criminal convictions and offences).
Further, the Article 29 Working Party (now the European Data Protection Board) recommended that most organizations err on the side of caution by appointing a DPO even when not strictly obligated to by law. A voluntarily appointed DPO is subject to the same GDPR requirements as a mandatory one.
What are example skills a DPO will need?
- Experience assessing risk and best-practice mitigation
- Knowledge of relevant laws and regulations
- Interpersonal flexibility; effective communication with business functions
- Project management and the ability to manage own professional development
- Ability to fulfill the role autonomously
- Ability to handle requests/complaints and train others to help data subjects
- Credibility / no conflicts of interest
What is a RACI matrix? What is it for?
A RACI matrix documents who is Responsible, Accountable, Consulted, and Informed for each task or asset. It is used to document ownership among internal stakeholders: who owns which assets and which responsibilities.