Privacy Operational Life Cycle: Chapter 4 Assess Flashcards

1
Q

Data governance

A

planning, oversight, and control over management

2
Q

Data governance levels

A

Strategic: data steering committee, c-level
Managerial: data owners, functional leads
Operational: data stewards, SMEs

3
Q

Data governance includes

A

Data architecture
Data modeling and design
Data storage and operations
Data security
Data integration and interoperability
Documents and content
Reference and master data
Data warehousing and business intelligence
Metadata
Data quality

4
Q

Article 30 (GDPR)

A

Records must include:
- Name and contact details of the controller or processor, DPO, and/or data protection representative
- Name and contact details of any joint controllers
- Purpose of the processing (for controllers)
- Description of the categories of personal data and data subjects (controllers) or of processing (processors)
- Categories of recipients (for controllers)
- International transfers to third countries or multinational organizations
- Where applicable, safeguards in place for exceptional transfers
- Where possible, retention periods for the various categories of personal data (for controllers)
- General description of technical and organizational security measures

Must be disclosed to a supervisory authority upon request
Mandatory only for companies of 250 employees or more where the processing is occasional and not sensitive

5
Q

Data inventory should include

A

What is the context and purpose of the repository?
Who is the owner?
Which legal entity?
How much data (personal and sensitive)?
Format (physical or electronic, structured or unstructured)
How is it used?
Data retention
Type of elements and data subjects
Where is it stored?
Where is it accessed?
International transfers
Third party disclosure or sharing?
Transfer mechanisms

6
Q

Privacy assessments

A

Measure compliance with laws

7
Q

PIA

A

Analysis of the privacy risks of processing PI
Suggest or provide remedial action for the risk
Facilitate PbD

Effective if:
- done during the ideation or scoping phase
- done when standards, policies, or laws are new or revised
- done when the org creates new privacy risks through changes

8
Q

PIAs and US laws

A

Required by:
E-Government Act of 2002
Virginia

9
Q

ISO 29134: guidelines for PIAs and reporting

A
1. Identify information flows with PII
2. Analyze the use case
3. Determine relevant privacy safeguards
4. Assess privacy risk steps
5. Prepare to treat privacy risk (controls from ISO/IEC 27002 or 29151)
10
Q

DPIA

A

Required by GDPR for high-risk processing; identifies and reduces risk

11
Q

Article 35

A

DPIA required when:
1. systematic and extensive evaluation of personal aspects based on automated processing, including profiling, where decisions produce legal effects
2. large-scale processing of special categories or criminal data
3. systematic monitoring of a publicly accessible area on a large scale

12
Q

DPIA minimum requirements

A

Description of processing, including purpose and legitimate interest

The necessity of the processing, proportionality, risks

Measures to address the risk

13
Q

When to contact a Supervisory Authority

A

Illegitimate access to data leading to a threat to life, layoff, or financial jeopardy

Inability to reduce the number of people accessing data

14
Q

Assessing vendors

A

Reputation
Financial condition & insurance
Infosec controls
Point of transfer
Disposal of info
Employee training and awareness
Vendor incident response
Audit rights
Policies and procedures
DPO

15
Q

Mergers

A
16
Q

Article 29 Working Party (WP29)

A

Concrete examples for DPIAs
- Evaluation or scoring
- Automated decision making
- Systematic monitoring
- Sensitive or highly personal data
- Data processed on large scale
- Matching or combining data sets
- Vulnerable subjects
- Innovative use of technology
- Preventing data subjects from exercising their rights