Privacy Operational Lifecycle - Section III.A. - Assess Your Organization Flashcards

1
Q

Should a privacy assessment rely upon subjective data or objective data?

A

Both.

2
Q

What is a data assessment?

A

A generic term used to refer to processes such as
- creating a data inventory,
- conducting a data flow analysis and
- classifying categories of data.

3
Q

True or False: An organization should regularly update its data inventory.

A

Yes

4
Q

When choosing a third-party vendor, a data controller should consider what three factors?

A

(1) The vendor’s reputation;
(2) The vendor’s financial condition; and
(3) The security controls and related procedures that the vendor has implemented.

5
Q

True or False: The “assess” step of the Privacy Operational Life Cycle should involve activities tailored to the specific needs of an organization.

A

True

6
Q

From a privacy perspective, what is the most important consideration for organizations choosing a cloud computing vendor?

A

The data residency of where the cloud vendor processes data.

7
Q

What are some common categories of classifications for data when creating a data classification schema?

A

(1) Confidential;
(2) Proprietary;
(3) Sensitive;
(4) Restricted; and
(5) Public.

8
Q

Who is subject to the “records of processing activities” requirements under the GDPR?

A

Both data controllers and data processors.

9
Q

What are three privacy-related concerns facing a company that is divesting itself of a line of business?

A

(1) Information will be improperly left behind, causing ongoing compliance obligations;
(2) Information will be improperly transferred to the acquiring company;
(3) The privacy infrastructure of the organization may need to be untangled.

10
Q

What law in the United States requires that government entities conduct a privacy impact assessment if a privacy threshold analysis indicates that one is needed?

A

The E-Government Act of 2002.

11
Q

What is a privacy impact assessment?

A

An analysis of how information is handled to determine legal compliance obligations, the risks to the information, and to examine protections or alternative means of processing.

12
Q

What reasons make it necessary to constantly review and reevaluate a privacy program as part of the privacy operational life cycle?

A

Changing market conditions, changing legal requirements, and changes within an organization (e.g., the launch of a new product).

13
Q

When does the GDPR mandate that an organization conduct a data protection impact assessment?

A

Where a type of processing, in particular a type using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons.

14
Q

What article of the GDPR contains onerous requirements to maintain records of processing activity?

A

Article 30.

15
Q

What are some common terms in a data vendor agreement?

A

(1) Confidentiality provisions;
(2) Security protections;
(3) Audit rights;
(4) “No further use” provisions;
(5) Subcontractor terms;
(6) Information sharing terms;
(7) Breach notification requirements; and
(8) Consumer consent terms.

16
Q

What are two privacy-related concerns facing an organization that is acquiring another company?

A

(1) It may be subject to additional compliance obligations; and (2) It will subject itself to privacy-related contractual terms of the company being acquired.

17
Q

What does the term “data loss prevention” refer to?

A

Data loss prevention is the term given to the strategies implemented to avoid the unauthorized access or misuse of sensitive data.

18
Q

What does the International Organization for Standardization recommend organizations do once they have completed a privacy impact assessment?

A

Make the PIA publicly available and include an easy-to-understand summary.

19
Q

Prior to completing a merger or acquisition, what must an organization do from a privacy compliance perspective?

A

Undertake due diligence to learn the privacy compliance obligations of the organization being merged or acquired.

20
Q

What is a data flow map?

A

A map of how data flows through an organization that tracks data through its lifecycle.

20
Q

Why is a complete data inventory important for an organization?

A

(1) It helps determine what laws the organization is subject to; and
(2) It allows an organization to leverage that information to serve business goals.

21
Q

What law in Canada requires government agencies to conduct privacy impact assessments to determine whether government programs are in compliance with applicable privacy laws?

A

The Canadian Privacy Act.

21
Q

A complete data inventory includes data that is collected from external sources and [blank].

A

Data created internally (e.g., employee records).

22
Q

What is a common practice used to evaluate a third-party data vendor’s reputation?

A

Calling references provided by the vendor.

23
Q

If a data controller determines that it is not necessary to perform a DPIA, what must it do?

A

Document the reasons for coming to that conclusion.

24
Q

What is Scope of Europe?

A

A non-profit organization that developed a code of conduct to be used by cloud service providers.

25
Q

What four requirements must be included in a data protection impact assessment DPIA?

A

(1) A description of the processing and the purpose for it;
(2) Assessment of the necessity and proportionality of the processing;
(3) An assessment of the risks to data subjects; and
(4) The measures to address the risks.

26
Q

What is a gap analysis?

A

The process of comparing actual performance with the potential or desired performance, such as compliance with applicable laws.

27
Q

What is another name for a privacy threshold analysis?

A

An “initial privacy assessment” or “express privacy impact assessment.”

28
Q

What is the primary function by which data controllers oversee their data processors?

A

Data vendor contracts.

29
Q

What is the “respond” step of the Privacy Operational Life Cycle?

A

The step aimed at reducing risk and increasing compliance by proactively responding to data subject requests, privacy incidents, and other events.

30
Q

What happens if a cloud computing vendor ends up determining some of the “essential elements” of processing?

A

They become a data controller (at least under the GDPR), and they are thereby subject to new and heightened compliance obligations.

31
Q

The term “data location” can refer to what two things?

A

(1) What particular databases or files contain the data; and
(2) The physical location of the servers holding those files.

32
Q

What is the Privacy Operational Life Cycle?

A

A model that “continuously monitors and improves the privacy program, with the added benefits of a life cycle approach to

Measure (Assess)
Improve (Protect)
Evaluate (Sustain)
Support (Respond)

then start again.”

Measure (Assess) - Assesses any gaps in a privacy program as compared to industry best practices, corporate privacy policies, applicable privacy laws, and objective-based privacy program frameworks.
Improve (Protect) - Implements best practices for security and Privacy by Design concepts to protect personal information from cradle to grave.
Evaluate (Sustain) - The step of implementing the management, auditing, and other aspects of the management framework adopted by an organization.
Support (Respond) - The step aimed at reducing risk and increasing compliance by proactively responding to data subject requests, privacy incidents, and other events.

33
Q

All third-party data vendor agreements should include what type of clause?

A

A confidentiality clause indicating that they will not share the controller’s data with third parties without consent.

34
Q

What is Cloud Computing?

A

The provision of software and other information technology services over the internet.

35
Q

What makes a data protection impact assessment (DPIA) different from a privacy impact assessment (PIA)?

A

In many ways, a DPIA is similar to a PIA. A DPIA, however, is a term specifically utilized by the GDPR, which sets forth defined requirements and is triggered upon the occurrence of certain events.

36
Q

What is a privacy assessment?

A

A holistic review of an organization’s entire privacy risk profile designed to analyze an organization’s compliance with the entirety of its privacy program.

37
Q

What is a data inventory?

A

A complete listing of what information is processed by an organization.

38
Q

True or False: The only legal purpose for maintaining a data inventory is to be in compliance with specific laws.

A

False. Maintaining a data inventory offers other legal benefits, such as potentially lessening an administrative penalty in the event of a data breach.

39
Q

True or False: The DPO is always the role within an organization that conducts a privacy assessment.

A

False. A privacy assessment may be conducted by numerous parties, including the DPO, audit function, or a specific business function, an external privacy consultant, or an outside attorney.

40
Q

What are two specific types of privacy analyses that may be required to be performed under the GDPR?

A

A transfer impact assessment and a legitimate interest assessment.

41
Q

What is the “sustain” step of the Privacy Operational Life Cycle?

A

The step of implementing the management, auditing, and other aspects of the management framework adopted by an organization.

42
Q

What provision in a data vendor contract allows a data controller to investigate whether a data processor is in compliance with applicable law?

A

An audit rights provision.

43
Q

What is a “record of authority”?

A

Another name used to refer to a data inventory.

44
Q

The Article 29 Working Party has identified nine considerations that should be accounted for in determining whether a DPIA is necessary; how many must be present before a DPIA is required?

A

Even one can result in a DPIA being required, but the general rule is that if at least two are present a DPIA is required.

45
Q

What are the primary steps of the Privacy Operational Life Cycle?

A

(1) Assess (Measure)
(2) Protect (Improve)
(3) Sustain (Evaluate)
(4) Respond (Support)

Privacy program management is the structured approach to combining several projects into a framework and life cycle to protect personal information and individuals’ rights.

The privacy operational life cycle provides the means to assess, protect, sustain and respond to positive and negative effects of influencing factors on the program.

Phase 1: Assess
* Provides steps, checklists and processes for assessing a privacy program
* Involves comparing the program to industry best practices, corporate privacy policies, applicable laws and regulations, and the organization’s privacy framework

Phase 2: Protect
* Provides information security practices and principles to protect personal information
* Embeds privacy principles and information security management practices within the organization to address, define and establish privacy practices

Phase 3: Sustain
* Provides monitoring, auditing and communication aspects of the management framework
* Ensures “business as usual” by monitoring throughout multiple functions in the organization for identifying, mitigating and reporting risk

Phase 4: Respond
* Seeks to reduce organizational risk and bolster compliance
* Involves the respond principles of information requests, legal compliance, incident response planning and incident handling
* Requires organizations to be accountable for data they collect and how they use it