Privacy Operational Lifecycle - Section III.A. - Assess Your Organization Flashcards
Should a privacy assessment rely upon subjective data or objective data?
Both.
What is a data assessment?
A generic term used to refer to processes such as
- creating a data inventory,
- conducting a data flow analysis and
- classifying categories of data.
True or False: An organization should regularly update its data inventory.
Yes
When choosing a third-party vendor, a data controller should consider what three factors?
(1) The vendor’s reputation;
(2) The vendor’s financial condition; and
(3) The security controls and related procedures that the vendor has implemented.
True or False: The “assess” step of the Privacy Operational Life Cycle should involve activities tailored to the specific needs of an organization.
True
From a privacy perspective, what is the most important consideration for organizations choosing a cloud computing vendor?
Data residency, i.e., where the cloud vendor processes the data.
What are some common categories of classifications for data when creating a data classification schema?
(1) Confidential;
(2) Proprietary;
(3) Sensitive;
(4) Restricted; and
(5) Public.
Who is subject to the “records of processing activities” requirements under the GDPR?
Both data controllers and data processors.
What are three privacy-related concerns facing a company that is divesting itself of a line of business?
(1) Information will be improperly left behind, causing ongoing compliance obligations;
(2) Information will be improperly transferred to the acquiring company; and
(3) The privacy infrastructure of the organization may need to be untangled.
What law in the United States requires that government entities conduct a privacy impact assessment if a privacy threshold analysis indicates that one is needed?
The E-Government Act of 2002.
What is a privacy impact assessment?
An analysis of how information is handled to determine legal compliance obligations, the risks to the information, and to examine protections or alternative means of processing.
What reasons make it necessary to constantly review and reevaluate a privacy program as part of the privacy operational life cycle?
Changing market conditions, changing legal requirements, and changes within an organization (e.g., the launch of a new product).
When does the GDPR mandate that an organization conduct a data protection impact assessment?
Where a type of processing, in particular a type using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons.
What article of the GDPR contains onerous requirements to maintain records of processing activity?
Article 30.
What are some common terms in a data vendor agreement?
(1) Confidentiality provisions;
(2) Security protections;
(3) Audit rights;
(4) “No further use” provisions;
(5) Subcontractor terms;
(6) Information sharing terms;
(7) Breach notification requirements; and
(8) Consumer consent terms.
What are two privacy-related concerns facing an organization that is acquiring another company?
(1) It may be subject to additional compliance obligations; and
(2) It will subject itself to privacy-related contractual terms of the company being acquired.
What does the term “data loss prevention” refer to?
Data loss prevention is the term given to the strategies implemented to avoid the unauthorized access or misuse of sensitive data.
What does the International Organization for Standardization recommend organizations do once they have completed a privacy impact assessment?
Make the PIA publicly available and include an easy-to-understand summary.