Privacy Operational Lifecycle - Section III.A. - Assess Your Organization

Question 1

Should a privacy assessment rely upon subjective data or objective data?

Answer 1

Both.

Question 2

What is a data assessment?

Answer 2

A generic term used to refer to processes such as
- creating a data inventory,
- conducting a data flow analysis and
- classifying categories of data.

Question 3

True or False: An organization should regularly update its data inventory.

Answer 3

Yes

Question 4

When choosing a third-party vendor, a data controller should consider what three factors?

Answer 4

(1) The vendor’s reputation;
(2) The vendor’s financial condition; and
(3) The security controls and related procedures that the vendor has implemented.

Question 5

True or False: The “assess” step of the Privacy Operational Life Cycle should involve activities tailored to the specific needs of an organization.

Answer 5

True

Question 6

From a privacy perspective, what is the most important consideration for organization’s choosing a cloud computing vendor?

Answer 6

The data residency of where the cloud vendor processes data.

Question 7

What are some common categories of classifications for data when creating a data classification schema?

Answer 7

(1) Confidential;
(2) Proprietary;
(3) Sensitive;
(4) Restricted; and
(5) Public.

Question 8

Who is subject to the “records of processing activities” requirements under the GDPR?

Answer 8

Both data controllers and data processors.

Question 9

What are three privacy-related concerns facing a company that is divesting itself of a line of business?

Answer 9

(1) Information will be improperly left behind, causing ongoing compliance obligations;
(2) Information will be improperly transferred to the acquiring company;
(3) The privacy infrastructure of the organization may need to be untangled.

Question 10

What law in the United States requires that government entities conduct a privacy impact assessment if a privacy threshold analysis indicates that one is needed?

Answer 10

The E-Government Act of 2002.

Question 11

What is a privacy impact assessment?

Answer 11

An analysis of how information is handled to determine legal compliance obligations, the risks to the information, and to examine protections or alternative means of processing.

Question 12

What reasons make it necessary to constantly review and reevaluate a privacy program as part of the privacy operational life cycle?

Answer 12

Changing market conditions, changing legal requirements, and changes within an organization (e.g., the launch of a new product).

Question 13

When does the GDPR mandate that an organization conduct a data protection impact assessment?

Answer 13

Where a type of processing, in particular a type using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons.

Question 14

What article of the GDPR contains onerous requirements to maintain records of processing activity?

Answer 14

Article 30.

Question 15

What are some common terms in a data vendor agreement?

Answer 15

(1) Confidentiality provisions;
(2) Security protections.
(3) Audit rights;
(4) “No further use” provisions;
(5) Subcontractor terms;
(6) Information sharing terms;
(7) Breach notification requirements; and
(8) Consumer consent terms.

Question 16

What are two privacy-related concerns facing an organization that is acquiring another company?

Answer 16

(1) It may be subject to additional compliance obligations; and (2) It will subject itself to privacy-related contractual terms of the company being acquired.

Question 17

What does the term “data loss prevention” refer to?

Answer 17

Data loss prevention is the term given to the strategies implemented to avoid the unauthorized access or misuse of sensitive data.

Question 18

What does the International Organization for Standardization recommend organizations do once they have completed a privacy impact assessment?

Answer 18

Make the PIA publicly available and include an easy-to-understand summary.

Question 19

Prior to completing a merger or acquisition, what must an organization do from a privacy compliance perspective?

Answer 19

Undertake due diligence to learn the privacy compliance obligations of the organization being merged or acquired.

Question 20

What is a data flow map?

Answer 20

A map of how data flows through an organization that tracks data through its lifecycle.

Question 20

Why is a complete data inventory important for an organization?

Answer 20

(1) It helps determine what laws the organization is subject to; and
(2) It allows an organization to leverage that information to serve business goals.

Question 21

What law in Canada requires government agencies to conduct privacy impact assessments to determine whether government programs are in compliance with applicable privacy laws?

Answer 21

The Canadian Privacy Act.

Question 21

A complete data inventory includes data that is collected from external sources and [blank].

Answer 21

Data created internally (e.g., employee records).

Question 22

What is a common practice used to evaluate a third-party data vendor’s reputation?

Answer 22

Calling references provided by the vendor.

Question 23

If a data controller determines that it is not necessary to perform a DPIA, what must it do?

Answer 23

Document the reasons for coming to that conclusion.

Question 24

What is Scope of Europe?

Answer 24

A non-profit organization that developed a code of conduct to be used by cloud service providers.

Question 25

What four requirements must be included in a data protection impact assessment DPIA?

Answer 25

(1) A description of the processing and the purpose for it;
(2) Assessment of the necessity and proportionality of the processing;
(3) An assessment of the risks to data subjects; and
(4) The measures to address the risks.

Question 26

What is a gap analysis?

Answer 26

The process of comparing actual performance with the potential or desired performance, such as compliance with applicable laws.

Question 27

What is another name for a privacy threshold analysis?

Answer 27

An “initial privacy assessment” or “express privacy impact assessment.”

Question 28

What is the primary function by which data controllers oversee their data processors?

Answer 28

Data vendor contracts.

Question 29

What is the “respond” step of the Privacy Operational Life Cycle?

Answer 29

The step aimed at reducing risk and increasing compliance by proactively responding to data subject requests, privacy incidents, and other events.

Question 30

What happens if a cloud computing vendor ends up determining some of the “essential elements” of processing?

Answer 30

They become a data controller (at least under the GDPR), and they are thereby subject to new and heightened compliance obligations.

Question 31

The term “data location” can refer to what two things?

Answer 31

(1) What particular databases or files contain the data; and
(2) The physical location of the servers holding those files.

Question 32

What is the Privacy Operational Life Cycle?

Answer 32

A model that “continuously monitors and improves the privacy program, with the added benefits of a life cycle approach to

Measure (Assess)
Improve (Protect)
Evaluate (Sustain)
Support (Respond)

then start again.”

Measure (Assess) - Assesses any gaps in a privacy program as compared to industry best practices, corporate privacy policies, applicable privacy laws, and ojective-based privacy program frameworks
Improve (Protect) - Implements best practices for security and Privacy by Design concepts to protect personal information from cradle to grave
Evaluate (Sustain) - The step of implementing the management, auditing, and other aspects of the management framework adopted by an org.
Support (Respond) - The step aimed at reducing risk and increasing compliance by proactively responding to data subject requests, privacy incidents, and other events.

Question 33

All third-party data vendor agreements should include what type of clause?

Answer 33

A confidentiality clause indicating that they will not share the controller’s data with third parties without consent.

Question 34

What is Cloud Computing?

Answer 34

The provision of software and other information technology services over the internet.

Question 35

What makes a data protection impact assessment (DPIA) different from a privacy impact assessment (PIA)?

Answer 35

In many ways, a DPIA is similar to a PIA. A DPIA, however, is a term specifically utilized by the GDPR, which sets forth defined requirements and is triggered upon the occurrence of certain events.

Question 36

What is a privacy assessment?

Answer 36

A holistic review of an organization’s entire privacy risk profile designed to analyze an organization’s compliance with the entirety of its privacy program.

Question 37

What is a data inventory?

Answer 37

A complete listing of what information is processed by an organization.

Question 38

True or False: The only legal purpose for maintaining a data inventory is to be in compliance with specific laws.

Answer 38

False. Maintaining a data inventory offers other legal benefits, such as potentially lessening an administrative penalty in the event of a data breach.

Question 39

True or False: The DPO is always the role within an organization that conducts a privacy assessment.

Answer 39

False. A privacy assessment may be conducted by numerous parties, including the DPO, audit function, or a specific business function, an external privacy consultant, or an outside attorney.

Question 40

What are two specific types of privacy analyses that may be required to be performed under the GDPR?

Answer 40

A transfer impact assessment and a legitimate interest assessment.

Question 41

What is the “sustain” step of the Privacy Operational Life Cycle?

Answer 41

The step of implementing the management, auditing, and other aspects of the management framework adopted by an organization.

Question 42

What provision in a data vendor contract allows a data controller to investigate whether a data processor is in compliance with applicable law?

Answer 42

An audit rights provision.

Question 43

What is a “record of authority”?

Answer 43

Another name used to refer to a data inventory.

Question 44

The Article 29 Working Party has identified nine considerations that should be accounted for in determining whether a DPIA is necessary; how many must be present before a DPIA is required?

Answer 44

Even one can result in a DPIA being required, but the general rule is that if at least two are present a DPIA is required.

Question 45

What are the primary steps of the Privacy Operational Life Cycle?

Answer 45

(1) Assess (Measure)
(2) Protect (Improve)
(3) Sustain (Evaluate)
(4) Respond (Support)

Privacy program management is the structured approach to combing several projects into a framework and life cycle to protect personal information and individuals’ rights.

The privacy operational life cycle provices the means to assess, protect, sustain and respond to prositive and negative effects of influencing factors on the program.

Phase 1: Assess
* Provides steps, checklists and processes for assessing a privacy program
* Involves comparing the program to industry best practices, corporate privacy policies, applicable
laws and regulations, and the organization’s privacy framework
Phase 2: Protect
* Provides information security practices and principles to protect personal information
* Embeds privacy principles and information security management practices within the
organization to address, define and establish privacy practices
Phase 3: Sustain
* Provides monitoring, auditing and communication aspects of the management framework
* Ensures “business as usual” by monitoring throughout multiple functions in the organization for
identifying, mitigating and reporting risk
Phase 4: Respond
* Seeks to reduce organizational risk and bolster compliance
* Involves the respond principles of information requests, legal compliance, incident response
planning and incident handling
* Requires organizations to be accountable for data they collect and how they use it