Privacy Operational Lifecycle - Section III.C. - Sustain the Privacy Program

Question 1

What are two primary motivations for organizations to implement a privacy training or awareness program?

Answer 1

(1) It may be required by law; or
(2) It can result in significant cost savings.

Question 2

What is the goal of privacy training and how, if at all, is it different from the goals of privacy awareness?

Answer 2

To correct bad practices and reinforce good practices through communication; both privacy training and privacy awareness programs share this same goal.

Question 3

What is environment monitoring?

Answer 3

The internal and external monitoring an organization undertakes to protect against vulnerabilities.

Question 4

True or False: Environment monitoring refers only to monitoring access provided to outsiders.

Answer 4

False. Environment monitoring is not solely focused on outsiders; insiders should also be monitored to avoid intellectual property theft or other cybersecurity threats.

Question 5

What is an audit trail?

Answer 5

A chain of electronic activity or sequence of paperwork used to monitor, track, record, or validate an activity.

Question 6

What are two important pre-requisites to conducting an effective privacy audit?

Answer 6

(1) Organizational policies must be clear; and
(2) Evidence of compliance must be available in accordance with the accountability principle.

Question 7

How many categories of risk-level are set forth in the AI Act?

Answer 7

There are four levels of risk:
Minimal risk,
Limited risk,
High risk, and
Unacceptable risk.

Question 8

When is an organization most likely to conduct a first-party audit?

Answer 8

When self-certifying as part of a self-regulatory program.

Question 9

What is privacy training and how is it different from privacy awareness?

Answer 9

Training communicates the organization’s privacy message, policies and processes, including those for data usage and retention, access control, and incident reporting. It is a formal undertaking.

Question 10

What are the three primary types of privacy-related monitoring that organizations can undertake?

Answer 10

(1) Environment monitoring;
(2) Legal and regulatory monitoring; and
(3) Compliance monitoring.

Question 11

According to NIST SP 800-50, what are the three primary steps in building a training and awareness program?

Answer 11

(1) Designing the program;
(2) Developing the awareness and training material; and
(3) Implementing the program.

Question 12

What is the relationship of environment monitoring and legal/regulatory monitoring with compliance monitoring?

Answer 12

Environment monitoring and regulatory monitoring can be thought of, at times, as part of a more comprehensive compliance monitoring program.

Question 13

What is an audit of a privacy program?

Answer 13

The ongoing process of evaluating the effectiveness of controls throughout the organization’s operations, systems, and processes.

Question 14

When is an organization most likely to conduct a third-party audit?

Answer 14

When requested by a supervisory authority or when confidence in the outcome is paramount.

Question 15

True or False: A privacy audit is intended only to identify risks associated with the use of personal information, not provide recommendations about how to limit risk.

Answer 15

False. An audit will identify risks associated with an organization’s use of personal information, along with recommendations that can limit those risks.

Question 16

In what ways can employee training and awareness act as a cost savings mechanism?

Answer 16

(1) It lowers the frequency with which privacy incidents occur; and
(2) It lowers the costs of actually responding to a privacy incident if one does occur.

Question 17

When is an organization most likely to conduct a second-party audit?

Answer 17

When necessary to ensure compliance by a third-party vendor, or as required by contract or applicable law (such as the GDPR).

Question 18

What are the five steps in the audit life cycle?

Answer 18

(1) Planning;
(2) Preparation;
(3) Conducting the audit;
(4) Reporting; and
(5) Follow up.

Question 19

What are four common approaches toward compliance monitoring?

Answer 19

(1) Self-monitoring;
(2) Audit management;
(3) Security/system management; and
(4) Risk management.

Question 20

What are the top three privacy risks posed by the use of artificial intelligence?

Answer 20

(1) Harmful bias;
(2) Bad governance; and
(3) A lack of legal clarity

Question 21

What is legal and regulatory monitoring?

Answer 21

The monitoring of applicable laws and regulations that an organization is subject to in order to track changes that occur.

Question 22

What are two important pre-requisites to conducting an effective privacy audit?

Answer 22

(1) Organizational policies must be clear; and
(2) Evidence of compliance must be available in accordance with the accountability principle.

Question 23

True or False: A privacy audit is always conducted on a privacy program as a whole, not its individual parts.

Answer 23

False. Many aspects of a privacy program may be subject to a privacy audit, in addition to the program as a whole.

Question 24

What is a common alternative to a full audit that organizations use in order to self-assess a privacy program?

Answer 24

Requiring departments throughout an organization to attest to their compliance with an organization’s privacy program.

Question 25

What separates a privacy audit from a privacy assessment?

Answer 25

A privacy audit is evidence-based and looks to metrics and other measurements, while most privacy assessments rely on more anecdotal or subjective information.

Question 26

What is the goal of conducting a privacy audit?

Answer 26

To measure an organization’s data protection practices against legal and regulatory obligations, industry best practices, and compliance with an organization’s own privacy policies.