Privacy Operational Lifecycle - Section III.C. - Sustain the Privacy Program Flashcards
What are two primary motivations for organizations to implement a privacy training or awareness program?
(1) It may be required by law; or
(2) It can result in significant cost savings.
What is the goal of privacy training and how, if at all, is it different from the goals of privacy awareness?
To correct bad practices and reinforce good practices through communication; both privacy training and privacy awareness programs share this same goal.
What is environment monitoring?
The internal and external monitoring an organization undertakes to protect against vulnerabilities.
True or False: Environment monitoring refers only to monitoring access provided to outsiders.
False. Environment monitoring is not solely focused on outsiders; insiders should also be monitored to avoid intellectual property theft or other cybersecurity threats.
What is an audit trail?
A chain of electronic activity or sequence of paperwork used to monitor, track, record, or validate an activity.
What are two important pre-requisites to conducting an effective privacy audit?
(1) Organizational policies must be clear; and
(2) Evidence of compliance must be available in accordance with the accountability principle.
How many categories of risk-level are set forth in the AI Act?
There are four levels of risk:
Minimal risk,
Limited risk,
High risk, and
Unacceptable risk.
When is an organization most likely to conduct a first-party audit?
When self-certifying as part of a self-regulatory program.
What is privacy training and how is it different from privacy awareness?
Training communicates the organization's privacy message, policies and processes, including those for data usage and retention, access control, and incident reporting. It is a formal undertaking, whereas awareness activities are less formal efforts to keep privacy visible to the workforce on an ongoing basis.
What are the three primary types of privacy-related monitoring that organizations can undertake?
(1) Environment monitoring;
(2) Legal and regulatory monitoring; and
(3) Compliance monitoring.
According to NIST SP 800-50, what are the three primary steps in building a training and awareness program?
(1) Designing the program;
(2) Developing the awareness and training material; and
(3) Implementing the program.
What is the relationship of environment monitoring and legal/regulatory monitoring with compliance monitoring?
Environment monitoring and regulatory monitoring can be thought of, at times, as part of a more comprehensive compliance monitoring program.
What is an audit of a privacy program?
The ongoing process of evaluating the effectiveness of controls throughout the organization’s operations, systems, and processes.
When is an organization most likely to conduct a third-party audit?
When requested by a supervisory authority or when confidence in the outcome is paramount.
True or False: A privacy audit is intended only to identify risks associated with the use of personal information, not provide recommendations about how to limit risk.
False. An audit will identify risks associated with an organization’s use of personal information, along with recommendations that can limit those risks.
In what ways can employee training and awareness act as a cost savings mechanism?
(1) It lowers the frequency with which privacy incidents occur; and
(2) It lowers the costs of actually responding to a privacy incident if one does occur.
When is an organization most likely to conduct a second-party audit?
When necessary to ensure compliance by a third-party vendor, or as required by contract or applicable law (such as the GDPR).
What are the five steps in the audit life cycle?
(1) Planning;
(2) Preparation;
(3) Conducting the audit;
(4) Reporting; and
(5) Follow up.
What are four common approaches toward compliance monitoring?
(1) Self-monitoring;
(2) Audit management;
(3) Security/system management; and
(4) Risk management.
What are the top three privacy risks posed by the use of artificial intelligence?
(1) Harmful bias;
(2) Bad governance; and
(3) A lack of legal clarity.
What is legal and regulatory monitoring?
Tracking the laws and regulations to which an organization is subject so that changes affecting its obligations are identified as they occur.
True or False: A privacy audit is always conducted on a privacy program as a whole, not its individual parts.
False. Many aspects of a privacy program may be subject to a privacy audit, in addition to the program as a whole.
What is a common alternative to a full audit that organizations use in order to self-assess a privacy program?
Requiring departments throughout an organization to attest to their compliance with an organization’s privacy program.
What separates a privacy audit from a privacy assessment?
A privacy audit is evidence-based and looks to metrics and other measurements, while most privacy assessments rely on more anecdotal or subjective information.
What is the goal of conducting a privacy audit?
To measure an organization's data protection practices against its legal and regulatory obligations, industry best practices, and its own privacy policies.