Privacy Program Framework - Section II.A. - Developing a Privacy Program Framework Flashcards
Privacy Vision
Who are we as an organization in terms of our beliefs about privacy?
A concise, clear statement that serves as an org’s guiding principle regarding its approach to privacy issues.
Privacy Strategy
Why is privacy important to us as an organization?
An org’s approach to communicating and obtaining internal support for the privacy program.
Privacy Framework
What structure, policies, and procedures should we implement to achieve our privacy goals and aspirations?
An org’s roadmap to guide the privacy professional through privacy management and privacy-relevant decision making.
Privacy framework is intended to organize a company’s approach to its compliance obligations and other privacy goals instead of addressing privacy issues on an ad hoc basis.
Advantages of a Privacy Program Framework?
- Reduce Risk
- Help to avoid and appropriately respond to privacy incidents
- Provide a means of measuring the “success” of the privacy program (i.e. determine whether the privacy program is meeting its intended goals)
Privacy Program Framework Categories
1) Principles & Standards
2) Laws, Regulations, and Self-Regulatory Programs
3) Privacy Program Management Solutions
FIPs (Fair Information Principles) are widely used to develop laws and regulations
8 OECD Principles
Most widely followed set of FIPs (Fair Information Principles)
- Collection Limitation
- Data Quality
- Purpose Specification
- Use Limitation
- Openness
- Security Safeguards
- Individual Participation
- Accountability
NIST Privacy Framework identifies:
1) “Core” activities that orgs can utilize as part of a privacy program
2) “Profiles” of each core activity
3) “Tiers” that orgs can aim to achieve based on the unique facts of an org
The NIST has released a document entitled “CIPM Crosswalk” that maps the various components of the NIST Privacy Framework with the IAPP’s CIPM Body of Knowledge
What question does a privacy program attempt to answer?
What structure, policies, and procedures should we implement to achieve our privacy goals and aspirations?
What is the primary difference between privacy program management tools and enterprise privacy management tools?
Privacy program management tools are designed specifically for use by the privacy team, while enterprise privacy management tools are designed to be used throughout an organization.
True or False: One common element of a privacy policy is the identification of what functional aspects of the organization and what assets of the organization are impacted by the privacy policy.
True. One common element of most privacy policies is identification of the policy’s scope.
True or False: A privacy policy contains specific, detailed guidelines and procedures that must be followed throughout an organization.
False. A privacy policy should be thought of as a high-level document that serves as the basis for developing more specific guidelines, standards, and procedures, which focus on implementing privacy at the functional level.
What is a privacy policy?
An internal document that dictates how an organization governs its privacy function and handles personal information.
What are some examples of privacy program management solutions that can be used in creating an organization’s privacy framework?
NIST publications,
ENISA guidance,
ISACA’s COBIT 5 framework, and
Privacy by Design principles.
What is the NIST’s Privacy Framework?
A voluntary tool intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individual privacy.
What are some benefits of implementing a privacy framework rather than taking an ad hoc approach to privacy issues?
A privacy program framework will reduce risk; help an organization avoid and appropriately respond to privacy incidents; and provide a means of measuring the “success” of the privacy program.