Process-oriented strategies Flashcards
4 focuses of process-oriented strategies
(1) enforcing policies and processes,
(2) demonstrating compliance,
(3) informing the individual, and
(4) providing user control.
Create policies
Organizations should create internal privacy policies that best describe how the
organization wishes to manage—and plans to protect—personal information; this includes ensuring
that company employees are adhering to these policies. Processes should include specific strategies
and tactics for data protection, such as hash functions, truncation, tokenization, or cryptography,
as well as contextual policies that explain the reason or purpose for privacy practices.
Maintain policies
Organizations should maintain established policies and processes to ensure consistency
of privacy practices throughout the organization. An example of an inconsistent policy would be if
an organization had very strong controls in place to protect customer credit card numbers but did
not have established policies for protecting their own employees’ data. Another example would be
if the organization had a strong policy regarding protecting customer credit card data for one
stakeholder, but less stringent policies for a different stakeholder.
Uphold (policies)
Organizations should uphold privacy and data protection policies as guiding principles
across the organization, treating personal information as an asset and privacy as a primary goal.
Upholding privacy and data protection policies—through employee training, process auditing, and
policy compliance enforcement—helps to demonstrate that the organization values, and is
dedicated to protecting, personal information in all forms and contexts.
log (demonstrating compliance)
Track all processing of data and review the information for anything that may present a risk.
Any deviations from standard processing procedures, whether due to design, chance, or malicious
actions, should be logged. Logs should be periodically reviewed so that post-activity sanctions,
process changes, or technology changes can be imposed.
audit (demonstrating compliance)
Perform audits regularly to ensure that logging and organizational activities are following
established processes. Auditing provides visibility and an understanding of risks and ensures that
both formal and informal processes are identified, managed and followed.
report (demonstrating compliance)
Periodically collect information on tests, audits, and logs, and report feedback to those
personnel who are responsible for policy and process implementation within the organization. This
allows organizations to look at their privacy activities holistically and to use that information to
improve privacy practices and processes.
key steps to demonstrating compliance
log, audit, report
key steps to informing the individual
supply, notify, explain
key steps to user consent
consent, choice, amend, delete
key steps to policy enforcement
create, maintain, uphold