Study Cards Flashcards
Privacy program management is the structured approach of
combining several projects into a framework and life cycle to protect PI and individuals’ rights.
The privacy operational life cycle involves four phases:
assess, protect, sustain and respond.
The assess phase involves comparing the program to
industry best practices, corporate privacy policies, applicable laws and regulations and the organization’s privacy framework.
The protect phase embeds privacy principles and information security management practices to
address, define and establish privacy practices.
The sustain phase provides
monitoring, auditing and communication aspects of the management framework.
The respond phase involves the principles of
information requests, legal compliance, incident response planning and incident handling, as well as accountability for data collected.
Privacy program managers and teams are responsible for
compliance, accountability and alignment with organizational strategy.
Accountability is the most important aspect of privacy program management. Privacy program managers are accountable for
safekeeping and responsible use of personal information.
While _ with applicable laws and regulations is a key motivator for having a privacy program, it is not the only purpose of a program.
compliance
Other important reasons to institute a privacy program are
meeting expectations of business clients and partners, and safeguarding data against attacks and threats.
A successful privacy program integrates __ into functional areas across the organization.
privacy requirements and representation
Examples of organizational areas that typically have specific privacy concerns include:
HR, marketing and business development, finance, information security, IT, and legal and compliance functions.
What business function is most likely responsible for determining which employees may access subscribers’ sensitive PI?
Information security
Privacy governance refers to
components guiding a privacy function toward compliance with laws and regulations, and enabling them to support the organization’s broader business goals
Privacy governance comprises the following components, each of which should support the organization’s broader business goals:
- Creating a privacy vision and mission statement
- Defining program scope
- Selecting a privacy framework
- Developing a privacy strategy
- Structuring the privacy team
There is no standard organizational structure for privacy across organizations. When determining where privacy will sit in the organization, you may wish to consider
which department has the most influence; has global scope; is the best-funded; best executes enterprise projects; and/or is the strongest supporter of privacy.
While strategies provide the why (why privacy is important), privacy program frameworks provide the what (what form the program will take), in the form of
implementation roadmaps that guide teams and prompt for the details to determine privacy-relevant decisions for the organization.
Common privacy program frameworks include principles and standards such as __, OECD guidelines, GAPP, CSA, the APEC Privacy Framework, ETSI, and ISO; laws, regulations and programs such as PIPEDA and APPs, __, HIPAA, CNIL, and BCRs; and privacy program management solutions such as __, NIST, and WebTrust.
FIPs; GDPR; PbD
The privacy policy life cycle phases involve:
- Drafting inward-facing policies that are practical, simple and easy to understand
- Getting approval from decision-makers and stakeholders
- Disseminating and socializing policies to all employees
- Training employees and enforcing policies
- Reviewing and revising policies regularly
The privacy governance models are
centralized, localized/decentralized, or hybrid (a combination of both).
In the centralized model,
one team or person is responsible for privacy-related affairs.
In the local/decentralized model, decision-making is delegated to
lower levels of the organization, allowing decisions and information to flow from bottom to top.
The hybrid model combines the centralized and local models and is
most common in large organizations: a central individual or team is responsible for privacy policy, standards and oversight for the whole organization, while local business units or regions remain responsible for day-to-day implementation and enforcement.
The DPO position is a professional role with many responsibilities. Examples of the skills a DPO needs include:
- Experience assessing risk and best practice mitigation
- Knowledge of relevant laws and regulations
- Interpersonal flexibility; effective communication with business functions
- Project management and ability to manage own professional development
- Ability to fulfill the role autonomously
- Ability to handle requests/complaints and train others to help data subjects
- Credibility/no conflicts of interest
Getting buy-in for a privacy strategy may mean changing an organization’s mindset. Recommendations include __; __; and __
building relationships and finding advocates;
pitching privacy;
creating steering groups of stakeholders.
Once your privacy program has been established, you must
create awareness of the program both internally and externally.
Some organizations use a RACI matrix, a tool used to embed responsibilities and identify:
Who is Responsible
Who is Accountable
Who needs to be Consulted
Who needs to be Informed
Key functional areas help create and enforce the privacy program on an ongoing basis. Examples of these areas include:
marketing, learning and development, communications, IT and procurement.
Auditing and analyzing a governance structure’s performance is essential to its success. The __ and __ functions review and analyze operations across all departments and communicate their results.
internal audit (IA) and risk management
__ typically reports to an audit committee, helping to ensure it remains unbiased.
Internal audit
__ ensures business and regulatory requirements are met through detailed analysis.
Risk management
Some organizations use __ to help achieve compliance. Solutions may relate to areas such as assessment management, data mapping, deidentification and incident response.
privacy tech vendors
Privacy technology is experiencing rapid growth. Reasons for this include the emergence of
comprehensive data protection laws and privacy regulations along with strict requirements and significant fines for noncompliance under many privacy laws, such as the GDPR. Another factor is __
growing consumer awareness of data breaches and increasing demands that organizations protect their information.
The chief privacy officer for a telecommunications company wants to revise its privacy mission statement. What steps would be involved in this process? Select all that apply.
1. Evaluating the intended objective
2. Acquiring knowledge on privacy approaches
3. Gaining executive sponsor approval
4. Communicating the organization’s privacy stance to all stakeholders
5. Monitoring compliance with the company’s privacy policies
All except 5
In differentiating between a privacy strategy and a privacy framework, how can strategy be defined?
1. As the why
2. As the what
As the why
True or false? A law or regulation may constitute a privacy framework.
True
What type of privacy governance model is defined by a one-team or one-person approach?
Localized/decentralized
Centralized
Hybrid
Centralized
True or false? The privacy team should always comprise more than one person.
False
Which business function ensures business and regulatory requirements are met through detailed market, credit, trade and counterparty analysis?
Internal audit
Procurement
Learning and development
Risk management
Risk management
What is the most important aspect of privacy program management?
Vendor management
Audits
Data mapping
Accountability
Accountability
True or false? Regulatory compliance is often the primary motivation for organizations to develop a privacy program.
True
A privacy program should integrate privacy requirements and representation into which of the following functional areas? Select all that apply.
Human resources
Marketing and business development
Finance
Information security
IT
Legal and compliance
All are correct
Customer service employees for a health insurance company are granted access to subscribers’ sensitive PI to help with questions about coverage and billing. What business function is most likely responsible for determining which employees may access subscribers’ sensitive PI?
Human resources
IT
Information security
Legal
Information security
Which of the following is NOT a phase of the privacy operational life cycle?
Sustain
Respond
Consider
Assess
Consider
Under GDPR, data subjects can:
Withdraw consent
Request a copy of their personal data or have it deleted
“Freeze” processing of their personal data (restriction of processing)
Object to automated decision-making
Under GDPR, organizations must:
Implement PbD and privacy by default
Provide notice to data subjects about the processing of their personal data
Provide notification of breaches (sometimes)
Conduct DPIAs (sometimes)
Consult regulators before processing (sometimes)
Follow rules for processing children’s data
Ensure compliance of data transfers
Take responsibility for vendor processing
Maintain appropriate data security
Keep records and demonstrate compliance
Appoint a DPO (sometimes: public authorities, or where core activities involve large-scale systematic monitoring or large-scale processing of special categories of data)
Under GDPR, regulators may:
Ask for records of compliance (register of processing activities, DPIAs, documentation, risk-analysis)
Impose temporary or definitive data processing bans, and require data breach notification
Order erasure of personal data
Suspend international data flows
Enforce penalties up to €20 million or 4 percent of total worldwide annual turnover, whichever is higher
Under LGPD, data subjects can:
Confirm the existence of processing
Access their data
Correct incomplete, inaccurate or out-of-date data
Have unnecessary or excessive data, or data processed in violation of the law, anonymized, blocked or deleted
Export data to another service or product provider
Delete personal data processed pursuant to consent
Obtain information about entities with which data is shared
Obtain information about denying consent
Review decisions made solely based on automated processing
Oppose non-consent-based processing when in violation of the law
Under LGPD, organizations must:
Implement privacy-by-design and -default processes
Develop incident response and remediation plans
Maintain appropriate data security
Notify data subjects and regulators of data breaches
Follow special rules for directly processing children’s data
Provide notice of intention to process PI
Appoint a data protection officer (for controllers)
Take responsibility for processing activities of third-party vendors
Create personal data protection impact report (RIPD)
Ensure adequacy or appropriate safeguards for data transfers
Keep records (in most circumstances) and demonstrate compliance
Comply with international data transfer requirements
Under LGPD, regulators may:
Ask for records of compliance
Apply sanctions, e.g., warnings and corrective measures, publicizing the infraction, suspension or prohibition of processing activities
Enforce penalties up to 2 percent of a company’s annual revenue in Brazil to a maximum of 50 million reais per infraction
The privacy team needs to work with regulators to understand:
- Fines and penalties for noncompliance
- The scope and authority of regulators and oversight agencies
- Recent or upcoming changes in privacy law
Organizational changes that can alter privacy-related legal obligations include:
New processes
Acquisitions
Outsourcing agreements
Divestitures
Discontinued products and services
New products and services
Different regions’ laws may be similar to, or vastly different from, one another, so some organizations __
create a roadmap or crosswalk to determine where legal requirements overlap.
Fair Information Practices (FIPs) appear in various forms and applications. The __
are perhaps the most widely recognized framework for FIPs, defining purpose specification,
openness, individual participation, collection limitation, use limitation, security safeguards, data quality and accountability
OECD Guidelines
Under the California Consumer Privacy Act, consumers have:
- The right to know what PI a business collects about them and how it is used and shared;
- The right to delete PI collected from them (with some exceptions);
- The right to opt out of the sale of their PI; and
- The right to non-discrimination for exercising their rights under the CCPA.
Under the CCPA, businesses must:
- Provide a CCPA-compliant privacy policy or certain notices to consumers per the CCPA/CPRA privacy policy requirements [compliant privacy notice]
- Provide disclosures to consumers, such as categories of PI collected, purpose for collection, description of consumers’ rights [disclose their rights and how categories of data are used]
- Provide methods for submitting requests to know and to delete, and have a process to verify the identity of consumers attempting to exercise their rights [way to know and delete, verify ID]
- Respond to consumer requests in a timely manner
- Provide two or more methods for submitting requests to opt out, including a clear and conspicuous “Do Not Sell My Personal Information” link on the website to make it easy for consumers to [opt out] of the sale of their PI
The CPRA amends and expands upon the CCPA in several ways, including:
- Establishing a dedicated enforcement agency, the California Privacy Protection Agency
- Extending the opt-out right to cover the sharing of PI (for cross-context behavioral advertising), not only its sale
- Adding a right to correct inaccurate PI that a business holds about the consumer
- Adding a right to limit the use and disclosure of sensitive PI
International data transfers can be complex because you need to
comply with relevant laws across jurisdictions, and there must be a legal basis for transferring the data.
Several mechanisms allow organizations to transfer data internationally, including:
*adequacy decisions, *appropriate safeguards (standard contractual clauses, codes of conduct or self-certification mechanisms, ad hoc contractual clauses, international agreements and binding corporate rules); and *derogations.
Which are common elements of privacy-related legislation across jurisdictions? Select all that apply.
Requirements for ensuring individual rights
Security obligations
Processor obligations
FIPs
All answers are correct except Processor obligations
Privacy and data protection regulators have the right to impose penalties for
noncompliance, including fines.
True
False
True
What can controllers and processors do to avoid incurring penalties from regulators for noncompliance with the GDPR? Select all that apply.
Know which regulators oversee which processing activities within the organization
Ensure regulators receive notification of data breaches under some circumstances
Know when legal obligations change due to changes in the organization
Conduct data protection impact assessments whenever personal data is being processed
All answers are correct except Conduct data protection impact assessments whenever personal data is being processed
Using a valid mechanism for transferring PI internationally, such as binding corporate rules, allows for the legal processing of that data.
True
False
False (a transfer mechanism legitimizes the transfer itself; the processing still needs its own lawful basis and must meet all other obligations)
Which international data transfer mechanism is used to demonstrate to regulators and consumers that a company adheres to certain information privacy standards?
Binding corporate rules
Standard contractual clauses
Adequacy decisions
Codes of conduct
Codes of conduct
A general good practice is to adjust the privacy program to the most stringent legal requirements to which personal data processing is subject.
True
False
True
A __ is a complete record of all the PI your organization stores, uses and processes.
data inventory, or data map
_ can be used as a precursor to regulatory compliance and risk analysis; to assess data, systems and processes; and to inform data assessments, priorities, data life cycle management and data classification.
Data inventories
It should show data flows and data classification, provide a record of authority for the systems that process personal information, and document data types and uses.
To create a comprehensive inventory of all PI being processed, an organization should determine
who creates the data inventory, which departments hold/use PI, and what questions should be asked.
__ may be organized around the data life cycle, considering the collection, usage, storage, archiving and destruction of PI.
Intake questions
Conducting a __ helps determine what compliance efforts are in place, areas that need improvement, and where additional controls must be developed.
gap analysis
It involves identifying gaps between standards and laws an organization is subject to and the organization’s current compliance efforts. Many laws overlap, so be sure to involve your Legal team in the process.
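The inventory and gap-analysis cards above describe what to record and what to compare; the following is an added example (not part of the original flashcards or any vendor tool) of keeping a small data inventory as structured records organized around the data life cycle and running automated checks over it, so that gaps such as an undocumented lawful basis, a missing retention period, an unprotected international transfer or an unmet DPIA trigger are surfaced mechanically rather than found by interview. The record fields, the sample systems, the "domestic" country set and the large-scale threshold are all assumptions for illustration.

```python
"""Added example: a minimal data inventory with automated gap checks.
All field names, sample records and thresholds are assumptions, not
content from the flashcards."""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: an EU/EEA controller; anything stored outside these countries
# is treated as an international transfer that needs a mechanism.
DOMESTIC = {"DE", "FR", "IE", "NL"}
SPECIAL_CATEGORIES = {"health", "biometric", "genetic", "religion", "union"}
VALID_TRANSFER_MECHANISMS = {"adequacy", "scc", "bcr", "derogation"}
LARGE_SCALE_SUBJECTS = 10_000  # assumed threshold for "large scale"


@dataclass
class InventoryRecord:
    """One row of the data inventory, following the data life cycle:
    collection (purpose, lawful basis), use, storage, retention/destruction."""
    system: str
    owner: str                        # accountable business function
    data_categories: List[str]        # e.g. "contact", "health"
    purpose: str
    lawful_basis: str                 # "" when nobody has documented it
    classification: str               # public | internal | confidential | restricted
    storage_country: str
    retention_days: int               # 0 when no retention period is set
    processors: List[str] = field(default_factory=list)
    transfer_mechanism: str = ""      # required when storage_country not in DOMESTIC
    data_subjects_estimate: int = 0
    new_technology: bool = False      # e.g. first use of ML-based profiling
    systematic_monitoring: bool = False


def dpia_required(rec: InventoryRecord) -> bool:
    """Approximates the GDPR Article 35 triggers: new technology, systematic
    monitoring, or large-scale processing of special categories of data."""
    special = bool(set(rec.data_categories) & SPECIAL_CATEGORIES)
    large_scale = rec.data_subjects_estimate >= LARGE_SCALE_SUBJECTS
    return rec.new_technology or rec.systematic_monitoring or (large_scale and special)


def check_record(rec: InventoryRecord) -> List[str]:
    """Returns the gaps found for one inventory record (empty list if none)."""
    findings: List[str] = []
    if not rec.lawful_basis:
        findings.append(f"no lawful basis documented for purpose '{rec.purpose}'")
    if rec.retention_days <= 0:
        findings.append("no retention period set (destruction phase undefined)")
    if rec.storage_country not in DOMESTIC and rec.transfer_mechanism not in VALID_TRANSFER_MECHANISMS:
        findings.append(f"international transfer to {rec.storage_country} without a transfer mechanism")
    if set(rec.data_categories) & SPECIAL_CATEGORIES and rec.classification != "restricted":
        findings.append(f"special-category data classified '{rec.classification}', expected 'restricted'")
    if dpia_required(rec):
        findings.append("DPIA trigger met; no DPIA recorded")
    return findings


def gap_report(inventory: List[InventoryRecord]) -> Dict[str, List[str]]:
    """Maps each system with at least one gap to its list of findings."""
    report: Dict[str, List[str]] = {}
    for rec in inventory:
        findings = check_record(rec)
        if findings:
            report[rec.system] = findings
    return report


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    InventoryRecord("hr-payroll", "HR", ["contact", "bank"], "payroll", "contract",
                    "confidential", "DE", 3650, ["payroll-saas"], data_subjects_estimate=1200),
    InventoryRecord("marketing-analytics", "Marketing", ["contact", "behavioral"],
                    "targeted advertising", "", "internal", "US", 0, ["adtech-vendor"],
                    data_subjects_estimate=250_000, new_technology=True),
    InventoryRecord("telehealth-portal", "Product", ["contact", "health"], "care delivery",
                    "consent", "confidential", "IE", 2555, data_subjects_estimate=50_000),
]

if __name__ == "__main__":
    for system, findings in gap_report(SAMPLE_INVENTORY).items():
        print(system)
        for f in findings:
            print("  -", f)
```

Run as a script it prints the gaps for the two problematic systems and nothing for payroll. The same record structure can be exported to a spreadsheet or GRC tool; the point of the checks is that intake questions become required fields, so an incomplete answer shows up as a finding in the next review rather than going unnoticed.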
A __ measures an organization’s compliance with laws, regulations, adopted standards and internal policies/procedures. It may involve the use of subjective standards (such as employee interviews) and/or objective standards (such as information system logs).
privacy assessment
A __ is an analysis that assesses privacy risks associated with processing PI in relation to a project, product or service. Requirements around them may be mandated by industry, organizational policy, and laws and regulations.
privacy impact assessment
Triggers for conducting a __ include preparing for the deployment of a project, product or service that involves the collection of PI; new or revised industry standards, organizational policies, or laws and regulations; and organizational changes to methods in which PI is handled.
PIA
A __ has specific triggers and requirements under the GDPR and LGPD. They are intended to help incorporate privacy considerations into organizational planning and demonstrate GDPR compliance
data protection impact assessment (DPIA)
Triggers for conducting __ include processing that is “likely to result in a high risk to the rights and freedoms of natural persons” (GDPR Article 35), in particular the use of new technologies, systematic and extensive evaluation of individuals based on automated processing such as profiling, large-scale processing of special categories of data, and large-scale systematic monitoring of publicly accessible areas
DPIAs
DPIAs should include:
a description of the processing, including its purpose, and including, where applicable, the legitimate interest being pursued;
the necessity of the processing, its proportionality and the risks that it poses to data subjects;
and measures to address the risks identified.
__ is a self-assessment tool for ensuring functions outside the privacy team are held accountable for privacy-related responsibilities. Once the privacy responsibilities of each department are documented, the departments may be asked specific questions about each responsibility
Attestation
Mergers, acquisitions and divestitures should include a privacy checkpoint that evaluates:
new compliance requirements;
existing client agreements;
new resources, technologies and processes;
and applicable laws and standards.
Vendor assessment is the evaluation of a vendor for
privacy and information security policies,
access controls,
where the personal information will be held,
and who has access to it
__, along with other checklists, can be used to
assess vendor risk.
Privacy or security questionnaires, and privacy impact assessments
Any technology that is new to an organization, even those that are ubiquitous elsewhere, requires
an assessment
Assessing cloud computing vendors before procuring them can be challenging. Specific areas to focus on during a selection assessment of a cloud service provider include
certifications and standards, technologies, service road map, data management, information security, subcontractors and service dependencies, and data policies and protection.
Which of the following is a common function of a data inventory? Select all that apply.
Assesses data, systems and processes
Informs data assessments
Informs data classification
Measures compliance with laws, regulations, standards and internal policies
All answers are correct except Measures compliance with laws, regulations, standards and internal policies
Which of the following elements may be found in a data inventory? Select all that apply.
Data flows
Classification of data
Record of authority of organizational systems
Types and uses of data
All are correct
Data inventories are almost always created and maintained by the legal function within an organization.
True
False
False
Which of the following is a potential tool for keeping a data inventory up to date? Select all that apply.
A privacy impact assessment
GRC software
Spreadsheets and manual processes
An internally developed system
All answers are correct except A privacy impact assessment
Which of the following is an assessment that measures how closely an organization’s practices align with its legal obligations and stated practices?
Privacy assessment
Privacy impact assessment
Data protection impact assessment
Physical assessment
Privacy assessment
A privacy impact assessment can help facilitate privacy by design.
True
False
True
Ideally, when should a PIA be conducted? Select all that apply
Prior to deployment of a project, product or service that involves the collection of PI
Directly following the deployment of a project, product or service to ensure that privacy considerations have been addressed
When there are new or revised industry standards, organizational policies, or laws and regulations
When the organization makes changes to methods in which PI is handled that create new privacy risks
All answers are correct except Directly following the deployment of a project, product or service to ensure that privacy considerations have been addressed.
Which of the following are methods for assessing vendors? Select all that apply.
Privacy and security questionnaires
Privacy impact assessments
Checklists
Audits
All answers are correct except Audits.
__’s main focus is the control of information, while __ focuses on the information itself and the people represented by the information.
security; privacy
Information security builds on __ to identify risk, take measures to mitigate risk, and track and evaluate risk.
risk management practices