Study Cards Flashcards
Privacy program management is the structured approach of
combining several projects into a framework and life cycle to protect PI and individuals’ rights.
The privacy operational life cycle involves four phases:
assess, protect, sustain and respond.
The assess phase involves comparing the program to
industry best practices, corporate privacy policies, applicable laws and regulations and the organization’s privacy framework.
The protect phase embeds privacy principles and information security management practices to
address, define and establish privacy practices.
The sustain phase provides
monitoring, auditing and communication aspects of the management framework.
The respond phase involves the principles of
information requests, legal compliance, incident response planning and incident handling, as well as accountability for data collected.
Privacy program managers and teams are responsible for
compliance, accountability and alignment with organizational strategy.
Accountability is the most important aspect of privacy program management. Privacy program managers are accountable for
safekeeping and responsible use of personal information.
While _ with applicable laws and regulations is a key motivator for having a privacy program, it is not the only purpose of a program.
compliance
Other important reasons to institute a privacy program are
meeting expectations of business clients and partners, and safeguarding data against attacks and threats.
A successful privacy program integrates __ into functional areas across the organization.
privacy requirements and representation
Examples of organizational areas that typically have specific privacy concerns include:
HR, marketing and business development, finance, information security, IT, and legal and compliance functions.
What business function is most likely responsible for determining which employees may access subscribers’ sensitive PI?
Information security
Privacy governance refers to
components guiding a privacy function toward compliance with laws and regulations, and enabling it to support the organization’s broader business goals
Privacy governance supports the organization’s broader business goals, which are:
- Creating a privacy vision and mission statement
- Defining program scope
- Selecting a privacy framework
- Developing a privacy strategy
- Structuring the privacy team
There is no standard organizational structure for privacy across organizations. When determining where privacy will sit in the organization, you may wish to consider
which department has the most influence; has global scope; is the best-funded; best executes enterprise projects; and/or is the strongest supporter of privacy.
While strategies provide the why (why privacy is important), privacy program frameworks provide the what (what form the program will take), in the form of
implementation roadmaps that guide teams and prompt for the details to determine privacy-relevant decisions for the organization.
Common privacy program frameworks include principles and standards such as __, OECD guidelines, GAPP, CSA, the APEC Privacy Framework, ETSI, and ISO; laws, regulations and programs such as PIPEDA and APPs, __, HIPAA, CNIL, and BCRs; and privacy program management solutions such as __, NIST, and WebTrust.
FIPs; GDPR; PbD
The privacy policy life cycle phases involve:
- Drafting inward-facing policies that are practical, simple and easy to understand
- Getting approval from decision-makers and stakeholders
- Disseminating and socializing policies to all employees
- Training employees and enforcing policies
- Reviewing and revising policies regularly
The privacy governance models are
centralized, localized/decentralized, or hybrid (a combination of both).
In the centralized model,
one team or person is responsible for privacy-related affairs.
In the local/decentralized model, decision-making is delegated to
lower levels of the organization, allowing decisions and information to flow from bottom to top.
The hybrid model combines the centralized and local models and is
most common when a large organization makes an individual or team responsible for privacy-related affairs for the rest of the organization.
The DPO position is a professional role with many responsibilities. Examples of the skills a DPO needs include:
- Experience assessing risk and best practice mitigation
- Knowledge of relevant laws and regulations
- Interpersonal flexibility; effective communication with business functions
- Project management and ability to manage own professional development
- Ability to fulfill the role autonomously
- Ability to handle requests/complaints and train others to help data subjects
- Credibility/no conflicts of interest
Getting buy-in for a privacy strategy may mean changing an organization’s mindset. Recommendations include __; __; and __
building relationships and finding advocates;
pitching privacy;
creating steering groups of stakeholders.
Once your privacy program has been established, you must
create awareness of the program both internally and externally.
Some organizations use a RACI matrix, a tool used to embed responsibilities and identify:
Who is Responsible
Who is Accountable
Who needs to be Consulted
Who needs to be Informed
Key functional areas help create and enforce the privacy program on an ongoing basis. Examples of these areas include:
marketing, learning and development, communications, IT and procurement.
Auditing and analyzing a governance structure’s performance is essential to its success. The __ and __ functions review and analyze operations across all departments and communicate their results.
internal audit (IA) and risk management
__ typically reports to an audit committee, helping to ensure it remains unbiased.
Internal audit
__ ensures business and regulatory requirements are met through detailed analysis.
Risk management
Some organizations use __ to help achieve compliance. Solutions may relate to areas such as assessment management, data mapping, deidentification and incident response.
privacy tech vendors
Privacy technology is experiencing rapid growth. Reasons for this include the emergence of
comprehensive data protection laws and privacy regulations along with strict requirements and significant fines for noncompliance under many privacy laws, such as the GDPR. Another factor is __
growing consumer awareness of data breaches and increasing demands that organizations protect their information.
The chief privacy officer for a telecommunications company wants to revise its privacy mission statement. What steps would be involved in this process? Select all that apply.
1. Evaluating the intended objective
2. Acquiring knowledge on privacy approaches
3. Gaining executive sponsor approval
4. Communicating the organization’s privacy stance to all stakeholders
5. Monitoring compliance with the company’s privacy policies
All except 5
In differentiating between a privacy strategy and a privacy framework, how can strategy be defined?
1. As the why
2. As the what
As the why
True or false? A law or regulation may constitute a privacy framework.
True
What type of privacy governance model is defined by a one-team or one-person approach?
Localized/decentralized
Centralized
Hybrid
Centralized
True or false? The privacy team should always comprise more than one person.
False
Which business function ensures business and regulatory requirements are met through detailed market, credit, trade and counterparty analysis?
Internal audit
Procurement
Learning and development
Risk management
Risk management
What is the most important aspect of privacy program management?
Vendor management
Audits
Data mapping
Accountability
Accountability
True or false? Regulatory compliance is often the primary motivation for organizations to develop a privacy program.
True
A privacy program should integrate privacy requirements and representation into which of the following functional areas? Select all that apply.
Human resources
Marketing and business development
Finance
Information security
IT
Legal and compliance
All are correct
Customer service employees for a health insurance company are granted access to subscribers’ sensitive PI to help with questions about coverage and billing. What business function is most likely responsible for determining which employees may access subscribers’ sensitive PI?
Human resources
IT
Information security
Legal
Information security
Which of the following is NOT a phase of the privacy operational life cycle?
Sustain
Respond
Consider
Assess
Consider
Under GDPR, data subjects can:
Withdraw consent
Request a copy of their personal data or have it deleted
“Freeze” processing of their personal data
Object to automated decision-making
Under GDPR, organizations must:
Implement PbD and privacy by default
Provide notice to process personal data
Provide notification of breaches (sometimes)
Conduct DPIAs (sometimes)
Consult regulators before processing (sometimes)
Follow rules for processing children’s data
Ensure compliance of data transfers
Take responsibility for vendor processing
Maintain appropriate data security
Keep records and demonstrate compliance
Appoint a DPO
Under GDPR, regulators may:
Ask for records of compliance (register of processing activities, DPIAs, documentation, risk-analysis)
Impose temporary data processing bans, and require data breach notification
Order erasure of personal data
Suspend international data flows
Enforce penalties up to €20 million or 4 percent of total annual revenue
Under LGPD, data subjects can:
Confirm the existence of processing
Access their data
Correct incomplete, inaccurate or out-of-date data
Anonymize, block or delete unnecessary or excessive data or data processing in violation of the law
Export data to another service or product provider
Delete personal data processed pursuant to consent
Obtain information about entities with which data is shared
Obtain information about denying consent
Review decisions made solely based on automated processing
Oppose non-consent-based processing when in violation of the law
Under LGPD, organizations must:
Implement privacy-by-design and -default processes
Develop incident response and remediation plans
Maintain appropriate data security
Notify data subjects and regulators of data breaches
Follow special rules for directly processing children’s data
Provide notice of intention to process PI
Appoint a data protection officer (for controllers)
Take responsibility for processing activities of third-party vendors
Create personal data protection impact report (RIPD)
Ensure adequacy or appropriate safeguards for data transfers
Keep records (in most circumstances) and demonstrate compliance
Comply with international data transfer requirements
Under LGPD, regulators may:
Ask for records of compliance
Apply sanctions, e.g., warnings and corrective measures, publicizing the infraction, suspension or prohibition of processing activities
Enforce penalties up to 2 percent of a company’s annual revenue in Brazil to a maximum of 50 million reais per infraction
The privacy team needs to work with regulators to understand:
- Fines and penalties for noncompliance
- The scope and authority of regulators and oversight agencies
- Recent or upcoming changes in privacy law
These organizational changes affect privacy-related legal obligations:
New processes
Acquisitions
Outsourcing agreements
Divestitures
Discontinued products and services
New products and services
Different regions’ laws may be similar to, or vastly different from, one another, so some organizations __
create a roadmap or crosswalk to determine where legal requirements overlap.
Fair Information Practices (FIPs) appear in various forms and applications. The __
are perhaps the most widely recognized framework for FIPs, defining purpose specification,
openness, individual participation, collection limitation, use limitation, security safeguards, data quality and accountability
OECD Guidelines
Under the California Consumer Privacy Act, consumers have:
- The right to know what PI a business collects about them and how it is used and shared;
- The right to delete PI collected from them (with some exceptions);
- The right to opt out of the sale of their PI; and
- The right to non-discrimination for exercising their rights under the CCPA.
Under the CCPA, businesses must:
- Provide a CCPA-compliant privacy policy or certain notices to consumers per the CCPA/CPRA privacy policy requirements [compliant privacy notice]
- Provide disclosures to consumers, such as categories of PI collected, purpose for collection, description of consumers’ rights [disclose their rights and how categories of data are used]
- Provide methods for submitting requests to know and to delete, and have a process to verify the identity of consumers attempting to exercise their rights [way to know and delete, verify ID]
- Respond to consumer requests in a timely manner
- Provide two or more methods for submitting requests to opt out, including a clear and conspicuous “Do Not Sell My Personal Information” link on the website to make it easy for consumers to [opt out] of the sale of their PI
The CPRA amends and expands upon the CCPA in several ways, including:
Requiring the establishment of an enforcement agency, the California Privacy Protection Agency
Allowing consumers to opt out of PI sales and sharing
Allowing consumers to correct inaccurate PI that a business has about them
Giving consumers the right to limit use and disclosure of sensitive PI.
International data transfers can be complex because you need to
comply with relevant laws across jurisdictions, and there must be a legal basis for transferring the data.
Several mechanisms allow organizations to transfer data internationally, including:
adequacy decisions; appropriate safeguards (standard contractual clauses, codes of conduct or self-certification mechanisms, ad hoc contractual clauses, international agreements and binding corporate rules); and derogations.
Which are common elements of privacy-related legislation across jurisdictions? Select all that apply.
Requirements for ensuring individual rights
Security obligations
Processor obligations
FIPs
All answers are correct except Processor obligations
Privacy and data protection regulators have the right to impose penalties for
noncompliance, including fines.
True
False
True
What can controllers and processors do to avoid incurring penalties from regulators for noncompliance with the GDPR? Select all that apply.
Know which regulators oversee which processing activities within the organization
Ensure regulators receive notification of data breaches under some circumstances
Know when legal obligations change due to changes in the organization
Conduct data protection impact assessments whenever personal data is being processed
All answers are correct except Conduct data protection impact assessments whenever personal data is being processed
Using a valid mechanism for transferring PI internationally, such as binding corporate rules, allows for the legal processing of that data.
True
False
False
Which international data transfer mechanism is used to demonstrate to regulators and consumers that a company adheres to certain information privacy standards?
Binding corporate rules
Standard contractual clauses
Adequacy decisions
Codes of conduct
Codes of conduct
A general good practice is to adjust the privacy program to the most stringent legal requirements to which personal data processing is subject.
True
False
True
A __ is a complete record of all the PI your organization stores, uses and processes.
data inventory, or data map
_ can be used as a precursor to regulatory compliance and risk analysis; to assess data, systems and processes; and to inform data assessments, priorities, data life cycle management and data classification.
Data inventories
It should demonstrate data flows and classification, create a record of the authority of systems processing personal information and analyze data types/uses
To create a comprehensive inventory of all PI being processed, an organization should determine
who creates the data inventory, which departments hold/use PI, and what questions should be asked.
__ may be organized around the data life cycle, considering the collection, usage, storage, archiving and destruction of PI.
Intake questions
Conducting a __ helps determine what compliance efforts are in place, areas that need improvement, and where additional controls must be developed.
gap analysis
It involves identifying gaps between standards and laws an organization is subject to and the organization’s current compliance efforts. Many laws overlap, so be sure to involve your Legal team in the process.
A __ measures an organization’s compliance with laws, regulations, adopted standards and internal policies/procedures. It may involve the use of subjective standards (such as employee interviews) and/or objective standards (such as information system logs).
privacy assessment
A __ is an analysis that assesses privacy risks associated with processing PI in relation to a project, product or service. Requirements around them may be mandated by industry, organizational policy, and laws and regulations.
privacy impact assessment
Triggers for conducting a __ include preparing for the deployment of a project, product or service that involves the collection of PI; new or revised industry standards, organizational policies, or laws and regulations; and organizational changes to methods in which PI is handled.
PIA
A __ has specific triggers and requirements under the GDPR and LGPD. They are intended to help incorporate privacy considerations into organizational planning and demonstrate GDPR compliance
data protection privacy impact assessment, DPIA
Triggers for conducting __ include processing that is “likely to result in a high risk to the rights and freedoms of natural persons” (GDPR Article 35) and the use of new technologies
DPIAs
DPIAs should include:
a description of the processing, including its purpose, and including, where applicable, the legitimate interest being pursued;
the necessity of the processing, its proportionality and the risks that it poses to data subjects;
and measures to address the risks identified.
__ is a self-assessment tool for ensuring functions outside the privacy team are held accountable for privacy-related responsibilities. Once the privacy responsibilities of each department are documented, the departments may be asked specific questions about each responsibility
Attestation
Mergers, acquisitions and divestitures should include a privacy checkpoint that evaluates:
new compliance requirements;
existing client agreements;
new resources, technologies and processes;
and applicable laws and standards.
Vendor assessment is the evaluation of a vendor for
privacy and information security policies,
access controls,
where the personal information will be held,
and who has access to it
__, and other checklists, can be used to
assess vendor risk
Privacy or security questionnaires, and privacy impact assessments
Any technology that is new to an organization, even those that are ubiquitous elsewhere, requires
an assessment
Assessing cloud computing vendors before procuring them can be challenging. Specific areas to focus on during a selection assessment of a cloud service provider include
certifications and standards, technologies, service road map, data management, information security, subcontractors and service dependencies, and data policies and protection.
Which of the following is a common function of a data inventory? Select all that apply.
Assesses data, systems and processes
Informs data assessments
Informs data classification
Measures compliance with laws, regulations, standards and internal policies
All answers are correct except Measures compliance with laws, regulations, standards and internal policies
Which of the following elements may be found in a data inventory? Select all that apply.
Data flows
Classification of data
Record of authority of organizational systems
Types and uses of data
All are correct
Data inventories are almost always created and maintained by the legal function within an organization.
True
False
False
Which of the following is a potential tool for keeping a data inventory up to date? Select all that apply.
A privacy impact assessment
GRC software
Spreadsheets and manual processes
An internally developed system
All answers are correct except A privacy impact assessment
Which of the following is an assessment that measures how closely an organization’s practices align with its legal obligations and stated practices?
Privacy assessment
Privacy impact assessment
Data protection impact assessment
Physical assessment
Privacy assessment
A privacy impact assessment can help facilitate privacy by design.
True
False
True
Ideally, when should a PIA be conducted? Select all that apply
Prior to deployment of a project, product or service that involves the collection of PI
Directly following the deployment of a project, product or service to ensure that privacy considerations have been addressed
When there are new or revised industry standards, organizational policies, or laws and regulations
When the organization makes changes to methods in which PI is handled that create new privacy risks
All answers are correct except Directly following the deployment of a project, product or service to ensure that privacy considerations have been addressed.
Which of the following are methods for assessing vendors? Select all that apply.
Privacy and security questionnaires
Privacy impact assessments
Checklists
Audits
All answers are correct except Audits.
__’s main focus is the control of information, while __ focuses on the information itself and the people represented by the information.
security; privacy
Information security builds on __ to identify risk, take measures to mitigate risk, and track and evaluate risk.
risk management practices
The existence of __ does not mean that data is not secure
risk
Information security provides different kinds of controls to manage risk. Controls can be
administrative, physical or technical controls.
Controls are also divided into different categories based on their objective: __ controls to prevent an incident from occurring; __ controls to identify and characterize an incident that has occurred or is in progress; and __ controls to limit the extent of any damage caused by an incident.
preventive; detective; corrective
ISO/IEC 27701 is considered the first mainstream global privacy management standard. It defines processes and
provides guidance for protecting PI on an ongoing basis
and specifies the requirements for establishing, implementing, maintaining and improving a privacy-specific information security management system.
__ are non-technical privacy control measures established by management (for example, policies and procedures). They may derive from laws and regulations, self-regulatory regimes, industry practices, and corporate ethics and policies. They are dictated by policies, which in turn establish what mechanism or process must be implemented to ensure the control is enabled.
Administrative controls
__ govern who has the right to access specific information and may involve approaches from administrative, physical and technical control categories.
Access controls
__ for managing user access can help ensure that only those who absolutely need access to certain information have it. These controls rely on basic security principles like need-to-know or -access and segregation of duties. They also involve __ management, which uses strategies such as unique user IDs and password management
Role-based controls and guidelines; user access
__ offer ways to protect personal information. Examples are obfuscation, data minimization, common security practices and privacy-enhancing technologies.
Technical privacy controls
__ embeds privacy into the design of technology, systems and practices to help ensure the existence of privacy from the outset.
Privacy by design (PbD)
Privacy by design is based on seven foundational principles:
1. Proactive, not reactive; preventative, not remedial
2. Privacy as the default
3. Privacy embedded into design
4. Full functionality—positive-sum, not zero-sum
5. End-to-end security—life cycle protection
6. Visibility and transparency
7. Respect for user privacy
__ is called out in __, with requirements and consequences for noncompliance. Its goal is to build information privacy into the design process and protect privacy by default.
Data protection by design and default; GDPR
Several __ can be used individually or in combination to analyze risk. Models include
compliance;
Fair Information Practice Principles (FIPPs)-based;
and Factor Analysis of Information Risk (FAIR).
privacy risk models and frameworks
__ include Risk Management Framework; Cybersecurity Framework; Privacy Framework; and NICE Framework.
NIST (National Institute of Standards and Technology) frameworks, at the Department of Commerce
Two major groups of privacy design strategies for applying PbD are __ and __.
[1] strategies are based on an organization’s commitment to processing PI in a privacy-friendly way;
[2] strategies focus on technical ways to process data that maximize privacy.
process-oriented and data-oriented
Security focuses on information and the people represented by that information.
True
False
False
Which of the following is an example of a process-oriented privacy design strategy?
Demonstrating compliance with policies and processes
Separating the processing of data, either logically or physically
Abstracting data to limit the amount of detail in the data
Hiding data in ways that make it unconnectable or unobservable to others
Demonstrating compliance with policies and processes
What type of security control may rely on segregation of duties?
Cryptography
Physical and environmental security
Access control
Systems acquisition, development and maintenance
Access control
A scorecard of risk factors may assist an organization in doing what?
Evaluating security controls
Writing information security policies
Identifying risk
Determining the business purpose for processing personal information
Evaluating security controls
A key difference between the U.S. and EU concepts of invasion of privacy is based on whether the invasion caused actual harm to the individual.
True
False
True
Which of the following is an administrative control?
Responding to data subject access requests within one week of reception
Automatically aggregating personal information to render it anonymous
Using a vendor to encrypt outgoing email messages
Using a platform to mask sensitive information from users who do not need it
Responding to data subject access requests within one week of reception
Data processing principles, such as those found in the GDPR, may be used to successfully implement privacy by design.
True
False
True
A __ is an external communication made to an individual, customer or data subject that
describes how the organization collects, uses, shares, retains and discloses their PI.
In contrast, a __ is generally an internal document that is addressed to employees, stating how PI is going to be handled.
privacy notice; privacy policy
An organization’s privacy policy should be:
clear and easy to understand, accessible to all employees, comprehensive yet concise, action-oriented, and measurable and testable.
Common types of __ include those for acceptable use, information security, procurement, HR, and data retention and destruction.
privacy policies
Common goals of internal information security policies include
protecting against unauthorized access;
providing stakeholders with information efficiently, while maintaining confidentiality, integrity and availability;
promoting compliance with laws, regulations, standards and other organizational policies;
promoting data quality.
Vendors should be held to the same privacy standards as the organization they serve. When engaging vendors, remember to:
create a policy that outlines selection and logistics; identify vendors and their legal obligations; evaluate risk, policies and server locations; develop a thorough contract; and monitor vendors’ practices and performance
Vendors that provide cloud computing services may pose distinct privacy challenges. Therefore, a cloud computing acceptable use policy should:
maintain compliance; require that agreements be approved by leadership; maintain data privacy and security; and mitigate risks of using cloud-based services
HR handles diverse employee personal information and typically has policies to guide processing.
Concerns can be addressed through several types of HR policies, including those related to
communications, hiring and reviews, and financial information.
__ should support the idea that PI should only be retained for as long as necessary to perform its stated purpose. Triggers and methods should be documented and followed consistently, and align with laws, regulations and standards.
Data retention and destruction policies
Approaches for enabling employees to integrate privacy policies into daily tasks include:
aligning policies with existing business procedures such as HR functions, procurement and contract management, and risk management;
training employees using tools like classes or simulations;
and raising awareness through activities like Data Privacy Day and lunch-and-learn sessions.
Once you have created and launched privacy-related policies, __.
ensure they are regularly audited and enforced.
Policies should be testable and evidence should be readily available. Enforcement should include clear and consistent consequences. Consider whether an independent internal auditor may aid your organization’s ongoing auditing process.
A marketing team works with their legal department to create an external communication to customers that describes how their personal information is going to be handled. What is this communication?
A privacy notice
A privacy policy
An information security policy
A data retention and destruction policy
A privacy notice
How may an organization enable employees to integrate privacy policies into their daily tasks? Select all that apply.
Align policies with existing business procedures
Raise awareness
Train employees
Audit and enforce privacy policies
All responses are correct except Audit and enforce privacy policies
What is the purpose of an acceptable use policy?
Providing instructions to employees, students, guests, etc. for easily accessing the organization’s network or internet connection
Stipulating rules and constraints for people within and outside the organization who access the network or internet connection
Evaluating risks associated with using vendors for processing personal information
Stipulating events that may trigger the necessary processing of personal information outside the organization’s originally stated purpose
Stipulating rules and constraints for people within and outside the organization who access the network or internet connection
Which of the following are some of the common purposes of internal information security policies?
Select all that apply.
Protecting against unauthorized access
Providing stakeholders with information efficiently, while maintaining confidentiality, integrity and availability
Promoting data quality
Specifying detailed steps for HR hiring practices
All responses are correct except Specifying detailed steps for HR hiring practices
Laws and regulations may include data retention requirements.
True
False
True
A _ provides data that helps to answer specific questions about business operations.
metric
An organization should develop generic _ _ to reflect data privacy compliance, data-driven decisions and the overall impact of the privacy program.
privacy metrics
Metrics have primary, secondary, and tertiary audiences. Differences between the audiences are based on
interest level, influence, ownership and responsibility of privacy within the business objectives.
Typical members of a _ audience include the legal and privacy officers, senior leadership, CIOs, CSOs, PMs, information system owners and CISOs.
primary
_ audience members include the CFO, training organizations, HR, IGs and HIPAA security officials.
secondary
The _ audience includes external watchdog groups, sponsors and stockholders.
tertiary
A metric owner is responsible for managing the metric throughout its life cycle. Responsibilities include:
knowing what is critical about the metric and how it fits into business objectives
monitoring performance with the metric
updating process documentation (including the metric’s definition)
performing regular reviews
and incorporating improvements into the process.
Four common ways to analyze privacy program metrics are:
trend analysis, return on investment (or ROI), business resiliency and program maturity.
_ _ provides quantitative measurement for the costs, benefits, strengths and weaknesses of an organization’s privacy controls in order to maximize the benefits of investments that prevent loss.
ROI analysis
Organizations can monitor privacy programs to track
compliance and risk,
organizational alignment with regulatory and legislative changes,
and vulnerabilities in the internal and external environments.
Tracking compliance and risk involves reviewing the _ of personal information throughout its life cycle.
collection, use, and retention
_ is often done using publications and/or external vendors.
Tracking regulatory and legislative changes
Tracking environmental vulnerabilities involves
monitoring internal and external threats, including building access, data access and authentication, and lack of awareness or training
Forms of privacy program performance monitoring include:
- Active scanning tools, such as data loss prevention (DLP) network tools
- Audit activities
- Breach monitoring, detection and notification
- Complaint monitoring
- Data retention/records management strategies
- Dashboards
- Control-based monitoring
- HR practices, such as hiring and termination
- Monitoring data
- Monitoring building access/use
- Monitoring internal and external conditions
- Regulation-based monitoring
Audit involves:
monitoring and measuring privacy practices to comply with laws, regulations, consent orders and industry practices.
Audits should answer two questions:
1) Do the privacy operations do what they were designed to do?
2) Are data privacy controls correctly managed?
Privacy program audits typically fall into one of three categories:
first party, second party or third party.
First-party audits are performed by internal employees. They are self-assessments used to
evaluate risk management culture;
identify privacy risk factors;
and evaluate control design and implementation.
_, often known as “supplier audits,” typically involve the organization auditing existing suppliers or subcontractors.
Second-party audits
Third-party audits are required under consent decree or by a regulator. They are conducted by independent outside sources. They provide a formal record of
what was audited and when,
insight into areas that comply/do not comply,
details to support findings
and suggested corrective actions.
External watchdog groups, sponsors and stockholders typically make up which audience for privacy program metrics?
Primary
Secondary
Tertiary
None of the above
Tertiary
Which of the following is NOT typically a responsibility of a privacy metric owner?
Tracking the costs of analyzing data for the metric on an organization’s profit and loss statement
Ensuring improvements are incorporated and maintained in the process
Scheduling regular reviews to determine if the metric is still required, capable of meeting goals and providing value to the organization
Understanding how the metric fits into the organization’s business objectives
Tracking the costs of analyzing data for the metric on an organization’s profit and loss statement
A privacy officer is trying to make the case to his CFO to invest more of the budget into incident prevention and preparedness. He wants to show that the likely financial gain of this investment is greater than the direct costs to the organization. Which category of metrics would be most useful to him?
Business resiliency
Program maturity
Return on investment (ROI)
Trend analysis
Return on investment (ROI)
A privacy audit should reveal whether the privacy operations do what they were designed to do and whether privacy controls are correctly managed.
True
False
True
Employing dashboards, active scanning tools, and data retention and records management strategies are all ways to do what?
Monitor privacy program performance
Ensure an organization minimizes the processing of personal data
Increase information security
Provide resolutions to privacy-related complaints
Monitor privacy program performance
Which category of audits may align to an ISO standard, NIST special publication or other industry framework?
First-party audits
Supplier audits
Third-party audits
Data protection commissioner audits
Third-party audits
Which of the following is a valid reason for an organization to conduct a privacy audit?
It has expanded its industry base
It has made staffing cutbacks and shifted its business priorities
There has been a confirmed security incident
All of the above
All of the above
The privacy officer for a corporation is analyzing trends on a series of privacy program metrics. She notices a conspicuous absence of privacy incidents in the past two years and wants to include this in her reporting. This information is known as a(n):
Time series
Uncertainty variable
Irregular component
Cyclical component
Irregular component
Potential consequences of inadequate privacy training and awareness programs include:
noncompliance with laws and regulations
personal information being handled in ways that differ from organizational policy
and reputational harm or damage to relationships with customers.
_ communicates an organization’s privacy message, policies and processes, and motivates individuals to retain and follow that information. It incorporates measurable outputs and outcomes via attendance and assessment metrics. In contrast, _ activities reinforce lessons learned in training through diverse methods.
Training; awareness
Method and delivery options for privacy training programs include:
in-person or virtual instruction;
self-led e-learning modules;
simulations;
and just-in-time information.
Method and delivery options for awareness efforts include:
newsletters with privacy topics; email reminders; company intranet announcements; posters, signage and stickers; blog posts; internal messages when the organization has a data breach; meetings; Data Privacy Day; and Privacy Awareness Week.
Privacy training should include
anyone who handles personal information on behalf of the organization.
To ensure ongoing awareness, the privacy team and other relevant departments can take the following operational actions:
develop and use internal and external communication plans;
communicate information about the organization’s privacy program;
ensure policy flexibility for incorporating changes to compliance requirements;
and identify, catalog and maintain documents requiring updates as privacy requirements change.
The following high-level steps may be used to create a privacy training program:
- Ensure a privacy policy exists and is up to date
- Ensure employees are trained on the policy
- Ensure training records exist
- Use metrics to measure results
- Update the training based on feedback and changes to compliance obligations
- Reinforce learning with awareness activities
Considerations for creating a successful training program include:
partnering with the training department/HR; making it fun and customized to participants; using motivators like digital badges; ensuring all new employees are trained; ensuring repeat training is provided as needed; and soliciting feedback.
Establishing a privacy training program can help your organization think about privacy and meet obligations to protect personal information in ways such as:
- Establishing a common understanding of privacy
- Reducing human error
- Considering privacy up front
- Improving customer interactions
- Expanding the privacy office’s eyes and ears
- Changing conversations
Some common mistakes privacy professionals can make regarding privacy training and awareness include:
- Not covering the basics
- Not giving employees proper rules for handling and processing personal data, e.g., acceptable use policies (AUP)
- Assuming everyone is as conscientious about privacy issues and current topics as privacy professionals are
- Thinking one communication channel is sufficient; some concepts must be explained in multiple ways and repeated several times
- Not effectively using a past incident as a learning opportunity
What should privacy training and awareness programs do? Select all that apply.
Communicate privacy policies
Communicate processes and procedures, such as for data usage and retention, access control and incident reporting
Motivate and incentivize participants to follow privacy policies and procedures
Use measures, such as attendance and assessments
All responses are correct
An organization should be responsible to train whom on privacy? Select all that apply.
A member of the customer service team
A receptionist
A customer
A driver responsible for business waste disposal
All except a customer
Which of the following qualifies as an awareness method?
A company intranet announcement
A series of self-led e-learning modules
Just-in-time information presented online or via a manual, tip sheet or infographic
A company intranet announcement
Which strategy could be used to motivate a team and help them remember the training materials?
A competitive simulation game that tests knowledge and skills gained from the training
A dashboard that shows members of the team who have completed the training
Metrics showing results (e.g., finding increased compliance with a data destruction policy after training)
A competitive simulation game that tests knowledge and skills gained from the training
A _ is the privacy information that you make available or provide to individuals when you collect information about them.
privacy notice
Privacy notices have multiple purposes, including
compliance;
processing personal information fairly and transparently;
making information accessible regarding how personal information is used;
meeting individuals’ expectations;
and building trust and confidence.
A privacy notice typically explains:
- Who the organization is
- What information it collects
- How it will use the information
- With whom it will share the information
- Whether information is collected directly or indirectly
- What are likely future uses of the information
Strategies to keep privacy notices accessible to customers or external stakeholders include using a _ (short notice with key information and links); _ (appears at the time of data input and provides additional information); _ (shows different processing types using a clear design and icon/symbol key); and _ (easily navigated summary of privacy information and metrics).
layered approach
just-in-time notice
icons/symbols
privacy dashboards
Privacy notices inform individuals of an organization’s privacy practices, but do not _. Consent is required by law in many, but not all, cases and may not be the only reliable basis for processing personal information.
solicit or imply consent
An organization’s procedures around withdrawal of consent may address
when and how consent may be withdrawn,
rules for communicating with individuals,
methods for withdrawing consent,
and documentation of requests and actions taken.
There are several areas to consider when tailoring privacy notices to children and ensuring parental consent for children under the age threshold:
- Compliance: some laws specify rules for providing privacy notice to children and obtaining parental consent
- Language and delivery: present privacy in ways children can understand
- Age: laws and regulations may establish an age threshold for consent
- Purpose of processing: some purposes may trigger certain rules, like prohibiting the tracking of children for behavioral advertising
Laws and regulations may require an organization to allow individuals the ability to _ —and information about its processing—upon request. Information must be provided completely, in a timely manner, without charge, and in the same form the request was made. There may be limits to this right, like protections for the rights and freedoms of others.
access and correct their personal information
Many countries have data privacy laws stipulating how organizations in their jurisdiction must respond to data subject requests. Given the requirements of various global privacy laws, it is critical for organizations to _
have robust policies related to data subject rights and be able to respond in a timely manner
_ affect organizations within and outside the EU, given the broad scope of the GDPR.
EU-specific data subject rights
Data portability is a right under the GDPR that applies in cases of processing based on consent or contractual necessity. It means that
personal data must be transferrable from an organization in a format that is structured, commonly used and machine-readable.
Under the GDPR, individuals have the right to _ in certain circumstances—for example, if they withdraw consent.
request erasure of their personal data
Erasure entails both _. Controllers must also ensure third parties erase personal data.
ceasing processing and deleting data
Erasure has been broadened to include _, which applies when personal data has been made public by the organization.
the right to be forgotten
Internal procedures for handling privacy-related complaints should define and enable
mechanisms for:
- Differentiating between sources and types of complaints
- Designating proper recipients
- Implementing a centralized intake process
- Tracking the process
- Reporting and documenting resolutions
- Redress
Departments and roles designated with receiving complaints should be _ through dedicated phone numbers, email addresses and/or physical addresses.
easy to reach
A privacy notice typically explains what? Select all that apply.
How personal information will be destroyed
How personal information will be stored
With whom personal information will be shared
What information will be collected
With whom personal information will be shared; what information will be collected
The chief privacy officer of a technology company has revised its privacy notice for users who download the company’s applications onto their smartphones. The notice needs to be easily accessible to users so they can refer to it when desired. What is an appropriate solution to this design challenge?
Layered approach
Privacy dashboard
Icons/symbols
Just-in-time notice
Privacy dashboard
What may an organization’s procedures address regarding requests for withdrawal of consent? Select all that apply.
When and how consent may be withdrawn
Rules for communicating with individuals
Methods for withdrawing consent
Documentation of requests and actions taken
All of them
Upon request from an individual, an organization must always provide access to their personal information and information about the processing performed upon it.
True
False
False
Under the EU’s General Data Protection Regulation, erasure entails not only deleting personal data but also informing regulators once the personal data has been deleted.
True
False
False
Internal procedures for handling privacy-related complaints should implement a centralized intake process.
True
False
True
A _ compromises the confidentiality, integrity or availability of data and may not require notification. A _ results in the confirmed disclosure of data to an unauthorized party and requires external notification.
incident; breach
Only the _ or _ should declare a breach.
privacy office; legal office
Data breach risks to organizations include:
loss of revenue, legal and regulatory costs, loss of business, loss of consumer trust, impact on business relationships and damage to public perception
Data breach risks to individuals include:
emotional distress, identity theft, personal reputational harm and financial damage
The top cause of data breaches is _, which may involve malware, hacking or phishing attempts. Other common causes are device loss or theft and unintended disclosure of information.
malicious or criminal attacks
An organization must determine _ associated with collected data and _ affected individuals
who is liable for harm; who should notify
While prevention focuses on ways to stop an incident or breach from occurring, _ focuses on measures for optimally responding to one.
preparedness
_ are vital in preparing for an incident. All employees should have a basic understanding of security procedures and how to report a suspected incident.
Training and awareness
A common incident preparedness training activity is _, a structured, readiness-testing simulation involving members of multiple departments.
the tabletop exercise
_ is a key step in incident preparation. The organization must determine who will lead the plan creation, gather information, and develop processes and procedures.
Creating a formal incident response plan
There is no _, and an organization must consider how it will classify an event as a privacy incident or a breach.
one definitive way to detect a breach
Some breach response tasks may happen in parallel. It can be helpful to think about them in these categories:
securing your operations, notifying appropriate parties and fixing vulnerabilities
Securing operations involves _ immediately to prevent further loss.
mobilizing the breach response team
After ensuring a breach is contained, organizations should begin _
analyzing vulnerabilities and addressing third parties that might have been involved
Internally, response teams must _ to executives, so that executives know they are being kept as informed as possible.
manage expectations around communications
When communicating news of a breach, it is important to coordinate efforts across steps and keep messages consistent in all communications. Messaging should be consistent for several reasons, including
to help avoid issues with legal liability and a loss of trust and consumer confidence.
Internal and external announcements should be delivered
around the same time to avoid leaks, align messaging and demonstrate transparency.
At minimum, internal communications to employees about a breach should convey the following:
information that may affect how they do their jobs; what to keep confidential or internal; and the designated press contact.
Where there is _, notification may not be desirable. Factors to consider include
no legal obligation to notify;
the nature of the data elements breached, number of individuals affected and whether the breach is likely to lead to harm.
Breach investigation is a subset of breach response and occurs once _.
breach investigators conclude that sensitive information has been compromised
Breach investigators can:
capture forensic images of affected systems, collect and analyze evidence, and outline remediation steps.
Breach reporting obligations for legal compliance vary by jurisdiction, but tend to adhere to certain principles, including
preventing harm, collection limitation, accountability, monitoring and enforcement, and mandatory reporting.
The major categories of costs for a data breach are
legal, first-party, remediation and intangible costs.
Legal costs
- Punitive costs
- Victim damages
First-party costs
- Legal counsel
- Crisis management/PR
- Forensic investigators
- Call center support
- Equipment replacement and security enhancements
- Insurance
- Card replacement
- Employee training
Remediation costs
- Victim notification
- Remediation offers and oversight
Intangible costs
- Lost revenue and stock value
- Customer retention
- Opportunity costs
Cyber liability insurance may be a viable funding source for helping to offset breach response and recovery costs, such as:
Forensic investigations
Outside counsel fees
Crisis management services
PR experts
Breach notification
Call center costs
Credit monitoring
Fraud resolution services
One way to learn from a breach is to _
conduct a breach or incident response review.
Q’s for determining a breach and identifying affected data
- Was there indeed a data breach? If so, what data was exposed?
- Has the original vulnerability at the third-party vendor been resolved?
- What type(s) of data was impacted?
- Where was the data located?
- How much data was affected?
Q’s for notifying stakeholders
- Which stakeholders must be notified?
- Who else must be notified: regulators, media, AtlantiPulse customers?
- What recourse may AtlantiPulse, through One Earth, need to offer affected parties?
Q’s for following a process
- Do One Earth and AtlantiPulse have incident management processes in place?
- Is there a decision tree for notifications and actions in the event of a data breach?
Q’s for identifying vendor issues
- Was there privacy-related language in the contract with which the vendor did not comply?
- Did One Earth adequately assess AtlantiPulse’s third-party vendors during the acquisition?
- Do all existing AtlantiPulse third-party contracts include consistent privacy-related language? If not, how does One Earth bring these contracts into compliance with privacy language required by One Earth’s global privacy policy?
- Does One Earth need to terminate this vendor because of the data breach?
All breaches are incidents, but not all incidents are breaches.
True
False
True
Which of the following is a potential risk to an organization, rather than an individual, in the event of a data breach?
Regulatory fines
Emotional distress due to the release of confidential information
Personal reputational harm
Financial damage from misuse of credit/debit cards
Regulatory fines
Employee training for incident preparedness can help which of the following? Select all that apply.
Exposing gaps in applications, plans and procedures before an incident occurs
Reducing financial liability and regulatory exposure
Lowering breach-related costs, including legal counsel and consumer notification
Cultivating greater overall security for customers, partners and employees
All responses are correct
Which of the following are critical duties of an organization’s legal team in planning and responding to an incident? Select all that apply.
Limiting liability and economic consequences
Advising on response requirements
Serving as an information conduit to employees
Establishing and maintaining a consistent message
Limiting liability and economic consequences; advising on response requirements
The process of responding to a breach comprises tasks that may happen in parallel.
True
False
True
Why might an organization choose not to notify affected individuals of a data breach? Select all that apply.
There is no legal obligation
The breach impacts a small percentage of those whose data the organization holds
The affected information is unusable or unlikely to cause harm
Notification may result in fines imposed on the organization
All responses are correct except Notification may result in fines imposed on the organization
Though breach reporting obligations vary by jurisdiction, they tend to adhere to which of the following sets of principles?
Preventing harm, collection limitation, accountability, monitoring and enforcement, and mandatory reporting
Preventing harm, limiting access, storage limitations and mandatory disclosure
Preventing harm, protecting the public, accountability and transparency
Preventing harm, collection limitation, accountability, monitoring and enforcement, and mandatory reporting
Legal counsel, call center support, employee training, crisis management and PR, and forensic investigators are all examples of what?
First-party costs associated with a data breach
External costs associated with a data breach
Breach prevention measures
Elements a privacy officer must oversee during breach response
First-party costs associated with a data breach
When communicating about a breach, an organization should make internal announcements well in advance of external announcements.
True
False
False