Terms

Question 1

Accountability

Answer 1

• appropriate technical and organizational measures are in place to protect personal data

FIP

Question 2

Active Scanning Tools

Answer 2

DLP (data loss prevention) network, storage, scans and privacy tools
to identify security and privacy risks

Monitor for compliance with internal policies and procedures, block email or file transfers

Question 3

AICPA

Answer 3

American Institute of Certified Public Accountants

WebTrust

CICA - canadian

Question 4

Anonymization

Answer 4

data is altered so it can no longer be traced back to the individual

Suppression (remove some info)
Generalization (makes some values more broad)
Noise addition ( switches identifying values from one set with another)

Question 5

POLC

Answer 5

Assess, Protect, Sustain, Respond

Question 6

POLC Assess

Answer 6

First phase

provides the steps, checklists and processes to assess any gaps in the priv program compared to industry best practices, corporate privacy policies, applicable privacy laws and objective-based privacy program frameworks

Question 7

POLC Protect

Answer 7

Second phase

provides the DLC, information security practices, and PbD to ‘protect’ PI

Question 8

POLC Sustain

Answer 8

Third phase

privacy management through the monitoring, auditing and communication aspects of the management framework

Question 9

POLC Respond

Answer 9

Fourth phase

info requests
legal compliance
incident-response planning
incident handling

aim is to reduce organizational risk and bolster regulatory compliance

Question 10

Audit Life Cycle

Answer 10

Plan Preparation Conducting Reporting Follow up

Question 11

BCR

Answer 11

Binding Corporate Rules

faciliate cross border transfers of PI between various entities of a corporate group

Question 12

SCC

Answer 12

Standard Contractual Clauses

cross border transfers of PI between different corporations

Question 13

Business Case

Answer 13

Starting point for assessing the needs of the privacy organization

Defines the program needs and ways to meet specific business goals (compliance with laws, regs, ind frameworks, customer requirements)

Question 14

BCDR

Answer 14

Business Continuity and Disaster Recovery plan

risk mitigation plan to prep an org for crises and ensure critical business functions continue. Focus is to recover from disaster

Question 15

Centralized governance

Answer 15

one team or person is responsible for privacy-related affairs. everyone flows through this point

Question 16

Choice

Answer 16

Consent must be freely given and data subjects must have genuine choice to provide PI or not

GDPR requires free choice

Question 17

CIA Triad

Answer 17

Confidentiality, Integrity, Availability

Question 18

FIP

Answer 18

Access & amendment
Accountability
Authority
Minimization
Quality and integrity
Individual Participation
Purpose specification and use limitation
Security
Transparency

Question 19

Data Breach

Answer 19

unauthorized acquisition of data that compromises the security, confidentiality or integrity of PI

Question 20

Data Controller

Answer 20

person, public authority, agency or body that determines the purposes and means of the processing of personal data

Question 21

Data inventory

Answer 21

record of authority

identifies personal data as it moves across various systems

how data is shared, organized and it’s location

Question 22

DLM

Answer 22

Data Life Cycle Management (ILM)

policy-based approach to managing the flow of information through a life cycle from creation to final disposition

Enterprise objectives
minimalism
simplicity of procedures and training
adequacy of infrastructure
infomation security
authenticity and accuracy of records
retrievability
distribution controls
auditability
consistency of policies
enforcement

Question 23

DPIA

Answer 23

Data Protection Impact Asssessment

assess and identify the privacy and data protection impacts of products they offer and services they provide

Identify impact and risks and prevent or minimize the risk

GDPR requirement when there is a high risk to the rights and freedoms of persons

Question 24

Decentralized governance

Answer 24

local governance

delegation of decision-making to the lower levels of the org. Fewer tiers in the org structure, wider span of control, bottom-to-top flow

Question 25

HIPAA

Answer 25

Patients have to opt-in before info can be shared with other orgs, except for treatment, payment and healthcare operations

Question 26

Hybrid governance

Answer 26

combo of local and centralized governance strategies

large, global orgs

Assign main individual responsibility and local entities then fulfill and support the policies and directives from the central governing body

Question 27

Information Life Cycle

Answer 27

Collection to deletion

collection processing use disclosure retention destruction

Question 28

Metric Life Cycle

Answer 28

processes and methods to sustain a metric to match needs of organization

1 ID intended audience
2 Define data sources
3 Select privacy metrics
4 Collect and refine of systems/application collection points
5 analysis of the data/metrics to provide value and provide a feedback quality mechanism

Question 29

Metrics

Answer 29

facilitate decision-making and accountability thru collection, analysis and reporting of data

measurable, meaningful, clearly defined, indicate progress and answer specific question

Question 30

NIST

Answer 30

Core
Profiles
Tiers

Question 31

PbD

Answer 31

Proactive not reactive
Privacy by default
Embedded in design
Full Functionality + sum
End to End Security
Visible and transparent
Users privacy rights respected

Question 32

Privacy Champ

Answer 32

an executive who serves as the privacy program sponsor and advocates for privacy program as an org concept

Question 33

PMM

Answer 33

Privacy Maturity Model

Ad Hoc Repeatable Defined Managed Optimized

ad hoc - informal
repeatable - not fully documented, doesnt cover all aspects
defined - fully documented, covers all aspects
managed - reviews are conducted to assess effectiveness
optimized - review and feedback are used to ensure CI towards optimization

Question 34

PTA

Answer 34

Privacy Threshold Analysis
a tool used to determine if a PIA should be conducted

Question 35

PETs

Answer 35

Privacy enhancing tech

developed to be used for the transmission, storage and use of privacy data

Question 36

Strategic Management

Answer 36

the first high-level task necessary to implement proactive privacy management.

Three sub tasks:
1 define the org’s privacy vision and mission statement
2 develop privacy strategy
3 structure privacy team

Question 37

Vendor management

Answer 37

Assessment of a third-party vendor for the vendor’s privacy and information security policies, access controls, where the personal information will be held and who has access to it. Privacy/security questionnaires, privacy impact assessments and other checklists can be used to assess this risk.

Question 38

Audit Phases

Answer 38

Plan
Prepare
Audit
Report
Follow up

Question 39

Types of Audits

Answer 39

1st Party - internal
2nd - supplier
3rd - external (usually for NIST cert, etc)

Question 40

Types of Monitoring

Answer 40

compliance
regulation
environment
training data

Question 41

Main benefit and objective for privacy program framework?

Answer 41

helps a business maintain privacy and data governance and prevent data breaches while complying with regulations

Question 42

Consider __ when determining the scope of a privacy program

Answer 42

the personal data collected and processed by an organization

Question 43

Black Box effect

Answer 43

it is not always possible to explain why an AI model has generated a particular output or decision