1. Introduction

Question 1

What is privacy program management?

Answer 1

A structured approach of combining several projects into one framework and life cycle to protect personal information and the rights of individuals.

Question 2

What can an organization with an integrated privacy management program hope to achieve?

Answer 2

A properly structured and maintained privacy program will enable:

1. compliance with legal regulatory requirements
2. meet the expectations of clients or customers
3. prevent and mitigate privacy risks

Question 3

What is program management?

Answer 3

Is the process of managing multiple projects across the organization to improve performance.

Question 4

What can be achieved through program management?

Answer 4

1. Oversight and status of projects to ensure goals of the program are met
2. Holistic view of multiple projects and change management
3. Valued metrics across the program

Question 5

What is a framework?

Answer 5

The skeletal structure needed to support program management.

Question 6

How is a privacy framework created?

Answer 6

By analyzing

1. The applicable laws, regulations

AND

2. Best practices that are tailored specifically for the goals of each organization.

Question 7

What is a life cycle?

Answer 7

The series of stages that something passes through during its existence.

(PPM - privacy governance life cycle of assets, protect, sustain, and respond)

Question 8

What are the components of a privacy framework and life cycle?

Answer 8

1. Consideration of privacy laws and regulations
2. incorporation of program management principles
3. Implementation of concepts such as:

• Privacy by design (PbD); and
• Privacy by default

Question 9

Is privacy the same as secrecy?

Answer 9

NO and should not be confused with data classification models used by governments which may rate information as sensitive, secret, or top secret.

Question 10

What does a structured privacy program exhibit?

Answer 10

An organization’s thoughtful and intentional plan to protect personal information and the rights of individuals.

Question 11

What does a privacy governance life cycle provide?

Answer 11

The methods to

• assess
• protect
• sustain; and
• respond

to the positive and negative effects of all influencing factors.

Question 12

What does a “privacy program framework” provide?

Answer 12

Provides

• inquiry topics

AND

• direction (e.g., problem definition, purpose, literature review, methodology, data collection, and analysis)

to ensure quality through a repeatable programmatic steps, thereby reducing errors or gaps in knowledge or experience.

Question 13

Who owns the privacy program framework?

Answer 13

The framework is usually owned by the privacy team or privacy professional (e.g., data protection officer) and ownership as well as management is shared with other stakeholders throughout the organization, including employees, executive leadership, management, and external entities, such as partners, vendors and customers.

Question 14

What are the four principles of the privacy operational life cycle?

Answer 14

1. Assess - provide the steps, checklists, and processes necessary to assess any gaps in a privacy program as compared to industry best practices, corporate privacy policies, applicable privacy laws and regulations, and the framework developed for the organization.
2. Protect - provides the data life cycle, information security practices, and PbD principles to protect personal information.

Embeds privacy principles and information security management practices within the organization to address, define, and establish privacy practices.

3. Sustain - provides privacy management through the monitoring, auditing, and communication aspects of the management framework.

Monitoring throughout several functions in the organization, to include audit, risk and security practices, ensures “business as usual” for identification, and reporting.

4. Respond - includes the respond principles of information requests, legal compliance, incident response planning, and incident handling.

Aims to reduce organizational risk and bolster compliance of regulations.

Question 15

What should organizations be prepared for?

Answer 15

Be prepared to respond to customers, partners, vendors, employees, regulators, shareholders, or other legal entities.

The requests can take a broad form from simple questions over requests for data corrections to more in-depth legal disclosures about individuals.

Question 16

What are the responsibilities of a Privacy Program Manager?

Answer 16

1. Align the various parts of the privacy program to business objectives so as not be in contention.
2. Support business as a valued partner (not see it as a blocker)

Question 17

What are the goals of a privacy program manager?

Answer 17

1. Define the privacy obligations for the organization
2. Identify and mitigate privacy risks
3. Create, revise, and implement policies and procedures that effect positive practices and together comprise a privacy program
4. Raise the data IQ of the organization to drive and embed a privacy-oriented culture

Question 18

What are the goals of a privacy program?

Answer 18

1. Demonstrate an effective and auditable framework to enable legislative compliance
2. Promote trust and confidence in the data entrusted by individuals
3. Highlight that the organization takes its data privacy obligations seriously
4. Respond effectively to privacy breaches and data subject requests
5. Continually monitor, maintain, and improve the maturity of the privacy program

Question 19

What are the specific responsibilities of privacy program manager?

Answer 19

1. Policies, privacy notices, procedures, and governance
2. Privacy-related awareness and training
3. Incident response and privacy investigations
4. Regulator complaints
5. Data subject requests
6. Communications
7. Privacy controls
8. Privacy issues with existing products and services
9. Privacy-related monitoring
10. Privacy impact assessments
11. Development of privacy staff
12. Privacy-related data committees
13. PbD in product development
14. Privacy-related vendor management
15. Privacy audits
16. Privacy metrics
17. Cross-border data transfers
18. Preparation for legislative and regulatory change
19. Privacy-related subscriptions
20. Privacy-related travel
21. Redress and consumer outreach
22. Privacy -specific or -enhancing software
23. Privacy related certification seals
24. Cross-functional collaboration (legal, IT, cybersecurity, ethics etc.)
25. Internal and external reporting

Question 20

What is accountability?

Answer 20

Accountable organizations have the proper policies and procedures to promote best practices in handling personal information and, generally, can demonstrate they have capacity to comply with applicable laws.

They promote trust and transparency to provide individuals with confidence in their abilities to protect their personal information and respect their data rights.

Question 21

What are the legal requirements of accountability?

Answer 21

It is not only about saying the organization is taking action, but also being able to prove it is.

The organization is accountable for the actions it takes or does not take to protect personal data.

When organizations collect and process information about people they are responsible for it. They need to take ownership of it and take care of it throughout the data life cycle.

Question 22

What should an organization do regarding it’s data practices?

Answer 22

If an organization has a data protection policy in place, the organization should comply with that policy and document any deviations and actions taken for any failures in complying with the policy.

Question 23

Does the accountability principle impose obligations on an organization?

Answer 23

YES. Accountability, may impose obligations to take ownership and demonstrate how an organization is compliant.

Privacy program managers may be accountable for the safekeeping and responsible use of personal information - not just to investors and regulators, but also to everyday consumers and their fellow employees.

Question 24

Why does an organization need a privacy program?

Answer 24

Accountability. Showing proper respect for individuals’ personal information shows that the organization is reputable.

Question 25

What can a privacy program do for an organization?

Answer 25

1. Enhance the brand and public trust 2. Meet regulatory obligations 3. Encourage ethical data processing practices 4. Enable global operations, such as mergers and acquisitions 5. Prevent and mitigate the effects of data breaches 6. Provide a competitive differentiator 7. Increase the value and quality of data 8. Reduce the risk of employee and consumer class-action lawsuits 9. Encourage good corporate citizenship 10. Meet expectations of consumers and business clients 11. Integrate data ethics into organizations decision making

Question 26

What should privacy look like across the organization?

Answer 26

Many functions should directly support the various activities required by the privacy program. Among these activities are the adoption of privacy policies and procedures, development of privacy training and communications, development of privacy- and security-enhancing controls, contract development with and management of third parties that process the personal information of the organization, and the assessment of compliance with regulations and established control mechanisms.

Question 27

How should privacy policies and procedures be created and enforced?

Answer 27

They should be created and enforced at a functional level, (i.e., by the central privacy team). Policies imposing general obligations on employees may also reside with other functions such as ethics, legal, and compliance, therefore, it is important to align with other policy owners and reference other policies as applicable.

Question 28

How should privacy be governed across the organization?

Answer 28

Most groups within the organization should have some policies to address the appropriate use and protection of personal information specific to their own functions areas; these policies will need to be produced in close consultation with the privacy office. *Difference between having appropriate policies in place and using appropriate controls.

Question 29

What are some examples of different functions involved in creating procedures related to privacy?

Answer 29

1. Learning and development - policies and procedures to be translated into teachable content and contextualized into tangible operations and processes. (Privacy team must approve the training output and closely monitor completion rates) 2. Communication team - assist with publishing content, and reinforce good privacy practices in line with the company's branding, objectives, and tone of voice. Can also advise on the best methods of communication to boost higher commitment. 3. Information security team - every security-enhancing technology that information security deploys - from encryption to perimeter security controls and data los prevention tools - helps the privacy program meet its requirements for implementing security controls to protect personal information. 4. IT team - can enhance the effectiveness of the privacy program by adding processes and controls that support privacy principles. It should carry PbD by implementing privacy principles into the realm of technology development by limiting the data fields built into a tool to application to only those actually required to preform a process or action, or by building in functions that enable the user to easily delete data according to a retention schedule. 5. IA - assesses whether controls are in place to protect personal information and whether people and processes across the organizations are abiding by these controls. 6. Procurement - ensures that contracts are in place with third-party service providers that process personal information on behalf of the organization and that proper contractual language is imposed. 7. HR - ensures employee information is handled in accordance with privacy policies and procedures. 8. Ethics & Compliance - manages whistleblowing and complaints relating to how an individual's personal data may have been handled 9. Marketing and advertising - creates awareness on how to handle customer personal data for marketing and media purposes. 10. Business development and strategy - helps understand how good data protection can drive more business 11. Finance - ensures Payment Card Industry (PCI), Sarbanes-Oxley (SOX) and other financial regulations are collaborated on with the privacy office 12. Legal - keeps current on privacy regulations and requirements that affect the organization 13. Risk - ensures data protection risks are includes in the organizations Enterprise Risk Management framework 14. Data governance - develops a data governance framework that supports data privacy requirements 15. Product research and development - performs privacy impact assessments as well as privacy by design and default consulting in new product development

Question 30

How can the privacy program's strengths and weaknesses be revealed?

Answer 30

Through questionnaire results, which in itself is a positive result, contributing to an overall strengthening of internal awareness of the program.