4. Operations: Data Assessment Flashcards

1
Q

What function do data assessments fulfill?

A
  1. Inventory, manage, and track PI
  2. Determine the impact organizational systems and processes will have on privacy
2
Q

What are the different types and functions of data assessments?

A
  1. Privacy Impact Assessment (PIA) - enterprise risk management function
  2. Data Protection Impact Assessment (DPIA) - compliance function
  3. Data Mapping Assessment (Data Inventory) - internal audit function
3
Q

What is data?

A

A strategic asset, the lifeblood of organizations.

4
Q

What is the role of data governance?

A

It can:
1. Improve client value
2. Increase profitability
3. Manage risk
4. Deliver transformative initiatives

5
Q

What is data governance defined as by the Data Management Association (DAMA)?

A

The planning, oversight, and control over management of data and the use of data and data-related sources.

6
Q

What does a data governance framework provide?

A

A holistic approach to collecting, managing, securing, and storing data.

7
Q

What should data governance cover?

A

DAMA envisions data management as a wheel with data governance as a hub for:
1. Data Architecture - overall structure of data & data-related resources
2. Data Modeling and Design - analysis, design, building, testing, and maintenance
3. Data Storage and Operations - structured physical data asset storage deployment and management
4. Data Security - privacy, confidentiality and appropriate access
5. Data Integration and Interoperability - acquisition, extraction, transformation, movement, delivery, replication, federation, virtualization, and operational support
6. Documents and Content - storing, protecting, indexing and enabling access to data found in unstructured sources and making this data available for integration
7. Reference and Master Data - shared data management to reduce redundancy
8. Data Warehousing and Business Intelligence - analytical data management and processing
9. Metadata - Collection, categorization, maintenance, integration, control, and management
10. Data Quality - definition, monitoring, data maintenance integrity, and data quality

8
Q

What are the common data governance roles?

A
  1. Strategic: data steering committee formed by C-level individuals
  2. Managerial: data owners responsible for data domain or asset
  3. Operational: data stewards - subject matter experts accountable for the day-to-day management of data
9
Q

What is a data inventory or data map?

A
  1. Identifies data as it moves across various systems
  2. Indicates how data is shared
  3. Identifies inconsistent data versions
  4. Enables identification and mitigation of data disparities
  5. Serves to identify the most and least valuable data
  6. Reveals how data is accessed, used, and stored.
10
Q

What are the benefits of a data inventory?

A
  1. Identifies risks
  2. Reduces penalty - demonstrates that the company has an established system of recording and organizing the data inventory
  3. Resource allocation - prioritize resources, efforts, risk assessments, and current policy in response to incidents
11
Q

Who is responsible for the data inventory?

A

Privacy function and/or IT

12
Q

What is the GDPR requirement under Article 30?

A

Maintain detailed records of processing activities. Records must include:
1. Name and contact detail of processor/controller/DPO
2. Name and contact of any joint controllers
3. Purpose for processing
4. Categories of PI and data subjects
5. Categories of recipients
6. International data transfers
7. Safeguards for exceptional transfers
8. Retention periods for the various categories of PI
9. Description of the technical and organizational security measures

13
Q

Is it required to disclose the detailed record processing to the data protection authority?

A

Yes, unless the controller or processor employs fewer than 250 people, the processing is occasional, does not include sensitive data, and is not likely to result in a risk for the rights and freedoms of the individual.

14
Q

What is one starting point to a data processing inventory project?

A
  1. Identifying and interviewing all known data owners.

(Data custodians may be separate from data owners)

  1. Reach out to IT to obtain a list of database administrators, who should have schemas of the databases of varying kinds.
  2. Teams responsible for backups and business continuity should know what data is retained and what should be restored.
  3. The software team should have a list of all software used in the organization.
  4. The compliance team should have details of the personal data.
  5. Administrators that answer data subject access requests would also have information about personal data sources.
15
Q

Does nonpersonal data need to be identified in a data inventory?

A

Anonymous data outside the scope of the GDPR does need to be identified.

Implementing a new process means that revised or new applications or systems must thoroughly document the personal data they are processing; this keeps the data inventory from becoming outdated.

16
Q

What additional data should be included in a data inventory?

A
  1. Security
  2. Data retention periods
  3. Who has access to the data
  4. To whom is data disclosed
  5. Legal basis for processing the data.
17
Q

What is a privacy assessment?

A

A compliance measurement.

18
Q

What do privacy assessments measure?

A

An organization’s compliance with laws, regulations, adopted standards, and internal policies and procedures.

19
Q

What is the scope of a privacy assessment?

A

It may include:
1. Education and awareness
2. Monitoring and reporting to the regulatory environment
3. Data systems and process assessments
4. Risk assessments
5. Incident response
6. Contracts
7. Remediation
8. Program assurance including audits

20
Q

Who conducts a privacy assessment?

A

It may be conducted internally through the audit function, DPO, a business function or externally by a third party.

21
Q

Why is a privacy assessment conducted?

A

In response to a security or privacy event or at the request of an enforcement authority.

22
Q

What is a privacy impact assessment (PIA)?

A

An analysis of the privacy risk associated with processing personal information in relation to a project, product or service.

23
Q

What should a PIA accomplish?

A

Should suggest or provide remedial actions or mitigations necessary to avoid or minimize risks.

24
Q

How are the PIA requirements determined?

A

They emanate from industry codes, organizational policy, laws, regulations, or supervisory authority.

25
Q

What can PIA help facilitate?

A

Privacy by Design (PbD) - building privacy directly into technology, systems, and practices at the design phase.

26
Q

When should a PIA be completed?

A

Early:

  1. During the ideation stage or scoping of a project, product or service that involves the collection of PI
  2. New or revised industry standards, organizational policies, or laws or regulations.
  3. When the organization creates new privacy risks through changes to the methods by which PI is handled.
27
Q

What business processes might trigger a PIA?

A
  1. Re-identification
  2. Conversion of paper record to electronic format
  3. Significant merging, matching, and manipulation of multiple databases
  4. Application of user-authentication technology to publicly accessible system
  5. System management changes involving new technologies
  6. Retiring of systems
  7. Incorporation of PI obtained from commercial or public sources into existing databases
  8. Interagency exchanges or uses of PI
  9. Alteration of business processes (new collection, use, and disclosure of PI)
  10. Alteration of the character of PI
  11. Implementation of projects using third-party service providers
28
Q

What is an express PIA?

A

A small questionnaire that assesses the need for a full and more comprehensive PIA.

29
Q

Is a PIA required in the US?

A

Under the E-Government Act (2002), PIAs are required of government agencies when developing or procuring IT systems containing PII of the public or when initiating the collection of PII.

The requirement is preceded by a privacy threshold analysis.

30
Q

What does a PIA entail under the Privacy Act in the US?

A

Information collected or maintained, sources of that information, uses and possible disclosures, and possible threats to the information.

31
Q

Under the Privacy Act in the US, what are the reasons for initiating a PIA?

A
  1. Collection of new information (compelled or voluntary)
  2. Conversion of records (paper to electronic)
  3. Conversion of information (anonymous to identifiable)
  4. System management changes (significant new uses or application of new technologies)
  5. Merging, matching, or other manipulation of databases
  6. Incorporation of PII obtained commercially or from public sources into databases
  7. New interagency exchanges of PII
  8. Alteration of a business process (new collection, use, or disclosure)
  9. Alteration of the character of PII
  10. Implementation of projects using third-party service providers.
32
Q

What US state law requires data protection assessments?

A

Virginia’s Consumer Data Protection Act (CDPA).

33
Q

Should a PIA continue after implementation?

A

Yes.

34
Q

What are the two phases of a PIA?

A

Performing and follow-up.

35
Q

What are the performing phase steps of a PIA?

A
  1. Identifying PI flows
  2. Analyzing the implications of the use case
  3. Determining the relevant privacy safeguarding requirements
  4. Assessing privacy risks using steps of risk identification, analysis and evaluation
  5. Preparing to treat privacy risk
36
Q

What are the follow-up phase steps of a PIA?

A
  1. Preparing and publishing the PIA report
  2. Implementing the privacy risk treatment plan.
  3. Reviewing the PIA and reflecting changes to the process
37
Q

What sections should be included in a PIA?

A
  1. Scope of assessment
  2. Privacy requirements
  3. Risk assessment (discussion of risk sources, threats and likelihood, consequences and level of impact, risk evaluation, and compliance analysis)
  4. Risk treatment plan
  5. Conclusions and decisions

Summary should be made public.

38
Q

What is a Data Protection Impact Assessment (DPIA)?

A

It is an important tool for negating risk and demonstrating compliance with the GDPR.

(DPIA is required for processing that is likely to result in a high risk to individuals)

39
Q

What are the consequences for not completing a DPIA?

A
  • Failure to complete a DPIA
  • Carrying out a DPIA incorrectly
  • Failure to consult the competent supervisory authority …

… can result in GDPR fines of up to 10 million euros OR up to 2% of total global revenue for the financial year, whichever is higher.

40
Q

When is a DPIA required?

A

Processing is “likely to result in a high risk to the rights and freedoms of natural persons”.

41
Q

If a DPIA is not carried out, what are controllers required to do?

A

Justify and document the reasons for not carrying out a DPIA and include the views of the DPO.

42
Q

What are the minimum features set out by the GDPR for a DPIA?

A
  1. Description of the processing, including its purpose and the legitimate interest being pursued
  2. The necessity of processing, its proportionality, and the risks that it poses to data subjects
  3. Measures to address the risks identified
43
Q

What are the steps of a generic process for carrying out a DPIA?

A
  1. Description of the envisaged process
  2. Assessment of the necessity and proportionality
  3. Measures already envisaged
  4. Assessment of the risks to the rights and freedoms
  5. Measures envisaged to address the risks
  6. Documentation
  7. Monitoring and review
44
Q

When must a supervisory authority be contacted regarding a DPIA?

A

When the data controller cannot find sufficient measures to reduce the risks to an acceptable level.

45
Q

What is AI?

A

An umbrella term for a range of algorithm-based technologies that solve complex tasks by carrying out functions that previously required human thinking.

Decisions can be fully automated or have some form of human intervention.

46
Q

Why is privacy commonly identified as one of the main pitfalls of AI?

A

AI commonly clashes with privacy principles:

  1. Lawfulness, fairness, and transparency
  2. Data minimization and purpose limitation
  3. Integrity and confidentiality (security)
47
Q

What should an AI system assessment include?

A
  1. Proven ability of the system to fulfill a specific and legitimate purpose
  2. Algorithmic inaccuracies or database bias (detriment to data subjects)
  3. Redress mechanisms against AI system decisions
  4. Consideration given to vulnerable groups and situations (power asymmetries)
  5. The elimination of socially constructed biases from datasets used to train AI
  6. Assurances that AI systems do not represent themselves as humans to data subjects
  7. Assessment of PI contained in training data
  8. Reduction of the likelihood of training data being traced back to specific individuals
48
Q

What should an AI redress mechanism address and show?

A
  1. Entity accountable for the decision
  2. Explicable, reproducible, traceable, and auditable decision-making process
49
Q

What is the function of regular self-assessments?

A

Demonstrate a responsible privacy management culture.

50
Q

What are the systems security categories described in NIST 800-60?*

*National Institute of Standards and Technology

A
  1. Task - data classification
  2. Owner
  3. Questions
  4. Evidence - spreadsheet with data inventory, categories, and classification
51
Q

What are the controls that can preserve information integrity?

A
  1. Confidentiality - access to information is limited to authorized parties
  2. Integrity - assurance that the data is authentic and complete
  3. Availability - knowledge that the data is accessible, as needed, by those that are authorized to use it
52
Q

How is information security achieved?

A

Through the implementation of controls that are monitored and reviewed

53
Q

What are security controls?

A

Mechanisms that prevent, detect, and correct a security incident.

54
Q

What are the three types of security controls?

A
  1. physical - protects personnel, equipment, and data
  2. administrative
  3. technical
55
Q

What are some examples of physical controls?

A
  1. Locks on physical document storage
  2. Protection of premises
  3. Electronic and paper waste disposal
56
Q

Why is vendor assessment important?

A

Under many privacy laws, organizations are liable for the data-processing activities conducted on their behalf by vendors.

57
Q

How should vendors be evaluated?

A

Against specific organizational standards and vendor selection processes:
- questionnaires
- PIAs
- checklists

58
Q

What are the good practice standards when selecting vendors?

A
  1. Reputation
  2. Financial condition and insurance
  3. Information security controls
  4. Point of transfer
  5. Disposal of information
  6. Employee training and user awareness
  7. Vendor incident response
  8. Audit rights
  9. Policies and procedures
  10. DPO
59
Q

When it comes to vendors, what elements should be included in contractual language?

A
  1. Specifics regarding the type of PI to which vendor will have access at remote locations
  2. Vendor plans to protect PI
  3. Vendor responsibilities in the event of a data breach
  4. Disposal of data upon contract termination
  5. Limitations on the use of data that ensure it will be used only for specified purposes
  6. Rights of audit and investigation
  7. Liability for data breach
60
Q

What is the purpose of a vendor contract?

A

Ensure compliance with the organization’s privacy program.

61
Q

What does the term cloud computing refer to?

A

Provision of information technology services over the internet.

Services can include software, server infrastructure, hosting, and operating system platforms.

Has numerous applications: personal webmail, corporate data storage, etc.

62
Q

What are the cloud computing service models?

A
  1. Infrastructure as a service - supplier provides remote access to and use of physical computing resources, the user is responsible for implementing and maintaining operating platforms and applications
  2. Platform as a service - supplier provides access to and use of operating platforms and hardware and the user remains responsible for implementing and maintaining applications
  3. Software as a service - supplier provides the infrastructure, platform and application
63
Q

What are the recommendations put forward by the Cloud Computing Forum to assess cloud computing vendors?

A
  1. Certifications and standards - ISO 27001 or the UK’s government’s Cyber Essentials Scheme
  2. Technologies - re-coding, customization, migration services
  3. Service road maps - innovation over time
  4. Data management - data storage jurisdiction
  5. Information security - internal security audits
  6. Subcontractors and service dependencies
  7. Data policies and protection
64
Q

Does the GDPR contain vendor assessment requirements?

A

Yes, article 28 contains specific provisions for the controller-processor relationship:

  1. Security requirements
  2. Sufficient guarantees (sufficient GDPR compliance, data rights protections, and proof of the processor’s competence)
  3. Processor vetting by the supplier (assessment or certificate validation)
  4. Audit
  5. Duty to assist the controller with achieving compliance and reduction of risk
  6. Assisting the controller with the handling of personal data breach notification requirements
65
Q

What is required of the controller if it cannot establish proof of the processor’s competence?

A

Walk away, otherwise it will be in automatic breach of GDPR Article 28.

66
Q

What are the vendor assessment requirements under the California Consumer Privacy Act (CCPA)?

A
  1. Written contracts with specific criteria if liability is shifted to vendor for any violations caused by the vendor.
  2. If the vendor is a service provider, the contract must limit processing to the business purpose.
  3. If the vendor is defined as a person, the contract should prohibit the vendor from selling, retaining, using, or disclosing the PI outside the direct business relationship.
67
Q

Is the identification of third parties required under the CCPA?

A

Third parties with whom the business shares PI must be identified.

Categories of third parties with whom business shares PI must be disclosed to customers upon request.

68
Q

What is defined in Section 1798.140 (w) of the CCPA?

A

Not all vendors are considered to be third parties, and third parties are not the same as service providers.

Third parties have separate uses for the data that a business shares with them.

69
Q

What is defined in Section 1798.140 (a) and (h) of the CCPA?

A

That a vendor’s anonymization and aggregation practices meet CCPA requirements.

70
Q

What privacy checkpoints should be considered for mergers and acquisitions?

A
  1. Applicable new compliance requirements
  2. Sector-specific laws
  3. Standards
  4. Comprehensive laws and regulations
  5. Existing client agreements
  6. New resources, technologies, and processes
71
Q

What should be considered when data is transferred to a different or additional controller during a merger or acquisition?

A
  1. Data sharing must be part of the due diligence
  2. Follow the data sharing code
  3. Establish what data is transferred
  4. Identify the purpose for which data was initially obtained
  5. Establish lawful basis for which data was originally obtained
  6. Establish lawful basis for sharing data
  7. Compliance with data processing principles
  8. Document data sharing
  9. Technical advice (security risks - loss, corruption, or degradation of the data)
  10. Data subject notice