2. Framework: Privacy Governance Flashcards

1
Q

What does the term ‘privacy governance’ refer to?

A

Refers to the components that:

  1. Guide a privacy function toward compliance

AND

  2. Enable it to support business objectives and goals.
2
Q

What are the components of organizational privacy governance?

A
  1. Vision and mission statement;
  2. Scope;
  3. Framework;
  4. Strategy; and
  5. Team structure.
3
Q

How can the privacy program scope be identified?

A

Through the identification of the following:

  1. Personal information (PI) collected and processed; and
  2. Applicable privacy and data protection laws and regulations.
4
Q

Why should an organization identify the PI collected and processed?

A

Maintaining written documentation about personal information, including (1) how an organization processes the data and (2) the recipients of the data, is formalized in Article 30 of the GDPR.

5
Q

What questions should be asked to define the scope of a privacy program?

A
  1. Who collects, uses, and maintains PI? (Organizations are also required to understand the roles and obligations of service providers)
  2. What types of PI are collected, and what is the purpose of the collection?
  3. Where is the data stored? (Applications and systems, as well as countries)
  4. To whom is the data transferred?
  5. Who has access to the data, both internally and externally? (Ex., third parties)
  6. When (ex., during a transaction or the hiring process) and how (ex., through an online form) is the data collected?
  7. How long is the data retained, and how is it deleted?
  8. What security controls are in place to protect the data?
6
Q

What is considered to be best practice when doing business in a jurisdiction with no data protection regulations?

A

Best practice is to institute the organization’s requirements, policies, and procedures to the highest level achievable instead of reducing them to the level of the country in which business is being conducted.

In a nutshell, use the most restrictive policies, as this also reduces privacy-related risks for the organization.

7
Q

What are some scope challenges?

A

Domestic privacy programs may need to monitor state and/or regional laws as well as industry-specific laws, while global programs need to be cognizant of cultural norms, differences, and approaches to privacy protection.

8
Q

What are some examples of privacy protection regulation approaches around the globe?

A
  1. US: Sectoral and state-specific laws (Laws address a specific industry sector and/or apply to the residents of a specific state)
  2. EU, UK, Canada: Comprehensive laws (Laws govern the collection, use, and dissemination of PI, with an official oversight agency)
  3. Australia: Co-regulatory model (Industry develops enforcement standards that are overseen by a privacy agency)
  4. US, Japan, Singapore: Self-regulated model (Companies follow a code of practice developed by a group of companies known as an industry body, ex., Online Privacy Alliance, TrustArc, WebTrust)
9
Q

What are the privacy challenges faced by organizations operating in the US?

A

Organizations must determine whether they are subject to a law or industry standard. (Ex., financial institutions are subject to the Gramm-Leach-Bliley Act (GLBA); health providers are subject to HIPAA; and merchants handling cardholder information must follow the Payment Card Industry Data Security Standard)

10
Q

Do US states have data breach notification laws?

A

Yes, all 50 states have data breach notification laws.

If an organization processes the PI of any resident of a state and unencrypted data has been compromised, compliance obligations may include notifying the residents of the state, as well as government bodies and state attorneys general.

11
Q

What is a successful approach to scoping an organization’s privacy program?

A
  1. Understanding of the end-to-end personal information data life cycle.
  2. Consideration of the legal, cultural, and personal expectations.
  3. Customized privacy approach.
  4. Awareness of privacy challenges, including the interpretation of laws and regulations as well as enforcement activities and processes.
  5. Monitoring of all legal compliance factors for both local and global markets.
12
Q

What is a privacy strategy?

A

Privacy strategy is an organization’s approach to communicating and supporting the privacy program and its vision.

13
Q

What are the benefits of implementing a privacy strategy?

A
  1. Management’s growing awareness of the importance of protecting PI and the financial impacts of mismanagement

AND

  2. Awareness that everyone has a role in PI protection and every individual within an organization contributes to the success of the privacy program.
14
Q

What is a challenge when it comes to building a privacy program and supporting strategy?

A

Gaining consensus from members of the organization’s management on privacy as a business imperative.

15
Q

Who is best suited as a privacy program sponsor?

A

Someone who understands the importance of privacy and will act as an advocate for the program.

Effective sponsors typically have experience with the organization, the respect of colleagues, and access to or ownership of the budget.

Frequently, sponsors function as risk or compliance executives (ex., chief information security officers, chief compliance officers, or general counsels).

16
Q

In larger organizations, who is included in the executive privacy team?

A
  1. Senior risk executive;
  2. Senior compliance executive;
  3. Senior HR executive;
  4. Senior legal executive;
  5. Senior information executive;
  6. Senior physical security/business continuity executive;
  7. Senior marketing executive;
  8. Senior representative of the business.
17
Q

What are the best practices to develop internal stakeholder privacy partnerships?

A
  1. Become aware of how others treat and view PI;
  2. Understand their use of the data in a business context;
  3. Assist with building privacy requirements into their ongoing projects to help reduce risk;
  4. Offer to help staff meet their objectives while offering solutions to reduce the risk of personal information exposure;
  5. Invite staff to be part of a privacy advocate group to further privacy best practices.
18
Q

What is the benefit of an internal stakeholder privacy workshop?

A

It levels the privacy playing field by (1) defining privacy for the organization, (2) explaining the market expectations, (3) answering questions, and (4) reducing confusion.

19
Q

What is a key role of an internal privacy stakeholder steering committee?

A

Ensure clear ownership of assets and responsibilities.

20
Q

What can an effective privacy program achieve?

A
  1. Material compliance with the various privacy laws and regulations in-scope for the organization;
  2. Competitive advantage by reflecting the value the organization places on the protection of PI; and
  3. Support business commitment and objectives to stakeholders, customers, partners, and vendors.
21
Q

What are the privacy questions most frameworks answer?

A
  1. Are the privacy risks properly defined and identified?
  2. Has the privacy program been properly implemented into all key workstreams (particularly for an organization with global presence)?
  3. Has the organization assigned responsibility and accountability for managing a privacy program?
  4. Does the organization understand any gaps in privacy management?
  5. Does the organization monitor privacy management?
  6. Are employees properly trained, and does the organization have a privacy awareness program?
  7. Does the organization follow industry best practices for data inventories, risk assessments, and privacy impact assessments?
  8. Does the organization have an incident response plan?
  9. Does the organization communicate privacy-related matters and update that material as needed?
  10. Does the organization use a common language to address and manage cybersecurity risk based on business and organizational needs?
22
Q

What frameworks can be used as a foundation to build a privacy program?

A
  1. Principles and standards
  2. Laws, regulations, and programs
23
Q

What are some examples of privacy principles and standards?

A
  1. Fair Information Practices
  2. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
  3. Generally Accepted Privacy Principles (GAPP)
  4. Canadian Standards Association (CSA) Privacy Code
  5. Asia-Pacific Economic Cooperation (APEC) Privacy Framework
  6. European Telecommunications Standards Institute (ETSI)
  7. National Institute of Standards and Technology (NIST) Privacy Framework
24
Q

What type of approach does a framework use?

A

A framework uses a risk-based, customizable approach to identifying and managing privacy risk and considers the following components:

  1. Core: set of privacy protection activities
  2. Profiles: various factors such as risk appetite, desired future state, resources, etc.
  3. Tiers: level of operational maturity that is achievable for a given profile
25
Q

What is PbD?

A

Privacy (data protection) by design is an approach to privacy program development and systems engineering based on seven foundational principles:

  1. Proactive not reactive; preventative not remedial
  2. Privacy as the default setting
  3. Privacy embedded into design
  4. Full functionality: positive-sum, not zero-sum
  5. End-to-end security: full life cycle protection
  6. Visibility and transparency: keep it open
  7. Respect for user privacy: user-centric

PbD was adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010.

26
Q

What are some examples of laws, regulations, and programs?

A
  1. PIPEDA (generic privacy principles implemented through national law)
  2. GDPR (data protection with far reaching effects plus national laws)
  3. EU-US Privacy Shield (established cross-border data transfer mechanisms and replaced the previous Safe Harbor Framework)
  4. Binding corporate rules (BCRs) (legally binding internal corporate rules; Article 47 of the GDPR lists requirements for BCRs)
  5. HIPAA (US national standard for electronic health care transactions; patients must opt in before their information can be shared with other organizations with the following exceptions: treatment, payment, and health care operations)
  6. Local data protection authorities (DPAs) (e.g., Commission Nationale de l’Informatique et des Libertés (CNIL), France)
27
Q

What do privacy tech vendors support?

A
  1. Due diligence and risk assessments
  2. Consent management
  3. Data subject access requests
  4. Data mapping
  5. Incident response
  6. Website scanning/cookie compliance
28
Q

What are some enterprise management services?

A
  1. Activity monitoring
  2. Data discovery
  3. Deidentification/pseudonymization
  4. Enterprise communications
29
Q

What are GRC tools?

A

Governance, risk, and compliance (GRC) tools is an umbrella term whose scope touches the privacy office, HR, IT, compliance, and the C-suite.

GRC tools are used to:

  1. Create and distribute policies and controls and map them to regulations and internal compliance requirements
  2. Assess whether controls are in place and working, and fix them if they are not
  3. Ease risk assessment and mitigation
30
Q

Based on what framework should privacy teams be structured?

A

Governance models: centralized, local, and hybrid

31
Q

When establishing a privacy model, what elements should be considered?

A
  1. Organizational structure as related to strategy
  2. Operations
  3. Management of responsibilities and reporting
32
Q

What are some privacy roles?

A
  1. Chief Privacy Officer
  2. Privacy director/manager
  3. Privacy analysts
  4. Business line privacy leaders
  5. Privacy legal counsel
  6. First responders
  7. Data protection officer (DPO)
  8. Privacy engineers
  9. Privacy technologists
33
Q

When is a DPO required under the GDPR?

A

Subject to some exceptions, a DPO is required by:

  1. Public authorities and bodies (except for courts acting in a judicial capacity)
  2. Where an organization’s core activities consist of processing operations that require “regular and systematic monitoring of data subjects on a large scale” (e.g., online behavior tracking)
  3. Where the organization’s “core” activities consist of processing “special” categories of data or data relating to criminal convictions and offenses on a large scale.

(South Korea and Germany require organizations to appoint DPOs)