Domain 1: Developing a Framework Flashcards

Learn how to build a solid privacy program foundation aligned with business goals and key frameworks. (161 cards)

1
Q

What is program management?

A

Overseeing multiple projects that make up a program to meet strategic goals.

2
Q

What does program management provide?

A

A holistic view of a discrete program within an organization.

3
Q

What are the 4 objectives of program management?

A
  • Meet strategic goals
  • Manage change
  • Measure performance
  • Improve performance

Examples: digital transformation, employee development, health and wellness, sustainability, R&D, customer experience.

4
Q

What is a framework in program management?

A

Guidance and processes for managing related projects aligned with strategic goals.

5
Q

What is privacy program management?

A

An organized approach to protecting PII and the rights of individuals.

6
Q

What are the goals of a privacy program?

A
  • Provide auditable framework
  • Comply with legal requirements
  • Build trust
  • Mitigate risk
7
Q

What is governance?

A

A system of rules, practices, and processes to direct a program and balance stakeholder interests.

8
Q

Who is a privacy professional?

A

A member of a privacy team responsible for implementing the privacy program framework.

9
Q

What is Privacy by Design (PbD)?

A

A proactive approach to embedding privacy in IT systems and processes, starting at the design stage.

10
Q

Who developed the concept of Privacy by Design?

A

Ann Cavoukian

11
Q

What is the mnemonic for the 7 PbD principles?

A

Robot Pigs Devour Enormous Purple Eggplant Tacos

7 principles: Respect for users, Proactive/preventative, Default settings, Embedded in design, Positive-sum, End-to-end security, Transparent

12
Q

List the 7 principles of Privacy by Design.

A
  • Respect for users
  • Proactive/preventative
  • Default settings
  • Embedded in design
  • Positive-sum
  • End-to-end security
  • Transparent

Mnemonic: Robot Pigs Devour Enormous Purple Eggplant Tacos

13
Q

What is Privacy by Default?

A

A concept ensuring strictest privacy settings are applied automatically to personal data.

14
Q

How does Privacy by Default relate to PbD?

A

It complements PbD by enforcing strong privacy settings without user intervention.

15
Q

What are the 4 stages of the Privacy Governance Life Cycle?

A
  • Assess
  • Protect
  • Sustain
  • Respond
16
Q

What does the Privacy Governance Life Cycle provide?

A

Reusable processes to handle PII throughout its life cycle.

17
Q

What is the goal of the Assess stage?

A

Determine program gaps using models and frameworks.

18
Q

What frameworks can be used during Assess?

A
  • AICPA/CICA Maturity Model
  • GAPP
  • Privacy by Design
19
Q

What is the goal of the Protect stage?

A

Safeguard personal data.

20
Q

What activities occur in the Protect stage?

A
  • Implement life cycle practices
  • Security
  • PbD principles
21
Q

What is the goal of the Sustain stage?

A

Maintain and improve program performance.

22
Q

What activities occur in the Sustain stage?

A
  • Monitor
  • Audit
  • Collaborate
  • Evaluate systems
  • Ensure compliance
23
Q

What is the goal of the Respond stage?

A
  • Reduce risk
  • Increase compliance
24
Q

What are key activities in the Respond stage?

A
  • Handle information requests
  • Legal compliance
  • Incident response
25
What **legal goal** does a privacy program help meet?
Compliance with **applicable laws** and **regulations**.
26
What are the **business motivators** for a privacy program?
  • Consumer trust
  • Company reputation
27
How does a privacy program **build transparency**?
  • Promoting respect for individuals
  • Allowing demonstration of compliance
28
How does privacy **support compliance**?
Ensures **adherence to laws** and **mitigates legal risk**.
29
What is a **policy**?
A **high-level guideline** outlining principles, values, rules, and the 'why' behind decisions.
30
What is a **process**?
A series of interrelated tasks **defining 'what' needs to be done** to produce a specific outcome.
31
What is a **procedure**?
**Step-by-step instructions** explaining 'how' to perform a task or process.
32
What is **privacy governance**?
A governance system **specifically for managing a privacy program**.
33
Why is **defining program scope** important?
It clarifies **what the privacy program covers** and guides resource allocation.
34
What does **developing a framework involve**?
Selecting tools, processes, and best practices to **support privacy objectives**.
35
What is the **U.S. approach** to privacy law?
Sectoral (laws apply to specific sectors). Examples: healthcare, finance, education, telemarketing.
36
Which **regulators** are involved in **U.S. sectoral** privacy laws?
  • Department of Education
  • Health and Human Services
  • Federal Trade Commission
  • Federal Communications Commission
37
What **law** governs privacy in **finance and banking**?
Gramm-Leach-Bliley Act (GLBA)
38
What **law** governs **healthcare privacy**?
Health Insurance Portability and Accountability Act (HIPAA)
39
Who are HIPAA's '**covered entities**'?
Healthcare providers, health plans, and healthcare clearinghouses.
40
What **law** governs **children's online privacy**?
Children's Online Privacy Protection Act (COPPA)
41
What **age group** does **COPPA** protect?
Children **under 13**.
42
**Who** regulates COPPA?
Federal Trade Commission (FTC)
43
What governs **payment card processing security**?
Payment Card Industry Data Security Standard (**PCI DSS**)
44
Is PCI DSS a law?
No. It is an **industry standard** enforced contractually by the card brands, although some states reference it in statute.
45
Does the U.S. have a federal data breach law?
No general one; **all 50 states** (plus DC and the territories) have their own, and sector-specific federal rules (e.g., HIPAA's Breach Notification Rule) add notification duties.
46
**When** do state breach notification laws **apply**?
Typically when **unencrypted PII** is compromised; most statutes exempt properly encrypted data.
47
**Who must be notified** under U.S. breach laws?
  • Individuals impacted
  • Government bodies
  • State attorneys general
48
What **category of data** is protected in the healthcare sector?
  • Protected health information (PHI)
  • Special categories of data
49
What are key privacy concerns **in finance**?
  • Data confidentiality
  • Anti-money laundering (AML) laws
50
What privacy aspects are important in **telecommunications**?
  • Metadata
  • Geolocation
  • Law enforcement cooperation
51
What does **government privacy law** address?
  • Public records
  • Court documents
  • Communications
52
What **institutions** are covered under education privacy?
  • Public/private schools
  • Universities
  • Student-serving medical clinics
53
What is covered under **video privacy laws**?
Rental and streaming records.
54
What is regulated under **marketing privacy laws**?
Online advertising.
55
What privacy issues are in the **energy sector**?
Smart grid and smart home technology.
56
What does **HR privacy** cover?
  • Recruiting
  • Hiring
  • Onboarding
  • Remote work
57
Who **regulates** HIPAA?
HHS Office for Civil Rights (OCR)
58
What is the **HITECH** Act?
Health Information Technology for Economic and Clinical Health Act
59
What does HITECH **cover**?
**Electronic health records** (EHR) and secure IT.
60
Who **regulates** HITECH?
HHS and OCR
61
What is the **FCRA**?
Fair Credit Reporting Act
62
What does FCRA **cover**?
**Consumer reporting agencies**, credit/consumer reports.
63
Who regulates FCRA?
  • FTC
  • Consumer Financial Protection Bureau (CFPB)
64
What is **FACTA**?
Fair and Accurate Credit Transactions Act
65
What does FACTA **cover**?
**Consumer protections** and identity theft.
66
Who **regulates** FACTA?
  • FTC
  • Federal Reserve
  • Federal Deposit Insurance Corporation (FDIC)
  • Office of the Comptroller of the Currency (OCC)
  • National Credit Union Administration (NCUA)
67
What does GLBA **cover**?
  • Nonpublic personal information
  • Limits on sharing
68
Who **regulates** GLBA?
  • FTC
  • Banking agencies
69
What is the **TCPA**?
Telephone Consumer Protection Act
70
What does the TCPA **cover**?
Limits on:
  • Auto-dialing
  • Prerecorded messages
  • Texts
  • Faxes
71
Who **regulates** the TCPA?
  • FCC (primary rulemaking and enforcement)
  • State Attorneys General
  • FTC (enforces the related Telemarketing Sales Rule)
72
What is the **Do Not Call** (DNC) Registry?
A telemarketing opt-out list
73
Who **regulates** the DNC Registry?
Federal Trade Commission (FTC)
74
What is the **Privacy Act of 1974**?
A law protecting PII **held by federal agencies** in systems of records.
75
Who **regulates** the Privacy Act of 1974?
Department of Justice (DOJ)
76
What is the **ECPA**?
Electronic Communications Privacy Act
77
What does the ECPA **cover**?
  • Wiretapping
  • Eavesdropping
  • Unauthorized access to electronic communications
78
Who **regulates** the ECPA?
States and law enforcement.
79
What is **FERPA**?
Family Educational Rights and Privacy Act
80
What does FERPA **cover**?
PII in:
  • Education records
  • Directory information
81
Who **regulates** FERPA?
Department of Education
82
What is the **CAN-SPAM Act**?
Controlling the Assault of Non-Solicited Pornography and Marketing Act
83
What does CAN-SPAM **cover**?
**Unsolicited** commercial email.
84
Who **regulates** CAN-SPAM?
Federal Trade Commission (FTC)
85
What is the **VPPA**?
Video Privacy Protection Act
86
What does the VPPA **cover**?
PII in video rental records.
87
Who can **enforce** the VPPA?
**Individuals** via private right of action.
88
What is the **FTC Act**?
Federal Trade Commission Act
89
What does the FTC Act **authorize**?
Investigation and enforcement against **unfair or deceptive acts or practices**.
90
What is the **DPPA**?
Driver's Privacy Protection Act
91
What does the DPPA **cover**?
PII held by **Departments of Motor Vehicles**.
92
Who **regulates** the DPPA?
State Attorneys General
93
What is **COPPA**?
Children's Online Privacy Protection Act
94
What does COPPA **cover**?
Children's PII
95
Who **regulates** COPPA?
Federal Trade Commission (FTC)
96
What are **key consumer rights** under the CCPA (California Consumer Privacy Act)?
  • Request records/data
  • Request erasure
  • Opt-out of sale
97
What are **exceptions** to consumer rights under CCPA?
  • Transaction completion
  • Research
  • Free speech
  • Internal analytics
98
What are key **organization requirements** under **CCPA**?
  • Receive/verify/respond to requests
  • Allow opt-outs
  • Provide privacy notice
99
What is the **timeline** for responding to data subject requests under **CCPA**?
45 days
100
What must **the link** providing opt-outs **state/read**?
Do Not Sell My Personal Information
101
Under what circumstances may an organization **sell children's data**?
Only with **opt-in consent** for consumers under 16:
  • From the consumer if aged 13 to 15, OR
  • From a parent or guardian if under 13
102
Who **enforces** the CCPA?
California Attorney General and the California Privacy Protection Agency (CPPA)
103
What **law amended** the CCPA?
California Privacy Rights Act (CPRA)
104
What **new consumer rights** were **added** under CPRA?
  • Right to correct data
  • Limit use of sensitive PI
  • Opt-out of sharing
105
What is '**sensitive personal information**' under CPRA?
A new defined category of PI that **has greater protections**.
106
What change was made to the **business threshold**? | From CCPA to CPRA
Increased from **50,000 to 100,000+** consumers, households, or devices.
107
What is the **new regulatory agency** created under CPRA?
California Privacy Protection Agency (CPPA)
108
What **new obligations** does CPRA impose on businesses?
  • Contractual terms with third parties
  • Privacy by design
109
What **enforcement changes** were introduced by CPRA?
**Higher penalties** for violations involving minors.
110
What **data retention requirements** are included in CPRA?
Businesses **must disclose retention periods** and only retain data as needed.
111
What are **2 key global privacy** law **frameworks**?
  • OECD Guidelines
  • APEC Privacy Framework
112
List the **common privacy principles** in OECD and APEC frameworks.
  • Accountability
  • Collection limitation
  • Data quality
  • Individual participation
  • Purpose specification
  • Use limitation
  • Safeguards
  • Openness/transparency

Mnemonic: Angry Cats Destroy Innocent Pillows Upsetting Standing Owners.
113
What is the **mnemonic** for OECD/APEC principles?
Angry Cats Destroy Innocent Pillows Upsetting Standing Owners
114
What is a **standard**?
Established **guidelines or specifications** to ensure quality, safety, interoperability.
115
Name 3 key **standard development bodies**.
  • ISO
  • IEC
  • IEEE
116
What is **ISO/IEC 27701**?
**Security techniques** for privacy information management.
117
What is **ISO/IEC 29134**?
Guidelines for **privacy impact assessment**.
118
What is the **GDPR**?
The EU/EEA's **comprehensive data protection law** (General Data Protection Regulation), giving individuals control over their personal data.
119
What is the **global significance** of the GDPR?
It is considered a **global standard** for data protection.
120
When did the GDPR become **enforceable**?
May 2018
121
What **data processing** is covered by GDPR?
  • Automated processing, or
  • Processing that forms part of a filing system
122
What activities are **excluded** from GDPR?
  • Purely personal/domestic use, and
  • Certain law enforcement activities
123
Who does GDPR apply to **outside the EU**?
Organizations offering goods/services to or monitoring **individuals in the EU**.
124
What is a **data controller** under GDPR?
An entity that **determines the purpose and means** of processing personal data.
125
What is a **data processor** under GDPR?
An entity that **processes data on behalf of** a data controller.
126
What are **key consumer rights** under the GDPR?
  • Right to be informed
  • Access
  • Rectification
  • Erasure
  • Restrict processing
  • Data portability
  • Object to processing
  • Right not to be subject to automated decision-making, including profiling

Mnemonic: I always remember every right data owners acquire.
127
What is **ADM** in the GDPR context?
Automated Decision-Making
128
What are **key organizational requirements** under GDPR?
  • Implement PbD
  • Safeguards
  • Notify the supervisory authority of breaches within 72 hrs
  • Data subject consent (where consent is the lawful basis)
  • Maintain a record of processing activities (RoPA)
  • Appoint a Data Protection Officer (DPO) where required
129
What is **RoPA**?
Record of Processing Activities
130
What is a **DPO**?
Data Protection Officer
131
What is a **DPIA**?
Data Protection Impact Assessment
132
When must breaches **be reported** under GDPR?
Within **72 hours** of becoming aware, to the supervisory authority (DPA); affected data subjects must be told **without undue delay** when the breach is likely to result in a high risk to them.
133
What **additional obligations** do orgs have under GDPR?
  • Third-party accountability
  • DPIAs
  • Consultation
  • Compliance proof
  • Training
134
What **actions** can GDPR **regulators** take?
  • Request RoPA
  • Impose bans
  • Require deletion/notifications
  • Suspend transfers
  • Issue fines
135
What are GDPR **penalties**?
Up to **EUR 20 million** or **4% of annual global turnover**, whichever is higher.
136
What is a **cross-border data transfer** under GDPR?
Transmission of personal data to a recipient outside the EU/EEA.
137
What is an **adequacy decision**?
EU decision that a **third country ensures data protection** essentially equivalent to EU law.
138
What **mechanisms** are used to lawfully transfer data when a **third country** is deemed inadequate?
  • SCCs
  • BCRs
  • Appropriate safeguards
  • Codes of conduct
  • Derogations
139
What are **SCCs**?
Standard Contractual Clauses -- **pre-approved terms** for data transfer.
140
What are **BCRs**?
Binding Corporate Rules -- **internal policies** for multinational data transfers.
141
What is a **Data Transfer Impact Assessment** (D/TIA)?
**Evaluation of risks** in transferring data to third countries.
142
**When** was **Brazil's LGPD** passed and **when did it take effect**?
  • Passed August 2018
  • Effective September 2020
143
What are **key consumer rights** under **LGPD**?
  • Confirm processing
  • Access
  • Amend
  • Delete
  • Anonymize
  • Block
  • Portability
  • Withdraw consent
144
What **actions** can LGPD **regulators** take?
  • Request compliance evidence
  • Implement sanctions
  • Enforce fines
145
What is the **maximum LGPD penalty**?
**2%** of Brazilian revenue, up to **50 million reais** per infraction.
146
What is **China's data protection law** called?
Personal Information Protection Law (PIPL)
147
When did the PIPL **take effect**?
November 2021
148
What **sector** does the PIPL primarily impact?
**Private** sector
149
What is a **key difference** between PIPL and GDPR **regarding state access**?
PIPL **does not prevent central government** from accessing data.
150
What are the **penalties** for general PIPL violations?
Up to **RMB 1 million** (~USD $141,000)
151
What are the **penalties for grave** PIPL violations?
Up to **RMB 50 million** (~USD $7 million) **or 5%** of annual revenue.
152
What are examples of **self-regulatory bodies**?
  • Direct Marketing Association (DMA)
  • Network Advertising Initiative (NAI)
153
What is a **trust mark**?
A logo, badge, or symbol on a website indicating a standard has been met.
154
What are **examples** of trust marks?
  • Verisign
  • TrustArc
  • McAfee
  • PayPal
155
What are examples of **codes of conduct**?
  • DMA Guidelines
  • CARU Advertising Guidelines
  • NAI Code
  • EU Code of Conduct
156
What does the **EU Code of Conduct** apply to?
**B2B cloud service providers** acting as processors under GDPR Article 28.
157
What **factors** influence GDPR penalties?
  • Nature
  • Duration
  • History
  • Affected individuals
  • Damage
  • Mitigation
  • Intent
158
What are GDPR **Tier 1 penalties**?
Up to **EUR 20M or 4%** of annual global turnover, whichever is higher (for serious violations).
159
What are GDPR **Tier 2 penalties**?
Up to **EUR 10M or 2%** of annual global turnover, whichever is higher (administrative violations).
160
What are examples of GDPR **non-financial penalties**?
  • Warnings
  • Processing bans
  • Erasure
  • Recertification
161
What was the **2019 Facebook** penalty?
FTC fined Facebook **$5 billion** for violating a 2011 privacy settlement.