Privacy Program Management: Chapter 2 Frameworks and Governance

Question 1

Vision and Mission

Answer 1

Align with orgs broader purpose

Question 2

Privacy mission statement

Answer 2

describes the purpose and ideas in just a few sentences
should take less than 30 seconds to read

Question 3

Privacy program scope

Answer 3

1. Identify personal info collected and processed (Article 30)
2. identify applicable privacy and data protection laws and regulations

Question 4

Privacy Strategy Value

Answer 4

Org approach to communicating and supporting the privacy program

Management growing awareness of the importance of protecting personal data

Question 5

Privacy Program Governance

Answer 5

1. identify stakeholders and partners
2. Establish an executive privacy team, sponsor
3. develop best practices
4. conduct privacy workshops for stakeholders
5. Keep a record of ownership, discussions

Question 6

Goals of a Privacy Framework

Answer 6

• Help achieve compliance with laws
• Serve as a competitive advantage
• Support business commitment and objectives

Question 7

Common Privacy Frameworks

Answer 7

• Fair Information Practices: provide basic privacy principles (rights, controls, life cycle, management)
• Org for Economic Co-operation and Development (IECD) Guidelines: basis for GDPR, most widely accepted
• AICPA, CICA, GAPP
• NIST Privacy Framework: Core, Profile, Tiers
• PbD: proactive, default, embedded in design, full functionality (positive sum), end-to-end security, visibility / transparency, respect for user privacy

Question 8

Privacy team structures

Answer 8

Centralized
Local / Decentralized
Hybrid

Question 9

Org roles for privacy

Answer 9

CPO: corporate leader for strategy
Privacy Director / Manager: implement strategy
Privacy analyst: entry level, tactical
Bus Line Leader: senior management
Privacy Legal Counsel: legal experts
First Responders: support specific processes
DPO: required by Article 37
Privacy Engineer: technical implementation
Privacy Technologist: audit, risk, compliance

Question 10

Rationalize

Answer 10

Implement a solution that materially addresses wide range of privacy requirements

Question 11

AICPA/CICA (GAPP) Principals

Answer 11

1. Management of privacy
2. Notice provided about privacy policies
3. Choice and consent
4. Collection only for purposes disclosed
5. Use, retention, and disposal
6. Access provided to data subjects for review and collection
7. Disclosure to Third-parties only within purpose
8. Security for Privacy
9. Quality of data is ensured
10. Monitoring and Enforcement

Question 12

GDPR Article 37

Answer 12

DPO must be appointed, expert in privacy

Question 13

GDPR Article 38

Answer 13

DPO must report to the highest levels of the org

Question 14

GDPR Article 39

Answer 14

Activities shall include:
- monitoring companies compliance with GDPR
- provide advice during DPIAs
- cooperate with supervisory authorities