CIPM

Key Privacy Management Concepts and Definitions

A privacy program seeks to protect and manage multiple categories of information. Among other pieces of data, a privacy program seeks to protect trade secrets and other confidential or proprietary information about an organization. Most importantly, however, a privacy program governs an organization’s use of “personal information,” sometimes referred to as “personally identifiable information.”

a. Identified and Identifiable Personal Information

In some jurisdictions, such as the United States, laws may distinguish information that makes an individual “identified” from information that makes a person merely “identifiable.”

An Identified Individual is one who can be ascertained with certainty—for example, by reference to a unique government-issued identification number.

An Identifiable Individual, on the other hand, is one who can be indirectly identified through a combination of various factors. As the European Union’s General Data Protection Regulation (“GDPR”) defines it, “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”[1] Typically, privacy programs govern an organization’s use of all “identifiable” personal information.

b. Data Subjects, Controllers, and Processors

Many key terms related to information processing originated in Europe but have become standard terms used throughout the privacy and data security industries. “Processing,” or “data processing,” refers to almost anything that is done with personal information—everything from collection to storage to deletion. The GDPR, for example, expansively defines data processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”[2]

Three categories of persons are involved in processing personal information: a data subject, a data controller, and a data processor.

Data Subjects, Data Controllers, and Data Processors

A Data Subject is the individual whose personal information is being processed.[3]

A Data Controller, on the other hand, is the organization (or, in some cases, an individual) that decides how personal information is utilized and processed. As defined by the GDPR, a controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”[4] The organization that is the data controller is typically subject to the most regulation under privacy and data security laws.

Lastly, the term Data Processor refers to any organization or person that processes data on behalf of a data controller.[5] Under this definition, one organization may be both a data controller and a data processor. Likewise, the term also covers any subsequent data processor down a chain of outsourcing. Accordingly, if a data controller processes certain types of data itself but also contracts with a third party to conduct further analysis on that data, both parties would be considered data processors.

The main difference between a data controller and a data processor is who has ultimate authority over the data. A data processor is not permitted to do any processing beyond what the data controller permits or beyond what the data controller itself could do with that information. Even though the data controller is the party with ultimate authority over how data is processed, data controllers and data processors each implement their own separate privacy programs.

Privacy professionals should bear in mind that the terms described above are only general terms and definitions. Numerous laws use different names for these same concepts. In the United States, for example, a data processor is referred to as a “business associate” under the Health Insurance Portability and Accountability Act (“HIPAA”)[6] and as a “service provider” under the Gramm-Leach-Bliley Act.[7]

Key Points
  • A privacy program protects personal information, as well as trade secrets and other confidential information
  • Identified individuals can be ascertained with certainty, while identifiable individuals can be indirectly identified through a combination of factors
  • Data Processing: Effectively anything that is done with personal information, including collection, storage, use, disclosure, transmission, and destruction
  • Data Subject: The person whose data is being processed
  • Data Controller: The organization that decides how information is processed
  • Data Processor: The organization that processes information on behalf of the data controller; is limited in what it can do with the data by the data controller

Sources

1. GDPR, OJ 2016 L 119/1, Art. 4(1).

2. GDPR, OJ 2016 L 119/1, Art. 4(2).

3. GDPR, OJ 2016 L 119/1, Art. 4(1) (defining “data subject” as “an identified or identifiable natural person”).

4. GDPR, OJ 2016 L 119/1, Art. 4(7).

5. GDPR, OJ 2016 L 119/1, Art. 4(8).

6. 45 C.F.R. § 160.103.

7. 12 C.F.R. § 1024.31.
