Table of Contents

I. Developing a Privacy Program

Section A: Overview of a Privacy Program
1. What is a Privacy Program?
2. Key Privacy Management Concepts and Definitions
   a. Identified and Identifiable Personal Information
   b. Data Subjects, Controllers, and Processors
3. The Role of Accountability and Fair Information Practices
   a. The Accountability Principle
   b. Additional Principles Governing Privacy Management
      i. Organizational Management
      ii. Individual Rights
Section I.A Review

Section B: Implementing a Privacy Program at the Organizational Level
1. Leveraging the Entire Organization
2. Creating a Company Vision
3. Data Governance Models
   a. Centralized Model
   b. Distributed Model (a/k/a Local Model or Decentralized Model)
   c. Hybrid Model
   d. Advantages and Disadvantages
   e. Choosing a Model and the Location for the Privacy Function
4. Defining the Scope of a Privacy Program
   a. Identifying the Personal Information Processed by an Organization
   b. Identifying Applicable Privacy Laws and Regulations
   c. Additional Considerations and Organizational Objectives
5. Developing a Privacy Strategy
   a. Making the Business Case for Privacy and Data Protection
   b. Identifying the Stakeholders
   c. Interfacing With the Organization
   d. Accountability Over the Process
   e. Taking Privacy Out of the Abstract
6. Structuring a Privacy Team
   a. Common Privacy Roles and Titles
   b. Designated Privacy Leaders
   c. Data Protection Officers (“DPO”) and the GDPR
      i. When Must a DPO be Appointed?
      ii. The Role of the DPO
   d. Establishing the Professional Competency of Team Members
Section I.B Review

Knowledge Review #1

II. Privacy Program Framework

Section A: Developing a Privacy Program Framework
1. What is a Privacy Program Framework?
   a. Principles and Standards
   b. Laws, Regulations, and Self-Regulatory Programs
   c. Privacy Program Management Solutions
2. Using Privacy Tech to Manage a Privacy Framework
3. Developing Organizational Privacy Policies, Standards, and Guidelines
   a. The Privacy Policy Life Cycle
   b. Key Components of a Privacy Policy
   c. Rationalizing Privacy Requirements
4. Defining Privacy Program Activities
   a. Education and Awareness
   b. Internal Policy Compliance
   c. Data Inventories, Data Flows, and Data Classification Schema
   d. Risk Assessments
   e. Incident Response Process
   f. Monitoring Regulatory Environment
   g. Internal Audit and Risk Management
Section II.A Review

Section B: Implementing a Privacy Program Framework
1. Introduction
2. Communicating the Privacy Framework to Internal and External Stakeholders
   a. Internal Communication
   b. External Communication
3. Ensure Continuous Alignment With Applicable Laws and Regulations
4. The General Data Protection Regulation
   a. Scope of the GDPR
   b. Data Processing Principles and Lawfulness
   c. Individual Rights
   d. Organizational Obligations
   e. Regulatory Powers
5. Other Global Privacy Laws
6. United States Privacy Laws
   a. Federal Laws
   b. State Data Security Laws
   c. State Data Breach Notification Laws
   d. Comprehensive Privacy Legislation
      i. California Consumer Privacy Act (“CCPA”)
      ii. California Privacy Rights Act (“CPRA”)
      iii. Virginia Consumer Data Protection Act (“VCDPA”)
7. Self-Regulatory Authorities
8. Cross-Border Data Sharing
   a. The Surprise Minimization Rule
   b. International Data Transfers Under the GDPR
      i. Adequacy Decisions
      ii. Appropriate Safeguards
      iii. Derogations
Section II.B Review

Section C: Using Privacy Metrics
1. Introduction
2. Identifying Your Intended Audience
3. Defining Privacy Metrics
   a. Privacy Metric Development Template
   b. Metric Owners
   c. Identifying Collection Points
4. Analyzing Privacy Metrics
   a. Compliance Metrics
   b. Trend Analysis
   c. Privacy Program ROI
   d. Business Resiliency Metrics
   e. Privacy Program Maturity
   f. Resource Utilization
   g. IAPP’s DPO Report Template
Section II.C Review

Knowledge Review #2

III. Privacy Operational Lifecycle

Section A: Assess Your Organization
1. Documenting a Baseline of Privacy Program Activities
2. Data Assessments
   a. Data Inventory
   b. Data Flow Maps
   c. Data Classification
   d. Developing Data Inventories, Maps, and Classification Schema
   e. GDPR Records Processing Requirements
3. Risk Assessments
   a. Privacy Assessments
   b. Privacy Threshold Analysis and Privacy Impact Assessments
   c. Data Protection Impact Assessments
      i. When is a DPIA required?
      ii. What must be included in a DPIA?
      iii. Consultation With Supervisory Authorities
4. Assessing Data Processors and Third-Party Vendors
   a. Choosing a Third-Party Vendor
   b. Vendor Contracts
   c. Cloud Computing Issues and Data Residency
   d. Restrictions on Third-Party Data Sharing
5. Physical Assessments
   a. Physical and Environmental Aspects of Information Security
   b. Bring Your Own Device and Data Loss Prevention
6. Mergers, Acquisitions, and Divestitures
Section III.A Review

Section B: Protect Your Organization
1. Data Lifecycle Governance
   a. The Eleven Elements of DLM Policies
   b. Data Retention and Data Destruction Policies
2. Information Privacy vs. Information Security
   a. Where Privacy and Security Diverge
   b. Where Privacy and Security Overlap
   c. Privacy as a Complement to Information Security
3. Information Security Practices
   a. The CIA Triad
   b. Security Controls
      i. Purpose of Controls: Preventative, Detective, and Corrective
      ii. Types of Controls: Physical, Administrative, and Technical
      iii. Evaluating Security Controls and Privacy Risk
      iv. Access Controls Best Practices
4. Privacy by Design and by Default
   a. The Seven Principles of PbD
   b. PbD and Privacy by Default Under the GDPR
   c. Solove’s Privacy Risks
   d. Privacy Design Strategies
   e. Systems Development Life Cycle and Privacy Engineering
5. Aligning Privacy Policies Across the Organization
   a. The Importance of Alignment
   b. Specific Policies to Align
Section III.B Review

Knowledge Review #3

Section C: Sustain the Privacy Program
1. Monitoring the Privacy Program
2. Auditing the Privacy Program
   a. Types of Audits
   b. The Audit Life Cycle
   c. Attestations and Self-Assessments
3. Communicating Privacy Policies
   a. Training vs. Awareness
   b. Training and Awareness as a Communication Tool
   c. Training and Awareness as a Cost-Saving Mechanism
Section III.C Review

Section D: Respond: Data Subject Requests
1. Introduction
2. Privacy Notices
   a. Legal Consequences of a Privacy Notice
   b. Updating a Privacy Notice
   c. Designing an Effective Privacy Notice
      i. Common Elements
      ii. Layered Notices
      iii. Just-in-Time Notices
      iv. Privacy Dashboards
      v. Privacy Icons and Visualization Tools
      vi. One or Multiple Privacy Notices?
3. Data Subject Consent
   a. Methods of Obtaining Consent
   b. Consent Under the GDPR
      i. Freely Given
      ii. Specific to the Processing
      iii. Informed
      iv. Unambiguous
   c. Obtaining Consent From Children
   d. Responding to a Withdrawal of Consent
4. Handling Data Subject Requests and Complaints
5. Data Subject Rights: The GDPR
   a. Right to be Informed
   b. Right to Access and Information
   c. Right to Rectification
   d. Right to Erasure (“Right to be Forgotten”)
   e. Right to Restrict Processing
   f. Right to Data Portability
   g. Right to Object to Processing
   h. Right Not to Be Subject to Automated Decision-Making and Profiling
6. Data Subject Rights: U.S. Law
7. Additional Data Subject Rights Globally
Section III.D Review

Section E: Respond: Privacy Incidents
1. The Costs of a Privacy Incident
2. Legal Compliance and Defining a "Data Breach"
3. Incident Response Planning
   a. Developing a Plan
   b. Training
   c. Key Roles and Responsibilities
   d. Insurance Coverage
   e. Managing Vendors
4. Incident Detection
5. Incident Handling
   a. Steps in an Incident Response
   b. Leadership Response Team
   c. Investigation of an Incident
      i. Containment and Remediation
      ii. Preserving Privilege
   d. Working With Insurers and Other Contracted Parties
6. Notification and Reporting a Data Breach
   a. Internal Notifications and Progress Reporting
   b. Notifying Affected Individuals
      i. Letter Dropping Campaigns
      ii. Call Center Campaigns
      iii. Remediation Offers
7. Incident Follow-Up
Section III.E Review

Knowledge Review #4

Full Exam #1

Full Exam #2

Key Privacy Management Concepts and Definitions

A privacy program seeks to protect and manage several categories of information. Among them, a privacy program protects trade secrets and other confidential or proprietary information about an organization. Most importantly, however, a privacy program governs an organization’s use of “personal information,” sometimes referred to as “personally identifiable information.”

a. Identified and Identifiable Personal Information

In some jurisdictions, such as the United States, laws may differentiate between information that makes an individual “identified” and information that merely makes a person “identifiable.”

An Identified Individual is one who can be ascertained with certainty—for example, by reference to a unique government-issued identification number.

An Identifiable Individual, on the other hand, is one who can be indirectly identified through a combination of various factors. As the European Union’s General Data Protection Regulation (“GDPR”) defines it, “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”1 Because the identifiable category is the broader of the two, privacy programs typically govern an organization’s use of all “identifiable” personal information, not only data that names a person outright.

b. Data Subjects, Controllers, and Processors

Many key terms related to information processing originated in Europe but have become standard vocabulary throughout the privacy and data security industries. “Processing,” or “data processing,” refers to almost anything that is done with personal information, from collection through storage to deletion. The GDPR, for example, expansively defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”2

Three categories of persons are involved in processing personal information: a data subject, a data controller, and a data processor.

Data Subjects, Data Controllers, and Data Processors

A Data Subject is the individual whose personal information is being processed.3

A Data Controller, on the other hand, is the organization (though it may also be an individual) that decides how personal information is used and processed. As defined by the GDPR, a controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”4 Because the controller makes those decisions, it is typically the party subject to the heaviest regulation under privacy and data security laws.

Lastly, the term Data Processor refers to any organization or person that processes personal data on behalf of a data controller.5 The label attaches to a role in a particular processing activity, not to a type of entity, so one organization may be a data controller for some processing and a data processor for other processing: a payroll vendor, for example, is the controller of its own employees’ data but a processor of the employee data its customers send it. The term also covers every subsequent processor down a chain of outsourcing (commonly called a sub-processor). Note, however, that a controller does not become a processor by processing data itself: if a data controller analyzes certain data in-house and also contracts with a third party to conduct further analysis on that data, the controller remains the controller and only the third party is a processor.

The main difference between a data controller and a data processor is who has ultimate authority over the data. A data processor is not permitted to do any processing beyond what the data controller permits or beyond what the data controller itself could do with that information. Even though a data controller is the party that has ultimate authority about how data is processed, both data controllers and data processors implement their own separate privacy programs.

Privacy professionals should bear in mind that the terms described above are general terms and definitions. Numerous laws use different names for the same concepts. In the United States, for example, the processor role is called a “business associate” under the Health Insurance Portability and Accountability Act (“HIPAA”)6 and a “service provider” under the Gramm-Leach-Bliley Act.7

Key Points
  • A privacy program protects personal information, as well as trade secrets and other confidential information
  • Identified individuals can be ascertained with certainty, while identifiable individuals can be indirectly identified through a combination of factors
  • Data Processing: Effectively anything that is done with personal information, including collection, storage, use, disclosure, transmission, and destruction
  • Data Subject: The person whose data is being processed
  • Data Controller: The organization (or individual) that determines the purposes and means of processing
  • Data Processor: The organization that processes information on behalf of the data controller, including sub-processors further down an outsourcing chain; it may process only what the data controller permits


1. GDPR, OJ 2016 L 119/1, Art. 4(1).

2. GDPR, OJ 2016 L 119/1, Art. 4(2).

3. GDPR, OJ 2016 L 119/1, Art. 4(1) (defining “data subject” as a “an identified or identifiable natural person”).

4. GDPR, OJ 2016 L 119/1, Art. 4(7).

5. GDPR, OJ 2016 L 119/1, Art. 4(8).

6. 45 C.F.R. § 160.103.

7. 12 C.F.R. § 1024.31.