CIPM Study Guide
Basic security principles for role-based access controls (RBAC) include the following:
Segregation of duties; Least privilege; Need-to-know access
Sample training and awareness metrics include:
Number of training or awareness opportunities by topic; Number of individuals who enrolled or received awareness communication; Training method (e.g., live, online, poster, road shows); Percent of training completed; Results of quizzes or knowledge tests; Changes to the number of privacy incident reports or requests for consultation or additional training
Controls are divided into the following categories:
Preventative controls; Detective controls; Corrective controls
Another part of containment is fixing the vulnerabilities that allowed the bad actor to access the systems in the first place. After ensuring any breach is contained, begin analyzing vulnerabilities and addressing third parties that might have been involved. Where appropriate, it may be necessary to share learnings, but this should be done in conjunction with legal steps. Factors to consider include:
Service Providers: Were they involved? Is there a need to change access privileges? What steps do they need to take to prevent future breaches? How can you verify they have taken these steps? Network segmentation: Ensure your segmentation plan was effective in containing the breach.
Scope of privacy programs:
Sectoral Laws (United States); Comprehensive Laws (EU member states, Canada); Co-Regulatory Model (Australia); Self-Regulated Model (United States, Japan, Singapore)
It can be helpful to think about breach response tasks in broad categories:
Secure operations, notify appropriate parties, and fix vulnerabilities. While these groupings help keep you organized, they are not necessarily meant to be used as a checklist, as many steps will happen concurrently.
Under the HITECH Act, which amended the HIPAA privacy and security rules, the maximum penalty for breach of protected health information per year is:
$1.5 million
Examples of entities in U.S. that are subject to privacy laws and standards:
"Financial institutions," as defined by the GLBA, are subject to GLBA. "Covered entities," such as healthcare providers and health plans, are subject to HIPAA. Websites collecting information from children under 13 are required to comply with the FTC's COPPA. A merchant of any size that handles cardholder information for debit, credit, prepaid, e-purse, and ATM and point of sale (POS) cards must follow the Payment Card Industry Data Security Standard (PCI DSS), which is a global standard.
Information security uses controls to manage risk. ISACA defines controls as:
"The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature."
Audit Lifecycle
->Plan->Prepare->Audit->Report->Follow-Up->
PMM uses five maturity levels:
1. Ad Hoc -> 2. Repeatable -> 3. Defined -> 4. Managed -> 5. Optimized
Information security is the protection of information for the purpose of preventing loss, unauthorized access, or misuse. Information security requires ongoing assessments of threats and risks to information and of the procedures and controls to preserve the information, consistent with three key attributes:
1. Confidentiality: access to data is limited to authorized parties 2. Integrity: assurance that the data is authentic and complete 3. Availability: knowledge that the data is accessible, as needed, by those who are authorized to use it
The nine exemptions to information that may be requested under FOIA:
1. Information that is classified to protect national security 2. Information related solely to the internal personnel rules and practices of an agency 3. Information that is prohibited from disclosure by another federal law 4. Trade secrets or commercial or financial information that is confidential or privileged 5. Privileged communications within or between agencies 6. Information that, if disclosed, would invade another individual's personal privacy 7. Information compiled for various law enforcement purposes 8. Information that concerns the supervision of financial institutions 9. Geological information on wells
Three reasons why there is not a complete overlap between privacy and information security:
1. Privacy has a wider set of obligations and responsibilities than information security, such as collection limitation, openness, relevancy, and use limitation. 2. Confidentiality. Because personal information is not always nonpublic (consider the phone book), the notion of confidentiality does not apply. Also, in a resource-constrained world, if the data is not considered confidential, it is not always valued and the necessary measures to ensure authorized access and use will be overlooked. 3. While information security techniques can be privacy-enabling technologies (PETs) (which means they are tools that enable privacy) and are often necessary, these PETs can also become "feral" if applied incorrectly (i.e., in an invasive manner). This is why you can have security without privacy, but you cannot have privacy without security.
Privacy by Design consists of seven foundational principles:
1. Proactive, not reactive; Preventative, not remedial. 2. Privacy as the default. 3. Privacy embedded into design. 4. Full functionality - positive-sum, not zero-sum. 5. End-to-end security - full lifecycle protection. 6. Visibility and transparency. 7. Respect for user privacy.
Congress has provided special protection for information requests for three categories of law enforcement and national security records:
1. Protects the existence of an ongoing criminal law enforcement investigation when the subject of the investigation is unaware that it is pending and disclosure could reasonably be expected to interfere with enforcement proceedings 2. Limited to criminal enforcement agencies and protects the existence of informant records when the informant's status has not been officially confirmed 3. Limited to the FBI and protects the existence of foreign intelligence or counterintelligence, or international terrorism records when the existence of such records is classified
CNIL's PIA method is composed of three guides:
1. The method explains how to carry out a PIA 2. The models help to formalize a PIA by detailing how to handle the different sections introduced in the method 3. The knowledge base is a code of practice that lists measures to be used to treat the risks
Centralized governance:
A common model that fits well in organizations used to utilizing single-channel functions (where the direction flows from a single source) with planning and decision making completed by one group or individual. Offers streamlined processes and procedures that allow efficiency, but lower-level individual employees or groups cannot make their own decisions and must seek approval from a higher level.
Data Protection Impact Assessments (DPIAs):
A DPIA describes a process designed to identify risks arising out of the processing of personal data and to minimize these risks as much and as early as possible. DPIAs are important tools for negating risk and for demonstrating compliance with the GDPR. DPIAs are required only when an organization is subject to the GDPR and although the term PIA is often used in other contexts to refer to the same concept, a DPIA has specific triggers and requirements under the GDPR.
When faced with a potential security incident, there is often a temptation to call the situation:
A data breach. However, that term is a legal one, defined in different ways under various laws around the globe. Until a lawyer has made a determination that a fact pattern meets the legal definition, corporations should refer to a security incident as just that, an incident or a potential incident.
The GDPR sets out the minimum features of a DPIA:
A description of the processing, including its purpose and the legitimate interest being pursued. The necessity of the processing, its proportionality, and the risks that it poses to data subjects. Measures to address the risks identified.
Transparency with Privacy Notices:
A privacy notice is an external statement directed to current or potential customers or users. Provided when an organization collects information from a data subject, it is a tool used to describe the organization's privacy practices. A privacy notice can help an organization comply with applicable laws, but it does not provide blanket protection from privacy-related litigation. A privacy notice should be considered a promise the organization makes to data subjects. If the organization breaks those promises, it may face regulatory action or litigation.
Privacy Policy vs. Privacy Notice:
A privacy policy is an internal document addressed to employees and data users. This document clearly states how personal information will be handled, stored, and transmitted to meet organizational needs as well as any laws and regulations. It will define all aspects of data privacy for the organization, including how the privacy notice will be formed, if necessary, and what it will contain. A privacy notice is an external communication to individuals, customers, or data subjects that describes how the organization collects, uses, shares, retains, and discloses its personal information based on the organization's privacy policy.
Should a company face litigation exposure, reputational liability, and potential regulatory scrutiny, factors that will be considered include:
A purported obligation to prevent unauthorized access to or use of the data; If the company satisfied an applicable industry standard of care; Whether there were damages or injury, and if the organization's conduct (or lack thereof) was the proximate cause of the damages
International Organization for Standardization 29134:
A set of guidelines for the process of running a PIA and the structure of the resulting report. It is not a standard for PIAs, unlike, say, a standard for information security.
Tabletop exercise:
A structured readiness-testing activity that simulates an emergency situation (such as a data breach) in an informal, stress-free setting. Participants, usually key stakeholders, decision makers, and their alternates, gather around a table to discuss roles, responsibilities, and procedures in the context of an emergency scenario.
Attestation:
A tool for ensuring functions outside the privacy team are held accountable for privacy-related responsibilities.
Just-in-time notice:
A type of layered approach provided immediately before the data is collected - for instance, when a mobile application asks to track your location. More information is typically available by clicking a link or hovering over the notice.
Metric:
A unit of measurement that should be as objective as possible. Metrics can provide data that helps to answer specific questions. As a basic rule, a metric must add value by accurately reflecting the state of business objectives and goals. The same logic applies to privacy programs and operations: An objective can be broad-based, but a goal should be structured in a way that is measurable.
The Privacy Maturity Model (PMM):
A well-established model that sets out maturity levels for privacy programs and operations. Maturity is a useful metric because it focuses on a scale as opposed to an endpoint. For example, acceptable data privacy protections may be in place without being the "most mature."
Concepts needing to be understood by a CIPM:
Accountability; Beyond Law and Compliance; Why Does an Organization Need a Privacy Program?; Privacy Across the Organization; Awareness, Alignment, and Involvement
Additionally, information security includes the concepts of:
Accountability and assurance. Accountability - entity ownership is traceable; Assurance - all other four objectives are met
Accountability:
Accountable organizations have the proper policies and procedures to promote proper handling of personal information and, generally, can demonstrate they have the capacity to comply with applicable privacy laws. They promote trust and confidence and make all parties aware of the importance of proper handling of personal information. The idea is that, when organizations collect and process information about people, they must be responsible for it. They need to take ownership and take care of it throughout the data lifecycle. By doing so, the organization can be held accountable. Accountability as defined by laws can actually benefit organizations because, although it may impose obligations to take ownership and to explain how the organization is compliant, in exchange, it can give organizations a degree of flexibility about exactly how they will comply with their obligations.
Enterprise program management services require buy-in from the privacy office, IT, and C-suite. Services include:
Activity monitoring; Data discovery; De-identification/pseudonymization; Enterprise communications.
Options for transferring data outside of the EU:
Adequacy decisions regarding appropriate safeguards, such as binding corporate rules (BCRs), standard contract clauses (SCCs), codes of conduct or certification mechanisms, and ad hoc contractual clauses authorized by supervisory authorities
Comprehensive privacy policies must:
Align with supporting documents, including additional policies that respond to the needs and intent of the organization to fix an issue, serve a specific purpose, or meet a specific goal. Higher-level policies and procedures include items such as security configurations and responsibilities, while examples of those that address issues include behavior modification, proper usage of organization property, newer technology threats, social media use, email use, and internet use. Documents addressing these issues should be reviewed and updated regularly.
Hybrid governance:
Allows for a combination of centralized and local governance. This is most typically seen when a large organization assigns a main individual (or department) responsibility for privacy-related affairs and for issuing policies and directives to the rest of the organization. The local entities then fulfill and support the policies and directives from the central governing body.
Failure to carry out a DPIA when the processing is subject to a DPIA, carrying out a DPIA in an incorrect way, or failing to consult the competent supervisory authority where required can result in:
An administrative fine of up to €10 thousand, or in the case of an undertaking, up to 2 percent of the total worldwide annual revenue of the preceding financial year, whichever is higher.
Under the GDPR, electronic consent requires:
An affirmative act from the individual establishing a freely given, specific, informed, and unambiguous indication of the individual's agreement to the processing. A pre-ticked box is not sufficient to imply consent; according to the WP29, a clear action, such as swiping a bar on a screen, waving in front of a smart camera or turning a smartphone around may be sufficient.
Privacy Impact Assessment:
An analysis of the privacy risks associated with processing personal information in relation to a project, product, or service. To be an effective tool, a PIA also should suggest or provide remedial actions or mitigations necessary to avoid, reduce, or minimize those risks.
What is a privacy impact assessment?
An analysis of the privacy risks associated with processing personal information in relation to a project, product, or service. To be an effective tool, a PIA also should suggest or provide remedial actions or mitigations necessary to avoid, reduce, or minimize those risks. Requirements regarding PIAs emanate from industry codes, organizational policy, laws, regulations, and supervisory authorities. When an organization collects, stores, or uses personal data, the individuals whose data is being processed are exposed to risks. These risks range from personal data being stolen or inadvertently released and used by criminals to impersonate the individual, to causing individuals to worry that their data will be used by the organization for unknown purposes.
Privacy engineering:
An emerging discipline within, at least, the software or information systems domain, that aims to provide methodologies, tools, and techniques such that the engineered systems ensure acceptable levels of privacy. Privacy engineering is a concept for which PbD is a facilitator. It provides valuable design guidelines that privacy engineers should follow. In turn, privacy engineering adds to and extends PbD. It provides a methodology and technical tools based on industry guidelines and best practices, including the Unified Modeling Language.
Difference between a security incident and a data breach:
An incident is a situation in which the confidentiality, integrity, or availability of personal information may potentially be compromised. For a data breach to exist, typically there must be some sort of unauthorized access or acquisition of the information, although the definition of a "breach" varies. If a breach exists, impacted individuals and, in many cases, regulatory authorities must be notified.
The European Telecommunications Standards Institute (ETSI):
An independent, not-for-profit standardization organization in the telecommunications industry that produces globally applicable standards for information and communications technologies, including fixed, mobile, radio, converged, broadcast, and internet technologies.
Return on Investment (ROI):
An indicator used to measure the financial gain or loss of a project or program in relation to its cost. ROI analysis provides the quantitative measurement of benefits and costs, strengths and weaknesses of the organization's privacy controls. There are two considerations in developing the metric. First, the ROI of a given function must be related to the reason for implementing that function. Second, the value of the asset must be defined.
Since metrics continue to change as the business objectives and goals evolve:
An individual should be assigned to both champion and own the metric. A metric owner must be able to evangelize the purpose and intent of that metric to the organization. As a best practice, it is highly recommended that a person with privacy knowledge, training, and experience perform this role to limit possible errors in interpretation of privacy-related laws, regulations, and practices. It is not necessary that the metric owner be responsible for data collection or measurement.
Cyclical component:
Analysis that shows data over a time period, focused on regular fluctuations. For example, when measuring the number of privacy breaches in the month after an organization rolls out new privacy training, this analysis focuses on explaining any changes in the number reported as the distance from training increases.
Data retention and destruction policies should support the idea that personal information should be retained:
Only for as long as necessary to perform its stated purpose.
External awareness is more directed towards:
Building confidence through brand marketing. The challenge is to meet the reasonable expectations of consumers and regulators and provide proof of compliance if challenged; otherwise, state agencies or the FTC may seek civil penalties against your company for misleading its consumers.
The privacy questions most frameworks answer primarily include:
Are privacy and the organization's privacy risks properly defined and identified in the organization? Has the organization assigned responsibility and accountability for managing a privacy program? Does the organization understand any gaps in privacy management? Does the organization monitor privacy management? Are employees properly trained? Does the organization follow industry best practices for data inventories, risk assessments, and privacy impact assessments (PIAs)? Does the organization have an incident response plan? Does the organization communicate privacy-related matters and update that material as needed? Does the organization use a common language to address and manage cybersecurity risk based on business and organizational needs?
When investigating an incident, a company will want to make sure that its investigation and related communications and work product:
Are protected by attorney-client privilege, which protects any communication between a lawyer and their client made for the purpose of giving or obtaining legal advice. The attorney work product doctrine protects documents or analyses made by a lawyer or at the direction of a lawyer in anticipation of litigation. A company should involve its attorneys as soon as it discovers a breach has occurred and ensure that the attorneys are directing the investigation for the purpose of legal advice or in anticipation of litigation. (CC'ing an attorney on an email is not enough to create privilege.) It is better to have the process directed by outside counsel than by inside counsel, because courts have in some instances ruled that there was no privilege where inside counsel appeared to be acting in a business rather than a legal capacity.
What provisions of EU law articulate what is meant by data protection by design and default from an EU perspective?
Article 25 from Chapter IV of the EU GDPR and Recital 78
Designation of a Data Protection Officer is required under:
Article 37 of the GDPR. A DPO is an individual accountable for an organization's privacy compliance. Canada's PIPEDA and South Korea's Data Protection Act also have similar requirements.
Steps for a successful communication and awareness campaign include:
Assessing the organization's education and awareness initiatives; Sustaining communication via awareness and targeted employee, management, and contractor training; Partnering with HR or training functions, or an organization change management expert; Using badges and slogans; Repeating training over a predetermined period (e.g., annually, biannually); Using microlearning or blended learning; Inserting privacy messaging into other department trainings; Going to road shows and staff meetings; Tracking participation and comprehension
Privacy tech vendors in the category of privacy program management typically work directly with the privacy office. Vendors may manage:
Assessment; Consent; Data mapping; Incident response; Privacy information; Website scanning/cookie compliance.
Several best practices when developing internal partnerships include:
Become aware of how others treat and view personal information. Understand their use of the data in a business context. Assist with building privacy requirements into their ongoing projects to help reduce risk. Offer to help staff meet their objectives while offering solutions to reduce risk of personal information exposure. Invite staff to be a part of the privacy advocate group to further privacy best practices.
The qualities of the PbD paradigm include:
Being proactive; Embedded privacy controls; Demonstrating respect for users.
A layered approach to privacy notices provides a high-level summary of the various sections of the privacy notice and allows the users to read more about that section by clicking a link to that section or scrolling below. Such an approach has been endorsed by:
Both the FTC and the EU's Article 29 Working Party (WP29), now the European Data Protection Board (EDPB)
To help operations run smoothly in a time of crisis, such as during an incident response, many companies depend on a:
Business Continuity Plan (BCP). The plan is typically drafted and maintained by key stakeholders and spells out departmental responsibilities and actions teams must take before, during, and after an event. To ensure proper execution of the BCP, all planning and response teams should know which stakeholder is responsible for overseeing the plan and who, within a specific job function, will lead them during an event.
Examples of departments that should be involved in incident response planning include:
Business development (BD); Communications and PR; Union leadership; Finance; President, chief executive officer (CEO); Board of directors
How can you discover where personal data resides?
By conducting a data inventory and mapping data flows. The data inventory, also known as a data map, provides answers to these questions by identifying the data as it moves across various systems, and thus indicating how it is shared and organized and where it is located. That data is then categorized by subject area, which identifies inconsistent data versions, enabling identification and mitigation of data disparities, which in turn serves to identify the most and least valuable data and reveal how it is accessed, used, and stored.
Article 37 of the GDPR establishes the specific criteria triggering the requirements for an organization to designate a DPO. Subject to some exceptions, designation of a DPO is required:
By public authorities or bodies; where the organization's "core" activities consist of processing operations that require "regular and systematic monitoring of data subjects on a large scale"; where the organization's "core" activities consist of processing "special" categories of data on a large scale.
Laws, Regulations, and Programs concerning Privacy Frameworks:
Canadian PIPEDA; GDPR; EU-U.S. Privacy Shield (now invalidated); Local data protection authorities, such as France's Commission de l'informatique et des libertés (CNIL)
Once the initial chaos of a breach has subsided, the affected organization should:
Carefully evaluate its incident response plan. Among the most beneficial questions to answer about the response are: Which parts of the process clearly worked as intended? Which worked only after some modification? Which did not work at all? What did the team do exceptionally well? What didn't go well? Were any unforeseen complications encountered? How could they have been avoided? How well was the team prepared for the unexpected? How realistic were the plan's response timelines? What was the difference between actual and budgeted costs? Was the team successfully staffed? Were all relevant parties part of the team? What could be learned and what be improved upon for the next potential breach?
Privacy governance models include:
Centralized, local, and hybrid versions, but are not limited to only these options. Governance models and the choice of the correct model objectives should ensure information is controlled and distributed to the right decision makers. Since decision making must be based on accurate and up-to-date management data, the allocation and design of the governance model will foster intelligent and more accurate decisions.
Training and awareness must have the intention of:
Changing bad behaviors and reinforcing good ones that are integral to the success of the privacy program.
Education efforts may be recorded in employee records and include formal and informal methods such as:
Classroom training; Online learning through streaming, videos, and websites; Poster campaigns; Booklets; Workshops
Different types of monitoring for different business purposes:
Compliance - detecting and correcting violations, supporting enforcement actions, and evaluating progress; Regulation - constantly changing laws, regulations, and requirements; Environment - vulnerabilities, such as physical concerns, programmatic concerns, and insider threats
Ensuring the privacy program aligns with business initiatives is very important. Business units must know and understand the goals and objectives of the privacy program and be part of the solution:
Compliance should be the baseline. Privacy by design, plus strategizing with business colleagues, will further the organization's goals and help strike a balance. Compliance creates an opportunity to simultaneously re-evaluate and improve data management practices, such as data inventory and data access controls. Compliance should be achieved with the least amount of business disruption, as business disruption is another form of penalty that should be considered in addition to potential fines for noncompliance.
What steps should be taken in building a coalition of supporters for privacy as a business imperative?
Conduct informal one-on-one conversations with executives within the organization who have accountability for information management and/or security, risk, compliance, or legal decisions. Sense which executive will serve as the program sponsor, or "champion" for the privacy program (the champion acts as an advocate and sponsor to further foster privacy as a core organization concept), or whether an executive is even necessary.
Overlaps and differences of Information Security and Privacy:
Overlap (Confidential Information that is Personal): Accuracy/Integrity; Authorized Access; Accountability; Access/Accountability. Only in Information Security: Confidential Information. Only in Privacy: Personal Information.
Various motivators driving businesses to be more responsible with an individual's personal data besides law and compliance:
Consumer trust (both business-to-consumer and business-to-business); Company's branding
Data subject rights under the FTC-created National Do Not Call (DNC) Registry as a part of revisions to its Telemarketing Sales Rule (TSR): Note: the FCC also enforces the DNC Registry and adopted its own do-not-call rule, effectively plugging gaps in the FTC's jurisdiction and applying the registry to all telemarketing of goods or services.
Consumers may file a complaint with the FCC if they believe they have received an illegal call or text. Consumers can sign up without charge for the DNC Registry in order to stop unwanted commercial solicitation calls. The FTC enforces the DNC Registry by taking legal action against companies and telemarketers who violate the applicable laws and rules.
Immediately following the decision to notify affected parties, tactical portions of the incident response plan begin to unfold. Companies dealing with an incident may find themselves balancing two possibly conflicting issues:
Containment and legal exposures. An incident response process will need to balance these objectives.
A list of tips to help manage expectations and communicate with executives: (2 of 2)
Convene with individual stakeholders to discuss lawsuits, media inquiries, regulatory concerns, and other pressing developments; Keep individual response-team members on track to meet their performance objectives and timelines; Track budget adherence for all response activities; Contact outside incident response resources to confirm engagement and monitor performance; Prepare a final analysis of the response effort and lead the post-event evaluation
GRC tools are generally used to:
Create and distribute policies and controls and map them to regulations and internal compliance requirements. Assess whether the controls are in place and working, and fix them if they are not. Ease risk assessment and management.
If a breach event has occurred but does not affect employees directly, the following activities may help supplement the internal announcement process:
Creation, approval, and posting of employee-only FAQs; Response training for HR personnel and call center staff; Creation, approval, and distribution of explanatory letter, email, or intranet communications
Data subject rights under the Federal Credit Reporting Act (FCRA):
Consumers can obtain access to all the information a consumer reporting agency has on file about them. Such information is usually compiled into a credit report and must be provided to consumers free of charge once a year. Consumers can correct or delete any incorrect information that may be contained in their files by notifying the credit reporting agency. If inaccurate information is discovered in the consumer file, the credit reporting agency must examine the disputed information, usually within 30 days of notification. Consumers have the right to request removal of outdated negative information such as civil suits, judgments, and liens from their consumer reports 7 years after the statute of limitations has expired, while bankruptcies may be removed from credit reports after 10 years. Consumers have several notification rights under FCRA, including the right to be notified of adverse actions taken against them based on information contained in their credit reports. If a financial institution submits or plans to submit negative information to a credit reporting agency, the financial institution must provide a notice to the consumer prior to furnishing such negative information.
There are two central concepts of choice:
Data subjects can either give their consent to processing by opting in, or withhold or revoke such consent by opting out.
After establishing a privacy mission statement and vision, you'll need to:
Define the scope of the privacy program. Every organization has its own unique legal and regulatory compliance obligations, and you'll need to identify the specific privacy and data protection laws and regulations that apply to it.
Once you've determined which laws apply, you must:
Design a manageable approach to operationalizing the controls needed to handle and protect personal information (Develop and Implement a Framework). Using an appropriate privacy framework to build an effective privacy program can: help achieve material compliance with the various privacy laws and regulations in-scope for your organization; serve as a competitive advantage by reflecting the value the organization places on the protection of personal information, thereby engendering trust; and support business commitment and objectives to stakeholders, customers, partners, and vendors.
California's "Online Eraser" Law:
Designed to protect individuals under the age of 18, the law requires operators of websites, online services, online applications, and mobile applications to permit minors who are registered users of services to request and remove content a minor may have posted on the operator's website or application. Subject to certain exceptions that limit its effectiveness in application.
Actions an organization can take to develop a data retention policy include:
Determine what data is currently being retained, how, and where; Work with legal to determine applicable legal data retention requirements; Brainstorm scenarios that would require data retention; Estimate business impacts of retaining versus destroying the data; Work with IT to develop and implement a policy
After a breach is made known, which task should a company accomplish first: coordinate with other affected companies to limit the damage, or determine whether notification is legally required?
Determine whether notification is legally required. Notification is the process of informing affected individuals that their personal data has been breached. Many statutes prescribe specific time frames for providing notification - to impacted individuals, to relevant regulators, or to both. The legal requirements change regularly. For planning purposes, however, it is enough to know that when investigating an incident, time is of the essence. Timing is even more critical once the incident has been confirmed to be a breach. An organization's privacy professionals, and those charged with incident response planning and notification, should be intimately familiar with the prevailing notification requirements and guidelines and should work with qualified legal counsel to assist in making the legal determinations about the need to give notice.
You need a master plan or roadmap to guide your choices in developing and refining a privacy program. What is the best action to take?
Develop an overarching privacy program framework. Implementing and managing a program that addresses the various rights and obligations of each privacy regulation on a one-off basis is a nearly impossible task. Instead, using an appropriate privacy framework to build an effective privacy program can: (a) help achieve material compliance with the various privacy laws and regulations in-scope for your organization; (b) serve as a competitive advantage by reflecting the value the organization places on the protection of personal information, thereby generating trust; and (c) support business commitment and objectives to stakeholders, customers, partners, and vendors.
The privacy team, along with all relevant departments, can take the following operational actions to ensure ongoing awareness:
Develop and use internal and external communication plans to ingrain operational accountability; Communicate information about the organization's privacy program; Ensure policy flexibility for incorporating changes to compliance requirements from laws, regulations, and standards; Identify, catalog, and maintain all documented requirements and updates as privacy requirements change
What step can best help you to identify the specific needs and objectives of a company regarding privacy protection? Enlistment of a privacy champion familiar with the organization. Review of privacy laws and standards. Development of the business case. Physical audit of the facility.
Development of the business case. Part of developing a business case includes creating a privacy committee. Many organizations create a privacy committee or council composed of the stakeholders (or representatives of functions) that were identified at the start of the privacy program implementation process. These individuals and functions will launch the privacy program, and their expertise and involvement will continue to be tapped as remediation needs - some of which may sit within their areas of responsibility - are identified. They will be instrumental in making strategic decisions and driving them through their own department.
For complaints, internal procedures should define and enable mechanisms for:
Differentiating between sources and types of complaints; Designating proper recipients; Implementing a centralized intake process; Tracking the process; Reporting and documenting resolutions; Redressing
When conducting a baseline assessment of your privacy program, you should:
Document areas of remediation that are currently in process. It may be tempting to avoid creating a record of where there are deficiencies in existing programs, especially if those deficiencies are being addressed. However, if you fail to document deficiencies, you create an assessment based on hypotheticals that may not prove true over time and will not provide a true baseline. In addition, if ongoing remediations are not included, the new privacy program will appear to have more deficiencies than actually exist and may result in resources being diverted to solve problems that are already being resolved.
All the following are factors in determining whether an organization can craft a common solution to the privacy requirements of multiple jurisdictions EXCEPT: Effective date of most restrictive law. Implementation Complexity. Legal regulations. Costs.
Effective date of most restrictive law. Building a privacy strategy may mean changing the mindset and perspective of an entire organization. Everyone in an organization has a role to play in protecting the personal information an organization collects, uses, and discloses. Management needs to approve funding to resource and equip the privacy team, fund important privacy-enhancing resources and technologies, support privacy initiatives such as training and awareness, and hold employees accountable for following privacy policies and procedures. Sales personnel must secure business contact data and respect the choices of these individuals. Developers and engineers must incorporate effective security controls, build safe websites, and create solutions that require the collection or use of only the data necessary to accomplish the purpose.
HR privacy concerns can be addressed through several types of HR policies. These policies may address the following privacy concerns:
Employee communications, including employee browser histories, contact lists, phone recordings, and geolocations; Employee hiring and review, including performance evaluations, background checks, and the handling of resumes; Employee financial information, such as bank account information, benefits information, and salary
If appropriate safeguards are not instituted and enforced, what is typically the most common cause of data breaches, data loss, and data misappropriation?
Employees and data users (from article by Ronald Breaux and Sam Jo)
The Asia-Pacific Economic Cooperation (APEC) Privacy Framework:
Enables Asia-Pacific data transfers to benefit consumers, businesses, and governments.
The need for a privacy program may include any one or more of the following:
Enhance the company's brand and public trust. Meet regulatory compliance obligations. Enable global operations and entry into new markets. Reduce the risk of data breach. Increase revenues from cross-selling and direct marketing. Comply with the GDPR. Provide a competitive differentiator. Increase value and quality of data. Reduce risk of employee and consumer lawsuits. Be a good corporate citizen. Meet expectations of business clients. Meet consumer expectations/enhance trust.
Some mistakes typically associated with education and awareness include:
Equating education with awareness; Using only one communication channel; Lacking effectiveness measurements; Eliminating either education or awareness due to budget concerns
Escalation and notification:
Escalation refers to the internal process whereby employees alert supervisors about a security-related incident, who in turn report the details to a predefined list of experts - typically the privacy office - which will then engage IT, information security, facilities, or HR. Notification is the process of informing affected individuals that their personal data has been breached.
What would be the best way for a company to respond to its customers' complaints after a data breach? Assess the relative liabilities of all parties involved. Develop a formal opt-out procedure. Establish a formal complaint and resolution procedure. Create an ombudsman and refer complaints there.
Establish a formal complaint and resolution procedure. Complaints about how the organization manages data subject rights may come from both internal sources, such as employees, and from external sources, such as customers, consumers, competitors, patients, the public, regulators, and vendors. Complaints from data subjects should go through some centralized process. There needs to be a central point of control that deals with data subject complaints. Because you have limited time to respond, and may need cooperation from other parties (e.g., other controllers, processors), it is critical to have an efficient and consistent process.
Building a strong privacy program starts with:
Establishing the appropriate governance of the program.
The strategic upside of investing in breach preparedness includes:
Exposure of critical gaps in applications, procedures, and plans in a pre-incident phase; Greater overall security for customers, partners, and employees; Reduced financial liability and regulatory exposure; Lower breach-related costs, including legal counsel and consumer notification; Preservation of brand reputation and integrity in the marketplace
California Consumer Protection Act (CCPA):
Extends existing privacy rights of CA residents in the CA constitution, including: the ability to request a record of (1) what types of personal information an organization holds about the requestor, its sources, and the specific personal information that has been collected, and (2) information about the use of the individual's personal information in terms of both business use and third-party sharing; a right to erasure - that is, deletion of the personal information (with exceptions for completion of a transaction, research, free speech, and some internal analytical use), as well as disclosure of this right to consumers; and, in relation to businesses that sell personal information, the option for consumers to opt out of having their data sold to third parties.
What are nongovernmental organizations that advocate for privacy protection known as?
External privacy organizations. If an organization is small, or the privacy office staffing is limited, the privacy professional and organization could consider third-party solutions to track and monitor privacy laws relating to the business. These third parties include legal and consulting services that can assign people to the organization and use automated online services that allow research on privacy law, news, and business tools. Privacy professionals from large and small firms can also take advantage of a growing number of free resources to help them to keep up-to-date with developments in privacy.
FCRA obligations on employers:
FCRA places obligations upon employers to obtain an applicant or employee's written consent prior to conducting a background check. Additionally, FCRA requires employers to inform the applicant or employee that the information obtained in the background check may be used to make the decision about their employment. This information must be provided in a standalone written notice separate from an employment application.
One of the biggest challenges for privacy professionals is to prioritize the projects, products, or services that should be submitted to a PIA. To identify the data-processing activities that represent a higher privacy risk, some organizations:
First conduct an express PIA, which consists of a small questionnaire that assesses the need for a full and more comprehensive PIA.
Three types of audits:
First-party (internal): generally used to support self-certifications, with scope based on resources and the current state of compliance; Second-party (supplier): when a data collector outsources activities related to personal information management, accountability for compliance is retained; Third-party (independent): conducted by independent outside sources, typically under consent decree or regulatory request, and may align to various regional or industry frameworks such as NIST or ISO
A relatively new type of insurance coverage, called cyber-liability insurance, may cover many breach-related expenses, including:
Forensic investigations; Outside counsel fees; Crisis management services; PR experts; Breach notification; Call center costs; Credit monitoring; Fraud resolution services
Innovating ways to communicate training and awareness opportunities to employees include:
Formal education; E-learning; Road shows and department team meetings; Newsletters, emails, and posters; Handouts; Slogans and comics; Video teleconferencing; Web pages; Voicemail broadcast
Age threshold in other jurisdictions:
GDPR - 16 years old, but allows individual countries to set the age threshold between 13 and 16 years old. CCPA - requires organizations to obtain parental or legal guardian consent for children under the age of 13 years old and the affirmative consent of children between 13 and 16 years of age prior to engaging in data selling.
Governance, Risk, and Compliance (GRC)
GRC is an umbrella term whose scope touches the privacy office as well as other departments, including HR, IT, compliance, and the C-suite. GRC tools aim to synchronize various internal functions toward "principled performance" - integrating the governance, management, and assurance of performance, risk, and compliance activities.
One of the most challenging aspects of building a privacy program and the necessary supporting strategy is:
Gaining consensus from members of the organization's management on privacy as a business imperative. (Identify Stakeholders and Internal Partnerships)
Laws are typically grouped into the following categories:
General privacy laws (e.g., GDPR; national privacy laws in countries including Australia, New Zealand, Argentina, Israel, and Uruguay); Federal privacy laws, such as those in the U.S., that apply only to a specific market sector; State laws and provincial laws; Health privacy laws; Financial privacy laws; Online privacy laws; Communication privacy laws; Information privacy laws; Education; Privacy in one's home
Privacy professional:
General term used to describe a member of the privacy team who may be responsible for privacy program framework development, management, and reporting within an organization.
California's "Shine the Light" Law:
Gives California residents the right to request and be notified about how businesses use and share their personal information with other businesses for direct marketing purposes. The law also gives consumers a private right of action in the event a business fails to respond to a consumer's request.
Privacy policy:
Governs the privacy goals and strategic direction of the organization's privacy office. It is a high-level policy that supports documents such as standards and guidelines that focus on technology and methodologies for meeting policy goals through manuals, handbooks, and/or directives. It also supports a variety of documents communicated internally and externally.
Training is a key control, and under some regulations, such as ___, it is required.
HIPAA
Incident Response Support Roles by Miscellaneous Functions:
HR: Serve as information conduit to employees; Finance: Secure resources to fund resolution; Marketing: Establish and maintain a positive and consistent message; PR: Assume positions on the front line; Customer care: Handle breach-related call traffic; BD: Notify key accounts; Union leadership: Communicate and coordinate with union; President/CEO: Promptly allocate funds and personnel and publicly comment on breach
Multinational and multisector organizations have additional challenges to ensure policies are consistent and uniform across all locations while satisfying local laws, regulations, and industry guidance. Different business functions may have diverse policy needs. The organization should document and review policies of the following functions and others to ensure alignment:
HR; Business development (when assessing proposed projects); Project management; Procurement and contract management; Risk management; Incident management; Performance management
Typical HR privacy policies to consider include the following:
Handling of applicant information; Employee background checks; Access to employee data; Termination of access; Bring your own device (BYOD); Social media; Employee/workplace monitoring; Employee health programs
U.S. Industry-Specific Concerns (1 of 3):
Healthcare - HIPAA and HITECH cover healthcare facilities as well as researchers and anyone doing business with healthcare operations. Financial - Organizations must monitor confidentiality, financial (particularly GLBA), and terrorism (specifically anti-money laundering) laws. Telecom - Not just the content of communications is important for protection, but also metadata and location information, to which law enforcement often wants access.
Organizational structures function within a framework by which the organization communicates, develops goals and objectives, and operates daily. Companies can use one of several structures or switch from one to another based on need. Principles within that framework allow the organization to maintain the structure and develop the processes necessary to do so efficiently. Considerations include:
Hierarchy of command - the authority of senior management, leaders, and the executive team to establish the trail of responsibility; Role definition - clear definition of the responsibilities to create individual expectations and performance; Evaluation of outcomes - methods for determining strengths and weaknesses and correcting or amplifying as necessary; Alteration of organizational structure - ability to remain dynamic and change as necessary to meet current objectives, adopt new technology, or react to competition; Significance - complex structure typical for large organizations, flat structures for smaller organizations; Types of structures - product organizational structures, function organizational structures, and others; Customers - consider the different needs depending on nature of products and services the organization offers; Benefits - to the organization, customers, and stakeholders, as aligned to the objectives and goals
A good question about communication to ask regularly is:
How effectively are we communicating the expectations of our privacy program to the workforce - everyone who is using the data?
Effective incident response requires systematic, well-conceived planning before a breach occurs. The success of an incident-response plan ultimately depends on:
How efficiently stakeholders and constituent teams execute assigned tasks as a crisis unfolds.
When gathering information about personal data, the team should also be gaining an understanding of:
How that data is being processed. The type of security used to protect the data. The retention periods for the data. Who has access to it. Who it is disclosed to. The legal basis for processing the data.
What is business resiliency?
How well a business responds to and adapts after a disaster.
The most common locations of personal or sensitive information within an organization are:
IT or information security; HR; Marketing; Customer relationship management (CRM) systems of customer care and sales departments; Audit and compliance; Shareholder management
Another axis with which to classify personal information is:
Identifiability and linkability. This becomes useful in calibrating risk - especially when contemplating big data analytics - or finding ways to use data, or articulating how and to what degree personal information has been de-identified (e.g., identified, pseudonymous, anonymous).
Information security builds upon risk management practices to provide:
Identification of risk; Selection and implementation of controls and measures to mitigate risk; Tracking and evaluation of risk to validate the first two parts
Data subjects:
Identified or identifiable individuals whose personal information is being processed by an organization. Preparing to respond and effectively responding to data subject requests is a critical component of any privacy program.
The goals of a privacy program manager:
Identify privacy obligations for the organization. Identify business, employee, and customer privacy risks. Identify existing documentation, policies, and procedures. Create, revise, and implement policies and procedures that effect positive practices and together comprise a privacy program
A typical approach to identifying the scope of the privacy program includes the following two steps:
Identify the personal information collected and processed. Identify in-scope privacy and data protection laws and regulations.
Vendors should be held to the same privacy standards as the organization. When engaging vendors, an organization may:
Identify vendors and their legal obligations; Evaluate risk, policies, and server locations; Develop a thorough contract; Monitor vendors' practices and performances; Use a vendor policy. An organization must exercise similar due diligence for mergers, acquisitions, and divestitures.
When is a DPIA required?
In case the processing is "likely to result in a high risk to the rights and freedoms of natural persons," the controller shall, prior to processing, carry out a DPIA.
The distinction of individuals in an organization with law degrees who are not serving in the role of lawyers is important, because:
In order to protect attorney-client privilege, the investigation will need to be done at the direction of counsel. Thus, in many organizations, the leader is, of necessity, legal counsel.
Where should an organization's procedures for resolving consumer complaints about privacy protection be found?
In written policies regarding privacy. The privacy policy is a high-level policy that supports documents such as standards and guidelines that focus on technology and methodologies for meeting policy goals through manuals, handbooks, and/or directives. The privacy policy also supports a variety of documents, communicated internally and externally, that (a) explain to customers how the organization handles their personal information, (b) explain to employees how the organization handles personal information, (c) describe steps for employees handling personal information, and (d) outline how personal data will be processed.
Some of the ways for information privacy and information security programs to align are:
Increased involvement of privacy personnel on information security teams and vice versa; Employment of core privacy functions with an IT motivated to get a better handle on their data and the extent of their corporate risk; Increased investment in privacy technology; Increased use of privacy impact assessments and data inventory and classification; Increased use of data retention policies; The recognition that many PETs and standards are, in many cases, information security technologies and standards; The limitation of time and money
The Certified Information Privacy Manager (CIPM) certification:
Indicates that a privacy program manager has the proper understanding of concepts, frameworks, and regulations to hold the role of privacy program manager for their employer.
Data subject rights under the Health Insurance Portability and Accountability Act of 1996 (HIPAA):
Individuals have the right to obtain a copy of their medical record and other health information. Usually, a copy of this information must be provided within 30 days. An individual has the right to change any incorrect information and add any information that may be missing or incomplete. In most cases, these changes must be implemented within 60 days. Similarly, an individual has the right to know how their information has been shared with others and to limit information that an individual may not want to be shared.
No matter which Governance Model is chosen, there are some important steps to integrate into it:
Involve senior leadership. Involve stakeholders. Develop internal partnerships. Provide flexibility. Leverage communications. Leverage collaboration.
Guidelines for common incident response planning expectations by function (1 of 2):
Information security - Provide guidance regarding how the organization addresses detection, isolation, removal, and preservation of affected systems; Legal - Ensure the response program is designed to protect privilege and think about and design the program with an eye toward limiting legal liability; HR - Provide an employee perspective; Marketing - Advise about customer relationship management; BD - Represent knowledge in handling and keeping the account
Who is considered a primary audience for metrics data? Information security officers. Chief financial officers. Stockholders. External regulatory bodies.
Information security officers, not stockholders (pay attention to stockholders vs. stakeholders). Relevant stakeholders are generally those who will use the data to view, discuss, and make strategic decisions - or some combination of all three. There are no limits to both internal and external audiences, particularly in consideration of reporting requirements. The difference in audience is based on level of interest, influence, and responsibility for privacy as specified by the business objectives, laws and regulations, or ownership. Primary audiences generally include legal and privacy officers, including a data protection officer (DPO) as prescribed under the General Data Protection Regulation, senior leadership, chief information officer (CIO), chief security officer (CSO), monitoring and auditing program performance managers, information system owners, information security officers (ISO), other considered users, and managers.
Information security control examples:
Information security policies; Organization of information security; Human resource (HR) controls; Asset management; Access controls; Cryptography; Physical and environmental security; Operational security; Communications security; Systems acquisition, development, and maintenance; Supplier relationships; Information security incident management; Information security aspects of business continuity management; Compliance
If your organization plans to do business within a jurisdiction that has inadequate or no data protection regulations:
Institute your organization's requirements, policies, and procedures instead of reducing them to the level of the country in which you are doing business. Choose the most restrictive policies - not the least restrictive.
A good place to start building an awareness program internally is through:
Interdepartmental cooperation working toward the shared goal of privacy protection. Discuss how different groups can work together to reinforce the privacy message with the workforce, creating an even greater awareness of your privacy program.
Surprise minimization:
Is the country to which you're transferring personal data likely roughly equivalent in terms of privacy protections? Would a person who has entrusted you with personal data be likely to object to their data traveling to that country? Organizations transferring personal information to third parties are ultimately responsible for safeguarding that information.
Regardless of the intent, supporting policies may contain the following data:
Issue/objective statement. Statements of the organization's position. Applicability. Roles and responsibilities. Compliance. Points of contact and supplementary information.
What is a data protection impact assessment?
It describes a process designed to identify risks arising out of the processing of personal data and to minimize these risks as much and as early as possible. DPIAs are important tools for negating risk and for demonstrating compliance with the GDPR.
What date is Data Privacy Day?
January 28
Required or (suggested) administrative policy controls for privacy can be found in four areas:
Laws and regulations; Self-regulatory regime; Industry practices; Corporate ethos/policy
Breach-Related Expenses:
Legal Costs: Punitive Costs. Internal Costs: Outside Counsel; Crisis Management/PR; Forensic Investigations; Call Center Support; Equipment Replacement and Security Enhancements; Insurance; Card Replacement; Employee Training. Remediation Costs: Victim Notification; Remediation Offers; Victim Damages. Intangible Costs: Customer Retention; Lost Revenue and Stock Value; Opportunity Costs
Binding corporate rules (BCRs):
Legally binding internal corporate privacy rules for transferring personal data within a corporate group. Article 47 of the GDPR lists requirements of BCRs (e.g., application of GDPR principles). Under the GDPR, BCRs must be approved by the competent supervisory authority.
What are the most common forms of breach notification?
Letters and emails. Unlike emails, which are simply output from a computer, letters require industrial-level printing, which demands a great deal of preparation and quality control.
One of the more onerous new requirements under the GDPR is the obligation under Article 30 for controllers and processors to:
Maintain a detailed record of their processing activities. A prescriptive list of the contents of this record includes: The name and contact details of the controller or processor, data protection officer (DPO), and/or data protection representative. The purpose for the processing (for controllers). A description of the categories of personal data and categories of data subjects (for controllers) or the categories of processing (for processors). The categories of recipients (for controllers). Any international transfers to third countries. Where possible, the retention periods for the various categories of personal data (for controllers). A general description of the safeguards implemented.
What are the most common causes of data breaches?
Malicious actors or criminal attack (48%); Human error (27%); Systems glitch (25%). Employee error or negligence is reported to be one of the biggest causes of privacy breaches. Even malicious and criminal attacks often take the form of phishing attacks, which rely on unsuspecting employees.
A list of tips to help manage expectations and communicate with executives: (1 of 2)
Manage executive leaders' expectations by establishing the frequency of updates/communications; Determine what is appropriate for the situation and communicate when/if the frequency needs to change; Hold a kickoff meeting to present the team with the known facts and circumstances; Provide senior executives with an overview of the event and of the team's expected course of action; Engage remediation providers to reduce consumers' risk of fraud or identity theft
Protecting personal data and building a program that drives privacy principles into the organization cannot be the exclusive job of the privacy officer or the privacy team:
Many organizations create a privacy committee or council composed of the stakeholders (or representatives of functions) that were identified at the start of the privacy program implementation process. Organizations with a global framework often create a governance structure consisting of representatives from each geographic region and business function to ensure that proposed privacy policies, processes, and solutions align with local laws (and to modify them when necessary).
Privacy assessments:
Measure an organization's compliance with laws, regulations, adopted standards, and internal policies and procedures. Their scope includes education and awareness; monitoring and responding to the regulatory environment; data, systems, and process assessments; risk assessments; incident response; contracts; remediation; and program assurance, including audits. Privacy assessments are conducted internally by the audit function, the DPO, or a business function, or externally by a third party.
More metrics do not equate to more value:
Metric identification is difficult and must be done in consideration of what is both sustainable and scalable. Making informed decisions on the investment and application of privacy-enhancing technology and process improvements (e.g., automated reviews) is a challenge. Using the right metrics as key performance indicators (KPIs) can help the organization set and track multiple objectives and goals.
What role would data loss prevention software have in a privacy program?
Monitoring of certain types of personal data disclosures to outside entities. Data loss prevention software can be a useful tool to monitor certain types of disclosures outside of an organization, both authorized and nonauthorized. It can be used to check the effectiveness of policies and controls. But it cannot prevent all data breaches. Even if you have it configured so that it forbids the external disclosure of personal data via email, for example, a determined person could still circumvent this. It does not prevent a data thief from hacking into your network. It is only one tool amongst many, not a panacea.
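As an added illustration (not part of the study guide), the following Python sketch shows what a content-inspection DLP rule looks like in practice and why it is not a panacea: it flags U.S. SSN and Luhn-valid payment card patterns in outbound mail and blocks them for external recipients, yet a trivially reformatted number slips past it. The sample messages, domain names and patterns are constructed for the example.

```python
import re

# Constructed sample outbound messages: (recipient domain, body). Fictional data.
SAMPLE_MESSAGES = {
    "ssn_external": ("mail.example.net", "Hi, my SSN is 123-45-6789, please update the file."),
    "card_external": ("partner.example", "Charge card 4111 1111 1111 1111 for the order."),
    "card_internal": ("corp.example", "Charge card 4111 1111 1111 1111 for the order."),
    "not_a_card": ("mail.example.net", "Ticket 1234 5678 9012 3456 was closed."),
    "evasion": ("mail.example.net", "Card: 4111 / 1111 / 1111 / 1111"),
}

INTERNAL_DOMAIN = "corp.example"  # assumed: the organization's own mail domain

# U.S. SSN shape with the obviously invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits, each optionally followed by a single space or hyphen.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of `number`; cuts false positives on ticket numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(text: str) -> list:
    """Return [(kind, normalized_value), ...] for every pattern hit in the body."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            findings.append(("card", re.sub(r"\D", "", m.group())))
    return findings


def decide(recipient_domain: str, text: str) -> tuple:
    """Policy: personal data may flow internally; block it to any other domain."""
    findings = scan_message(text)
    if findings and recipient_domain != INTERNAL_DOMAIN:
        return "block", findings
    return "allow", findings


if __name__ == "__main__":
    for name, (domain, body) in SAMPLE_MESSAGES.items():
        verdict, hits = decide(domain, body)
        print(f"{name:14} -> {verdict:5} {hits}")
```

The "evasion" message carries the same card number as "card_external" but is allowed through, which is the point the passage makes: the rule checks shapes, not intent, and it sees nothing in an encrypted archive, a screenshot, or data copied out of a compromised system.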
Monitoring:
Monitoring should be done to ensure that the organization is actually doing what they say they are doing - and what they are supposed to be doing. Monitoring should be continual, based on the organization's risk goals, and executed through defined roles and responsibilities that may include privacy, audit, risk, and security personnel.
Most global organizations are subject to many data protection and privacy laws - and some personal information collected and processed may be subject to:
More than one regulation.
An example of attestation in the U.S.:
NIST SP 800-60, a guide from the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce. The guide maps types of information and information systems to security categories.
Technical controls fall into four main areas:
Obfuscation: Personal data is made obscure, unclear, or unintelligible (e.g., masking, tokenization, randomization, noise, hashing) Data minimization: The collection of personal information is limited to that which is directly relevant and necessary to accomplish a specified purpose (e.g., granulation, data segregation, deletion, de-identification, aggregation) Security: Protective privacy measures are used to prevent unauthorized access (e.g., encryption, access controls for physical and virtual systems, data loss management, destruction, auditing, testing) Privacy engineering technologies: Technologies ensure engineered systems provide acceptable levels of privacy (e.g., secure multiparty computation, homomorphic encryption, differential privacy, mix networks, anonymous digital credentials)
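To make the obfuscation and minimization categories concrete, here is an added Python example (not from the study guide) that applies masking, keyed tokenization, generalization and field minimization to a constructed customer record, and shows why an unkeyed hash of a low-entropy identifier such as an email address is not real obfuscation. The record, the guess list and the key are made up for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (fictional person); the token key is generated per run for the demo.
RECORD = {"name": "A. Example", "email": "a.example@example.org",
          "card": "4111111111111111", "age": 37, "city": "Springfield"}
TOKEN_KEY = secrets.token_bytes(32)


def mask_card(pan: str) -> str:
    """Masking: keep only the last four digits for display or support use."""
    return "*" * (len(pan) - 4) + pan[-4:]


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256, which is what many people mean when they say a field is 'hashed'."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_token(value: str, key: bytes) -> str:
    """Pseudonymization with an HMAC: same input gives the same token, but only for key holders."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates):
    """Re-identify an unkeyed hash by hashing guessed inputs; returns the match or None."""
    for c in candidates:
        if plain_hash(c) == target:
            return c
    return None


def generalize_age(age: int) -> str:
    """Aggregation/generalization: 37 becomes '30-39', which reduces uniqueness."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def minimize(record: dict, allowed: set) -> dict:
    """Data minimization: a downstream system receives only the fields its purpose needs."""
    return {k: v for k, v in record.items() if k in allowed}


def pseudonymize(record: dict, key: bytes) -> dict:
    """Combined output for an analytics consumer: no direct identifier leaves the source."""
    out = minimize(record, {"email", "card", "age", "city"})
    out["email"] = keyed_token(out["email"], key)
    out["card"] = mask_card(out["card"])
    out["age"] = generalize_age(out["age"])
    return out


if __name__ == "__main__":
    print(pseudonymize(RECORD, TOKEN_KEY))
    guesses = ["bob@example.org", "a.example@example.org", "carol@example.org"]
    print("unkeyed hash re-identified as:", dictionary_attack(plain_hash(RECORD["email"]), guesses))
```

The HMAC token is only as protective as the key management around it: whoever holds TOKEN_KEY can recompute the mapping, so the key belongs with the source system, not with the analytics consumer.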
Data Destruction:
One important way to protect personal information and privacy is to destroy personal information when it is no longer needed. Two ways of electronically destroying data are overwriting and degaussing. Three ways of physically destroying data are shredding, melting, and burning. Regardless of the methodology selected, privacy professionals should work with their data retention functions so agreed-upon policies, standards, and guidelines are in place to ensure personal information is destroyed when it is supposed to be destroyed.
Trending, or trend analysis:
One of the easiest statistical methods to use for reporting data. This approach attempts to spot a pattern in the information as viewed over a period of time. There are many different statistical trending methods, including simple data patterns, fitting a trend (i.e., least-squares), trends in random data (i.e., data as a trend plus noise, or a noisy time series), and the goodness of fit (i.e., R-squared).
For many organizations, however, the level of fines and enforcement activity in a given jurisdiction will often guide the organization in making the priorities for remediation of its data protection compliance following a gap analysis. Therefore, it may be important to also link this activity to the business case development at the outset:
One possible strategy is to use examples of high-profile breaches suffered by other organizations to gain management buy-in for the budget to support and mature the privacy program.
U.S. Industry-Specific Concerns (2 of 3):
Online - Watch out for issues presented by online transactions, the lure of detailed information (to law enforcement, marketers, and criminals) available on the web for scraping and collection, and the global nature of online privacy concepts. Government - The courts are constantly re-evaluating definitions of "public records," and governments have specific obligations regarding transparency that often conflict with privacy. Education - Laws are focused on educational agencies and institutions (e.g., public schools) receiving funding under any program administered by the U.S. Dept of Education and private post-secondary schools.
GDPR and its "mandatory DPO":
Organizations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of personal data (GDPR Article 37), must not only designate a DPO but ensure that the DPO reports to "the highest management level" of the organization. This is where metrics are vital to the privacy program. How can the DPO or other privacy leader demonstrate the status of compliance?
Privacy by Design (PbD):
Originating in the mid-1990s and developed by Ann Cavoukian, former information and privacy commissioner of Ontario, the Privacy by Design framework dictates that privacy and data protection are embedded throughout the entire life cycle of technologies, from the early design stage through deployment, use, and ultimate disposal or disposition.
Acceptable Use Policies (AUPs) consider the following:
Others' privacy; Legal protections (e.g., copyright); Integrity of computer systems (e.g., anti-hacking rules); Ethics; Laws and regulations; Others' network access; Routing patterns; Unsolicited advertising and intrusive communications; User responsibilities for damages; Security and proprietary information; Virus, malware protection, and malicious programs; Safeguards (e.g., scanning, port scanning, monitoring) against security breaches or disruptions of network communications.
Guidelines for common incident response planning expectations by function (2 of 2):
PR - Plan strategic and tactical communication to inform and influence Union leadership - Represent union interests Finance - Calculate and manage the bottom-line impact of containment and correction President/CEO - Demonstrate value of preventing breaches through actions Customer care - Offer insight on customer/caller behavior
Notable self-regulatory programs:
Payment Card Industry Data Security Standard (PCI DSS) DMA Guidelines for Ethical Business Practices (data driven marketing in all media) VeriSign, TrustArc, McAfee, PayPal trust marks (online vendors' ecommerce sites) Children's Advertising Review Unit (CARU) guidelines Network Advertising Initiative (NAI) Code of Conduct (collection and use of data for interest-based advertising)
An example of media sanitization would be:
Performing a manufacturer's reset to restore an office printer to its factory default settings. Media sanitization is technically defined (NIST SP 800-88) as "a process that renders access to target data on the media infeasible for a given level of effort." To adequately sanitize media, the data or the media must be either cleared, purged, or destroyed. A factory reset generally corresponds only to clearing: it resets configuration but does not necessarily overwrite the device's internal storage, so stored print jobs, address books or cached documents may remain recoverable. Check the manufacturer's guidance and the level of effort the data warrants before relying on a reset for a device that held sensitive information.
According to controls' nature:
Physical controls Administrative or policy controls Technical controls
The specific responsibilities of the privacy program manager include:
Policies, procedures, and governance; Privacy-related awareness and training; Incident response; Communications; Privacy controls; Privacy issues with existing products and services; Privacy-related monitoring; Privacy impact assessments; Development of privacy staff; Privacy-related investigations; Privacy-related data committees; Privacy by design in product development; Privacy-related vendor management; Privacy audits; Privacy metrics; Cross-border data transfers; Preparation for legislative and regulatory change; Privacy-related subscriptions; Privacy-related travel; Redress and consumer outreach; Privacy-specific or -enhancing software; Privacy-related web certification seals; Cross-functional collaboration with legal, IT, information security (IS or InfoSec), cybersecurity, and ethics team, among others; and Reporting to chief privacy officer (CPO), data protection officer (DPO), and/or data protection authority (DPA).
Metric Audience:
Primary, secondary, and tertiary stakeholders who obtain value from a metric.
Privacy Frameworks can be broadly grouped into three categories:
Principles and standards. Laws, regulations, and programs. Privacy program management solutions.
Compliance with COPPA:
Prior to collecting personal information online (including via mobile applications) from a child under 13, organizations must obtain verifiable parental consent from a parent or legal guardian of the child. The law provides parents with the right of access, modification, and deletion of their child's personal information. COPPA also gives parents an opportunity to prevent or limit further collection and use of their child's personal information.
To be an effective tool, a PIA should be accomplished early, in other words:
Prior to deployment of a project, product, or service that involves the collection of personal information. When there are new or revised industry standards, organizational policies, or laws and regulations. When the organization creates new privacy risks through changes to methods by which personal information is handled.
Three types of assessments and impact assessments for data privacy:
Privacy assessments Privacy Impact Assessments Data Protection Impact Assessments
Privacy Program Management Solutions:
Privacy by Design (PbD) - calls for privacy to be taken into account throughout the whole product engineering process to ensure consideration of consumers' privacy protections. The European Union Agency for Network and Information Security (ENISA) - provides recommendations on cybersecurity, supports policy development and its implementation, and collaborates with operational teams throughout Europe. The National Institute of Standards and Technology (NIST) - concepts of privacy engineering, risk management, and privacy frameworks published by the U.S. federal government
Metrics Owner:
Process owner, champion, advocate, and evangelist responsible for management of the metric throughout the metric lifecycle.
Privacy Engineer's Manifesto:
Process, management, governance
Section 5 of the Federal Trade Commission Act:
Prohibits unfair or deceptive trade practices and allows the U.S. FTC to investigate and bring enforcement actions against companies engaging in them. Similarly, most states have consumer protection laws that provide state attorneys general (AGs) with the authority to address unfair or deceptive business practices. In the U.S., the FTC and AGs have routinely used this power to investigate whether companies act contrary to the statements made in their privacy notices.
The goals of a privacy program (at a minimum):
Promote consumer trust and confidence. Enhance the organization's reputation. Facilitate privacy program awareness, where relevant, of employees, customers, partners, and service providers. Respond effectively to privacy breaches. Continually monitor, maintain, and improve the privacy program.
Policies:
Provide a deliberate system of principles to guide decisions by dictating a course of action and providing clear instructions for implementation through procedures, protocols, or guidance documents.
Fair Information Practices:
Provide basic privacy principles central to several modern frameworks, laws, and regulations. Practices and definitions vary across codifications: rights of individuals (notice, choice, and consent, data subject access), controls on information (information security, information quality), information lifecycle (collection, use and retention, disclosure), and management (management and administration, monitoring and enforcement).
The data inventory, also known as a data map:
Provides answers to these questions by identifying the data as it moves across various systems, and thus indicating how it is shared and organized and where it is located. That data is then categorized by subject area, which identifies inconsistent data versions, enabling identification and mitigation of data disparities, which in turn serves to identify the most and least valuable data and reveal how it is accessed, used, and stored.
To properly protect data, it needs to be classified. Most information security classifications schemes use the following categories:
Public; Confidential; Highly confidential; Restricted
Although policy formats will differ from organization to organization, a privacy policy should include the following components:
Purpose; Scope; Risk and responsibilities; Compliance (General organization compliance; The ability to apply penalties and disciplinary actions, and; Understanding of the penalties for noncompliance)
Once an organization decides on a framework or frameworks, it will be easier to organize the approach for complying with the plethora of privacy requirements mandated by the laws and regulations that are applicable to it. One option is to:
Rationalize requirements, which essentially means implementing a solution that materially addresses them. Factors include offering similar types of rights to individuals; a growing consensus among data protection regulators and businesses on the actions and activities that meet these regulatory obligations; addressing requirements that fall outside of the common obligations (often termed outliers), such as when local laws within a country exceed the requirements of national law or when countries have industry- or data-specific requirements; and looking to the strictest standard when seeking a solution, provided it does not violate any data privacy laws, exceed budgetary restrictions, or contradict organization goals and objectives.
Several potential costs are associated with developing, implementing, and maintaining policies. The most significant are:
Related to implementing the policy and addressing the impacts on the organization that potentially limit, reduce, remove, or change the way data is protected.
There are different audiences for different metrics:
Relevant stakeholders are generally those who will use the data to view, discuss, and make strategic decisions - or some combination of all three. The difference in audience is based on level of interest, influence, and responsibility for privacy as specified by the business objectives, laws and regulations, or ownership.
Even if it's determined that a DPO is not required, the organization may choose to voluntarily appoint one. Keep in mind that formally appointing a DPO will subject the organization to the following DPO requirements:
Reporting structure and independence: The DPO is required to "report to the highest management level of the controller or the processor." Qualifications and Responsibilities: Includes that the DPO possesses "expert knowledge of data protection law and practices." Such expertise is likely required as a result of Article 39, which requires the DPO to perform certain activities, including monitoring the company's compliance with the GDPR, providing advice during data protection impact assessments (DPIAs), and cooperating with supervisory authorities.
Standards for selecting vendors may include:
Reputation Financial condition and insurance Information security controls Point of transfer Disposal of information Employee training and user awareness Vendor incident response Audit rights
Similarities across jurisdictions of privacy law:
Requirements for ensuring individual rights (e.g., access, correction, and deletion), and obligations (safeguarding data) Contractual requirements, audit protocol, self-regulatory regimes, and marketplace expectations
An information security policy establishes what is done to protect the data and information stored on organization systems, including:
Risk assessments; User and password policies; Administrative responsibilities; Email policies; Internet policies; Intrusion detection; Antivirus and malware policies; Firewall rules and use; Wireless management
Together with the Council of Europe's Convention 108, the OECD Guidelines are the basis for:
The EU Data Protection Directive and the GDPR.
Various ways to ascertain what personal information your organization collects, uses, stores, and otherwise processes:
Setting up information-gathering interviews with the functions that typically collect, use, store, and otherwise process personal information (less structured approach). Engaging an outside consultancy to assess where personal information is collected, stored, used, and shared, or engaging internal resources to assist the privacy team with the discovery (more structured approach).
Vendor policies:
Should guide an organization in working with third parties from procurement through termination. Policy components may include requirements for vendors, logistics (e.g., where work should be conducted), and onboarding and employee training.
The following list gives a few examples of the kind of information you may want to consider in contract language for service-level agreements:
Specifics regarding the type of personal information to which the vendor will have access at remote locations Vendor plans to protect personal information Vendor responsibilities in the event of a data breach Disposal of data upon contract termination Limitations on the use of data that ensure it will be used only for specified purposes Rights of audit and investigation Liability for data breach
For a breach or incident response review, or a post-incident assessment, these items should be reviewed at minimum:
Staffing and resourcing Containment, including timing and processes The C-suite commitment, including signoff on new measures and allocation of resources Clarity of roles of the response team and others The notification process for individuals, regulatory bodies, and others
It's important to work with the organization's legal and HR departments on any vendor contract, including the following:
Standard contract language Requirement to inform the organization when any privacy/security policies change Prohibition against making policy changes that weaken privacy/security protections Data migration/deletion upon termination Vendor security incident response procedures Vendor liability Right to audit
Acceptable Use Policy (AUP):
Stipulates rules and constraints for people within and outside the organization who access the organization's network or internet connection. It outlines acceptable and unacceptable use of the network or internet connections to which the user agrees either in written or electronic form. Violation typically leads to loss of use and/or punitive action either by the organization or by law enforcement if necessary. People affected include employees, students, guests, contractors, and vendors.
The last objective to formalize the organization's approach to privacy is:
Structuring the Privacy Team
To realize better alignment with information privacy and information security, consider these four principles:
Teaming; Don't reinvent; Stay aware; Rank and prioritize
Examples of information security risks include:
Technology with weak security; Social media attacks; Mobile malware; Third-party entry; Neglect of proper configurations; Outdated security software; Social engineering; Lack of encryption; Corporate data on personal devices; Inadequate security technology
What provides a more concrete set of processing operations that require a DPIA due to their inherent high risk?
The Article 29 Working Party (WP29), since replaced by the European Data Protection Board (EDPB), in its guidelines on data protection impact assessments.
Data subject rights under the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, enforced by the FTC:
The FTC allows individuals to forward unwanted or deceptive messages to the FTC in order to report and in effect reduce the number of spam emails. An individual may also file a complaint with the FTC regarding a company's unsolicited emails and/or its refusal to honor a request to unsubscribe from the mailing list.
The American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA), which have formed the AICPA/CICA Privacy Task Force, developed:
The Generally Accepted Privacy Principles (GAPP) to guide organizations into developing, implementing, and managing privacy programs in line with significant privacy laws and best practices.
Data inventories are legally required for some institutions, such as those covered by:
The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule
Which state biometric law provides the most robust consumer rights?
The Illinois Biometric Information Privacy Act (BIPA)
The best known and most prominent information security standards are:
The International Organization for Standardization (ISO) standards. ISO/IEC 27001 Annex A contains a summary of security controls, while ISO/IEC 27002 examines the controls and control objectives in more depth.
What are the most widely accepted privacy principles?
The Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
The Canadian Standards Association (CSA) Privacy Code became a national standard in 1996 and formed the basis for:
The Personal Information Protection and Electronic Documents Act (PIPEDA)
Data subject rights under the Privacy Act of 1974:
The Privacy Act of 1974 provides individuals with a right of access to their own records from each federal agency that maintains a system of records, upon receipt of a written request from an individual. The law also permits an individual to request an amendment of his or her records and to challenge the accuracy of information that an agency has on file. Information collected for one purpose may not be used for a different purpose. Lastly, individuals may bring civil actions against agencies for violations of the act.
Many functions directly support the various activities required by the privacy program, including:
The adoption of privacy policies and procedures. Development of privacy training and communications. Deployment of privacy- and security-enhancing controls. Contract development with and management of third parties who process the personal information of the organization. The assessment of compliance with regulations and established control mechanisms.
In addition to the support of internal functional leaders, a successful response may depend heavily on:
The aid of outside specialists retained to manage notification (including through print vendors), call center, and breach remediation activities. It is a best practice to negotiate agreements with experienced breach response providers prior to having to respond to an incident.
The potential for compromising sensitive data exists throughout every business of every size in every industry.
Information security defines "risk" as:
The combination of the probability of an event and its consequences (ISO/IEC Guide 73).
Privacy governance:
The components that guide a privacy function towards compliance with privacy laws and regulations and enable it to support the organization's broader business objectives and goals. These components include: Creating the organizational privacy vision and mission statement. Defining the scope of the privacy program. Selecting an appropriate privacy framework. Developing the organizational privacy strategy. Structuring the privacy team.
Information security aims to ensure:
The confidentiality, integrity, and availability of information throughout the data life cycle. Confidentiality - prevention of unauthorized disclosure of information Integrity - ensures information is protected from unauthorized or unintentional alteration, modification, or deletion Availability - information is readily accessible to authorized users
Managing privacy within an organization requires:
The contribution and participation of many members of that organization. Because privacy should continue to develop and mature over time within an organization, functional groups must understand just how they contribute and support the overall privacy program as well as the privacy principles themselves. Importantly, individual groups must have a fundamental understanding of data privacy because, in addition to supporting the vision and plan of the privacy officer and the privacy organization, these groups may need to support independent initiatives and projects from other stakeholders.
A key step in incident preparation is:
The formal creation of an incident response plan. To create the plan, the drafting team will need to gather a vast amount of information and then use the information they have gathered to develop processes and procedures. This team should be led by the privacy office and the legal department and include help from IT, communications, HR, and senior management. The exact stakeholders will vary by organization.
In the EU, the GDPR creates two tiers of maximum fines depending on which provisions were infringed; the amount within a tier depends on several factors, such as the nature, gravity and duration of the violation and any previous infringements by the controller or processor. The tiers are:
The higher fine threshold being 4 percent of an undertaking's worldwide annual turnover or €20 million, whichever is higher. The lower fine threshold being 2 percent of an undertaking's worldwide annual turnover or €10 million, whichever is higher.
Privacy vision or mission statement:
The key factor that lays the groundwork for the rest of the privacy program. The privacy vision should align with the organization's broader purpose and business objectives and be refined with feedback from key partners. Describes the purpose and ideas in just a few sentences. It should take less than 30 seconds to read.
With the increased use of cloud computing and other offsite storage, vendors that provide cloud computing services may pose distinct privacy challenges, especially because of compliance requirements and security risks. An organization should ensure its acceptable use policy for cloud computing requires:
The privacy and security of its data as well as compliance with policies, laws, regulations, and standards. Risks of processing data using cloud-based applications and tools should be mitigated. The policy should stipulate approval of all cloud computing agreements by appropriate leadership, such as the Chief Information Officer.
California Online Privacy Protection Act (CalOPPA):
The law applies to any website or online service operator in the U.S., and potentially anywhere in the world, whose website collects personally identifiable information (PII) from California consumers. The law requires the disclosure of specific information in the privacy notice, such as the categories of PII collected, a description of the process by which the operator notifies consumers of material changes to the privacy notice, and how the operator honors Do Not Track requests, among others. The Delaware Online Privacy Protection Act (DOPPA) is materially similar to CalOPPA; however, there are a few notable differences.
There are typically two levels to a response team:
The leaders who will make the key decisions about how an incident is handled. The individuals who will be providing input and support to the core team. Those in this group will vary depending on the type of incident. A balance should be struck between ensuring that the appropriate stakeholders are included but that communications are controlled to avoid legal exposure.
Examples of the different functions involved in creating procedures related to privacy include:
The learning and development group that manages activities related to employee training. The communications group can assist with publishing periodic intranet content, email communications, posters, and other collateral that reinforce good privacy practices. The information security group is more closely aligned to the privacy group than any other function in the organization. It deploys security-enhancing technology which helps the privacy program meet its requirements for implementing security controls to protect personal information. The IT group supports and enhances the effectiveness of the privacy program by adding processes and controls that support privacy principles. An internal audit group assesses whether controls are in place to protect personal information and whether people and processes within the organization are abiding by these controls. Procurement ensures that contracts are in place with third-party service providers who process personal information on behalf of the organization, and that the appropriate data privacy contractual language is imposed on these service providers.
Building a privacy strategy may mean changing:
The mindset and perspective of an entire organization. Everyone in an organization has a role to play in protecting the personal information an organization collects, uses, and discloses.
Often, vendors are the ones that suffer a data breach. But because of the way data breach notification laws are drafted:
The obligation to notify may fall on your company, not the vendor.
Decentralized governance:
The policy of delegating decision-making authority down to the lower levels in an organization, at a distance from and below a central authority. A decentralized organization has fewer tiers in the organizational structure, a wider span of control, and a bottom-to-top flow of decision making and ideas. While this may be inefficient because each process may be reproduced many times instead of once, employees are also tasked with solving the problems with which they are closest and most familiar.
Organization privacy professionals and those charged with incident response planning and notification should be intimately familiar with:
The prevailing notification requirements and guidelines and should work with qualified legal counsel to assist in making the legal determination about the need to give notice. When investigating an incident, time is of the essence. Timing is even more critical once the incident has been confirmed to be a breach.
Now that the framework through which the organization will organize its privacy requirements has been identified, the next consideration is:
The privacy strategy, which is the organization's approach to communicating and obtaining support for the privacy program.
The process for ISO/IEC 29134 (privacy impact assessment):
The process first involves conducting a threshold analysis to determine whether a PIA is needed, then preparing for a PIA, performing a PIA, and following up on the PIA. The performing phase consists of five steps: 1. Identifying information flows of PII 2. Analyzing the implications of the use case 3. Determining the relevant privacy-safeguarding requirements 4. Assessing privacy risk using the steps of risk identification, risk analysis, and risk evaluation 5. Preparing to treat privacy risk by choosing the privacy risk treatment option, determining the controls using control sets such as those available in ISO/IEC 27002 and ISO/IEC 29151, and creating privacy risk treatment plans The follow-up phase consists of: Preparing and publishing the PIA report Implementing the privacy risk treatment plan Reviewing the PIA and reflecting changes to the process
Performance Measurement:
The process of formulating or selecting metrics to evaluate implementation, efficiency, or effectiveness; the gathering of data and production of quantifiable output that describes performance.
Metrics Lifecycle:
The processes and methods to sustain a metric to match the ever-changing needs of an organization.
The Privacy Act requirements include:
The rights to receive timely notice of location, routine use, storage, retrievability, access controls, retention and disposal; rights of access and change to personal information; consent to disclosure; and maintenance of accurate, relevant, timely, and complete records. As such, the PIA will describe in detail the information collected or maintained, the sources of that information, the uses and possible disclosures, and potential threats to the information.
What is privacy program management?
The structured approach of combining several disciplines into a framework that allows an organization to meet legal compliance requirements and the expectation of business clients or customers while reducing the risk of a data breach.
Questions can be used to determine the data assets of an organization.
They should be specific to the organization's line of business and may be organized around the data lifecycle - collection, usage, transfers, retention, and destruction. Internal policies and procedures, laws, regulations, and standards may also be used to compose the questions.
Irregular component, or noise:
This analysis focuses on what is left over when the other components of the series (time and cyclical) have been accounted for. It is the most difficult to detect - an example would be the absence of privacy breaches.
There is sometimes confusion about who - between legal, CPO/CCO, and CISO - should be directing and leading an incident response. The best incident response teams are:
Those in which the three work together, ensuring maintenance of privilege, containment, and swift investigations.
Typical costs incurred in responding to a breach include:
Threat isolation; forensic investigation; engaging of legal counsel, PR communications, and media outreach; and reporting and notification (including printing, postage, and call center)
What is the purpose of a privacy audit?
To determine the degree to which technology, processes, and people comply with privacy policies and practices. Audits are evidence-based procedures to help measure how well the programs put in place meet the organization's goals; show compliance with legal, regulatory, and internal requirements; increase general awareness; reveal gaps; and provide a basis for remediation planning.
Purpose of a privacy audit:
To determine the degree to which technology, processes, and people comply with privacy policies and practices. Privacy audits help measure efficacy of privacy procedures, demonstrate compliance, increase the level of general privacy awareness, reveal gaps, and provide a basis for remediation planning. Audits differ from assessments in that they are evidence-based.
Internal information security policies serve several purposes:
To protect against unauthorized access to data and information systems
To provide stakeholders with information efficiently, while simultaneously maintaining confidentiality, integrity, and availability (CIA)
To promote compliance with laws, regulations, standards, and other organizational policies
To promote data quality
In the United States, some states mandate that notification letters contain specific verbiage or content, such as:
Toll-free numbers and addresses for the three major credit bureaus, the FTC, and a state's attorney general. Multiple state laws may apply to one breach, and notification may be delayed if law enforcement believes it would interfere with an ongoing investigation.
Data assessments:
Tools that can help organizations identify privacy risks to individuals in advance and deal with them effectively at the beginning of any project that involves the processing of personal data.
Metrics:
Tools that facilitate decision making and accountability through collection, analysis, and reporting of data. They must be measurable, meaningful, clearly defined (with boundaries), and able to indicate progress and answer a specific question to be valuable and practical.
Forms of Monitoring:
Tools; Audit; Breaches; Complaints; Data Retention; Controls; Human Resources; Suppliers
The words "training" and "awareness" are used interchangeably, but they serve different functions.
Training communicates the organization's privacy message, policies and processes, including those for data usage and retention, access control, and incident reporting. An organization's privacy awareness program reinforces the privacy message through reminders; continued advertisement; and mechanisms such as quizzes, posters, flyers, and lobby video screens.
Preparedness to a data incident falls into five categories:
Training; getting an incident response plan in place; understanding key stakeholders; getting insurance coverage where appropriate; and managing vendors who might be a part of an incident.
Freedom of Information Act (FOIA):
Under FOIA, federal agencies are required to disclose any federal agency records or information upon request by the public, unless the request falls under one of the nine exemptions and three exclusions that protect national security interests, personal privacy, and law enforcement interests, for example.
Appropriately scoping your organization's privacy program is a challenging exercise. A successful approach requires:
Understanding of the end-to-end personal information data lifecycle.
Consideration of the global perspective in order to meet legal, cultural, and personal expectations.
Customizing of privacy approaches from both global and local perspectives.
Awareness of privacy challenges, including translations of laws and regulations and enforcement activities and processes.
Monitoring of all legal compliance factors for both local and global markets.
Guidelines for user access management (also known as identity access management) include the following:
Unique user IDs
Credentials for ID (e.g., smart card, password, two-factor authentication, machine certificate)
Level of access based on business purpose
Formal logical access process for granting and removing access
Password management
Review of user access rights (e.g., privileged accounts, job function changes, employment termination)
User responsibility
Users required to follow good security practices in selecting and protecting passwords
Clean desk policy for papers and removable storage media
Frameworks:
Used broadly for the various processes, templates, tools, laws, and standards that may guide the privacy professional in privacy program management.
Performance management:
Used by organizations to inform different audiences (e.g., leadership, management, employees) about operations. Measurement systems must be easy to understand, repeatable, and reflective of relevant indicators.
Article 28 of the GDPR:
Uses the device of limiting the controller's use of processors to those who can provide "sufficient guarantees" about the implementation of appropriate technical and organizational measures for compliance with the GDPR and for the protection of the rights of data subjects. This idea of sufficient guarantees encompasses much more than the creation of contracts, but the use of contracts is a key control mechanism. The focus is on obtaining proof of the processor's competence (third-party assessment or certification validation; audit processes).
U.S. Industry-Specific Concerns (3 of 3):
Video - Originally designed to protect renters and purchasers of goods from videotape rental stores, laws have now been interpreted to apply to online streaming services. Marketing - This has become one of the most complicated areas of privacy. Professionals must understand not just law, but rapidly evolving technology, self-regulatory schemes, and new data marketplaces. Energy - An emerging privacy arena due to the emergence of smart grid technology and so-called smart houses. HR - Standard ideas of confidentiality in this area are running up against technology in the work environment, where efficiency often means monitoring.
An organization's procedures around withdrawal of consent may address:
When and how consent may be withdrawn
Rules for communicating with individuals
Methods for withdrawing consent
Documentation of requests and actions taken
The U.S. government, under the E-Government Act of 2002, required PIAs from government agencies:
When developing or procuring IT systems containing personally identifiable information (PII) of the public or when initiating an electronic collection of PII. This requirement is preceded by a privacy threshold analysis (PTA) to determine if a PIA is needed. The PTA would seek to determine from whom data is collected, what types of personal data are collected, how such data is shared, whether the data has been merged, and whether any determinations have been made as to the information security aspects of the system.
The detailed record of processing required under Article 30 of the GDPR must be disclosed to a data protection authority (DPA) upon request. The only exemption from the requirement to maintain a detailed record of processing is:
When the controller or processor employs fewer than 250 people, provided that the processing it undertakes is occasional, does not include sensitive personal data, and is not likely to result in a risk for the rights and freedoms of the individual.
When must the supervisory authority be contacted?
Whenever the data controller cannot find sufficient measures to reduce the risks to an acceptable level (i.e., the residual risks are still high), consultation with the supervisory authority will be necessary. Moreover, the controller will have to consult the supervisory authority whenever Member State law requires controllers to consult with, and/or obtain prior authorization from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.
When privacy incidents occur, it is important to consider the following:
Where possible, leverage lessons learned from events that make the headlines. Use mistakes as learning opportunities to improve processes rather than as cause for complaint. Use stories. Hold "lunch and learn" sessions. Make it fun. Develop slogans that can be used in presentations to capture the essence of the message.
Some key questions that should be asked to help define the scope of the privacy program:
Who collects, uses, and maintains personal information relating to individuals, customers, and employees?
What types of personal information are collected and what is the purpose of the collection?
Where is the data stored physically?
To whom is the data transferred?
When (e.g., during a transaction or hiring process) and how (e.g., through an online form) is the data collected?
How long is data retained and how is it deleted?
What security controls are in place to protect the data?
Your organization's privacy notice will typically provide the following information:
Who your organization is and your organization's contact information
What information is collected, directly or indirectly
How your organization will use the information
With whom your organization will share the information
How the behavior of website users is monitored
How data subjects may exercise their rights
Organizations typically face the following questions when they're making the case for training or planning its execution:
Why train?
Which function within an organization should fund training?
Who should receive training?
What form should training take?
A roadmap or crosswalk of the organization's privacy requirements is as simple or complex as the organization desires. For some, a simple spreadsheet with tabs for applicable law, audit protocol, and specific contract language is sufficient. For overlap in global laws and regulations, note the similarities regarding notice, choice and consent, purpose limitation, individual rights, data retention limits, and data transfers.
Awareness-raising is one of the key aspects of the privacy framework and should be prioritized for all organizations. It can come in different forms, none of which require huge budgets. If people are not aware of what they are processing, they are also unaware of the consequences and liabilities that result from not knowing.
Breach notification laws in the U.S. are numerous, and lawsuits often arise post-notification.
In the U.S., consent may be affirmative (i.e., opt-in or implied), but express consent (i.e., not implied) is now required in the EU. If relying on consent, it is important to keep a legally admissible record that establishes what the individual consented to and that such individual agreed to the notice.
Methods to track the changes in laws and regulations include using many resources, such as the internet, printed and online journals, automated online services, and third-party vendors.
When building your data inventory, select the tool that will enable your organization to most easily update it. Options may include spreadsheets, a governance, risk, and compliance (GRC) software system, an internally developed system or another product. Updating data inventories is often a manual process involving multiple departments. Remember that changes in the organization may trigger the need to update data inventories.
Conduct a privacy workshop for stakeholders to level the privacy playing field by defining privacy for the organization, explaining the market expectations, answering questions, and reducing confusion.
During the management of a privacy incident, it is imperative that all internal communications are locked down so that inaccurate or incomplete details regarding the incident are not sent around the organization. The incident response team should be responsible for all internal communications regarding the incident; these communications should only be forwarded to staff on a need-to-know basis.
Every organization must ensure that it has a procedure for retrieving portable storage devices or media from departing employees.
In smaller organizations, a legal department may create contract requirements if there is no procurement.
Incident response teams should always confirm requirements with legal counsel experienced in data privacy litigation prior to initiating or foregoing any notification campaign.
Not all breaches require notification. There are various types of notification requirements to regulators and affected individuals. If data was encrypted, or if an unauthorized individual accidentally accessed but didn't misuse the data, potential harm and risk can be minimal and companies may not need to notify (based on applicable laws). Notification may be required even without harm to an individual. Coordinating with legal counsel to understand notification obligations is critical.