Domain 2: Establishing Governance Flashcards

Understand how to set up privacy governance through leadership, roles, and clear policies. (102 cards)

1
Q

What is a mission statement?

A
  • Defines purpose, core values, and objectives
  • Focuses on present; describes what, who, and how
2
Q

What is a vision statement?

A
  • Describes future goals and aspirations
  • Aspirational; provides long-term direction
3
Q

How does a mission statement differ from a vision statement?

A
  • Mission is present-focused and specific
  • Vision is future-focused and aspirational
4
Q

What factors influence the scope of a privacy program?

A
  • Jurisdiction
  • Business type
  • Applicable laws
  • Regulations
  • Internal policies
5
Q

How can you identify data collected by the organization?

A
  • Manual: interviews with business units
  • Automated: data discovery and classification tools
  • External: consultancies engaged to perform the inventory
6
Q

What are the 4 regulatory models?

A
  1. Sector-specific
  2. Comprehensive
  3. Co-regulatory
  4. Self-regulatory
7
Q

How should organizations handle no or unknown legal requirements?

A

Apply the organization’s highest internal standards.

8
Q

How is the United States regulatory model characterized?

A

Sector-specific and state-specific.

e.g., HIPAA, GLBA, CCPA

9
Q

How are the EU, UK, and Canadian regulatory models characterized?

A

Comprehensive; privacy is a fundamental right; enforced by official oversight agencies.

10
Q

What is Australia’s approach to privacy regulation?

A

Co-regulatory; industry develops standards overseen by a privacy agency.

11
Q

How is privacy regulation handled in countries like Japan and Singapore?

A

Self-regulatory; industry creates and enforces codes of practice.

e.g., TrustArc, WebTrust

12
Q

What is a strategy?

A

A high-level plan outlining an organization’s data management and protection approach.

13
Q

What is a privacy strategy?

A

A plan to communicate and support a privacy program’s mission and vision.

14
Q

What are ISACA’s 5 components of a privacy strategy?

A
  • Data
  • People
  • Processes
  • Technology
  • Rules
15
Q

Why is privacy considered a team sport?

A

It requires buy-in from management, sales, and developers to shift organizational mindset.

16
Q

What is the role of management in establishing a privacy strategy?

A

Provide funding for privacy-enhancing technologies (PETs), training, and awareness.

17
Q

What is the developer’s role in a privacy strategy?

A

Implement Privacy by Design and Default in systems like websites and apps.

18
Q

Which groups should be targeted to socialize a privacy strategy?

A
  • Managers
  • Executives
  • Internal partners
19
Q

What is the purpose of conducting internal interviews?

A
  • Identify parties responsible for information, security, risk
  • Find internal partners
20
Q

Who is considered a ‘champion’ for the privacy program?

A

A program sponsor who advocates for resources and policies; respected and experienced.

e.g., CISO (Chief Information Security Officer), CCO (Chief Compliance Officer), GC (General Counsel)

21
Q

What are key components of relationship building in a privacy program?

A
  • Understand info culture, data use
  • Give privacy guidance
  • Support business goals
  • Invite to governance body
22
Q

Why are privacy workshops important?

A
  • To build baseline understanding
  • Train on Privacy 101
  • Establish buy-in
23
Q

What topics should be covered in a privacy workshop?

A
  • Privacy 101
  • Legal requirements
  • Data use
  • Risks
  • Obligations
  • Expectations
  • Challenges
24
Q

Why is it important to keep a record of ownership after workshops?

A

Supports:

  • Audits
  • Legal compliance
  • Accountability
25
Q

What is a framework in a privacy program context?

A

Processes, tools, and standards that guide privacy program management.

26
Q

What are key attributes of a successful privacy framework?

A
  • Achieves compliance
  • Supports business goals
  • Is a competitive differentiator
  • Addresses legal obligations

27
Q

What mnemonic helps remember key privacy frameworks?

A

Fluffy Owls Gather Cookies And Eat Noisily

28
Q

What is the OECD and its role in privacy?

A
  • Organisation for Economic Co-operation and Development
  • Its 1980 Privacy Guidelines (revised 2013) are the basis for many later privacy laws and influenced the EU framework that became the GDPR

29
Q

What are Generally Accepted Privacy Principles (GAPP)?

A

Framework from the AICPA/CICA (American Institute of CPAs / Canadian Institute of Chartered Accountants) for managing privacy compliance.

30
Q

What is the CSA Privacy Code?

A

The CSA Model Code for the Protection of Personal Information (CAN/CSA-Q830), a Canadian standard incorporated as Schedule 1 of PIPEDA.

31
Q

What does the APEC Privacy Framework address?

A

Guides personal data transfers across Asia-Pacific economies; implemented through the Cross-Border Privacy Rules (CBPR) system.

32
Q

What is ETSI and its role?

A
  • European Telecommunications Standards Institute
  • Creates ICT standards

33
Q

What is the NIST Privacy Framework?

A

A voluntary, technology- and law-agnostic framework from NIST (the U.S. National Institute of Standards and Technology, a government agency) for managing privacy risk; version 1.0 was published in January 2020.

34
Q

What does 'risk-based' mean in the NIST Privacy Framework?

A

Prioritizes identification, assessment, and mitigation of risks based on potential impact.

35
Q

What are the 3 parts of the NIST Privacy Framework?

A
  1. Core
  2. Profiles
  3. Implementation Tiers

36
Q

What is the 'Core' in the NIST Privacy Framework?

A

Privacy protection activities and outcomes, organized into Functions (Identify-P, Govern-P, Control-P, Communicate-P, Protect-P), Categories, and Subcategories.

37
Q

What is a 'Profile' in the NIST Privacy Framework?

A

A selection of Core activities tailored to the organization's risk appetite, goals, and resources (a Current Profile compared against a Target Profile).

38
Q

What are 'Implementation Tiers' in the NIST Privacy Framework?

A

How well an organization's processes and resources manage privacy risk, from Tier 1 (Partial) to Tier 4 (Adaptive).
39
Q

What is a maturity model and what are its levels?

A
  • A model to assess organizational capability and consistency of practice
  • Levels (CMM-style, as in the AICPA/CICA Privacy Maturity Model): ad hoc/initial, repeatable, defined, managed, optimized

40
Q

What does PIPEDA stand for?

A

Personal Information Protection and Electronic Documents Act (Canada)

41
Q

What Canadian bill is associated with modernizing PIPEDA?

A

Bill C-27, the Digital Charter Implementation Act, 2022, whose Consumer Privacy Protection Act (CPPA) would replace PIPEDA's private-sector privacy rules.

42
Q

What is the GDPR and its reach?

A
  • General Data Protection Regulation (EU Regulation 2016/679)
  • Extraterritorial (Art. 3): applies to controllers and processors outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU
  • Supplemented by member-state laws

43
Q

What replaced the EU-US Privacy Shield in 2023?

A

The EU-US Data Privacy Framework (DPF), adopted by a European Commission adequacy decision in July 2023.

44
Q

Why was the EU-US Privacy Shield invalidated?

A

The CJEU's Schrems II ruling (C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, July 2020) found that U.S. surveillance law and the lack of effective redress did not give EU data subjects protection essentially equivalent to the GDPR.

45
Q

What are Binding Corporate Rules (BCRs)?

A

Legally binding rules, approved by a supervisory authority under GDPR Art. 47, for personal data transfers within a corporate group.

46
Q

What does HIPAA regulate?

A
  • Protected Health Information (PHI) held by covered entities and their business associates
  • Sets national standards for the privacy and security of health information, including electronic PHI

47
Q

When can PHI be shared without patient authorization under HIPAA?

A

For treatment, payment, or health care operations (TPO).
48
Q

What role do Data Protection Authorities (DPAs) play?

A

Independent supervisory authorities that enforce data protection law and provide guidance on its implementation.

e.g., France's CNIL

49
Q

What does 'rationalizing requirements' mean in privacy compliance?

A

Implementing one solution (policy/process) that satisfies multiple laws, regulations, or frameworks.

50
Q

What are commonalities in privacy laws and frameworks?

A
  • Notice
  • Consent
  • Choice
  • Purpose limitation

51
Q

How should organizations deal with outliers in legal requirements?

A

Apply the strictest standard across regions or tailor solutions to specific local needs.

52
Q

What does GRC stand for?

A

Governance, Risk, and Compliance

53
Q

What is governance?

A

System of rules, practices, and processes for directing a program and achieving objectives.

54
Q

What is risk in the GRC context?

A
  • The potential for harm
  • Commonly expressed as Risk = Threat x Vulnerability; fuller models also weight likelihood and impact

55
Q

How is risk managed?

A

By identifying and assessing risks and implementing controls to reduce them to an acceptable level.

56
Q

What is a control in risk management?

A

A measure (technical, administrative, or physical) used to mitigate risk.

57
Q

What is compliance?

A

Following auditable policies, processes, and procedures to meet legal/regulatory requirements.

58
Q

What does 'auditable' mean?

A

An auditor can confirm, from evidence, that a policy, process, or procedure is effectively implemented.

59
Q

What is privacy technology?

A

Tools and platforms that aid compliance with privacy laws and manage privacy risks.

e.g., data discovery, data mapping, assessment management, supplier due diligence, redaction, de-identification, incident response tools

60
Q

What does data discovery involve?

A
  • Identifying, classifying, and locating personal data across systems
  • Understanding its volume and context

61
Q

What is data mapping used for?

A

Documenting how personal data flows through the organization: what is collected, where it comes from, where it is stored, who it is shared with, and why; the basis for a record of processing activities (GDPR Art. 30).

62
Q

What is data activity monitoring?

A
  • Tracking how data is accessed, used, and modified
  • Supports security (detecting misuse) and compliance (evidence for audits)
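Added example (not part of the original deck): a minimal data discovery scan in Python showing the technique behind cards 60 and 61. It classifies field values with regex detectors (email, SSN, phone, payment card validated with a Luhn check, health keywords) over constructed sample records from three made-up systems and returns a {system: {field: categories}} inventory, the raw material for a data map. The system names, records and pattern set are assumptions for illustration, not a real tool's code.

```python
"""Added example (not part of the original deck): a minimal personal-data discovery
scan over constructed sample records, producing a simple data map.

Pattern matching (regex plus a Luhn check for card numbers) is how basic data
discovery tools locate and classify personal data in a system; the resulting
{system: {field: categories}} map is the raw material for data mapping and for
a record of processing activities. Systems, fields and values below are made up.
"""
import re
from collections import defaultdict

# Regex detectors keyed by the category they indicate.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    # 13-19 digits with optional single spaces/hyphens; confirmed with Luhn below,
    # so arbitrary digit runs (order numbers, IDs) are not flagged as cards.
    "card_candidate": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

# Keyword hints for health data (a special category under GDPR Art. 9).
HEALTH_TERMS = ("diagnosis", "prescription", "icd-10")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value: str) -> set:
    """Return the set of personal-data categories detected in one field value."""
    found = set()
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(value):
            if name == "card_candidate":
                digits = re.sub(r"\D", "", match.group())
                if 13 <= len(digits) <= 19 and luhn_ok(digits):
                    found.add("payment_card")
            else:
                found.add(name)
    lowered = value.lower()
    if any(term in lowered for term in HEALTH_TERMS):
        found.add("health")
    return found


def discover(systems: dict) -> dict:
    """Scan every record in every system.

    Returns {system: {field: set(categories)}}, listing only fields where
    personal data was detected; this is the inventory a data map is built from.
    """
    data_map = defaultdict(lambda: defaultdict(set))
    for system, records in systems.items():
        for record in records:
            for field, value in record.items():
                categories = classify_value(str(value))
                if categories:
                    data_map[system][field] |= categories
    return {system: dict(fields) for system, fields in data_map.items()}


# Constructed sample data: three made-up systems with a record each.
SAMPLE_SYSTEMS = {
    "crm": [
        {"name": "Jane Doe", "email": "jane.doe@example.com", "phone": "555-867-5309"},
    ],
    "billing": [
        # The card number is a well-known test number (passes Luhn);
        # the order reference is 16 digits but fails Luhn and is ignored.
        {"card": "4111 1111 1111 1111", "order_ref": "1234 5678 9012 3456"},
    ],
    "support_tickets": [
        {"body": "Customer reports diagnosis of type 2 diabetes; SSN 123-45-6789 on file."},
    ],
}


if __name__ == "__main__":
    for system, fields in discover(SAMPLE_SYSTEMS).items():
        for field, categories in fields.items():
            print(f"{system}.{field}: {', '.join(sorted(categories))}")
```

The Luhn filter is the part worth noticing: without it, any 16-digit identifier would be inventoried as a payment card, and a data map built from such noise overstates PCI scope. Free-text fields (the ticket body) are where unexpected categories turn up, which is why discovery must run over content, not only over column names.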
63
Q

What are the 3 types of governance models?

A
  1. Centralized
  2. Decentralized
  3. Hybrid

64
Q

What is a centralized governance model?

A
  • One person or team (e.g., the CPO's office) manages privacy for the whole organization
  • Top-down approach

65
Q

What are pros of a centralized model?

A
  • Repeatable policies
  • Uniform resources
  • Consistent practices

66
Q

What is a decentralized governance model?

A
  • Privacy managed at local (business unit or regional) levels
  • Bottom-up approach

67
Q

What are pros and cons of a decentralized model?

A
  • Pros: agile, solutions fit local needs
  • Cons: duplicated effort, inconsistency across units

68
Q

What is a hybrid governance model?

A
  • Central team sets policies and standards
  • Local teams implement and adapt them

69
Q

What are pros and cons of a hybrid model?

A
  • Pros: shared resources, consistency, local flexibility
  • Cons: hard to balance central authority with local adaptability

70
Q

What is the 'cross-functional nature' of privacy programs?

A

Teams across the organization must know their privacy roles, the applicable laws, and the operational practices that implement them.

71
Q

Why is 'it takes a village' relevant to privacy programs?

A
  • Privacy needs involvement from all departments
  • Training, technology, contracts, and assessments each sit with a different function

72
Q

What is the role of the governance body in privacy programs?

A

Enterprise-wide representatives who:
  • Ensure policies align with local laws
  • Adjust policies as needed
  • Track implementation

73
Q

What is the role of Learning and Development in privacy?

A
  • Teach how to operationalize policy
  • Reinforce good behavior
  • Correct bad behavior

74
Q

What does the Communications team do for privacy?

A

Drives engagement through intranet content and emails.

75
Q

How does Information Security support privacy?

A
  • Implements controls such as DLP, encryption, and role-based access control
  • Closely aligned with privacy: security controls protect the personal data that privacy policies govern

76
Q

What is the IT team's contribution to privacy?

A
  • Software development
  • Group permissions
  • Privacy by Design (PbD) implementation

77
Q

How does Internal Audit support privacy programs?

A
  • Assesses privacy controls
  • Develops frameworks to monitor policy effectiveness

78
Q

What role does Procurement play in privacy?

A
  • Ensures vendor contracts include privacy language
  • Supports legal due diligence on suppliers

79
Q

What are HR's privacy responsibilities?

A

Handles sensitive employee data.

e.g., medical information, background checks

80
Q

What role does Ethics and Compliance play?

A

Handles whistleblower complaints and investigations.

81
Q

What is the Marketing team's involvement in privacy?

A

Manages personal data used for media and marketing initiatives.

82
Q

How does Business Development & Strategy contribute?

A

Uses privacy as a competitive differentiator.

83
Q

What privacy-related laws and standards affect the Finance team?

A
  • PCI DSS (Payment Card Industry Data Security Standard; an industry standard imposed by contract, not a law)
  • SOX (Sarbanes-Oxley Act)
84
Q

What is Legal's responsibility in privacy?

A

Maintains knowledge of applicable privacy laws and regulations.

85
Q

What does Data Governance do?

A

Establishes the framework and policies to manage organizational data assets.

86
Q

What does Product R&D contribute to privacy?

A
  • Conducts PIAs (privacy impact assessments)
  • Consults on privacy by design and default (PbDD)

87
Q

What is the role of the Chief Privacy Officer (CPO)?

A

Corporate leader who creates privacy strategy and policy.

88
Q

What does a Director or Manager in privacy do?

A
  • Implements the strategy and privacy program
  • Reports to the CPO
  • Manages projects

89
Q

What are the responsibilities of a Privacy Analyst?

A
  • Entry-level role
  • Performs operational tasks and supports projects with research

90
Q

Who are Business Line Leaders in privacy?

A

Senior-level program managers overseeing privacy in specific business areas.

91
Q

What is the role of Legal Counsel in privacy?

A

Provides legal expertise and advice on privacy-related matters.

92
Q

Who are First Responders in privacy?

A

Staff designated to act first when a specific privacy situation arises (e.g., a suspected incident or breach), following the process defined for it.

93
Q

What is a Data Protection Officer (DPO)?

A
  • Role the GDPR requires (Art. 37) for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring or large-scale processing of special categories or criminal-offence data; voluntary otherwise
  • Oversees data protection strategy and compliance and is the contact point for the supervisory authority

94
Q

What does a Privacy Engineer do?

A
  • Implements technical privacy solutions
  • Embeds PbDD in the software development lifecycle

95
Q

What is a Privacy Technologist?

A
  • Implements technology to protect privacy
  • Includes roles such as audit, compliance, and system developers

96
Q

Which laws internationally require or reference a DPO or equivalent?

A
  • GDPR Article 37 (DPO)
  • Brazil's LGPD, Art. 41 (the "encarregado")
  • Canada's PIPEDA (requires designating an individual accountable for compliance, not a DPO by name)
  • South Korea's Personal Information Protection Act (PIPA), which requires a privacy officer

97
Q

What are 'special categories of data' under GDPR (Art. 9)?

A
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (for unique identification)
  • Health data
  • Sex life or sexual orientation

98
Q

What is the primary alignment focus of privacy managers?

A

Align with business objectives, not prohibit them.

99
Q

What are the general goals of a privacy manager?

A
  • Define objectives
  • Identify and mitigate risks
  • Implement policies
  • Lead training

100
Q

How do privacy managers handle metrics?

A

Identify, track, and communicate privacy metrics.

101
Q

What reporting responsibilities do privacy managers have?

A

Internal and external privacy-related reporting.

102
Q

What structural factors influence privacy teams?

A
  • Organization's hierarchy
  • Documented roles and responsibilities
  • Role evaluation
  • Flexibility
  • Customer service model
  • Value add