(Exam Guide) CIPM - Exam Privacy Program Management - Participant Guide

Uploaded by studysahara

PRIVACY PROGRAM MANAGEMENT

PARTICIPANT GUIDE

An IAPP Publication
CIPP®, CIPP/A®, CIPP/C®, CIPP/E®, CIPP/G®, CIPP/US®, CIPM® and CIPT® are registered
trademarks of the International Association of Privacy Professionals, Inc.

© 2024, The International Association of Privacy Professionals, Inc. (IAPP). All rights reserved. No
part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form
or by any means, mechanical, photocopying, recording or otherwise, without the prior, written
permission of the IAPP. For more information contact [email protected].

v 5.2
Welcome!

In today’s information economy, the risks — and opportunities — associated
with the use and collection of data continue to skyrocket. But you probably
already know that.

You probably also know that skilled privacy pros are in high demand. After
all, that is one of the reasons you are here, right?

You have come to the right place. The IAPP is the world’s largest
information privacy organization. We are a non-advocacy, not-for-profit
membership association focused on advancing the privacy profession.

Our globally recognized privacy training is designed to give you the expertise
and know-how you need to get ahead. You will hear from world-class privacy
faculty who are experts working in the field of privacy and data protection
today. They will share their knowledge, insights and real-life experiences to
help you sharpen your skills and work smarter — not to mention, take your
career to a whole new level.

While contemporary topics, developments and events may be discussed in
this training, please understand this is not a current events course but,
rather, is based on the corresponding IAPP exam's body of knowledge. The
BoK is an outline of topics, developed and approved by an exam
development board, that is reviewed/updated annually and serves as the
foundation for the certification exam and training.

If emerging privacy and data protection issues or events become part of the
exam, the training will be updated accordingly at least one month prior to
the release of exam updates.

Whether you are a seasoned professional or new to the field of privacy and
data protection, this class is an opportunity to learn essential skills, and, if
you decide to aim for an IAPP credential, you will have a head start!

Ready to get certified? Visit iapp.org/certify/prepare for advice on how to
prepare.

Thank you for joining us today.


Privacy Program Management
©2024 International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
Acknowledgements
Thank you to the following subject matter experts who provided their
guidance to the development of this course:

BOB SIEGEL
CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP
President, Privacy Strategist
Privacy Ref, Inc.

NITIN DHAVATE
CIPP/E, CIPM, FIP
Data Privacy, Digital & AI (DPDAI) Head – APMA and Global Health
Novartis

ROBERT STREETER
Data Protection Officer (ret.)

PAUL GRAY
CIPP/US, CIPM
Compliance Risk Manager
USAA

BAVO VAN DEN HEUVEL
CIPP/E, CIPP/US, CIPM, CIPT, FIP
Partner
Cranium

JANELLE HSIA
CIPP/E, CIPP/US, CIPM, CIPT
President
Privacy SWAN Consulting

TIM CLEMENTS
CIPP/E, CIPM, CIPT, FIP
Business Owner & Privacy Professional
Purpose and Means

JOYCE HUANG
CIPP/E, CIPM, CIPT, FIP
Fintech

Acknowledgements
Thank you to the following subject matter experts who provided their
guidance to the development of this course:

FUNKE BABATUNDE
CIPP/E, CIPM, FIP
Group Data Protection Officer
Somerset Bridge Group

NATASHA PETTERSON
CIPP/E, CIPM
Manager, Privacy Compliance
Salesforce

ERIN BUTLER
CIPM
Global Privacy and Cyber Risk Lead
Under Armour

PARI SARNOT
CIPM, CIPT
Experienced Manager
Grant Thornton

ADEBOLA HAMED
CIPP/US, CIPM, FIP
IT Audit Manager/Global Privacy Advisor

BEN WILCZYNSKI
CIPP/E, CIPM, FIP
Data Protection Officer and Strategic IG Lead
Innovate Healthcare Services

LUI KOK KWANG
CIPP/E, CIPM, CIPT, FIP
Data Privacy Specialist
Panasonic Asia Pacific

ALFONSO J. YI
AIGP, CIPP/E, CIPP/US, CIPM, FIP
VP, Security Advisory
Prudential Financial

Acknowledgements
Thank you to the following subject matter experts who provided their
guidance to the development of the course outline:

AILEEN CRONIN
VP, Business Integrity
F5 Inc.

CHRIS PAHL
CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP
Chief Privacy Officer

ORRIE DINSTEIN
CIPP/US
Global Chief Privacy Officer
Marsh McLennan

STEFAN WEISS
CIPP/E, CIPP/US, CIPT
Data Protection Officer (Europe)
CSL Behring

PAUL GRAY
CIPP/US, CIPM
Compliance Risk Manager
USAA

AARON WELLER
CIPP/US, CIPM, CIPT, FIP
Leader, Privacy Engineering Center of Excellence
HP

Trainer introduction
Chat: Share
How would you describe your industry?
Chat: Share
What are your, or your department’s, primary privacy responsibilities?
Course outline
• Module 1: Introduction to privacy program management
• Module 2: Privacy program framework: Privacy governance
• Module 3: Privacy program framework: Applicable laws and regulations
• Module 4: Privacy operational life cycle — Assess: Data assessments
• Module 5: Privacy operational life cycle — Protect: Protecting personal information
• Module 6: Privacy operational life cycle — Protect: Policies
• Module 7: Privacy operational life cycle — Sustain: Monitoring and auditing program performance
• Module 8: Privacy operational life cycle — Sustain: Training and awareness
• Module 9: Privacy operational life cycle — Respond: Data subject rights
• Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Course outcomes
This course will help you…
• Use effective strategies for developing and implementing a privacy program
• Integrate privacy requirements into organizational policies and procedures
• Create a culture of privacy awareness
• Effectively plan for and respond to a data security breach
• Monitor, measure, analyze and audit privacy program performance

Module 1: Introduction to privacy program management

Module 1 learning objectives
• Define privacy program management and the phases of the privacy operational life cycle.
• Define data life cycle management.
• Summarize privacy program manager responsibilities.
• Explore the relationship between accountability and privacy program management.
• Explain trending motivations for creating an effective privacy program.
• Recognize privacy concerns of diverse functions within an organization.
• Identify privacy program stakeholders.

Privacy operational life cycle
(Slide diagram: 1. Assess → 2. Protect → 3. Sustain → 4. Respond, shown as a repeating cycle)

Session notes
Privacy program management is the structured approach to combining several projects into a
framework and life cycle to protect personal information and individuals’ rights.

The privacy operational life cycle provides the means to assess, protect, sustain and respond to
positive and negative effects of influencing factors on the program.

Phase 1: Assess
• Provides steps, checklists and processes for assessing a privacy program
• Involves comparing the program to industry best practices, corporate privacy policies, applicable
laws and regulations, and privacy program frameworks

Phase 2: Protect
• Provides the data life cycle, information security practices and privacy-by-design principles to
protect personal information
• Embeds privacy principles and information security management practices into the organization
to address, define and establish privacy practices

Phase 3: Sustain
• Provides monitoring, auditing and communication aspects of the management framework
• Ensures “business as usual” by monitoring throughout multiple functions in the organization for
identifying, mitigating and reporting risk

Phase 4: Respond
• Seeks to reduce organizational risk and bolster compliance
• Involves the respond-phase principles: information requests, legal compliance, incident response
planning and incident handling
• Requires organizations to be accountable for data they collect and how they use it

Data life cycle management
(Slide diagram: the privacy program management topics listed below, arranged around the data life
cycle from collection to deletion)

Session notes
• Data life cycle management (DLM): Policy-based approach to managing the flow of information through
its life cycle, from collection to final disposal
• Related terms: Information life cycle management and data governance
• DLM may be driven by an organization’s need to harness big data while simultaneously protecting
that data and meeting government/industry regulations

The following privacy program management topics will be discussed in this course:
• Privacy governance
• Applicable laws and regulations
• Data assessments
• Protecting personal information
• Policies
• Monitoring and auditing program performance
• Training and awareness
• Data subject rights
• Data breach incident plans

Privacy program management requires accountability

Session notes
Privacy program management requires accountability. Accountability is arguably the most
important aspect of privacy program management.

Who holds organizations accountable for privacy?
• Customers/clients/patients
• The public
• Regulators/DPAs
• Professional organizations and associations
• Employees and business partners
• Investors
• Industry watchdogs
• The media
• Hacktivists

One Earth Medical’s Privacy Program Development

Diana Garcia has been hired as the Global Privacy Officer for One Earth Medical. Her broad
charge is to create a consistent global privacy program for all divisions of the company and
define how the elements of that program will be implemented company-wide.

One Earth Medical deals with a lot of personal information, including sensitive information,
both internally and through its network of third-party vendors. This includes patient records,
financial information and experimental trial results.

Recently, a hacking attack was made on a central One Earth Medical database that contains
patient information. Until this attack took place, all privacy issues were addressed at local
functional levels within each division, rather than at the corporate level. The company had
no global privacy policy in place, and the various functional levels of responsibility within
the company had developed policies and procedures for their discrete areas of operation
without regard to how their problems might interact with other organizations or divisions.
Many of the local functional solutions had no applicability outside the business unit’s
particular operations. The attack turned out to be amateurish and low-risk; however, the
lack of a plan for company-wide response was clear.

Privacy Officer Garcia must coordinate many variables to successfully create and implement
a company-wide global privacy program.

Chat: Activity #1
Read the scenario to answer the question that follows.

Generally speaking, what are a privacy program manager’s responsibilities?

Resource
OPC and OIPCs of Alberta and British Columbia, Getting Accountability Right with a Privacy
Management Program, Accessed April 25, 2017,
https://iapp.org/media/pdf/knowledge_center/Canada-Getting_Accountability_Right(Apr2012).pdf.

Roles and responsibilities of the privacy team
What are the common roles?
• Chief privacy officer
• Privacy directors/managers
• Privacy analysts
• Business line privacy leaders
• Privacy/legal counsels
• First responders
• Data protection officer
• Privacy engineers
• Privacy technologists

Session notes
The roles and responsibilities of the privacy team include managing privacy-related matters,
developing and implementing an enterprise-wide privacy program, safeguarding personal and
sensitive data, ensuring compliance with privacy policies and regulations, and aligning with global
regulations.

Chief privacy officer: Leads the privacy office and is responsible for developing the company's
privacy strategy and operationalizing the privacy program.
Privacy directors/managers: Typically report to the CPO and assist with implementing the privacy
strategy/program. May oversee specific business activities or regions (e.g., Director of Privacy
U.S./EMEA, Marketing Privacy Manager).
Privacy analysts: Assist with conducting research, privacy impact assessments, risk assessments and
supporting policy implementation. Can be an entry-level role.
Business line privacy leaders: Senior management roles who oversee privacy within specific
business lines or regions.
Privacy/legal counsels: Provide legal guidance, review contracts for compliance and represent the
organization in legal proceedings. These roles may sit within the privacy team or the legal function,
or the organization may rely on external counsel.
First responders: Support specific privacy processes in scenarios like incidents.
Data protection officer: Acts as a liaison with data protection authorities, ensures compliance with
data protection laws and advises on data protection impact assessments. The designation of a DPO is
a relatively new requirement formally established under Article 37 of the GDPR and is now also
required under LGPD.
Privacy engineers: Focus on the technical implementation of privacy requirements into product
design and lead privacy-by-design principles.
Privacy technologists: Technology professionals who ensure privacy in technology, including audit,
risk, compliance managers, data professionals, architects, engineers and scientists. These roles may
not necessarily sit within the central privacy office.

It’s not just about law and compliance
(Slide: privacy governance activities, from responses to an IAPP-EY survey regarding the types of
activities the privacy function undertakes; the full list with percentages is given in the session notes)

Session notes
• Privacy is no longer solely about law and compliance; it has evolved into a tool for building
customer trust and enabling business growth
• A privacy team’s most critical responsibilities differ across organizations
• Although compliance tends to be top priority, the need for privacy extends beyond
regulatory/legal considerations and includes contractual obligations, customer expectations,
ethical values and strategic goals
• There has been a noticeable shift in recent years regarding privacy teams: once seen as a hindrance
to business operations, privacy teams now collaborate closely with the business and are business enablers

Top 10 responses to an IAPP-EY survey asking respondents to indicate the types of activities their
privacy function undertakes (from the IAPP-EY Privacy Governance Report):

1) Developing and implementing privacy policy (92% of respondents)
2) Designing and implementing privacy impact assessments (90%)
3) Establishing management of and responding to incidents and breaches (88%)
4) Designing policies and responding to requests related to data subject rights (88%)
5) Designing and delivering privacy training (88%)
6) Developing policies and standard practices related to notice and consent (87%)
7) Identifying and owning the management of privacy risk (86%)
8) Interacting with and providing guidance for privacy complaints (84%)
9) Participating in and developing standards for regulatory interactions (73%)
10) Gathering information and advising inventory functions (72%)

Resource
IAPP-EY Privacy Governance Report: https://iapp.org/resources/article/privacy-governance-report/

Chat: In your experience
Which departments/functions are typically involved in an organization’s privacy program?

Session notes
A successful privacy program will integrate privacy requirements and representation into functional
areas across the organization.

Human resources: Privacy concerns

Session notes
HR privacy concerns
The HR department looks at the personal information life cycle of specific HR data to ensure the
handling of all information by HR personnel is in compliance with the organization’s privacy
policies/procedures.

The human resources function should integrate privacy into areas such as…
• Compensation and benefits
• Talent acquisition and hiring
• Employee records
• Employee relations
• Training and development
• Performance management
• Succession planning

Multinational organizations are required to meet local regulations and privacy expectations of their
employees in all countries in which they operate.

Resource
Article 29 Data Protection Working Party, Opinion 2/2017 on data processing at work,
https://iapp.org/media/pdf/resource_center/wp249_data-processing-at-work_06-2107.pdf.

Human resources: Employee privacy

Session notes
Employee privacy
• Investigations of fraud and criminal activities
• Handling of organization trade secrets
• Prevention of discrimination, sexual harassment and other human rights concerns
• Compliance with workplace safety
• System integrity with compliance of security and privacy practices
• Whistle-blowing
  – Significant issue, with some countries having strong restrictions on how it may be done
    (e.g., France)
  – Considerations
    – Anonymity of the whistle-blower (where permitted)
    – Impacts on those who may be the subject(s) of the whistle-blowing
• Ethics function must exist (even if no ethics office)
  – Must be a trusted place where people can take complaints, concerns and whistle-blowing
    when necessary
  – Will often function independent of normal chain of command—properly empowered and
    staffed to perform necessary tasks
  – Necessary to guard integrity of ethics function, protect data and protect
    organization from possible misconceptions of data confidentiality

Marketing/business development
• Any processing related to marketing activities may be subject to:
  – Legal requirements
  – Self-regulatory requirements

Session notes
Marketing/business development
• Any activities where personal information is processed (collected, used and shared) as a function of
marketing and media purposes
  – Must conform to legal requirements and requirements of any self-regulatory regimes to
    which the organization may be subject
  – Example: Digital advertising
• To safeguard consumer rights, several laws exist that advertisers must understand and abide by
  – Example: National Do Not Call Registry

Resource
Fieldfisher’s EU e-marketing requirements, Accessed May 11, 2020,
https://res.cloudinary.com/fieldfisher/image/upload/v1585817516/PDFs/EU_e-marketing_requirements_updated_March_2020_g6jh2u.pdf

Chat: Let’s talk about…
What aspects of the financial function may be impacted by privacy concerns?

Information security
• Confidentiality, integrity, availability
• Technical, physical and administrative controls support CIA
  – IT systems
  – Building security
  – Remote users
  – Vendors
  – Third parties

Session notes
Information security
• Technical and physical controls that span the organization
• IT systems, building security, remote users, vendors and third parties

At the highest level, information security…
• Provides standards and guidelines for applying management, technical and operational controls
• Aims to reduce probable damage, loss, modification and unauthorized access to systems, facilities and
data
• Includes a strategy for destruction documentation; sanitization of hard drives and portable drives;
and security of fax machines, imaging and copier machines

Three common information security principles: the C-I-A triad (information security triad)
• Confidentiality: Unauthorized disclosure of information is prevented
• Integrity: Information is protected from unauthorized or unintentional alteration, modification or
deletion
• Availability: Information is readily accessible to authorized users

Information technology
• Accessibility limitations
• Database management
• Asset inventory
• Virtual machines

Session notes
Information technology
• Works closely with privacy and security to ensure alignment
  – Example: Security designates who has access to information; IT enables access to those
    with proper permissions
• Accessibility limitations: Determined by…
  – How personal information is being used
  – Who needs access
  – For how long access is needed
• Database management
  – Limited sharing and appropriate destruction when no longer needed
• Asset inventory
  – Example: Monitoring information through its life cycle, such as old files that need to be
    deleted
• Virtual machines
  – Tracking hosts on the internal network
  – Ensuring they are shut down when their function is complete

Legal and compliance
Legal, security, audit, risk and compliance may overlap or be separate

Session notes
Legal and compliance functions will be discussed in more depth in module 3.

Legal
• Organization must conduct factual and legal due diligence to align privacy practices and minimize
legal liability
  – Factual due diligence allows you to determine what information your organization uses
  – Legal due diligence allows you to determine what laws govern the use of that information
• Legal should have controls, documentation management practices and tracking mechanisms
  – Identify, track and record all procurements, contracts, service-level agreements and
    performance measurements for privacy management
  – Vendors held to same standards as employees

Compliance
• Can exist within any of the core business functions

Legal and compliance: Separate or combine?

Session notes
Advantages and disadvantages of separating or combining functions
• Separation of legal, compliance, internal audit and security functions
  – Collaboration is more challenging, but functional independence is assured
• Combination of legal, compliance, internal audit and security functions
  – Collaboration is assured, but functional independence is more challenging

Chat: Share
What laws directly influence how personal information is managed in your organization?

Learning and development
• Manages activities related to employee training
• May include privacy-related training and awareness
• Can help operationalize privacy principles

Session notes
Training and awareness will be discussed in more depth in module 8.

Learning and development

• Integral to the success of the privacy program
• Help translate policies and procedures into teachable content
• Contextualize privacy principles into tangible operations and policies
• In smaller organizations, these responsibilities may fall on the privacy team
• Privacy team should approve privacy training output that has been produced

Internal audit
• Assesses whether controls are in place to protect personal information
• Evaluates if people and processes comply with the controls
• Privacy program ally

Session notes
Internal audit
Good practice is aligning with the internal audit team in developing a framework to monitor privacy
policies, controls and procedures already implemented to ensure they are being adhered to and
working as they should.

Procurement
• Ensures contracts are in place with third-party providers that process personal information on
behalf of the organization
• Ensures appropriate privacy language in contracts with providers

Session notes
Procurement
• Most privacy laws require data controllers to ensure their privacy requirements are fulfilled
• Procurement teams support the privacy and legal teams in performing due diligence, taking
action on the results of their findings, and making sure contractual language reduces the
organization’s exposure
• In smaller organizations, a legal department may create contract requirements

29
©2024 International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
Privacy Program Management

Communications

• Produces intranet content, emails, posters and other collateral that reinforce good privacy practices
• Advises on the best methods of communication to boost engagement

Session notes
Communications
• Ensures privacy-related communications are consistent with the organization’s branding,
objectives and tone of voice
• Determines best mode of delivery to boost engagement, e.g., a video, poster or intranet blog
post

Additional privacy program stakeholders

Session notes
In addition to the organization and its business functions, privacy program stakeholders will include:
• Employees and business partners, often including workers who are not technically employees,
such as temporary workers and contractors
• Investors
• Industry watchdogs
• The media
• Professional organizations/associations
• Regulators/DPAs
• The public
• Customers, clients, patients

Chat: Review question
1. To whom may One Earth Medical be held accountable for privacy?

Session notes
1. To whom may One Earth Medical be held accountable for privacy?

Chat: Review question
2. To garner support and budget, Privacy Officer Garcia must understand One Earth Medical’s motivators for initiating a global privacy program. What reasons should be considered and prioritized?

Session notes
2. To garner support and budget, Privacy Officer Garcia must understand One Earth Medical’s
motivators for initiating a global privacy program. What reasons should be considered and
prioritized?

Chat: Review question
3. Garcia will need to work across functions to align the privacy program with all departments. Which key functions should be involved?

Session notes
3. Garcia will need to work across functions to align the privacy program with all departments.
Which key functions should be involved?

Module 2: Privacy program framework: Privacy governance

Learning objectives

Module 2 learning objectives


• Define privacy governance and identify its components.
• Analyze the components of a privacy vision/privacy mission statement.
• Summarize considerations for defining a privacy program’s scope and charter.
• Explain the purpose of a privacy strategy.
• Define privacy program frameworks.
• Discuss common privacy program frameworks.
• Compare and contrast privacy governance models.
• Describe a DPO’s required skill set and typical responsibilities.
• Discover ways to receive buy-in for a privacy program.
• Review considerations for keeping a record of ownership.
• Explore ways key functional areas are involved in creating and enforcing privacy policies.
• Analyze considerations for choosing a privacy technology product.
• Discuss strategies for aligning privacy compliance with organizational strategy.

Privacy governance

Components of privacy governance (diagram): Creating the organizational privacy vision and mission statement; Defining the scope of the privacy program; Selecting an appropriate privacy framework; Developing the organizational privacy strategy; Structuring the privacy team

Module 2: Privacy program framework: Privacy governance

Session notes
Building a strong privacy program starts with establishing the appropriate governance of the
program. Privacy governance refers to the components that guide a privacy function toward compliance
with privacy laws and regulations while enabling it to support the organization’s broader business
goals.

These components include:


• Creating the organizational privacy vision and mission statement
• Defining the scope of the privacy program
• Selecting an appropriate privacy framework
• Developing the organizational privacy strategy
• Structuring the privacy team

Chat: Share
Where does the privacy program fit within your organization?

Session notes
There is no standard organizational structure for privacy across organizations.

Chat: Share
Where does the privacy program fit within your organization?

Where does the privacy program fit within the organization?

Which teams do privacy teams work with the most?

Session notes
Which teams do privacy teams work with the most?
In the IAPP-EY Privacy Governance Report, respondents reported which teams their privacy team works
with the most (respondents could name more than one team, so the figures add up to more than 100%):
• Legal and compliance (62%)
• IT (46%)
• Security (46%)
• Data governance (20%)
• Human resources (15%)
• Marketing (14%)
• Risk management (13%)
• Product development (13%)
• Vendor management (12%)
• Ethics and compliance (10%)
• Audit/internal control (9%)
• Customer support (7%)
• Other (7%)
• Executive leadership (6%)

Considerations when positioning privacy within the organization:
• Which department has the most influence with the business?
• Which has global scope?
• Which is the best-funded?
• Which executes enterprise projects the best? (Privacy touches all parts of the organization.)
• Which is the strongest supporter of privacy?

Resource
IAPP-EY Privacy Governance Report: https://iapp.org/resources/article/privacy-governance-report/

Chat: Share
What are your organization’s privacy vision and mission statements?

Session notes
The privacy vision and mission (or “purpose” or “ambition”) statements concisely communicate the
organization’s privacy stance to all stakeholders.
The vision statement is a values statement regarding what the organization hopes to achieve in the
future.
A mission statement should define what you do to protect individuals’ privacy in a tangible way. It
should be focused on the present and should be clear, concise and easy for all stakeholders to
understand and act upon.
Example:
Irish Data Protection Commission
Our vision: The DPC will be a fully fit-for-purpose independent, internationally respected and
trusted supervisor and enforcer of EU data protection law.
Our mission: Protecting data privacy rights by driving compliance through guidance, supervision
and enforcement.

Creating a company vision requires…
• Acquiring knowledge on privacy approaches
• Evaluating the intended objective
• Gaining executive sponsor approval

Stakeholder consensus — both internal and external — of the privacy vision and mission is very
important to facilitate acceptance of and ongoing success with evolving privacy policies and privacy
management. It is also imperative that employees have access to policies and procedures along with
updates relative to their role(s).

Chat: Share
What are your organization’s privacy vision and mission statements?
Resource
“Mission Statement,” An Coimisiún um Chosaint Sonraí | Data Protection Commission,
www.dataprotection.ie/en/who-we-are/mission-statement.

Privacy vision and mission

Common elements
• Value of privacy to the organization
• Organizational objectives
• Strategies to achieve intended outcomes
• Roles and responsibilities

The privacy vision and mission statements create awareness about the organization’s privacy practices

Session notes
Review the elements of a company privacy vision and mission statement.

Common elements
• Value of privacy to the organization
• Organizational objectives
• Strategies to drive tactics to achieve intended outcomes
• Roles and responsibilities

The privacy mission and vision statements help to create awareness about the organization’s
privacy practices both internally and externally.

Internal awareness: By integrating the mission statement into training programs and internal
communications, employees become well-versed in the organization’s privacy commitments and
their role in upholding these standards.

External awareness: Sharing the mission statement externally demonstrates transparency and your
commitment to privacy, building trust with customers and other stakeholders.

Defining program scope and charter

Understand the universe of your privacy program
• Global and local laws, regulations and standards
• Types of personal information the organization collects/stores and how it is used
• Culture, expectations and perspectives, including risk acceptance
• Regulatory challenges
• Business-sector requirements

Session notes
What are some early considerations for rolling out a privacy program?
• Generally, a privacy program needs to be initiated to execute a new privacy strategy
• A formal sign-off, typically from the C-suite level, may be required to justify significant
investment of funds and people
• Justification for investment in a privacy program can be in the form of a business case, program
charter or program initiation document
  • The name may vary according to the organization
  • Sets out the what, why, how, who, how much and when of the program in relation to
  privacy strategy execution, and typically includes the considerations listed in the slide,
  among others

Sample Information Security and Privacy Program Charter:
https://www.isc.upenn.edu/information-security-and-privacy-program-charter

Basics of a privacy strategy

Business alignment

Session notes
• Privacy strategy should lay out goals of privacy program
• Development may be complex and challenging
• Process may involve several stakeholders with potentially disparate objectives
• Topics below discussed in more depth throughout the training

Basics of a privacy strategy
• Business alignment
  • Make the operational business case for privacy
  • Identify stakeholders and internal partnerships
  • Make connections and foster relationships
  • Find a champion
  • Leverage key functions
  • Create a process for interfacing within the organization (e.g., a privacy committee)
  • Align organizational culture and privacy objectives
  • Obtain funding/budget for privacy and the privacy team
  • Ensure alignment is included in operational discussions

Basics of a privacy strategy

Business alignment

Data governance of personal information

Session notes
Basics of a privacy strategy
• Data governance of personal information (consider the entire data life cycle: collection,
authorized use, access, sharing, transferring, security and destruction)
  • Make an inventory of applicable privacy laws, regulations and standards
  • Then design the approach to handling and protecting personal information (e.g., a rationalized
  approach that leverages overlapping requirements)

Basics of a privacy strategy

Business alignment

Data governance of personal information

Inquiry-/complaint-handling procedures

Session notes
Basics of a privacy strategy
• Inquiry-/complaint-handling procedures
  • Consider processes for customers, regulators and employees
  • Train the individuals handling requests
  • Explore the use of technology to increase the efficiency of responses

Strategic priorities
Session notes
The IAPP-EY Privacy Governance Report 2023 revealed shifting strategic priorities in response to
changing external and internal environments.
• Notably, AI governance surged in importance, becoming a top priority for one in three
respondents, moving from ninth to second place in just a year
• Privacy by design continued to be the foremost priority for privacy professionals in 2023
• The priorities of international transfers and data deletion, which were among the top three in
2022, fell to fourth and fifth positions, respectively, in 2023
• Cross-border compliance with new laws in various jurisdictions emerged as the third strategic
priority, acknowledging the complex landscape of global privacy, with nearly a third of
respondents highlighting its importance

Balancing privacy with organizational strategy

Session notes
Balancing privacy with organizational strategy
• In complying with the law, organizations should seek to align their privacy-related activities
with their overall strategy
  • Compliance should be the baseline
    • It creates an opportunity to simultaneously reevaluate and improve data management
    practices, such as data inventory and data access controls
  • Alignment should be achieved with the least amount of business disruption
    • Business disruption is another form of penalty that should be considered in
    addition to fines for noncompliance, etc.
  • Privacy by design (discussed in module 5), combined with strategy work alongside business
  colleagues, furthers the organization’s goals while striking that balance

Along with understanding the organization's business strategy, it is also important to consider the
company's risk appetite.
• An organization's risk appetite is the amount and type of risk it is willing to accept or tolerate to
achieve its goals
• It guides decision-making and strategy, influencing how risks are managed across all aspects of
the business
• Privacy professionals need to match the company's privacy work with its main goals and what
risks it is willing to take

Resource
Bob Siegel, “For a Successful Privacy Program, Use These Three A’s,” The Privacy Advisor (IAPP),
February 22, 2016, https://iapp.org/news/a/for-a-successful-privacy-program-use-these-three-as/.

External privacy organizations

• American Civil Liberties Union
• Better Business Bureau
• Bits of Freedom
• Center for Democracy and Technology
• DataEthics
• Electronic Frontier Foundation
• Electronic Privacy Information Center
• International Association of Privacy Professionals
• NOYB — European Center for Digital Rights
• Online Trust Alliance
• Privacy International
• Privacy Rights Clearinghouse

Session notes
Several independent organizations publish guidance and advocate on privacy issues that continue to
arise worldwide. These are private groups, not regulators, formed to study and promote privacy.

External privacy organizations
• American Civil Liberties Union — U.S.
• Better Business Bureau — U.S. and Canada
• Bits of Freedom — Netherlands
• Center for Democracy and Technology — Global
• DataEthics — EU/Global
• Electronic Frontier Foundation — Global
• Electronic Privacy Information Center — Global
• International Association of Privacy Professionals — Global
• NOYB — European Center for Digital Rights — EU
• Online Trust Alliance — Global
• Privacy International — Global
• Privacy Rights Clearinghouse — U.S.

Privacy program framework
An implementation roadmap to guide the privacy professional through privacy management

Session notes
Once the privacy strategy is confirmed, the organization can move on to determine its privacy framework.

What distinguishes a privacy strategy from a privacy framework?
• A privacy strategy can be thought of as the “why”: Why is privacy important to our organization?
• A privacy framework can be considered the “what”: What form or structure will our privacy
program take?

Privacy program frameworks:
• Provide a benchmark against which to measure your program
• Generally include policies, procedures and processes so the organization knows how to comply
with the framework
• Offer structure or checklists to guide the privacy team through privacy management, including
controls or statements that need to be operationalized (each control should end up with a named
owner, a defined procedure and evidence that it is operating)
• Can be a standard, a law or regulation, or an industry framework. There is no one-size-fits-all
framework; usually an organization combines components from multiple sources (for example,
ISO/IEC 27001, ISO/IEC 27701, the GDPR and U.S. state privacy laws) to create its own framework.

Chat: Let’s talk about…
What are the benefits of using a privacy program framework?

Chat: Let’s talk about…
What are the benefits of using a privacy program framework?

Develop and implement the privacy program/policy framework

Develop the program framework
• Develop organizational privacy policies, standards and/or guidelines
• Define privacy program activities

Session notes
These topics will be discussed in more depth throughout the training.

Develop the privacy program framework
• Develop organizational privacy policies, standards and guidelines
  • Adopt a shared privacy program vocabulary (e.g., incident vs. breach)
  • See the IAPP’s “Glossary of Privacy Terms”: www.iapp.org/resources/glossary
• Define privacy program activities
  • Education and awareness
  • Monitoring and responding to the regulatory environment
  • Internal policy compliance
  • Data inventories, data flows and classification
  • Risk assessment
  • Incident response and process, including jurisdictional regulations
  • Remediation
  • Program assurance, including audits

Develop and implement the privacy program/policy framework

Develop the program framework
• Develop organizational privacy policies, standards and/or guidelines
• Define privacy program activities

Implement the policy framework
• Communicate the framework to internal and external stakeholders
• Ensure continuous alignment to applicable laws and regulations to support the development of an organizational privacy program framework

Session notes
Implement the privacy policy framework
• Communicate the framework to internal and external stakeholders
• Ensure continuous alignment to applicable laws and regulations to support development of an
organizational privacy program framework
  • National laws and regulations
  • Applicable local laws and regulations
  • Penalties for noncompliance with laws and regulations
  • Scope and authority of oversight agencies (e.g., data protection authorities, privacy
  commissioners, Federal Trade Commission, etc.)
  • Privacy implications of doing business in/with countries with inadequate privacy laws or
  without privacy laws
  • Ability to manage a global privacy function
  • Ability to track multiple jurisdictions for changes in privacy law
  • International data-sharing arrangements

Current privacy program frameworks

Principles and standards

• FIPs
• OECD Guidelines
• GAPP
• CSA Privacy Code
• APEC Framework
• ETSI standards
• ISO standards

Session notes
Current privacy frameworks
• Privacy frameworks began emerging in the 1970s
• Industry frameworks may be internationally or nationally based to support principles within
different taxonomies
• “Framework” as a term is used broadly for various processes, templates, tools, laws and
standards that may guide the privacy professional in privacy program management
• This and the following slides include widely recognized frameworks that may aid in development and
implementation
• Each example has varying objectives, but all can be used to help create tailored privacy program
frameworks

Principles and standards
• Fair Information Practices (FIPs) provide basic privacy principles central to several modern
frameworks, laws and regulations. Practices and definitions vary across codifications. They
include: rights of individuals (notice, choice and consent, and data subject access), controls on
information (information security and information quality), information life cycle (collection, use
and retention, and disclosure), and management (management and administration, and
monitoring and enforcement).
• The Organisation for Economic Co-operation and Development (OECD) Guidelines on the
Protection of Privacy and Transborder Flows of Personal Data are the most widely accepted
privacy principles; together with the Council of Europe’s Convention 108, they are the basis for the
EU’s General Data Protection Regulation (GDPR).
• The American Institute of Certified Public Accountants (AICPA) and Canadian Institute of
Chartered Accountants (CICA), which formed the AICPA/CICA Privacy Task Force, developed
the Generally Accepted Privacy Principles (GAPP) to guide organizations in developing,
implementing and managing privacy programs in line with significant privacy laws and best
practices.
• The Canadian Standards Association (CSA) Model Code for the Protection of Personal Information
(the CSA Privacy Code) became a national standard in 1996 and formed the basis for PIPEDA, which
incorporates it as Schedule 1.
• The APEC Privacy Framework enables Asia-Pacific data transfers to benefit consumers,
businesses and governments.
• The European Telecommunications Standards Institute (ETSI) is a nonprofit organization that
produces standards for information and communication technology, primarily for Europe.
• ISO is an international standard-setting body. ISO/IEC 27701 (privacy information management),
the ISO 8000 series (data quality), ISO 15489 (records management), the ISO/IEC 27000 series
(information security management) and ISO 22301 (business continuity) are particularly relevant
to the privacy professional.

Current privacy program frameworks

Principles and standards
• FIPs
• OECD Guidelines
• GAPP
• CSA Privacy Code
• APEC Framework
• ETSI standards
• ISO standards

Laws, regulations and programs
• PIPEDA
• APPs
• GDPR
• LGPD
• PIPL
• HIPAA
• Jurisdictional and sectoral laws and guidance

Session notes
Current privacy frameworks continued

Laws, regulations and programs
• The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and the
Australian Privacy Principles (APPs) provide well-developed and current examples of generic privacy
principles implemented through national laws.
• EU data protection legislation includes the GDPR, which offers a framework for data protection
with increased obligations for organizations and far-reaching, including extraterritorial, effects.
• Brazil’s Lei Geral de Proteção de Dados (LGPD), inspired by the GDPR, creates a legal framework
for the use of online and offline personal data in Brazil in the private and public sectors.
• China’s Personal Information Protection Law (PIPL), in force since November 2021, forms an
overarching framework together with the Cybersecurity Law and the Data Security Law to govern data
protection, cybersecurity and data security in China.
• The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law passed to create
national standards for electronic health care transactions, among other purposes. HIPAA required the
U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and
security of protected health information. The basic rule is that a covered entity needs the
patient’s written authorization before using or disclosing that information, subject to important
exceptions such as treatment, payment and health care operations.
• Local data protection authorities, such as France’s Commission nationale de l’informatique et
des libertés (CNIL), provide guidance on legal frameworks.

Current privacy program frameworks

Principles and standards
• FIPs
• OECD Guidelines
• GAPP
• CSA Privacy Code
• APEC Framework
• ETSI standards
• ISO standards

Laws, regulations and programs
• PIPEDA
• APPs
• GDPR
• LGPD
• PIPL
• HIPAA
• Jurisdictional and sectoral laws and guidance

Privacy program management solutions
• PbD
• COBIT 2019
• NIST privacy engineering/risk management
• WebTrust
• Vendor solutions

Session notes
Current privacy frameworks continued

Privacy program management solutions
• Privacy-by-design (PbD) solutions are built by organizations to ensure consumers’ privacy
protections at every stage of developing their products. These include reasonable security for
consumer data, limited collection and retention of such data, and reasonable procedures to promote
data accuracy.
• COBIT 2019 is ISACA’s framework for the governance and management of enterprise IT; its
governance and management objectives can be used to structure the IT controls a privacy program
relies on.
• The National Institute of Standards and Technology (NIST) has published “An Introduction to
Privacy Engineering and Risk Management in Federal Systems” (NISTIR 8062), introducing concepts of
privacy engineering and risk management for federal systems: a common vocabulary to facilitate
better understanding and communication of privacy risk within federal systems and effective
implementation of privacy principles. Two key components support the application of privacy
engineering and risk management: privacy engineering objectives and a privacy risk model. NIST
also publishes the NIST Privacy Framework (version 1.0, January 2020), designed to be used
alongside the Cybersecurity Framework.
• The NIST Cybersecurity Framework, updated to version 2.0 in 2024, aims to help organizations
across all economic sectors manage and reduce risk. The framework enables all types of
organizations to apply the principles and best practices of risk management to improving security
and resilience. It provides a common organizing structure for multiple approaches to
cybersecurity by assembling effective standards, guidelines and practices, with the 2024 update
adding a Govern function that puts emphasis on governance.
• The American Institute of Certified Public Accountants and Canadian Institute of Chartered
Accountants created WebTrust, now managed by the Chartered Professional Accountants of
Canada, through which accountants can become certified to conduct privacy evaluations.
• Vendors may provide tools and frameworks for privacy compliance and management.

Chat: Share
Which of the recognized privacy program frameworks below does your organization use/follow?

Principles and standards: FIPs, OECD Guidelines, GAPP, CSA Privacy Code, APEC Framework, ETSI standards, ISO standards
Laws, regulations and programs: PIPEDA, APPs, GDPR, LGPD, PIPL, HIPAA, jurisdictional and sectoral laws and guidance
Privacy program management solutions: PbD, COBIT 2019, NIST privacy engineering/risk management, WebTrust, vendor solutions

Chat: Share
Which of the recognized privacy frameworks does your organization use/follow?

Privacy governance models

Centralized

Session notes
Considerations for creating a privacy office governance model
• Organizational structure
• Existing governance models used by IT, Security, Finance, etc.
• Positioning and authority of privacy team (e.g., corporate legal umbrella vs. IT umbrella)
• The maturity of the program
• Involvement of senior leadership
• Involvement of internal stakeholders
• Development of internal partnerships

The governance model utilized may change over time.

Privacy governance models
• Centralized
  • One team or person is responsible for privacy-related affairs
  • This model works best in organizations that use single-channel functions, with planning
  and decision-making completed by one group

56
©2024 International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
Privacy Program Management

• Local/decentralized
  • Decision-making is delegated to lower levels of the organization
  • This model widens the span of control and allows decisions and information to flow from bottom to top

• Hybrid
  • This model combines centralized and local/decentralized governance
  • It is most common when a large organization assigns an individual or group responsibility for privacy-related affairs for the rest of the organization
  • Local entities support the central governing body

Structure the privacy team

Session notes
Establish the organizational model, responsibilities and reporting structure appropriate to the size of the organization.

• Large organizations
  • Chief privacy officer
  • Global privacy officer
  • Privacy manager
  • Privacy analysts
  • Business line privacy leaders
  • “First responders”
• Small organizations
  • Sole officer, for whom privacy is sometimes not the only job
  • Designate a point of contact for privacy issues
• Establish/endorse measurement of professional competency
• Consider using project/program management resources to orchestrate/drive the program, especially during program initiation
• Data protection officer
  • Some legislation requires organizations to appoint a DPO: the EU’s GDPR in certain circumstances, and Brazil’s LGPD for every controller (subject to exemptions the ANPD may issue)
  • Even if an organization does not need to appoint one, it is good practice to review this requirement periodically
• Privacy champions, executives who serve as privacy program sponsors and act as advocates to further foster privacy as a core organizational concept, are also crucial to an organization’s privacy team

The GDPR DPO: Required skills

Session notes
The GDPR requires all public authorities in the EU and many private organizations (inside and outside the EU) to appoint a data protection officer to help with GDPR compliance.

The DPO under the GDPR: Key tasks
• Working closely with regulators and advising stakeholders to work toward compliance
• Ensuring that their organizations are aware of their training and awareness obligations
• Keeping up with changes in law and technology
• Building, implementing and managing privacy programs

Required DPO skills
• Risk/IT: Experience assessing risk and best-practice mitigation
• Legal expertise/independence: Knowledge of relevant laws and regulations (including those governing outsourcing activities)
• Communication: Interpersonal flexibility and the ability to communicate effectively with business functions (legal, IT, etc.)
• Leadership/broad exposure: Project management and the ability to manage one’s own professional development
• Self-starter/board level: Ability to fulfill the role autonomously and report directly to the highest management level
• Common touch/teaching: Ability to speak to citizens, handle requests/complaints and train others to assist data subjects
• No conflicts/credibility: No “roles that conflict with their DPO role”

Resources
IAPP Westin Research Center, “From Here to DPO: Building a Data Protection Officer,” January 25, 2017, https://iapp.org/resources/article/from-here-to-dpo-building-a-data-protection-officer/.

Thomas Shaw, “What Skills Should Your DPO Absolutely Have?” The Privacy Advisor (IAPP), January 24, 2017, https://iapp.org/news/a/what-skills-should-your-dpo-absolutely-have/.

Operationalizing DPO responsibilities

Session notes
DPO responsibilities are set out by the GDPR and further explained by Article 29 Working Party guidance. (When the GDPR became applicable on 25 May 2018, the Article 29 Working Party was replaced by the European Data Protection Board; the Working Party’s opinions remain valid.)

• DPO independence
  • The DPO may hold another position within the organization, as long as those functions do not conflict with the DPO role; the DPO must not hold a position, such as CEO, that determines the purposes and means of processing personal data
• Working with regulators
  • The DPO should be acquainted with the relevant regulators (in the jurisdictions where the organization does business) and have a positive working relationship with them
• Accessibility to data subjects
  • Article 29 Working Party: It is important for DPOs to be available to answer data subject questions
• Assessing privacy risk
  • The DPO should provide advice regarding when and how privacy impact assessments or data protection impact assessments (a requirement under the GDPR and other privacy regulations) are conducted
• DPO dismissal and penalties
  • The DPO may not be dismissed or penalized for performing DPO-related duties

Resource
Article 29 Data Protection Working Party, Guidelines on Data Protection Officers, revised April 5, 2017, http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612048.

The LGPD DPO

Session notes
The LGPD requires every data controller, regardless of size or volume of data processed, to appoint a DPO, although the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados, or “ANPD”) can later issue regulations on exemptions. The law does not set forth required skills, but describes the data protection officer’s (DPO) responsibilities, which include:
• Communications channel: Communications with the ANPD and with data subjects; the DPO should be in charge of responding to any requests made by them.
• Guide employees and contractors as to processes and rules: Ensuring employees and contractors are trained in the rules, processes and obligations; keeping up with law and technology changes; building, implementing and managing privacy programs.
• Can be outsourced: Brazilian Executive Order No. 869/18 changed the requirement in the law such that a DPO is no longer required to be a “natural person.” This allows the position to be outsourced to an external firm, commonly referred to as DPO-as-a-service.
It is anticipated that the ANPD will provide additional guidance about which organizations will be required to have a DPO, as well as additional requirements and instructions.

Resource
Sarah Rippy, “Top-5 operational impacts of Brazil’s LGPD: Part 4 – DPOs,” Privacy Tracker (IAPP), November 12, 2020, https://iapp.org/news/a/top-5-operational-impacts-of-brazils-lgpd-part-4-data-protection-officers/.

Receiving buy-in for a privacy program
Be a “people person”: getting buy-in, pitching privacy, mobilizing stakeholders

Session notes
Building a privacy strategy may mean changing the mindset and perspective of an entire organization.

Be a “people person”
• Getting buy-in
  • Building relationships with key internal stakeholders at the executive level and throughout the organization
  • Privacy champion/leader outside the privacy office
• Pitching privacy (informally/formally)
  • Business case for privacy that aligns business/executive objectives (e.g., generating revenue and cutting costs) with privacy objectives
  • Reframing privacy as a benefit where it may be considered an obstruction (e.g., marketing and product development)
• Mobilizing stakeholders across functions
  • Steering committee/working group of key internal stakeholders who support the program
    • May additionally make strategic decisions, assist in implementing the privacy program and support remediation needs
  • Clear ownership of responsibilities
  • Record of discussions to ensure stakeholders can refer back to what was decided

View the IAPP series, “The Privacy Imperative,” for more on developing a culture of privacy in your organization and explicating the need to elevate privacy as a business asset: https://iapp.org/train/imperative/

Chat: Your outlook
How can privacy support business objectives, such as generating revenue and cutting costs?

Communication and awareness
Internally and externally: organization-wide effort; customer trust

Session notes
Once your privacy program has been established, you must create awareness of the program, both internally and externally.

Internally:
• Building privacy awareness and generating support for the organization’s privacy program involves communicating that privacy success can only happen with organization-wide effort
• Each department needs to know that its activities have lasting impacts on data protection

Externally:
• In an era of increasing regulation, advanced privacy programs can help protect consumer data and create the trusting and intimate customer relationships that marketers want
• Communicating your privacy program externally can help build customer confidence in your organization and deliver measurable returns

Keeping a record of ownership

RACI matrix (sample)

Activity                                            CPO   CISO  Data team  IT team  Legal
Maintain privacy policy                             R     C     I          I        A
Establish process for de-identification of data     C     A     R          C        I
Manage international data transfers                 R     I     C          I        A
Implement data retention and destruction processes  C     R     A          C        C

[R] Responsible, [A] Accountable, [C] Consulted, [I] Informed
CPO = chief privacy officer; CISO = chief information security officer

Session notes
This slide provides a snapshot of a RACI matrix that gives a quick overview of the different roles concerning some privacy challenges. Responses are samples only and may differ within your organization.

Keep a record of ownership
• Key internal stakeholders who will support the program may form a steering committee to establish clear ownership of assets and responsibilities
• Assets/responsibilities may be owned by more than one department
• Keep a record of discussions as a tool for communication and to ensure stakeholders can refer back to what was decided

A RACI matrix is a useful tool to embed responsibilities:
R = Who is responsible?
A = Who is accountable?
C = Who needs to be consulted?
I = Who needs to be informed?

Resources
Eric Dieterich and Ana Rodgers, “Building a Privacy Program from Ground Zero,” recorded June 22, 2015 at the IAPP Canada Privacy Symposium, Toronto, ON, Reprise Web Conference, https://iapp.org/resources/article/building-a-privacy-program-from-ground-zero/.

European Data Protection Supervisor, “Accountability on the ground Part I: Records, Registers and when to do Data Protection Impact Assessments,” July 2019, pg. 4, https://edps.europa.eu/sites/edp/files/publication/19-07-17_accountability_on_the_ground_part_i_en.pdf.

Transcend, “RACI Framework for Effective Privacy Programs,” accessed October 17, 2023, https://transcend.io/raci-framework-privacy-programs.

Ongoing involvement of key functional areas

Session notes
• Key functional areas help create/enforce the privacy program
• Involvement should be ongoing

Example: A marketing privacy manager should advise on and sign off on new marketing initiatives and email campaigns from a privacy perspective.

Internal audit and risk management functions
[Diagram: Threats; Controls; Functions and operations]

Session notes
Auditing and analyzing the performance of a governance structure is essential to its success.

Internal audit
• Reviews and analyzes operations across all departments
• Communicates results
• Independent of management, which helps ensure unbiased reporting of audit findings
• Typically reports to the audit committee
• Tasks
  • Evaluate the organization’s risk management culture
  • Identify risk factors within all systems, processes and procedures
  • Evaluate control design and implementation to ensure proper risk management
  • Test controls to ensure proper operation

Risk management
• Ensures business and regulatory requirements are met through detailed market, credit, trade and counterparty analysis
• Communicates risks/issues throughout the organization

Chat: Your outlook
What strategies can help the privacy team ally with internal audit and risk management functions?

Privacy tech vendors

Session notes
The content on this and the following slide is from the IAPP’s Privacy Tech Vendor Reports (2018–2022).

Privacy tools/technology
• Not necessary for all organizations
• May be used as part of a properly thought-out privacy program
• May help the organization achieve compliance (a tool cannot itself be compliant)

The privacy tech vendor market is growing rapidly, driven by new compliance requirements (GDPR, CPRA, etc.), consumer awareness and expectations, and new investments by venture capitalists and angel funding.

Drivers behind rapid growth in privacy technology
• New compliance requirements
  • EU: GDPR, the proposed ePrivacy Regulation; U.S.: comprehensive state laws (CCPA/CPRA), HIPAA; Canada: PIPEDA; China: PIPL
• Growing consumer awareness of data breaches and increasing demands that organizations protect their information

The type of product needed is driven by “privacy pain points” (the need for architectural, policy and technical controls).

Privacy tech vendor considerations
• Organizational needs
• Costs vs. savings, risks vs. benefits
• Need to “vet” vendors (stability, reputation)
• Usability and ability to customize
• Contract negotiations
• Implementation and training needs

Resource
IAPP, Privacy Tech Vendor Report, https://iapp.org/resources/article/privacy-tech-vendor-report/.

Categories of privacy tech vendors

Session notes
Privacy tech vendors in the category of privacy program management offer solutions designed specifically for the privacy office and typically work directly with it. They include:
• Privacy assessment management
• Consent management
• Data mapping
• Data subject request management
• Incident response
• Privacy information management
• Website scanning/cookie compliance tools

Those in the category of enterprise program management offer solutions designed to serve the needs of the privacy office alongside the overall business needs of an organization, and typically require buy-in from the privacy office, IT and the C-suite. They include:
• Activity monitoring
• Data discovery
• Deidentification/pseudonymization
• Enterprise communications

There is some overlap among vendors belonging to these sub-categories.

Resource
IAPP, Privacy Tech Vendor Report, https://iapp.org/resources/article/privacy-tech-vendor-report/.

“The acronym GRC was invented as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance — the capabilities that integrate the governance, management and assurance of performance, risk, and compliance activities.”
—OCEG, “GRC Defined”

Session notes
GRC
• Umbrella term (governance, risk management and compliance)
• Scope touches the privacy office among several other internal departments, such as HR, IT, compliance and the C-suite
• Goal: Synchronize various internal functions toward what OCEG calls “principled performance” (OCEG is the nonprofit responsible for the GRC concept)

Resource
OCEG, “What is GRC?” accessed March 18, 2020, http://www.oceg.org/about/what-is-grc/.

Chat: Review questions
1. The GDPR requires One Earth Medical to appoint a DPO. What skills should this individual possess?
2. Privacy Officer Garcia needs to assess One Earth Medical’s former privacy governance model, which delegates decision-making to lower levels of the organization. What type of model is this? Name at least two additional options.
3. Privacy Officer Garcia must get support internally for developing and implementing a new privacy program. How might she accomplish this?

Module 3
Privacy program framework: Applicable laws and regulations

Module 3 learning objectives
• Compare and contrast key privacy/data protection laws, regulations and standards around the world.
• Describe components of a regulatory environment.
• Review privacy compliance considerations for conducting international data transfers.
• Discuss strategies for aligning privacy compliance with organizational strategy.
• Understand privacy implications and territorial scope when doing business or basing operations in other countries with differing privacy laws.

One Earth Medical grows by acquisition

One Earth Medical has decided that AtlantiPulse, a third-party vendor, is an excellent candidate for acquisition.

AtlantiPulse provides medical support services within the U.S., using a model that One Earth hopes to expand into other countries, including the EU, where One Earth has its headquarters. One Earth eventually plans to use the AtlantiPulse model to sell a package of systems and training to other companies. One Earth’s CEO has made it clear that he expects due diligence to ensure AtlantiPulse’s privacy processes comply with all applicable laws, regulations and standards of the countries in which One Earth currently operates.

Module 3: Privacy program framework: Applicable laws and regulations

Session notes
Read the scenario to answer the question that follows.

Chat: Activity #2
To ensure compliance with all applicable laws, regulations and standards, what does Global Privacy Officer Garcia need to do before the acquisition?

Privacy around the world
[Map: Canada, U.S., Brazil, Europe, Africa, China, Japan, Asia-Pacific, Australia, New Zealand]

Session notes
Comprehensive data protection laws exist across the globe. While each law is different, there are many commonalities in terms of the rights, obligations and enforcement provisions of each.
• A roadmap or “crosswalk” may be used to determine where legal requirements overlap
  • For small businesses, this could be a simple spreadsheet
  • Larger businesses may use a tech solution
• The IAPP has created the “Global Privacy Law and DPA Directory” as a tool to identify privacy legislation and data protection authorities in countries around the world: https://iapp.org/resources/global-privacy-directory/

Resources
Deidre Rodriguez, “10 Steps to a Quality Privacy Program: Part One,” 10 vols, The Privacy Advisor (IAPP), June 24, 2013, https://iapp.org/news/a/10-steps-to-a-quality-privacy-program-part-one/.

Law comparison

GDPR
• Restrictions on how and why businesses can process personal data
• Additional protections for sensitive personal data
• Privacy by design and privacy by default
• Opt-in consent where consent is required

LGPD
• DPOs mandatory for all controllers
• Specific consent for processing sensitive data
• Provides for additional legal bases, such as the exercise of rights in legal proceedings, health protection and credit protection

Session notes
Notes on leveraging GDPR compliance for the LGPD:

Keep in mind, compliance with the GDPR does not necessarily equate to compliance with the LGPD. There are some similarities and differences when it comes to the compliance and enforcement of these laws:

Territorial scope
• GDPR: Businesses that have an establishment in the EU, and businesses outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU, regardless of where those businesses are located
• LGPD: Businesses based in Brazil or selling goods or services in Brazil are subject to the law (data flows that are merely transmitted into Brazil, but not further processed there, do not fall within the scope of the law)

Material scope
• GDPR: Applies to the processing of personal data by automated means, or by non-automated means if the data is part of a filing system
• LGPD: Applies to any processing operation

Data processing principles
• Both the GDPR (Article 5) and the LGPD (Article 6) contain principles that guide and validate data processing

Enforcement
• Both the GDPR and the LGPD are enforced by a governmental authority (the supervisory authorities of the EU member states for the GDPR, and the ANPD [National Data Protection Authority] in Brazil for the LGPD)

Resources
Renato Leite Monteiro, “GDPR Matchup: Brazil’s General Data Protection Law,” Privacy Tracker, IAPP, October 4, 2018, https://iapp.org/news/a/gdpr-matchup-brazils-general-data-protection-law/.

Comparing Privacy Laws: GDPR v. LGPD, DataGuidance by OneTrust, https://www.dataguidance.com/sites/default/files/gdpr_v_lgpd_revised_edition.pdf.

GDPR overview
Be aware of what data subjects can do, what organizations must do and what regulators may do

Session notes
High-level components of the GDPR, including the obligations of organizations and the consequences for noncompliance.

What data subjects can do
• Withdraw consent for processing
• Request a copy of their personal information to move their data to another organization, or request to have their data deleted
• Object to automated decision-making processes
• Request that controllers “freeze” (restrict) processing of their personal information
• Lodge complaints with regulators

What organizations must do
• Implement privacy by default and privacy by design
• Maintain appropriate data security
• Notify data subjects and regulators of data breaches (in some circumstances)
• Follow special rules for directly processing children’s data
• Provide notice of intention to process personal information
• Appoint a data protection officer (in some circumstances)
• Take responsibility for the processing activities of third-party vendors
• Conduct data protection impact assessments (in some circumstances)
• Ensure adequacy or appropriate safeguards for data transfers
• Consult with regulators before processing (in some circumstances)
• Keep records (in most circumstances) and demonstrate compliance

What regulators may do
• Ask for records of compliance (e.g., register of processing activities, DPIAs, documentation, risk analysis)
• Impose temporary data processing bans, require data breach notification and order erasure of personal information
• Suspend international data flows
• Impose administrative fines of up to 20 million euros or four percent of total worldwide annual turnover for the preceding financial year, whichever is higher

LGPD overview

82
Be aware of...
What data subjects can do, organizations must do, regulators may do

Brazil

Module 3: Privacy program framework: Applicable laws and regulations

Session notes
LGPD overview
What data subjects can do
• Confirm the existence of processing
• Access their data
• Correct incomplete, inaccurate or out-of-date data
• Anonymize, block or delete unnecessary or excessive data or data processing in violation of the
law
• Export data to another service or product provider
• Delete personal data processed pursuant to consent
• Obtain information about entities with which data is shared
• Obtain information about denying consent
• Review decisions made solely based on automated processing
• Oppose non-consent-based processing when in violation of the law
What organizations must do
• Implement privacy-by-design and -default processes
• Develop incident response and remediation plans
• Maintain appropriate data security
• Notify data subjects and regulators of data breaches
• Follow special rules for directly processing children’s data
• Provide notice of intention to process personal information
• Appoint a data protection officer (for controllers)
• Take responsibility for processing activities of third-party vendors
• Create personal data protection impact report
• Ensure adequacy or appropriate safeguards for data transfers
• Keep records (in most circumstances) and demonstrate compliance
• Comply with international data transfer requirements
What regulators may do
• Ask for records of compliance
• Apply sanctions, e.g., warnings and corrective measures, publicizing the infraction, suspension or
prohibition of processing activities
• Enforce penalties up to two percent of a company’s annual revenue in Brazil to a maximum of 50
million reais per infraction


Chat: In your experience

What commonalities do privacy/data protection laws share?



Session notes
Common elements across jurisdictions
• Avoid duplication of efforts by shifting from jurisdiction-by-jurisdiction privacy approach to more
holistic approach
• Commonalities between many privacy and data protection laws, regulations and standards
• Example: Fair information practices appear in various forms and applications:
• Rights of individuals (notice, choice and consent, data subject access)
• Controls on information (information security, information quality)
• Information life cycle (collection, use and retention, disclosure)
• Management (management and administration, monitoring and enforcement)
• Organisation for Economic Co-operation and Development’s Guidelines on the Protection of
Privacy and Transborder Flows of Personal Data
• Perhaps most widely recognized framework for FIPs
• Define purpose specification, openness, individual participation, collection limitation,
use limitation, security safeguards, data quality and accountability
• Other considerations
• Contractual requirements
• Audit protocol
• Self-regulatory regimes
• Marketplace expectations
• Regulators’ viewpoints/motivations
• Additional local requirements (political dimension, data localization, local notifications
and approval requirements and regulators’ audit rights)


Privacy law by industry

Sector-based and contextual laws: health care, financial, human resources, telecom, energy, online, marketing, government

Session notes
European privacy specialists may not be familiar with sector-specific laws.

Privacy law by industry

• Beyond sector-specific laws, each of these industries has privacy-related concerns with
implications for consumers
• Choose one or two of the pictured industries and discuss some of the specific privacy laws and
regulations for that industry (e.g., U.S. health care/HIPAA)
• Health care: Special protections, HIPAA, EU special categories of data, billing,
research
• Financial: Confidentiality, financial laws (particularly GLBA), terrorism (anti-money
laundering laws)
• Telecom: Categories of telecommunications records (content, to/from, stored
records), law enforcement, location information
• Online: Issues presented by online transactions, the lure of detailed information (to
law enforcement and criminals) available on the web, global nature of online privacy
concepts
• Government: Public vs. private privacy, reasons for concern about records
governments hold, definitions of “public records” — different throughout the world
• Marketing: Collection, defaults, revision, NAI code (you must allow people to opt out
of having their purchase history used for targeted online marketing), cookies and
online behavioral advertising, CAN-SPAM, FTC telemarketing
• Energy (an emerging issue): Smart grid, smart houses
• Human resources: Confidentiality required, considerations for multinational
companies, technology in the work environment


Understanding the regulatory environment

The privacy team needs to understand:
• Fines and penalties for noncompliance
• Scope and authority of oversight agencies
• Changes in privacy law

Session notes
Fines and penalties for noncompliance
• Organizations may be subject to fines and/or penalties
• These risks can be used to make a business case for a privacy program/budget and to determine
priorities for remediation of a program
• As laws and regulations change, penalties may change (e.g., GDPR-related fines can reach up to
20 million euros or 4 percent of annual revenue, whichever is higher)

Scope and authority of oversight agencies

• Know which regulators oversee which processing activities within your organization (the Data
Protection Authorities under GDPR)
• Use the IAPP’s directory of DPAs to determine oversight and find contact information/websites:
https://iapp.org/resources/dpa/
• Regulators may impose sanctions (e.g., restricting data processing) and penalties, including fines
• Some circumstances may require regulator notification (e.g., following a data breach)

Changes in privacy law


• Privacy laws and regulations may change frequently; be aware of evolving legislation and rules
impacting the business
• Know when new legislation is scheduled to take effect; proactively plan to adjust privacy
program appropriately
• Changes to compliance requirements may touch every aspect of privacy program and business
operations – communicating with business partners early is important
• Strategies for staying current
• Subscribing to news feeds, such as IAPP publications
• Privacy organizations: Sources for information and opportunities for collaboration
with privacy community


Chat: Brainstorm

Changes within an organization that may affect its privacy legal obligations.


U.S. state comprehensive privacy laws: California

Session notes
The U.S. does not yet have a comprehensive federal privacy law, but many states have enacted their
own comprehensive privacy laws.
• 2018: California signed into law a landmark privacy bill, the California Consumer Privacy Act,
creating new privacy rights for residents of California and significant new data protection
obligations for businesses interacting with residents of California
• 2020: The California Privacy Rights Act ballot initiative was passed, amending the CCPA and
adding additional privacy protections that began on 1 Jan. 2023. CPRA amends the CCPA; it does
not create a separate, new law, and CCPA provisions remain intact

Given California’s distinction as the fifth largest economy in the world, the CCPA/CPRA has a far-
reaching, global impact. Additionally, it has inspired other U.S. states to pass comprehensive privacy
laws, including Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Montana, Nebraska, New
Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah and Virginia.

See the IAPP’s “U.S. State Privacy Legislation Tracker”: https://iapp.org/resources/article/us-state-privacy-legislation-tracker/

Resources
IAPP, California Consumer Privacy Act, https://iapp.org/resources/topics/california-consumer-
privacy-act/.
“California Consumer Privacy Act (CCPA),” Office of the Attorney General, State of California
Department of Justice, updated January 20, 2023, https://oag.ca.gov/privacy/ccpa.


U.S. state comprehensive privacy laws: Common elements, consumer rights

Slide graphic: right to access, right to correct, right to delete, right to opt out of certain processing, right to portability, right to opt out of sales, right to opt in for sensitive data processing, right against automated decision-making, private right of action

Session notes
Common elements: consumer rights
Many states' comprehensive privacy laws share commonalities in consumer rights and business
obligations.

• Right to access: The right for a consumer to access from a business/data controller the
information or categories of information collected about a consumer, the information or
categories of information shared with third parties, or the specific third parties or categories of
third parties to which the information was shared, or some combination of similar information.

• Right to correct: The right for a consumer to request that incorrect or outdated personal
information be corrected but not deleted.

• Right to delete: The right for a consumer to request deletion of their personal information under
certain conditions.

• Right to opt out of certain processing: The right for a consumer to restrict a business’s ability to
process their personal information.

• Right to portability: The right for a consumer to request their personal information be disclosed
in a common file format, to transfer it to another company.

• Right to opt out of sales: The right for a consumer to opt out of the sale of their personal
information to third parties.

• Right to opt in for sensitive data processing: The right for a consumer to opt in before a
business can process their sensitive data.

• Right against automated decision-making: A prohibition against a business making decisions
about a consumer based solely on an automated process without human input.

• Private right of action: The right for a consumer to seek civil damages from a business for
violations of a statute.

Resource

IAPP, “U.S. State Privacy Legislation Tracker,” https://iapp.org/resources/article/us-state-privacy-legislation-tracker/


U.S. state comprehensive privacy laws: Common elements, business obligations

Slide graphic: opt-in default (requirement age), notice/transparency requirement, risk assessments, prohibition on discrimination, purpose/processing limitation

Session notes
Common elements: business obligations
Many states' comprehensive privacy laws share commonalities in consumer rights and business
obligations.
• Opt-in default (requirement age): A restriction placed on a business to prevent them from
treating consumers under a certain age with an opt-in default for the sale of their personal
information.
• Notice/transparency requirement: An obligation placed on a business to provide notice to
consumers about certain data practices, privacy operations and privacy programs.
• Risk assessments: An obligation placed on a business to conduct formal risk assessments of
privacy and/or security projects or procedures.
• Prohibition on discrimination (exercising rights): A prohibition against a business treating a
consumer who exercises a consumer right differently than a consumer who does not exercise a
right.
• Purpose/processing limitation: A similar, restrictive structure to the EU's GDPR that prohibits the
collection/processing of personal information except for a specific purpose.


Chat: Focus

What will One Earth Medical need to determine about the way they conduct business to be sure
they fit under the CPRA’s jurisdiction?


Countries with differing privacy laws: Understanding scope

Session notes
There is no international privacy law that applies regardless of the territory or region. However,
there are territorial privacy laws that are applicable within certain countries or regions and may
apply extraterritorially. These laws provide a legal framework on how to collect, use and store
personal data.

• The privacy team must be aware of the laws and regulations applicable to their industry and to all
jurisdictions in which the business and its partners, affiliates and third parties operate
• Article 3 of the GDPR outlines the territorial scope of the law:
1. This Regulation applies to the processing of personal data in the context of the
activities of an establishment of a controller or a processor in the Union, regardless
of whether the processing takes place in the Union or not
2. This Regulation applies to the processing of personal data of data subjects who are in
the Union by a controller or processor not established in the Union, where the
processing activities are related to:
a. the offering of goods or services, irrespective of whether a payment of the
data subject is required, to such data subjects in the Union; or
b. the monitoring of their behavior as far as their behavior takes place within the
Union
3. This Regulation applies to the processing of personal data by a controller not
established in the Union, but in a place where Member State law applies by virtue of
public international law

Resource
https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf


Countries with differing privacy laws: Examples of scope

Session notes
Scope of several comprehensive privacy laws around the world:
• GDPR — EU: The GDPR applies to all companies processing the personal data of data subjects
residing in the EU/EEA, regardless of the company’s location.
• PIPL — China: The Personal Information Protection Law applies not only to organizations and
individuals who process personally identifiable information in China, but also to those who
process the PII of Chinese citizens outside of China.
• LGPD — Brazil: The LGPD covers all companies that offer services or have operations involving
data handling in Brazil.
• DPDPA — India: The Digital Personal Data Protection Act covers any entity that processes digital
personal data within Indian territory. Data in nondigitized forms is excluded. The act also
imposes extraterritorial jurisdiction and covers data processed outside of India if done with the
intent to offer goods and services to individuals within India.
• CCPA — U.S.: Generally, the CCPA applies to businesses that collect and/or use the personal
information of California residents.


International data transfers: Options

• Adequacy decisions
• Appropriate safeguards
• Derogations

Session notes
International data transfers
International data transfers can be complex because you need to comply with relevant laws across
jurisdictions, and there must be a legal basis for transferring the data.

Options:
• Adequacy decisions
• Appropriate safeguards:
• Standard data protection clauses: Adopted by the Commission or adopted by a supervisory
authority and approved by the Commission
• Standard contractual clauses (SCCs) are a manifestation of these standard data
protection clauses
• To align the SCCs with the GDPR, meet changing needs and address the specific
issues raised by “Schrems II,” the European Commission has adopted revised
SCCs, which are modular in nature
• Companies must still conduct case-by-case assessments (commonly referred to
as a “transfer impact assessment” or “TIA”) on the laws in the recipient country
to ensure essential equivalence to EU law for personal data being transferred
under SCCs or BCRs
• If the laws are not essentially equivalent, companies must provide additional
safeguards or suspend transfers
• Codes of conduct/self-certification mechanisms
• Ad hoc contractual clauses
• Binding corporate rules (BCRs)
• BCRs are legally binding internal corporate privacy rules for transferring personal
information within a corporate group
• Derogations


International data transfers: Tips for compliance

Adjust the privacy program to the most stringent legal requirements to which the processing is subject

Session notes
• An organization sharing personal information across borders (e.g., HR data being moved to a
centralized headquarters) may be subject to various national and local privacy/data protection
laws and regulations (e.g., APEC)
• Example from the OPC of Canada: “Individuals should expect that their personal
information is protected, regardless of where it is processed. Organizations
transferring personal information to third parties are ultimately responsible for
safeguarding that information. Individuals should expect transparency on the part of
organizations when it comes to transferring to foreign jurisdictions.”
Tips for compliance
• Pay particular attention to access to personal information by:
• Domestic and international security agencies
• Law enforcement
• Foreign courts
• General good practice:
• Adjust privacy program to most stringent legal requirements to which processing is
subject
• Definitions of key concepts may differ between jurisdictions
• Examples: Controller, processor, sensitive data, processing, data transfer
• Know implications of doing business with countries with inadequate/no privacy laws
• Risks may not outweigh benefits
• Localization laws may pose issue (e.g., Russia)
• Data flow maps can help the privacy office and legal recognize international data collection,
processing and transfers
• Further discussed in following module
• If you are transferring personal information between affiliated or subsidiary companies, a data
sharing agreement may be established to codify how data may be used by the receiving
organization. This may not eliminate the need for a legal basis for transferring personal
information if it is crossing jurisdictional borders.
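The transfer options listed under "International data transfers" (adequacy decisions, SCCs/BCRs with a transfer impact assessment, derogations) and the data flow map mentioned above, run as one rule set over a map. This is an added example, not IAPP material: the adequacy set, the mechanism codes (including "dsa" for an intra-group data sharing agreement, which the notes say is not itself a legal basis) and the flow map entries are constructed placeholders, not a legal reference.

```python
"""Cross-border transfer check over a simple data flow map (added example).

Each arrow on the map is checked for a transfer legal basis using the options
the guide lists: adequacy, appropriate safeguards plus a TIA, or a derogation.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder: jurisdictions treated as covered by an adequacy
# decision relative to an EU/EEA origin. Real decisions change; check the
# current European Commission list before relying on this set.
ADEQUATE_FROM_EU = {"EU", "EEA", "UK", "CH", "JP"}


@dataclass
class Transfer:
    """One flow on a data map: personal data moving between jurisdictions."""
    system: str
    data_category: str
    origin: str                            # exporting jurisdiction (constructed codes)
    destination: str                       # importing jurisdiction
    mechanism: Optional[str] = None        # "scc", "bcr", "derogation", "dsa" or None
    tia_done: bool = False                 # transfer impact assessment completed?
    tia_equivalent: Optional[bool] = None  # did the TIA find essential equivalence?
    supplementary_measures: bool = False   # extra safeguards added after a negative TIA?


@dataclass
class Finding:
    transfer: Transfer
    status: str                            # "ok", "gap" or "review"
    reasons: list = field(default_factory=list)


def assess_transfer(t: Transfer, adequate: set = ADEQUATE_FROM_EU) -> Finding:
    """Decide whether a single transfer has a recorded legal basis."""
    # A domestic flow is not an international transfer; nothing to assess here.
    if t.origin == t.destination:
        return Finding(t, "ok", ["domestic flow"])
    # Option 1: the destination is covered by an adequacy decision.
    if t.destination in adequate:
        return Finding(t, "ok", ["covered by adequacy decision"])
    # Option 2: appropriate safeguards (SCCs or BCRs) plus a case-by-case TIA.
    if t.mechanism in ("scc", "bcr"):
        if not t.tia_done:
            return Finding(t, "gap", [f"{t.mechanism.upper()} in place but no TIA recorded"])
        if t.tia_equivalent is False and not t.supplementary_measures:
            return Finding(t, "gap", ["TIA found no essential equivalence; add safeguards or suspend"])
        return Finding(t, "ok", [f"{t.mechanism.upper()} with TIA"])
    # Option 3: derogations are transfer-specific, so keep them visible for legal review.
    if t.mechanism == "derogation":
        return Finding(t, "review", ["derogation relied on; confirm it fits this transfer"])
    # An intra-group data sharing agreement governs use, not the transfer itself.
    if t.mechanism == "dsa":
        return Finding(t, "gap", ["data sharing agreement is not a transfer legal basis"])
    return Finding(t, "gap", ["no legal basis recorded for cross-border transfer"])


def gaps(flow_map: list) -> list:
    """Return the findings that are not 'ok': the rows a privacy office works first."""
    return [f for f in (assess_transfer(t) for t in flow_map) if f.status != "ok"]


# Constructed sample data flow map; systems and vendors are fictitious.
SAMPLE_FLOW_MAP = [
    Transfer("HRIS", "employee records", "EU", "EU"),
    Transfer("HRIS", "employee records", "EU", "UK"),
    Transfer("Payroll vendor", "bank details", "EU", "US",
             mechanism="scc", tia_done=True, tia_equivalent=True),
    Transfer("Analytics", "web behaviour", "EU", "US", mechanism="scc"),
    Transfer("Group HQ", "employee records", "EU", "IN", mechanism="dsa"),
    Transfer("Support tool", "customer tickets", "EU", "BR",
             mechanism="bcr", tia_done=True, tia_equivalent=False,
             supplementary_measures=True),
    Transfer("CRM", "contact details", "EU", "SG"),
]

if __name__ == "__main__":
    for f in gaps(SAMPLE_FLOW_MAP):
        print(f"{f.status.upper():6} {f.transfer.system} -> {f.transfer.destination}: "
              f"{'; '.join(f.reasons)}")
```

Running the block lists the Analytics, Group HQ and CRM flows as gaps; the BCR flow to BR passes only because supplementary measures were recorded after the negative TIA.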
Resource
OPC, “Guidelines for Processing Personal Data Across Borders,” January 2009,
https://www.priv.gc.ca/en/privacy-topics/personal-information-transferred-across-borders/gl_dab_090127/.


Chat: Review question

1. Privacy Officer Garcia works with legal to create an inventory of laws and regulations
applicable to AtlantiPulse’s processing activities. What requirements are common across
jurisdictions?


Chat: Review question

2. Garcia should be aware of privacy law specific to health care. What other types of
organizations and departments are bound by industry-specific privacy laws?


Chat: Review question

3. There must be a legal basis for all international data transfers. What are potential options
for legally transferring personal information between jurisdictions?


Module 4: Privacy operational life cycle — Assess: Data assessments

Module 4 learning objectives

• Recognize functions of data inventory and mapping.
• Identify strategies for creating a data inventory and map.
• Outline reasons for and steps involved in creating a gap analysis of applicable privacy
requirements.
• Analyze purposes and methods for conducting privacy assessments.
• Understand the role of a privacy threshold analysis.
• Define PIAs/DPIAs.
• Determine triggers for conducting PIAs/DPIAs.
• Outline components of PIAs/DPIAs.
• Define TIAs and LIAs.
• Identify the role of attestations.
• Determine the processes that mergers, acquisitions and divestitures should evaluate.
• Analyze points to consider for a vendor assessment.
• Identify methods for assessing vendor risk.
• Determine focus points related to assessing cloud computing vendors.


Data inventory and mapping: Definition

• Map data inventories
• Create a record of authority of systems
• Map and document data flow
• Analyze and classify types and uses of data

Module 4: Privacy operational life cycle — Assess: Data assessments

Session notes
• A data inventory, or data map, is a complete record of all the personal information your
organization stores, uses and processes. It can be used:
• As a precursor to regulatory compliance and risk analysis
• To assess data, systems and processes
• To inform data assessments, priorities, data life cycle management and data
classification

• A data map should involve at least the following:


• Understanding how applicable laws and regulations define personal information
• Determining what personal information the organization collects and uses
• Documenting where the information is stored, including third-party systems that
house it, and where, geographically, the servers are located
• Mapping the flow of the information: where it goes from point of collection
throughout the organization and externally to vendors or other third parties
• Determining how long the information is retained and in what formats, including
whether it is “structured” (saved in relational databases) or “unstructured” (not
saved in a relational database)
• Assigning categories to the information and risk levels to those categories
• Classify data according to the applicable classification scheme (e.g., public,
confidential, restricted)
• Creating a record of the authority of organizational systems that process the personal
information


Data inventory and mapping: Getting started

• Determine who is responsible for creating the data inventory/map
• Identify departments that hold and use personal information
• Plan intake questions

Session notes
Data inventory and mapping: Getting started
• Determine who is responsible for creating the data inventory/map
• Often privacy office and/or IT department
• Budget typically shared between these departments
• Identify departments that hold and use personal information
• Such as human resources, finance, marketing and IT
• May be accomplished through internal audit or outside consultancy assessment
• Plan intake questions
• May be organized around data life cycle
• Collection, usage, transfers, retention, destruction and security
• Internal policies and procedures, laws, regulations and standards may be used to
develop questions
• Article 30 of the GDPR, which requires a record of “processing activities,” is one such
source, although it is not exactly the same as a data inventory/map because it is more
process driven
• Questions should be specific to the organization’s line(s) of business

Resources
IAPP and OneTrust, “PIAs and Data Mapping – Operationalizing GDPR and Privacy by Design,”
recorded August 24, 2016, Web Conference, https://iapp.org/resources/article/pias-and-data-
mapping-operationalizing-gdpr-and-privacy-by-design/.

IAPP and TRUSTe, “Preparing for the GDPR: DPOs, PIAs, and Data Mapping,” 2016,
https://iapp.org/resources/article/preparing-for-the-gdpr-dpos-pias-and-data-mapping/.


Chat: In your experience

What intake questions would be useful for building a data inventory/map?


Data inventory and mapping: Using tools and staying updated

Session notes
When building your data inventory, select the tool that will enable your organization to update it
easily.
• Some privacy professionals begin with a questionnaire and have follow-up meetings with
departments
• In other cases, vendor tools may be used (see the IAPP Privacy Tech Vendor Report:
https://iapp.org/resources/article/privacy-tech-vendor-report/)

Data inventory/mapping may be conducted using:


• Questionnaires
• Email
• Spreadsheets
• An internally developed system
• A GRC software system
• Privacy tech vendor tools

Once the data inventory has been completed and documented, the information can be used
to address incidents and standard risk assessments.
• The inventory process helps set organizational priorities for privacy initiatives by providing data
locations, use, storage and access
• Allows the privacy team to justify priorities and understand the scope of data usage in the
organization

Staying updated
• Data inventories/maps must be maintained and kept updated and accurate
• This can be a challenge
• The approach to updating data inventories is often manual and relies on various departments


Chat: Brainstorm

What are some changes within the organization that would trigger the need to update data
inventories?


Sample gap analysis

REG: HIPAA
REG ID: 164.308(a)(1)(i)(C)
Requirement: Security Management Process – Sanction policy. Apply appropriate sanctions against
workforce members who fail to comply with the security policies and procedures of the covered
entity or business associate.
Rule: Security rule
Domain: Policies and procedures
Conclusion: No gaps

REG: GDPR
REG ID: Article 28, Section 3
Requirement: Data processor agreements: “Processing by a processor shall be governed by a contract
or other legal act under Union or Member State law, that is binding on the processor with regard to
the controller and that sets out the subject matter and duration of the processing…”
Rule: Contractual requirement
Domain: Data management
Conclusion: Gap exists with processor Smith & Jones Insurance; no agreement in place

Session notes
Laws can overlap, so be sure to involve the legal team in the process.

Steps to establish and maintain inventory of relevant laws/regulations


• Some organizations may decide to use a privacy compliance tool (not always necessary)
• See the IAPP’s Privacy Tech Vendor Report for technology solutions on the market:
https://iapp.org/resources/article/privacy-tech-vendor-report/
• Determine all locations where the organization does business
• Review vendor and customer contractual agreements
• Compile an inventory of all relevant applicable laws by country
• May take months
• Will likely involve privacy function and legal, possibly outside counsel
• Refer to resources with raw data
• Consider changes to laws/regulations following publication
• Examples include…
• DLA Piper’s Data Protection, Privacy & Security Groups’ Data Protection Laws
of the World Handbook
• Baker McKenzie’s Global Privacy Handbook
• Conduct a gap analysis of the regulations
• Most laws have some overlap
• Involve legal in this process
• Subscribe to organizations/associations for up-to-date guidance on laws and regulations,
research, tools and best practices
• Active monitoring of regulatory activity may allow time to prepare for legislative
changes and their direct/indirect costs
Resource
Eric Dieterich and Ana Rodgers, “Building a Privacy Program from Ground Zero,” Recorded June 22,
2015 at the IAPP Canada Privacy Symposium, Toronto, ON, Reprise Web Conference,
https://iapp.org/resources/article/building-a-privacy-program-from-ground-zero/.


Types of assessments

Privacy assessment: Measures an organization’s compliance with laws, regulations, adopted standards, and internal policies and procedures.
Privacy impact assessment: Analyzes the activities of a project and determines how those activities might pose a risk to the privacy of individuals in relation to that project.
Data protection impact assessment: Performed under the regulations of the GDPR to assess the level of risk to personal information in an undertaking, project, task or data processing activity.


Session notes
Privacy assessments, privacy impact assessments, and data protection impact assessments have the
similar goal of addressing and reducing privacy-related risks to individual rights and organizational
compliance. However, there are key differences between the assessment types.

Main purpose/goal?
Privacy assessment: Measures an organization’s compliance with laws, regulations, adopted
standards, and internal policies and procedures.
Privacy impact assessment: Analyzes the activities of a project and determines how those activities
might pose a risk to the privacy of individuals in relation to that project.
Data protection impact assessment: Performed under the regulations of the GDPR to assess the
level of risk to personal information in an undertaking, project, task or data processing activity.

When to conduct?
Privacy assessment: Conducted internally by the audit function, DPO, business function or
externally by a third party at predefined time periods, in response to a security or privacy event, or
at the request of an enforcement authority.
Privacy impact assessment: For new or improved projects, developments, or undertakings that
might result in privacy risks; when processes involving personal information are changed.
Data protection impact assessment: Before data processing activities occur; if there is a high risk
to rights and freedoms of data subjects; before implementing new technologies for processing or
undertaking any project that entails profiling or includes processing personal data at a large scale.

Required by law?
Privacy assessment: No.
Privacy impact assessment: In certain circumstances. Historically, U.S. laws have not mandated that companies conduct PIAs; however, recent state privacy laws such as those in California, Virginia, Colorado and Connecticut now require organizations to conduct PIAs (termed data protection assessments or risk assessments in those statutes) for certain processing activities.
Data protection impact assessment: In certain circumstances. Required under the GDPR when
processing or the use of new technology is likely to cause a high risk to the rights and freedoms of
data subjects.

Privacy assessment

Measuring compliance against: legal obligations, the organization’s actual practices and its stated practices

A privacy assessment is not to be confused with a privacy impact assessment.

Privacy assessments serve as conduits to PIAs or DPIAs for higher-risk processes.


Session notes
Privacy assessment is not to be confused with privacy impact assessment.
Privacy assessment: measuring compliance
• Measures organizations’ compliance with laws, regulations, adopted standards and internal policies/procedures in…
  • Education and awareness
  • Monitoring and responding to the regulatory environment
  • Data, systems and process assessments
  • Risk assessments
  • Incident response
  • Contracts
  • Remediation
  • Program assurance, including audits
• May be conducted…
  • On a regular or scheduled basis
  • Ad hoc, as the result of a privacy or security event
  • At the request of an enforcement authority
• Methods may include…
  • Subjective standards (e.g., employee interviews/questionnaires, complaints received)
  • Objective standards (e.g., information system logs, training and awareness attendance, test scores, technology such as eDiscovery tools)
• May be conducted by…
  • Business process owner along with the privacy professional
  • Internal audit function
  • Data protection officer
  • Self-assessments (business function)
  • External third parties
• Results are…
  • Documented for management sign-off
  • Analyzed to develop recommendations for improvement and a remediation plan
  • Any risks identified during the assessment should be discussed with the privacy professional or the privacy office
• Resolution of issues/vulnerabilities is then monitored to ensure appropriate corrective action is taken on a timely basis
Resource
Peter P. Swire and Kenesa Ahmad, Foundations of Information Privacy and Data Protection, ed.
Terry McQuay (Portsmouth, NH: IAPP, 2012).

Assessment in practice

Eric works for a financial institution that digitally stores all client records and destroys paper copies. He has discovered that, when working with a client, saving the record to his desktop makes accessing information easier and quicker. A conversation with Eric’s team leader during their annual privacy assessment uncovers this practice, which is both noncompliant with the company’s privacy policy and puts personal information at risk of a breach.


Session notes
Assessment in practice
In addition to identifying areas of noncompliance, assessments may determine other privacy risks.

The following scenario describes a situation that may pose a privacy issue.
• Eric works for a financial institution that digitally stores all client records and destroys paper
copies.
• He has discovered that, when working with a client, saving the record to his desktop makes
accessing information easier and quicker.
• A conversation with Eric’s team leader during their annual privacy assessment uncovers this
practice that is both noncompliant with the company’s privacy policy and puts personal
information at risk of a breach.

Resource
Bob Siegel, “Accountability and Adaptability: Two of the Three ‘A’s of a Successful Privacy
Program,” The Privacy Advisor (IAPP), May 23, 2016, https://iapp.org/news/a/accountability-and-
adaptability-two-of-the-three-as-of-a-successful-privacy-program/.

Assessment in practice

What are the privacy implications of this shortcut?

Session notes
Assessment in practice
• What are the privacy implications of this shortcut?

Resource
Bob Siegel, “Accountability and Adaptability: Two of the Three ‘A’s of a Successful Privacy
Program,” The Privacy Advisor (IAPP), May 23, 2016, https://iapp.org/news/a/accountability-and-
adaptability-two-of-the-three-as-of-a-successful-privacy-program/.

Risk assessment

• What is the purpose of risk assessment?
• Who conducts risk assessment?
• How is risk assessment effectively executed?

Product   | Has personal information? | Personal information                                                                                                          | Risk | LOB
Product 1 | Yes                       | User credentials, financial transactions, first name, last name, IP address, call details, email, message content, home phone | High | LOB X
Product 2 | No                        | N/A                                                                                                                           | Low  | LOB Y


Session notes
Risk assessment
• What is the purpose of risk assessment?
  • To determine risk mitigation priorities and actions
• Who conducts risk assessment?
  • Often the entire privacy team, with involvement from executive leadership, compliance, legal, IT and risk/auditing; sometimes aided by outside counsel and/or consultants
• How is risk assessment effectively executed?
  • Organization buy-in
  • Alignment with business goals and practices
  • Involvement of all relevant stakeholders
  • Budget for risk assessment and mitigation: outside counsel, security, consultants, cyber insurance, IT forensics and software
  • Realistic timeline: weeks to months
  • Maturity model to rank business practices
  • Risk-ranking model
  • Consideration of past, present and future states
  • Clear goals and documentation of the entire process
  • Template or automation, as scope and budget allow
• Privacy risk factors
  • Types of data held by the organization
  • Value of personal information to the business
  • Regulators’ enforcement history
  • Potential regulatory penalties
  • Adverse experiences of comparable organizations
  • Inconsistencies in regulations applicable to the organization
• Assessments can also identify adverse effects: data breaches, perceived “creepiness” causing brand/reputation damage, actions deemed unfair/deceptive by regulators, lawsuits, loss of sales/revenue, impact to the bottom line
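
One way to implement the risk-ranking model the notes call for, as an added example that is not part of the IAPP guide: a small Python scorer over a product inventory shaped like the slide’s table. The element weights, the High/Medium/Low thresholds, the third product row and the function names are assumptions made for illustration, not anything the guide prescribes; a real program calibrates them to its own risk factors (data types held, regulatory exposure, and so on).

```python
"""Risk-ranking model over a product data inventory.

Added example, not code from the IAPP guide: scores each product by the
personal information it holds and assigns a risk rank, the way the slide's
Product 1 / Product 2 table does, so mitigation can be prioritised. The
element weights, thresholds and inventory rows are assumptions constructed
for illustration; calibrate them to your own risk-ranking model.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed weights: higher for elements whose exposure harms individuals most.
ELEMENT_WEIGHTS = {
    "user credentials": 5,
    "financial transactions": 5,
    "message content": 4,
    "call details": 3,
    "home phone": 2,
    "email": 2,
    "ip address": 2,
    "first name": 1,
    "last name": 1,
}
# Elements that justify a High rank on their own (assumption).
HIGH_ON_THEIR_OWN = {"user credentials", "financial transactions"}
DEFAULT_WEIGHT = 1      # applied to elements nobody has classified yet
HIGH_THRESHOLD = 10
MEDIUM_THRESHOLD = 4


@dataclass
class Product:
    name: str
    line_of_business: str
    personal_information: list[str] = field(default_factory=list)

    @property
    def has_personal_information(self) -> bool:
        return bool(self.personal_information)


def unknown_elements(product: Product) -> list[str]:
    """Elements with no weight yet. Flag these for classification rather than
    scoring them silently: an unclassified element is itself a finding."""
    return [e for e in product.personal_information if e.lower() not in ELEMENT_WEIGHTS]


def risk_score(product: Product) -> int:
    """Sum of element weights; unknown elements count DEFAULT_WEIGHT."""
    return sum(ELEMENT_WEIGHTS.get(e.lower(), DEFAULT_WEIGHT)
               for e in product.personal_information)


def risk_rank(product: Product) -> str:
    """Map a product to High / Medium / Low using the assumed thresholds."""
    if not product.has_personal_information:
        return "Low"
    held = {e.lower() for e in product.personal_information}
    score = risk_score(product)
    if held & HIGH_ON_THEIR_OWN or score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def rank_inventory(products: list[Product]) -> list[tuple[str, str, str, int, str]]:
    """Rows of (product, has PI, rank, score, LOB), highest score first."""
    rows = [(p.name, "Yes" if p.has_personal_information else "No",
             risk_rank(p), risk_score(p), p.line_of_business) for p in products]
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed inventory: the slide's two rows plus a third for the middle band.
INVENTORY = [
    Product("Product 1", "LOB X", ["User credentials", "financial transactions",
                                   "first name", "last name", "IP address", "call details",
                                   "email", "message content", "home phone"]),
    Product("Product 2", "LOB Y"),
    Product("Product 3", "LOB X", ["email", "first name", "home phone"]),
]

if __name__ == "__main__":
    for name, has_pi, rank, score, lob in rank_inventory(INVENTORY):
        print(f"{name:<10} PI: {has_pi:<3} risk: {rank:<6} score: {score:>2}  {lob}")
    for p in INVENTORY:
        if unknown_elements(p):
            print(f"{p.name}: classify {unknown_elements(p)}")
```

The ranking is deliberately two-part: a product holding credentials or financial transactions is High regardless of its score, so a single dangerous element cannot be averaged away by a short inventory, and anything the weight table does not know about is surfaced by unknown_elements rather than quietly scored at the default.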

Resource
Eric Dieterich and Ana Rodgers, “Building a Privacy Program from Ground Zero,” Recorded June 22,
2015 at the IAPP Canada Privacy Symposium, Toronto, ON, Reprise Web Conference,
https://iapp.org/resources/article/building-a-privacy-program-from-ground-zero/.

Privacy threshold analysis

What do PTAs seek to determine?


Session notes
A privacy threshold analysis is a questionnaire or document used to determine if an information
technology system contains personally identifiable information, whether a privacy impact
assessment is required, and if any other privacy requirements apply to the system.

What do PTAs seek to determine?


• From whom data is collected
• What types of personal data are collected
• How such data is shared
• Whether the data has been merged
• Whether any determinations have been made as to the information security aspects of the system

The U.S. Department of Agriculture on PTAs:


“A PTA should be completed when proposing a new information technology system that will collect,
store, or process identifiable information or when starting to develop or significantly modify such a
system, or when a new electronic collection of identifiable information is being proposed.
The purpose of a PTA is to:
1. Identify programs and systems that have privacy implications;
2. Demonstrate the inclusion of privacy considerations during the review of a program or system;
3. Provide a record of the program or system and its privacy requirements at the Department’s
Privacy Office;
4. Demonstrate compliance with privacy laws and regulations.”

Example of a PTA template from the U.S. Department of Homeland Security:


https://www.dhs.gov/xlibrary/assets/privacy/privacy_pta_template.pdf

Resource
“Privacy Threshold Analysis, Privacy Impact Assessments, and System of Records Notices,” U.S.
Department of Agriculture, 24 March 2024,
https://www.aphis.usda.gov/aphis/resources/lawsandregs/privacy-act/pta-pia-sorn/pta-pia-sorn

What is a PIA?

A privacy impact assessment is an analysis that specifically assesses the privacy risks associated with processing personal information in relation to a project, product or service.


Session notes
What is a PIA?
• A privacy impact assessment is an analysis that specifically assesses the privacy risks
associated with processing personal information in relation to a project, product or service
• Form of risk assessment
• Risk management tool used to identify and reduce privacy risks to individuals and
organizations
• Ensures adherence to legal, regulatory and policy requirements while assessing privacy
risks and considering protective measures
• Part of holistic risk management strategy
• Evaluation of existing controls
• Remedial actions or mitigations necessary to avoid, reduce and minimize risks

• Requirements around PIAs may be mandated by industry, organizational policy, laws and
regulations
• Regions may call out PIAs as essential in some circumstances and/or have specific legal
requirements for conducting them
• Work closely with all stakeholders and relevant functions
• Also consider physical controls
• Example: destroying paper documents, physical access to spaces, etc.

What is a PIA?

A privacy impact assessment may be used to facilitate privacy by design.


Session notes
A privacy impact assessment may be used to facilitate privacy by design.
• PbD is the concept that organizations need to build privacy directly into technology, systems and
practices at the design phase and ensure existence of privacy from outset

Resource
Eric Dieterich and Ana Rodgers, “Building a Privacy Program from Ground Zero,” Recorded June 22,
2015, at the IAPP Canada Privacy Symposium, Toronto, ON, Reprise Web Conference,
https://iapp.org/resources/article/building-a-privacy-program-from-ground-zero/.

When should a PIA be conducted?

• Prior to deployment of a project, product or service that involves the collection of personal information
• New or revised industry standards, organization policy, law or regulation
• Changes to methods in which personal information is handled that create new privacy risks


Session notes
• An organization may not be able to perform a PIA for every product, depending on its resources
• A privacy threshold analysis can be used to determine priorities

When should a PIA be conducted?


• Prior to deployment of a project, product or service that involves the collection of personal
information
• New or revised industry standards, organization policy, law or regulation
• Changes to methods in which personal information is handled that create new privacy risks

Chat: Brainstorm

What events may trigger the need for a PIA (e.g., collection of new information about individuals)?


Chat: Brainstorm
What events may trigger the need for PIA (e.g., collection of new information about individuals)?

DPIAs

Two main values:
1) To help incorporate privacy considerations into organizational planning
2) To help demonstrate compliance with the law


Session notes
Data protection impact assessments serve as a valuable tool to identify and mitigate privacy risks
that could adversely affect or infringe upon the rights and freedoms of data subjects or individuals
during the collection, use, disclosure and processing of their personal data.
• Data protection impact assessments have specific triggers and requirements under some
countries’ laws (e.g., GDPR, LGPD)
• Two main values of a DPIA:
• To help incorporate privacy considerations into organizational planning
• To help demonstrate compliance with the law
• When is a DPIA required?
• Article 35, GDPR: If processing is “likely to result in a high risk to the rights and freedoms
of natural persons”
• Additional considerations: Nature, scope, context, purpose, type of processing, use of
new technologies (Article 35 provides examples that will require a DPIA)
• Use of new technologies whose consequences and risks are less understood may
increase likelihood that a DPIA should be conducted
• Article 5, XVII, LGPD: If the processing of personal data may trigger risks to civil liberties
and fundamental rights of the data subjects
• There are two cases in which the LGPD expressly recommends that the controller create
a DPIA: When the processing of personal data is based on a legitimate interest or involves
sensitive data
• When must the supervisory authority be consulted? (GDPR Article 36)
  • Prior to processing, when the DPIA indicates that the processing would still present a high risk to data subjects after the controller’s planned mitigation measures
• Communication should include:
• DPIA
• Responsibilities of controllers and processors
• Purposes and means of processing
• Measures and safeguards
• Contact details of DPO

PIAs and DPIAs work in tandem; they are not substitutes for one another.
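
A screening step for the Article 35 question above, as an added example that is not part of the IAPP guide: it encodes the nine criteria from the Article 29 Working Party DPIA guidelines cited in the resource below (WP248 rev.01) and applies the Working Party’s rule of thumb that processing meeting two or more criteria will in most cases require a DPIA, while a single criterion may still suffice. The criteria and the rule of thumb come from the guidelines; the sample activities, their flags and the function names are constructed assumptions.

```python
"""DPIA threshold screening against the Article 29 Working Party criteria.

Added example, not code from the IAPP guide: applies the nine screening
criteria from the WP29 DPIA guidelines (WP248 rev.01) to a description of a
processing activity. WP29's rule of thumb: two or more criteria met means a
DPIA is required in most cases under GDPR Article 35, and one criterion may
suffice. The sample activities and flags below are constructed.
"""
from dataclasses import dataclass, field

WP29_CRITERIA = {
    "evaluation_or_scoring": "evaluation or scoring, including profiling and predicting",
    "automated_decision_legal_effect": "automated decision-making with legal or similarly significant effect",
    "systematic_monitoring": "systematic monitoring of data subjects",
    "sensitive_or_highly_personal": "sensitive data or data of a highly personal nature",
    "large_scale": "data processed on a large scale",
    "matching_or_combining": "matching or combining datasets",
    "vulnerable_subjects": "data concerning vulnerable data subjects",
    "innovative_technology": "innovative use or new technological or organisational solutions",
    "prevents_exercising_rights": "processing that prevents data subjects from exercising a right or using a service or contract",
}

DEFAULT_THRESHOLD = 2   # WP29 rule of thumb: two or more criteria -> DPIA


@dataclass
class Screening:
    activity: str
    matched: list = field(default_factory=list)
    dpia_required: bool = False
    rationale: str = ""


def screen(activity: str, flags: dict, threshold: int = DEFAULT_THRESHOLD) -> Screening:
    """Return the screening outcome for one processing activity.

    `flags` maps WP29 criterion keys to True/False. Unknown keys are rejected
    so a typo cannot silently drop a criterion from the screening.
    """
    unknown = set(flags) - set(WP29_CRITERIA)
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    # Preserve the guidelines' ordering of criteria in the report.
    matched = [k for k in WP29_CRITERIA if flags.get(k)]
    if len(matched) >= threshold:
        rationale = (f"{len(matched)} criteria met (threshold {threshold}); "
                     "conduct a DPIA before processing begins (GDPR Art. 35)")
        return Screening(activity, matched, True, rationale)
    if matched:
        rationale = ("1 criterion met; record why a DPIA is not carried out, "
                     "or conduct one if the controller judges the risk high")
    else:
        rationale = "no criteria met; record the screening outcome"
    return Screening(activity, matched, False, rationale)


# Constructed sample activities (assumptions, not from the guide).
SAMPLES = {
    "Behavioural ad profiling across web and app users": {
        "evaluation_or_scoring": True,
        "large_scale": True,
        "matching_or_combining": True,
    },
    "Internal staff directory (name, desk, extension)": {
        "vulnerable_subjects": True,   # employees
    },
    "Anonymous site-visit counter": {},
}


def screen_samples(threshold: int = DEFAULT_THRESHOLD) -> list:
    return [screen(name, flags, threshold) for name, flags in SAMPLES.items()]


if __name__ == "__main__":
    for s in screen_samples():
        verdict = "DPIA REQUIRED" if s.dpia_required else "no DPIA"
        print(f"{verdict:<14} {s.activity}")
        print(f"    matched: {', '.join(s.matched) or 'none'}")
        print(f"    {s.rationale}")
```

Two design points worth keeping if you adapt this: the threshold is a parameter, because a controller may decide that one criterion (say, sensitive data of vulnerable subjects) is enough to trigger a DPIA for its sector; and a screening that finds no criteria still returns a recorded rationale, since the decision not to carry out a DPIA is itself something the accountability principle expects you to document.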
Resource
Article 29 Working Party, Guidelines on Data Protection Impact Assessment (DPIA), Revised October
4, 2017, http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236.

Components of a DPIA

Session notes
What should a DPIA include?
• Description of the processing, including purpose and legitimate interest being pursued
• Necessity of processing, its proportionality, risks that it poses to data subjects
• Measures to address risks

Components of a DPIA
• Components may differ, depending on applicable requirements, line of business, etc.
• UK Information Commissioner’s Office published a template for recording the process and
outcomes of a DPIA: https://iapp.org/media/pdf/resource_center/dpia-template-v04-post-
comms-review-20180308.pdf
• Sample DPIA steps:
1. Identify the need for a DPIA
2. Describe the processing of personal information, including its nature, scope, context
and purposes
3. Consider what consultation you may need
4. Assess necessity and proportionality
5. Identify and assess risks
6. Identify measures to reduce risk
7. Sign off and record outcomes

TIAs and LIAs

• Transfer impact assessment
• Legitimate interests assessment


Session notes
Transfer impact assessment:
• An assessment, required since the CJEU’s 2020 Schrems II judgment, of whether the laws and practices of the destination (third) country ensure a level of data protection essentially equivalent to that in the EU
• TIAs consider the sufficiency of foreign protections on a case-by-case basis when data is transferred using standard contractual clauses, binding corporate rules or other EU-approved data transfer mechanisms
• Example of a TIA template: https://iapp.org/resources/article/transfer-impact-assessment-templates/

Legitimate interests assessment:


• A form of risk assessment; should be conducted when personal data processing is based on
legitimate interest
• Legitimate interests are one of the six lawful bases for processing personal data under
the GDPR
• “Processing is necessary for the purposes of the legitimate interests pursued by the
controller or by a third party”
• LIAs include identifying the legitimate interest and conducting necessity and
balancing tests
• LIAs demonstrate accountability and the lawfulness of processing and confirm compliance to the
supervisory authority
• Example of an LIA template: https://ico.org.uk/media/for-organisations/forms/2258435/gdpr-
guidance-legitimate-interests-sample-lia-template.docx

Resources
“Legitimate interests,” ICO,
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-
protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/.

“How to Conduct a Legitimate Interests Assessment (LIA)?” Data Privacy Manager,


https://dataprivacymanager.net/what-is-lia-legitimate-interests-assessment-and-how-to-conduct-
it/.

Attestation

A form of self-assessment

Task: Classify data
Owner: IT
Questions: Has the NIST 800-60 classification system been reviewed to ensure understanding of each category? Has each type of data within the information system been mapped to a category? Have data types that cannot be easily categorized been flagged, analyzed and classified by the CISO?
Evidence: Spreadsheet with data inventory, categories and classifications


Session notes
Attestation: A form of self-assessment
• Tool for ensuring functions outside the privacy team are held accountable for privacy-related
responsibilities
• Once privacy responsibilities of each department have been determined/documented, craft
questions related to each responsibility
• Designated departments are required to answer question(s) and potentially provide evidence
• Questions should be specific and easy to answer — usually yes/no

Example of attestation
• Involves NIST 800-60
• A guide from the National Institute of Standards and Technology/U.S. Department of
Commerce
• On mapping types of information and information systems to security categories
• May not be familiar to participants from outside U.S.
• Should be prefaced with brief explanation
• Task: Classify data
• Owner: IT
• Questions: Has the NIST 800-60 classification system been reviewed to ensure understanding
of each category? Has each type of data within the information system been mapped to a
category? Have data types that cannot be easily categorized been flagged, analyzed and
classified by the CISO?
• Evidence: Spreadsheet with data inventory, categories and classifications

Resource
Bob Siegel, “Accountability and Adaptability: Two of the Three ‘A’s of a Successful Privacy
Program,” The Privacy Advisor (IAPP), May 23, 2016, https://iapp.org/news/a/accountability-and-
adaptability-two-of-the-three-as-of-a-successful-privacy-program/.

Chat: In your experience

What aspects of an organization’s physical environment may require risk assessment (e.g., document destruction)?


Session notes
In addition to the digital environment, risk assessment should evaluate the physical environment.
• Many security incidents can be due to theft or loss of equipment, or hard-copy records being lost,
stolen, or incorrectly stored or disposed of
• Physical and environmental security protects an organization’s data, electronic equipment and
personnel

Chat: In your experience


What aspects of an organization’s physical environment may require risk assessment (e.g.,
document destruction)?

Mergers, acquisitions and divestitures

Privacy checkpoints


Session notes
Key definitions
• Merger: Forms one organization from others
• Acquisition: One organization buys one or many others
• Divestiture: Removes one aspect of an organization — several potential motives, such as selling
off part of the business not integral to the core

Privacy checkpoints
Merger and acquisition processes should include privacy checkpoint that evaluates:
• Applicable new compliance requirements
• Existing client agreements
• New resources, technologies and processes to bring them into alignment
• Standards and sectoral-specific laws
• Comprehensive laws/regulations

It can be difficult to manage shared data immediately after a change in organizational structure. It
is particularly important in this period to consider the governance and accountability requirements.
In particular, you must:
• Check that the data records are accurate and up to date
• Ensure you document what you do with the data
• Adhere to a consistent retention policy for all records
• Ensure appropriate security is in place
• Implement risk mitigation and communications with internal and external stakeholders after
mergers, acquisitions and divestitures

The process of divestiture should include a privacy check to ensure no unauthorized information,
including personal information, remains on the organization’s infrastructure.

Resources
EDPB, Statement on privacy implications of mergers,
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_privacyimplicationsofm
ergers_en.pdf

Vendors

Assessing risk
• Type of data being outsourced?
• Location of data?
• Implications of cloud computing strategies?
• Legal compliance?
• Records retention?
• Contractual requirements?
• Minimum standards for safeguarding information?


Session notes
Vendor: Also known as processor (EU), contractor and third-party vendor

Risk assessment should be extended to all areas of the business, including procurement, and should
be performed by the appropriate department or organizational level. The same assessment process
should be followed every time the organization considers using a new vendor.

• Considerations
• Type of data being outsourced
• Location of data
• Implications of cloud computing strategies
• Legal compliance
• Records retention
• Contractual requirements
• Minimum standards for safeguarding information
• Common risks of working with vendors
• Scope creep
• Process/quality standards
• Data breaches
• Oversight
• Laws and regulations

Resource
K Royal and Pedro Pavón, “Third-Party Vendor Management Means Managing Your Own Risk,” 10-part series,
vols, The Privacy Advisor (IAPP), 2014–2015, https://iapp.org/resources/article/third-party-vendor-
management-means-managing-your-own-risk-3/.

Vendors

Using checklists to assess…
☐ Processing activities align with privacy program framework
☐ Policies are consistently followed by all departments
☐ Relevant teams have had training to handle vendor privacy issues
☐ Relevant personal information is included in the data inventory/map
☐ Privacy risks have been identified, assessed and mitigated (where appropriate), and risk is addressed in the contract, including mitigation and thresholds
☐ All privacy and security requirements are addressed in the contract
☐ There is a consistent process for engaging new vendors
☐ There is ongoing monitoring and auditing
☐ There is a process for termination


Session notes
• Article 28, GDPR: Obligations of each processor (and its sub-processors)
• Due-diligence before working with vendor
• Inform data processor agreements
• Controller right to audit processor
• Article 55, China’s PIPL:
  • Personal information handlers must carry out a personal information protection impact assessment in advance, and record the processing, for certain activities, including entrusting vendors to process personal information, processing sensitive personal information and transferring personal information overseas; the assessment report and processing records must be retained for at least three years (Article 56)
• Vendor assessment
• Evaluation of privacy/information security policies, access controls, where personal
information will be held and who has access
• Involves all relevant internal/external stakeholders: internal audit, information
security, physical security and regulators
• Same assessment process followed every time the organization considers using new
vendor
• Assessment methods: Privacy/security questionnaires, privacy impact assessments, checklists

Checklists can be used to assess:


• Processing activities align with privacy framework
• Policies are consistently followed by all departments
• Relevant teams have had training to handle vendor privacy issues
• Relevant personal information is included in the data inventory/map
• Privacy risks have been identified, assessed and mitigated (where appropriate), and risk is
addressed in the contract, including mitigation and thresholds
• All privacy and security requirements are addressed in the contract
• There is a consistent process for engaging new vendors
• There is ongoing monitoring and auditing
• There is a process for termination

Assessing cloud computing vendors

1. Certifications and standards
2. Technologies and service roadmap
3. Data security, data governance and business policies
4. Service dependencies and partnerships
5. Contracts, commercials and SLAs
6. Reliability and performance
7. Migration support, vendor lock-in and exit planning
8. Business health and company profile


Session notes
Any technology that is new to an organization should require an assessment. Assessing cloud
computing vendors before procuring them can be challenging:
• Complexity of their services
• Clients of cloud computing services may not be able to negotiate the contractual terms of use of
the cloud services
• Inspection of their premises is difficult for various logistical reasons
The Cloud Industry Forum indicates eight areas to focus on during a selection assessment of a cloud
service provider (https://cloudindustryforum.org/8-criteria-to-ensure-you-select-the-right-cloud-
service-provider/):
1. Certifications and standards: Providers that comply with recognized standards and quality
frameworks demonstrate an adherence to industry best practices and standards.
2. Technologies and service roadmap: Ensure the provider’s platform and preferred technologies align
with your current environment, workloads and management preferences. Also consider how the
provider plans to continue innovating and growing, and if its road map fits your needs in the long
term.
3. Data security, data governance and business policies: The location where your data will reside and
the local laws it is subject to may be a key part of the selection process. If you have specific
requirements, look for providers that give you choice and control regarding the jurisdiction in which
your data is stored, processed and managed. Be sure to assess the provider's levels of data and system
security and get clarity on security roles and responsibilities.
4. Service dependencies and partnerships: Assess the provider’s vendor relationships. Uncover any
service dependencies and partnerships involved in the provision of the cloud services. You should also
look to understand limitations of liability and service disruption policies related to these
subcomponents.
5. Contracts, commercials and SLAs: Identify the important factors to help clarify risk and suitability.
Considerations should include service delivery, business terms, data assurance and legal protections.
6. Reliability and performance: Several methods can be used to measure the reliability of a service
provider. Check the performance of the service provider against their recent service level
agreements. Evaluate provider plans and processes for managing downtime and ensure monitoring
and reporting tools are sufficient. Understand disaster recovery provisions.
7. Migration support, vendor lock-in and exit planning: Cloud services that rely heavily on bespoke or
unique proprietary components may limit your ability to move to other providers or to in-house
operations. Ensure the provider makes minimal use of proprietary technology and that there is a clear
exit strategy in place.
8. Business health and company profile: Consider the financial health and profile of the provider.
Providers should have a proven record of stability and the financial health to operate successfully
over the long term.

124
©2024 International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
Privacy Program Management

Chat: Review question 1

Module 4: Privacy operational life cycle — Assess: Data assessments

Session notes
1. What steps should Privacy Officer Garcia and her team take to assess AtlantiPulse’s privacy
policies, practices and compliance?


Chat: Review question 2

Module 4: Privacy operational life cycle — Assess: Data assessments

Session notes
2. What methods may be used to conduct privacy assessment?


Chat: Review question 3

Module 4: Privacy operational life cycle — Assess: Data assessments

Session notes
3. Garcia uses a data inventory of AtlantiPulse’s information assets and a PII risk ranking to
determine which projects should be evaluated through a PIA. In addition to
acquisition/merger, what other circumstances may trigger the need for a PIA?


Module 5: Privacy operational life cycle — Protect: Protecting personal information

Module 5 learning objectives


• Explore the intersection of privacy and information security.
• Examine ways to better align the privacy and information security functions.
• Outline drivers behind information security practices.
• Analyze types and categories of controls.
• Review examples of administrative controls.
• Illustrate types of access controls.
• Determine technical controls for protecting personal information.
• Define privacy by design and review its seven principles.
• Define data protection by design and default in the GDPR.
• Explore privacy risk models and frameworks.
• Compare process-oriented and data-oriented privacy design strategies.
• Understand the privacy risks posed by the use of AI in the business environment.


AtlantiPulse causes a privacy problem

AtlantiPulse is now an integral part of one of the divisions of One Earth Medical.

AtlantiPulse has well-established policies and procedures for its nurses who work from home,
including scheduled periodic audits to be sure they are operating in accord with company standards.
However, Privacy Officer Garcia has discovered several potential privacy weaknesses.

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Read the scenario to answer the question that follows.


AtlantiPulse causes a privacy problem

Although printing functions were disabled on remote computers and an admin password is needed to
enable them, it is possible to use the “print as PDF” function to create copies of patient data.

AtlantiPulse’s database with patient and scheduling data does not restrict access to the data beyond
the initial login, regardless of the user’s location or role. Coupled with potential breaches due to
the computer’s configuration, this situation could cause serious issues.

Some of the ports on nurses’ laptops are unsecured, making it possible to transfer data from an
AtlantiPulse machine to an external storage device or computer outside the network.

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Read the scenario to answer the question that follows.


Chat: Activity #3

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Chat: Activity #3
To resolve the potential security issues described in the scenario, what must Privacy Officer
Garcia first determine?


Privacy v. security… isn’t it the same thing?

Data privacy is focused on the use and governance of personal data — things like putting policies in
place to ensure that consumers’ personal information is being collected, shared and used in
appropriate ways. Security focuses more on protecting data from malicious attacks and the
exploitation of stolen data for profit. While security is necessary for protecting data, it’s not
sufficient for addressing privacy.

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Privacy and security are related concepts, and both focus on information.
• Security: Focuses on the control of information; ensuring its confidentiality, integrity and
availability throughout the data life cycle
• Privacy: Focuses on the information itself and the people represented by the information;
examines what information is revealed and whether there is a risk to the person or their
reputation

Resources
https://iapp.org/about/what-is-privacy/


Information security practices

[Cycle diagram: Identify risk → Select and implement measures to mitigate risk → Track and evaluate risk]

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Information security
• Provides administrative, technical and physical controls, or safeguards, to reduce probable
damage, loss, modification or unauthorized data access
• Built upon risk management practices to…
• Identify risk
• Select and implement measures to mitigate risk
• Track and evaluate risk (to validate the first two steps)
• Risk factors are the driving force behind all information security matters
• Regardless of industry, government affiliation or geographic location
• Existence of risk does not necessarily imply data is not secure


Chat: Your outlook

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Chat: Your outlook
What are some examples of potential information security risks?


Information security control categories

Preventive | Detective | Corrective

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Controls can be divided into several categories based on the control objective:

• Preventive controls: Intended to prevent an incident from occurring
• Firewalls, passwords, procedures, training, etc.
• Detective controls: Intended to identify and characterize an incident that has occurred or is
in progress
• Audits, antivirus software, monitoring and logging, etc.
• Corrective controls: Intended to limit the extent of any damage caused by an incident
• Business continuity plans, restoration of backup data, updated policies/lessons learned,
etc.


Information security control types

Administrative | Physical | Technical

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Information security uses controls to manage risk.

• Physical controls govern physical access to hard copies of data and the systems that process and
store electronic copies
• Fences, doors, locks and fire extinguishers, etc.
• Limitations: Can be defeated by physical means (lost keys, cut/broken fences); less
ability to monitor and restrict access
• Technical controls govern software processes and data
• User authentication (login) and logical access controls, antivirus software, firewalls, etc.
• Limitations: Can be difficult to detect and prevent insider attacks; compatibility issues;
false sense of security; may not keep pace with evolving threats
• Administrative or policy controls govern an organization’s business practices
• Incident response processes, management oversight, security awareness and training,
policies regarding how the organization handles data, etc.
• Limitations: Relies on people doing the right thing (e.g., reporting issues); human error


Technical privacy controls

• Obfuscation
• Data minimization

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Obfuscation
Masking: Masking is a means of permitting parts of a sensitive value to be visible while
leaving the remainder of the value shielded from view.
Randomization: Randomization uses random information or randomizes the data to
complicate linking personal information back to an individual.
Noise: Noise adds false data to information to complicate identification of valid personal
information.
Hashing: Hashing is taking user identifications and converting them into an ordered system
to track the user’s activities without directly using personal information.
Data minimization
Data segregation: Data segregation stores data in different areas to prevent aggregation or
access to large amounts of data or linking data.
Compression: Compressing data, such as an audio file, maintains its comprehensibility while
removing characteristics that may distinguish an individual.
Aggregation: Data aggregation is the process of combining data from multiple records so
that the combined data reflects the attributes of a group versus an individual.
Deletion: Deleting unneeded or expired data is one of the best ways to remove the risk that
can come from having too much data.
Deidentification: Deidentification is an action to remove identifying characteristics from
data. Deidentified data is information that does not actually identify an individual. Some
laws require specific identifiers to be removed.
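As an added illustration (not code from this guide), the Python below applies the obfuscation and data-minimization controls defined above to constructed sample records: masking, hashing as a pseudonymization step (a keyed hash is used here, an assumption beyond the text), noise, deidentification with generalization of the remaining quasi-identifiers, and aggregation with small-group suppression. The records, field names and key are all made up.

```python
"""Constructed demonstration of the obfuscation and data-minimization controls
described above: masking, hashing (here a keyed hash), noise, deidentification
and aggregation. Records, field names and the key below are all made up."""
import hashlib
import hmac
import random
from collections import Counter

# Constructed sample rows from a hypothetical home-nursing scheduling table.
RECORDS = [
    {"name": "Alice Adams", "ssn": "123-45-6789", "zip": "02115", "age": 34, "visits": 3},
    {"name": "Bob Brown", "ssn": "987-65-4321", "zip": "02115", "age": 41, "visits": 1},
    {"name": "Cara Cole", "ssn": "555-11-2222", "zip": "02116", "age": 29, "visits": 5},
    {"name": "Dan Diaz", "ssn": "444-33-1111", "zip": "02115", "age": 52, "visits": 2},
]
DIRECT_IDENTIFIERS = ("name", "ssn")
# Hypothetical secret used for pseudonymization; in practice it lives in a key store.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def mask(value: str, visible: int = 4, mask_char: str = "*") -> str:
    """Masking: show only the last `visible` characters of a sensitive value.
    Non-alphanumeric separators are kept so the masked value stays readable."""
    hidden = max(len(value) - visible, 0)
    head = "".join(mask_char if ch.isalnum() else ch for ch in value[:hidden])
    return head + value[hidden:]


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Hashing: map an identifier to a stable one-way token so activity can be
    tracked per person without storing the identifier itself. A keyed hash
    (HMAC-SHA256) is used because identifiers with a small format space, such
    as SSNs, could otherwise be recovered by hashing every candidate value."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def noisy_visits(records, seed: int, spread: int = 2) -> list:
    """Noise: perturb each visit count by a random offset in [-spread, spread].
    A seeded generator is used only so the demonstration is reproducible."""
    rng = random.Random(seed)
    return [r["visits"] + rng.randint(-spread, spread) for r in records]


def deidentify(record: dict, identifiers=DIRECT_IDENTIFIERS) -> dict:
    """Deidentification: drop direct identifiers and generalize the
    quasi-identifiers that remain (age to a 10-year band, ZIP to a prefix)."""
    out = {k: v for k, v in record.items() if k not in identifiers}
    decade = record["age"] // 10 * 10
    out["age"] = f"{decade}-{decade + 9}"
    out["zip"] = record["zip"][:3] + "**"
    return out


def aggregate(records, group_key: str, min_group: int = 3) -> dict:
    """Aggregation: count records per group, suppressing groups smaller than
    `min_group` so the output reflects a group rather than one individual."""
    counts = Counter(r[group_key] for r in records)
    return {g: (n if n >= min_group else "suppressed") for g, n in counts.items()}


def analytics_view(records) -> list:
    """Combine the controls: a pseudonymous, deidentified view of the records
    that still supports per-person activity analysis."""
    return [dict(deidentify(r), subject=pseudonymize(r["ssn"])) for r in records]


if __name__ == "__main__":
    print(mask("123-45-6789"))            # ***-**-6789
    print(aggregate(RECORDS, "zip"))      # {'02115': 3, '02116': 'suppressed'}
    for row in analytics_view(RECORDS):
        print(row)
```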


Technical privacy controls

• Common security practices
• Privacy-enhancing technologies

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Common security practices
Data loss prevention (DLP): DLP helps to ensure that sensitive data is not inadvertently
released to the wrong person or entity.
Destruction: At the end of its life cycle, data should be destroyed.
Encryption: Encryption is the process of obscuring information, often through the use of a
cryptographic scheme, in order to make the information unreadable without special
knowledge, i.e., the cryptographic keys.
Auditing and testing: Auditing and testing are essential to verify that privacy requirements
are being met and to validate the appropriateness of those requirements.
Access controls for physical and virtual systems: Access control is a mechanism by which
access permission to a resource is managed.
Privacy-enhancing technologies
Differential privacy: Differential privacy is a database technique that permits the analysis
of user data stored within the database without revealing any information about individuals
that is unavailable to those without access to the database.
Homomorphic encryption: Homomorphic encryption is a type of advanced technology that
prevents raw data from being accessed while still allowing for analysis of the data.

Be sure to collaborate with privacy technologists to enable technical controls for obfuscation, data
minimization, security and other privacy-enhancing technologies.


Administrative controls

Type | Source | Administrative control | Implementation
Laws and regulations | GDPR: Right to erasure | Data must be deleted upon request. | Ensure the delete button works properly.
Industry practices | Generally Accepted Privacy Principles | Explicit consent must be obtained for sensitive data. | Require “opt-in” selection for specified users.
Self-regulatory regime | Payment Card Industry Data Security Standard | Cardholder data must be encrypted. | Use AES 256 (Advanced Encryption Standard) in transit.
Corporate ethics/policy | Google’s former motto: “Don’t be evil.” | Search results must not be deceptive. | Always clearly identify advertising as a “sponsored link.”

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Administrative controls are the non-technical, “softer” privacy control measures established by
management (e.g., policies and procedures for the correct acquisition, implementation and use of
technology within an enterprise).

• May derive from laws and regulations, industry practices, self-regulatory regimes, and corporate
ethics and policies
• The term “administrative safeguards” is more commonly used in the context of U.S. legislation
(e.g., HIPAA)
• The term “organizational measures” is often used in EU contexts


Information security controls

ISO 27001 control domains
• Information security policies
• Organization of information security
• Human resources security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operational security
• Communications security
• Systems acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
• Compliance

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Information security controls
• ISO/IEC 27001 and 27002
• Internationally recognized information security standards
• Published by International Organization for Standardization and International
Electrotechnical Commission
• Types of security controls on slide align with ISO/IEC 27001 and ISO/IEC 27002 standards
• ISO/IEC 27001 Annex A
• Contains summary of security controls
• ISO/IEC 27002
• Examines control objectives and controls in more depth
• ISO/IEC 27701
• Extension of ISO/IEC 27001; first mainstream global privacy management standard
• Defines processes and provides guidance for protecting personal information on an
ongoing, evolving basis
• Specifies the requirements for establishing, implementing, maintaining and continually
improving a privacy-specific information security management system
• Information security controls further categorized as…
• Physical controls
• Administrative controls
• Technical controls

For help mapping ISO 27001 to the GDPR, see the report IAPP-OneTrust Research: Bridging ISO
27001 to GDPR: https://iapp.org/resources/article/iapp-onetrust-research-bridging-iso-27001-to-gdpr.

Visit https://iapp.org/news/a/microsoft-launches-open-source-privacy-mapping-tool/ for the IAPP
article about Microsoft’s open-source tool, the “Data Protection/Privacy Mapping Project,” which
maps ISO/IEC 27701 to nine privacy laws around the world, including the GDPR, CCPA and LGPD.


Information security access controls

Role-based controls
• Segregation of duties
• Least privilege
• Need-to-know or -access

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Information security access controls
• Access control: A type of information security control
• Access control policy should be established, documented and reviewed based on business and
security requirements for access
• Role-based access controls — basic security principles
• Segregation of duties: Ensures one person cannot exploit or gain access to information
inappropriately
• Least privilege: Information access should only be given to those who need it to perform
their job responsibilities
• Need-to-know or -access: Access is restricted to only information that is critical to the
performance of an authorized, assigned mission
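To make the three role-based principles concrete, the following Python is an added example (not from this guide) of a default-deny authorization check: least privilege through per-role permissions, need-to-know through a per-user patient caseload, and segregation of duties through role pairs that no one person may hold. It also includes the formal grant process and a simple access-rights review. The roles, permissions, user names and patient IDs are hypothetical.

```python
"""Constructed role-based access control check illustrating least privilege,
need-to-know scoping and segregation of duties. Roles, permissions, users
and patient identifiers are hypothetical."""
from dataclasses import dataclass, field
from typing import Optional

# Least privilege: each role carries only the actions its job function needs.
ROLE_PERMISSIONS = {
    "nurse": {"read:clinical_note", "write:clinical_note", "read:schedule"},
    "scheduler": {"read:schedule", "write:schedule"},
    "auditor": {"read:access_log"},
    "access_admin": {"grant:role", "revoke:role"},
}

# Segregation of duties: role pairs that one person must never hold together
# (for example, whoever grants access must not also be the one auditing it).
CONFLICTING_ROLES = {
    frozenset({"access_admin", "auditor"}),
    frozenset({"access_admin", "nurse"}),
}


@dataclass
class User:
    name: str
    roles: set
    # Need-to-know: the patients this user is currently assigned to.
    caseload: set = field(default_factory=set)


def sod_ok(roles: set) -> bool:
    """True if the role set contains no segregation-of-duties conflict."""
    return not any(pair <= roles for pair in CONFLICTING_ROLES)


def permitted_actions(user: User) -> set:
    """Union of the permissions granted by the roles the user holds."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))


def authorize(user: User, action: str, patient_id: Optional[str] = None) -> bool:
    """Default-deny decision. The action must come from one of the user's
    roles, a conflicting role combination fails closed, and patient-scoped
    actions additionally require the patient to be on the user's caseload."""
    if not sod_ok(user.roles):
        return False
    if action not in permitted_actions(user):
        return False
    if patient_id is not None and patient_id not in user.caseload:
        return False
    return True


def grant_role(admin: User, target: User, role: str) -> bool:
    """Formal granting process: only a user authorized for 'grant:role' may
    add a role, the role must exist, and the grant is refused if it would
    create a segregation-of-duties conflict for the target."""
    if not authorize(admin, "grant:role"):
        return False
    if role not in ROLE_PERMISSIONS:
        return False
    if not sod_ok(target.roles | {role}):
        return False
    target.roles.add(role)
    return True


def access_review(users) -> list:
    """Periodic review of access rights: flag users holding a privileged role
    or a conflicting role set so an owner can confirm or revoke them."""
    findings = []
    for u in users:
        if "access_admin" in u.roles:
            findings.append((u.name, "privileged role"))
        if not sod_ok(u.roles):
            findings.append((u.name, "segregation-of-duties conflict"))
    return findings
```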


Information security access controls

Role-based controls
• Segregation of duties
• Least privilege
• Need-to-know or -access

User access management
• Unique user IDs
• Level of access based on purpose
• Formal process for access granting/removal
• Password management
• Review of access rights

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Information security access controls
• User access management (also known as identity access management)
• Unique user IDs
• Credentials for ID (e.g., smart card, password, two-factor authentication, machine
certificate)
• Level of access based on business purpose
• Formal logical access process for granting and removing
• Password management
• Review of user access rights (e.g., privileged accounts, job function changes,
employment termination)


Information security access controls

Role-based controls
• Segregation of duties
• Least privilege
• Need-to-know or -access

User access management
• Unique user IDs
• Level of access based on purpose
• Formal process for access granting/removal
• Password management
• Review of access rights

User responsibility
• Good security practices in selecting and protecting passwords
• Clean desk policy

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Information security access controls
• User responsibility
• Users required to follow good security practices in selecting and protecting passwords
• Clean desk policy for papers and removable storage media


Security policies

• Physical security
• Data classification policies
• Data schema
• Data retention
• Data deletion

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Adequate privacy protection of personal information is contingent on the quality of an internal
security policy and how well it is implemented.
A well-functioning internal security policy prevents unauthorized or unnecessary access to corporate
data or resources, including intellectual property, financial data and personal information.
Physical security measures, such as locks, safes, cameras and fences, offer a first layer of
protection from both internal and external threats.
Other ways to secure data include:
• Data classification policies that should be established, activated and enforced for both granting
and revoking access to assets and information according to their classification
• Database schemas that separate customer information into related tables, making it easier to
grant access only to those who need to see the information
• Data retention policies and procedures that are established early in a system’s development
and that need to be clearly communicated to all individuals who handle data
• Data deletion policies that dictate the secure and complete removal of data from all systems
when it is no longer needed for a legitimate business purpose

Additional information
• Organizations should consider going beyond the minimal requirements for security, as well-
managed processes raise customer satisfaction and build consumer trust
• Privacy technologists should leverage organizational policies when designing and implementing
technical privacy solutions so that solutions are appropriate for the organization’s operational
environment


Evaluating security controls

Collaborate | Don’t reinvent | Stay aware | Rank and prioritize

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
When you are evaluating security controls, your goal should be to ensure they are implemented and
operating effectively to support the organization’s privacy practices.

In evaluating controls:
• Collaborate. Data privacy teams should work closely with information security and IT teams.
Building partnerships between stakeholders in the privacy and information security functions is
essential for consistency, visibility and alignment on key elements of the privacy program.
• Don’t reinvent. Leverage existing audits and reviews, such as SOC1 and SOC2 (System and
Organization Controls for Service Organizations) audits and ISO certifications.
• Stay aware. Include relevant security risks in the privacy framework.
• Rank and prioritize. Keep a scorecard of risk factors for high, medium and low risk. Not all
problems can be solved or mitigated at once, so having an agreed-upon ranking of risk factors is
key to prioritizing resources and evaluating outcomes.


Chat: In your experience

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Chat: In your experience
What are some key information security controls that your organization has prioritized in the
past few years?


Privacy by design: The philosophy and approach of embedding privacy into the design of technology,
systems and practices.

• Proactive not reactive; preventative not remedial
• Privacy as the default
• Privacy embedded into design
• Full functionality — positive-sum, not zero-sum
• End-to-end security — life cycle protection
• Visibility and transparency
• Respect for user privacy

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Privacy by design
• The philosophy and approach of embedding privacy into the design of technology, systems
and practices
• Called out in Article 25 of GDPR, so now more important than ever

As originally conceived by Privacy Commissioner of Ontario, Ann Cavoukian, privacy by design is
based on seven foundational principles:
1. Proactive not reactive; preventative not remedial
2. Privacy as the default
3. Privacy embedded into design
4. Full functionality — positive-sum, not zero-sum
5. End-to-end security — life cycle protection
6. Visibility and transparency
7. Respect for user privacy

Privacy by design includes embedding privacy throughout the entire life cycle of technologies, from
early design state to deployment, use and disposal.
For example, consideration for privacy principles and other privacy requirements when:
• Designing a vehicle/driver tracking system to adjust insurance premiums based on driver behavior
• Introducing facial recognition in airports, casinos and other commonly visited places
Considerations can include:
• Ensuring only the minimum data required is collected
• Defining data retention periods
• Ensuring data sharing is limited to what is necessary
• Testing for discrimination and bias in algorithms used

Resource
https://iapp.org/resources/article/privacy-by-design-the-7-foundational-principles/


Data protection by design and default: The principle that a data controller “shall implement
appropriate technical and organizational measures for ensuring that, by default, only personal data
which are necessary for each specific purpose of the processing are processed.” (GDPR Article 25)

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Data protection by design and default is specifically called out in Article 25 of the GDPR, with
corresponding requirements and consequences for noncompliance.

In the GDPR, the ultimate goal of data protection by design and default is to build information
privacy into the design process (not added on as an afterthought) and protect individuals’ privacy by
default in a product, application or service.

Resources
https://iapp.org/resources/article/privacy-by-design-the-7-foundational-principles/
Article 25 of the General Data Protection Regulation,
http://data.consilium.europa.eu/doc/document/ST-5419-2016-REV-1/en/pdf


Privacy by design and GDPR principles
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization and proportionality
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Privacy by design: GDPR principles (Article 5)
• Lawfulness, fairness and transparency of processing requires honest practices, such as
communicating openly with data subjects about processing activities
• Purpose limitation: Collecting and processing personal data for the specified purpose only
• Compatibility test for further processing: link between purposes, nature of the data,
method of collection, consequences of secondary uses and safeguards
• Data minimization and proportionality: Processing only personal data that is relevant and
necessary for the purpose
• Accuracy: Complete and up-to-date data
• Storage limitation: Retaining only personal data that is relevant and necessary for the purpose.
• Integrity and confidentiality: Security of personal data
• Accountability: Responsibility and demonstration of compliance

Resource
European Union, General Data Protection Regulation, Adopted 2016,
http://data.consilium.europa.eu/doc/document/ST-5419-2016-REV-1/en/pdf.


Data protection by design and default

My Friend Cayla | Target | Predictim

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Use the examples in the slide and the information below to discuss real-world examples of how a
failure of data protection by design and default can compromise privacy.

• “My Friend Cayla” doll: This toy used smart technology to carry on conversations with children.
Flaws in the toy’s encryption process allowed hackers to listen in on conversations as well as
speak directly to the child playing with it.
https://www.theguardian.com/world/2017/feb/17/german-parents-told-to-destroy-my-friend-
cayla-doll-spy-on-children

• Target: This retailer used data mining to deliver targeted advertising. In one case, Target
delivered a mailer for baby products to a teenager before her parents were aware she was
pregnant.
https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-
pregnant-before-her-father-did/#564b2a7f6668

• Predictim: This service scans potential babysitters’ social media postings to provide parents
looking to hire them with risk ratings for things like drug use and bullying, as well as less
objective measures, such as attitude or disrespectfulness.
https://en.softonic.com/articles/predictim-babysitter-scanning


Privacy risk models and frameworks
Models
• Compliance
• FIPPs-based
• FAIR

Frameworks/Standards
• NIST
• Risk Management Framework
• Cybersecurity Framework 2.0
• Privacy Framework
• NICE Framework
• ISO/IEC 27701 Standard
• CNIL’s Methodology for Privacy Risk
Management

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Risk management is an integral aspect of developing reliable software.
When analyzing risk, one can choose from a number of privacy risk models and frameworks that may
be employed individually or in combination.

Models:
• Compliance: Delineates risks as the failure to do what is required or to avoid what is prohibited
by law or regulation

• FIPPs-based: Prescribes, and in some cases proscribes, specific qualities and behaviors of systems
that handle personal information, based on the Fair Information Practice Principles

• Factor Analysis of Information Risk: Decomposes risk into loss event frequency and loss magnitude,
then breaks those down into further factors (e.g., threat event frequency and vulnerability), each
estimated as a range, so that overall risk can be quantified rather than only rated qualitatively

Frameworks/Standards:
• The National Institute of Standards and Technology Frameworks: Provide standards, guidelines
and best practices for managing cybersecurity-related risks, including:
• Risk Management Framework
• Cybersecurity Framework 2.0
• Privacy Framework
• National Initiative for Cybersecurity Education Framework
• ISO/IEC 27701 Standard: Specifies requirements and provides guidance for establishing,
implementing, maintaining and continually improving a Privacy Information Management System
in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within
the context of the organization
• The CNIL’s (Commission Nationale de l'informatique et des Libertés/French Data Protection
Authority) Methodology for Privacy Risk Management: Uses risk maps to determine the severity
of a breach and its likelihood of occurrence
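As an added worked example (not from the guide or from the FAIR standard itself), the following Python carries a FAIR estimate through for one constructed scenario: each factor is a (minimum, most likely, maximum) range, the closed-form expected annual loss is the product of the factor means, and a Monte Carlo run over simulated years gives the loss distribution (median, 90th percentile, worst year) that a single expected value hides. The scenario figures, the choice of triangular distributions and the function names are assumptions.

```python
"""FAIR worked example (added illustration; constructed scenario figures).

Risk = Loss Event Frequency (LEF) x Loss Magnitude (LM)
LEF  = Threat Event Frequency (TEF) x Vulnerability
Each factor is a calibrated (minimum, most likely, maximum) estimate.
"""
import random

# Constructed scenario: phishing that leads to exposure of patient records.
SCENARIO = {
    "tef": (2.0, 5.0, 12.0),                             # threat events per year
    "vulnerability": (0.10, 0.30, 0.60),                 # P(threat event becomes a loss event)
    "loss_magnitude": (20_000.0, 75_000.0, 400_000.0),   # loss per loss event
}


def _mean_triangular(lo, mode, hi):
    """Mean of a triangular (min, most likely, max) estimate."""
    return (lo + mode + hi) / 3.0


def expected_annual_loss(scenario):
    """Closed form: E[TEF] * E[Vulnerability] * E[LM], factors taken as independent."""
    return (_mean_triangular(*scenario["tef"])
            * _mean_triangular(*scenario["vulnerability"])
            * _mean_triangular(*scenario["loss_magnitude"]))


def _event_count(rng, rate):
    """Integer number of events whose expectation equals the sampled rate."""
    whole = int(rate)
    return whole + (1 if rng.random() < rate - whole else 0)


def simulate(scenario, years=20_000, seed=7):
    """Monte Carlo over simulated years. Returns mean and percentiles of the
    annualised loss so the tail (p90, max) is visible, not just the average.
    Note random.triangular takes (low, high, mode)."""
    rng = random.Random(seed)
    tef_lo, tef_ml, tef_hi = scenario["tef"]
    v_lo, v_ml, v_hi = scenario["vulnerability"]
    lm_lo, lm_ml, lm_hi = scenario["loss_magnitude"]
    annual = []
    for _ in range(years):
        threat_events = _event_count(rng, rng.triangular(tef_lo, tef_hi, tef_ml))
        vulnerability = rng.triangular(v_lo, v_hi, v_ml)
        loss = 0.0
        for _ in range(threat_events):
            if rng.random() < vulnerability:       # the threat event becomes a loss event
                loss += rng.triangular(lm_lo, lm_hi, lm_ml)
        annual.append(loss)
    annual.sort()

    def pct(p):
        return annual[min(len(annual) - 1, int(p * len(annual)))]

    return {"mean": sum(annual) / len(annual), "p50": pct(0.50), "p90": pct(0.90), "max": annual[-1]}


def compare(scenario, control_name, **changed_factors):
    """Expected loss before and after a control that changes one or more factors,
    e.g. phishing-resistant MFA lowering vulnerability."""
    after = dict(scenario, **changed_factors)
    return {"control": control_name,
            "before": expected_annual_loss(scenario),
            "after": expected_annual_loss(after)}


if __name__ == "__main__":
    print("expected annual loss:", round(expected_annual_loss(SCENARIO)))
    print("simulated:", {k: round(v) for k, v in simulate(SCENARIO).items()})
    print(compare(SCENARIO, "phishing-resistant MFA", vulnerability=(0.01, 0.05, 0.10)))
```

The point of the simulation is the spread: two scenarios with the same expected loss can have very different p90 values, and it is the tail that drives the decision about which control to fund. `compare` makes the effect of a proposed control explicit by re-estimating only the factor it changes.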


Privacy design strategies

152
Process-oriented strategies

Enforce
Demonstrate
Inform
Control

Data-oriented strategies

Minimize
Separate
Abstract
Hide

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Process-oriented strategies for data protection are based on an organization’s commitment to
processing personal information in a privacy-friendly way and ensuring that these commitments are
honored.

1. Enforce established policies and processes


2. Demonstrate compliance with policies and processes
3. Inform the individual about how their data will be handled
4. Provide users with control over how their data will be handled

Data-oriented strategies focus on the technical ways that data can be processed with the
maximization of privacy in mind.

1. Separate the processing of data, either logically or physically


2. Minimize how much data is collected and processed
3. Abstract data (by summarizing, grouping or approximating) to limit the amount of detail in the
data
4. Hide data in ways that make it unconnectable or unobservable to others
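As an added worked example (not from the guide or from Hoepman’s booklet), the following Python applies the four data-oriented strategies to a small set of constructed patient-style records. The records, field names and the pseudonymisation key are assumptions. The Hide step uses a keyed HMAC pseudonym rather than a bare hash, so that someone holding the analytics rows cannot rebuild the mapping by hashing a list of likely names and e-mail addresses.

```python
"""Added illustration of Hoepman's data-oriented strategies (constructed data)."""
import hashlib
import hmac
from datetime import date

# Constructed sample records: fictional people, not real patients.
RECORDS = [
    {"name": "Ada Lovelace", "email": "ada@example.org", "dob": "1985-03-12",
     "postcode": "SW1A 1AA", "condition": "asthma", "visits": 3},
    {"name": "Alan Turing", "email": "alan@example.org", "dob": "1971-11-02",
     "postcode": "SW1A 2BB", "condition": "hypertension", "visits": 12},
    {"name": "Grace Hopper", "email": "grace@example.org", "dob": "2001-06-30",
     "postcode": "M1 1AE", "condition": "asthma", "visits": 1},
]
DIRECT_IDENTIFIERS = ("name", "email")
# Assumption: the key lives with the identity custodian, never with the analytics team.
PSEUDONYM_KEY = b"demo-only-key-rotate-in-production"


def minimize(record, needed):
    """MINIMIZE: keep only the fields the processing purpose actually needs."""
    return {k: v for k, v in record.items() if k in needed}


def abstract(record, as_of=date(2024, 1, 1)):
    """ABSTRACT: coarsen detail (age band, postcode area, visit band) instead of exact values."""
    out = dict(record)
    if "dob" in out:
        born = date.fromisoformat(out.pop("dob"))
        age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
        out["age_band"] = f"{age // 10 * 10}-{age // 10 * 10 + 9}"
    if "postcode" in out:
        out["postcode_area"] = out.pop("postcode").split()[0]   # outward code only
    if "visits" in out:
        visits = out.pop("visits")
        out["visit_band"] = "1-5" if visits <= 5 else "6-10" if visits <= 10 else "11+"
    return out


def hide(record, key=PSEUDONYM_KEY):
    """HIDE: replace direct identifiers with a keyed pseudonym so rows cannot be
    linked back to a person without the key."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    ident = "|".join(str(record[k]) for k in DIRECT_IDENTIFIERS if k in record)
    out["pseudonym"] = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]
    return out


def separate(records, key=PSEUDONYM_KEY):
    """SEPARATE: split identifying data from analytical data into two stores joined
    only by the pseudonym, so they can sit with different teams and access rights."""
    identity_store, analytics_store = {}, []
    for record in records:
        hidden = hide(record, key)
        identity_store[hidden["pseudonym"]] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        analytics_store.append(hidden)
    return identity_store, analytics_store


def research_extract(records, key=PSEUDONYM_KEY):
    """All four together: the research team receives only minimised, abstracted,
    pseudonymised rows; identities stay in the separate store."""
    identity_store, rows = separate(records, key)
    needed = ("pseudonym", "dob", "postcode", "condition", "visits")
    return identity_store, [abstract(minimize(r, needed)) for r in rows]


if __name__ == "__main__":
    identities, rows = research_extract(RECORDS)
    for row in rows:
        print(row)
    print("identity store holds", len(identities), "entries, kept apart from the rows above")
```

Order matters: Hide runs before Minimize so the pseudonym can be derived from the identifiers that Minimize then drops, and Abstract runs last so the bands are computed from exact values that never leave the custodian. Re-identification of a row then requires both the identity store and the key, which is exactly the separation the strategy is meant to enforce.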

Resource
Jaap-Henk Hoepman, Privacy Design Strategies (The Little Blue Book), 2020,
http://www.cs.ru.nl/~jhh/publications/pds-booklet.pdf


Privacy risks posed by AI use

153
Top AI risks for privacy professionals
• Privacy
• Harmful bias
• Bad governance
• Lack of legal clarity

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Privacy-related risks span across multiple domains and focus on individuals' rights and freedoms.
With the deployment of AI systems, new risk vectors are emerging at the intersection of AI and
privacy.

According to the IAPP-FTI Consulting Privacy and AI Governance Report, new AI risks that are top of
mind for organizations are privacy, harmful bias, bad governance and lack of legal clarity.

• As AI systems become more prevalent, emerging requirements and best practices, like bias
prevention and interpretability of algorithmic outputs, are being incorporated into risk
management frameworks
• These requirements and best practices should consider key privacy and data protection principles
such as data minimization and purpose limitation
• With personal data at the core of AI utility, mitigating privacy risks that may impact individuals is
at the center of responsible AI

Resource
IAPP and FTI Consulting, Privacy and AI Governance Report, January 2023,
https://iapp.org/resources/article/ai-governance-report/


Responsible AI

154
Inclusive growth, sustainable development and well-being
Human rights and democratic values, including fairness and privacy
Transparency and explainability
Robustness, security and safety
Accountability

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Key principles of responsible AI include privacy, accountability, robustness, security, explainability,
fairness and human oversight.

The Organisation for Economic Co-operation and Development has developed a set of principles
specific to promoting trustworthy AI use:

1) Inclusive growth, sustainable development and well-being


Highlights the potential for trustworthy AI to contribute to overall growth and prosperity for
individuals, society and the planet, and advance global development objectives.
2) Human rights and democratic values, including fairness and privacy
States that AI systems should be designed in a way that respects the rule of law, human rights,
democratic and human-centered values and diversity, and include appropriate safeguards to
ensure fairness and justice.
3) Transparency and explainability
Calls for transparency and responsible disclosure around AI systems so that people understand
when they are engaging with them and can challenge outcomes.
4) Robustness, security and safety
States that AI systems must function in a robust, secure and safe way throughout their lifetimes,
and potential risks should be continually assessed and managed.
5) Accountability
Proposes that organizations and individuals who develop, deploy or operate AI systems should be
held accountable for their proper functioning in line with the OECD’s values-based principles for
AI.

Resource
OECD, “OECD AI Principles Overview,” accessed May 2024, https://oecd.ai/en/ai-principles.


AI: core risks and harms

155
Individuals Groups Society Companies Ecosystems

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
The use of AI can potentially cause a number of harms. These include individual harms, group harms,
societal harms, company/institutional harms and ecosystem harms.

Individuals
• Civil rights
• Economic opportunity
• Safety

Groups
• Discrimination toward sub-groups

Society
• Democratic process
• Public trust in governmental institutions
• Education access
• Jobs redistribution

Companies/institutions (these topics will be discussed in more depth on following slides)


• Privacy risks
• Reputational risks
• Cultural risks
• Economic risks
• Acceleration risks
• Legal and regulatory risks

Ecosystems
• Natural resources
• Environment
• Supply chain


AI: risks for businesses

156
Privacy Reputational Cultural

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Companies and institutions face a number of risks posed by the use of AI in the business
environment.

Privacy
• Data scraping at a mass scale to obtain the vast amounts of data needed for AI training models
creates a risk that private or sensitive personal information could be revealed in the AI's output
• Without incorporating privacy best practices, data sets may include the nonconsensual use of
personal data or secondary uses of data
• Bias resulting in harm to individuals and potential fines for noncompliance
• Using AI systems intensifies traditional regulatory scrutiny over privacy practices, leading to
greater organizational reputational risk and compliance-based risks
• Challenges with integrating AI use into the current risk management framework

Reputational
• Loss of customers and renewals
• Increased queries due to concerns over the AI being used; hesitant new customers with concerns
over AI used
• Negative brand impact
• Share price drop and investor flight
• Company being a target for campaigners

Cultural
• Assumption that AI is more correct than humans, so we are less likely to challenge its outcomes,
even though AI is created by humans
• Built-in bias that AI is technology- and data-driven and therefore can produce a superior
outcome, which is not necessarily the case


AI: risks for businesses

157
Privacy Reputational Cultural

Economic Acceleration Legal and regulatory

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Companies and institutions face a number of risks posed by the use of AI in the business environment
(continued).

Economic
• Costs of internal resources and remediation if something goes wrong with the AI
• Litigation costs, including class actions and punitive damages

Acceleration
• Not all risks can be anticipated from the beginning, due to the volume of data that AI can
process, the speed of processing, and the complexity of the algorithm
• AI impact may be wider and greater than with other software and technology solutions
• Rapid development of generative AI may cause it to be created without necessary controls in
place; can be very difficult to see the warning signs when things move at a quick speed

Legal and regulatory


• Lack of legal clarity brought by the changing regulatory environment
• Industry laws and regulations may apply to AI use (e.g., pharmaceutical, telecommunications,
financial)
• Privacy law implications; competition law; trade; tax
• Breach of legal and regulatory risks can lead to sanctions, fines, and orders to stop processing


AI: harmful bias risk management

158
Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
Bias in AI systems can cause harm to a person’s civil liberties, rights, safety and economic
opportunity.
• According to the IAPP-FTI Consulting Privacy and AI Governance Report, organizations deploying
AI systems consider harmful bias the top risk they face
• “Our data shows organizations shared the concern that systemic and unconscious bias — reflected
in unrepresentative data collection, models with limited validity, false positives or negatives and
lack of team diversity — leads to distorted results, unethical outcomes and other unintended
consequences.” — IAPP-FTI Consulting Privacy and AI Governance Report

To manage risk around bias appropriately, organizations need:


• Robust and consistent definitions of harms
• Clear guidelines on fairness requirements
• Established risk thresholds or risk indicators for determining bias
• Common tools, standards or best practices for bias detection
• Available benchmarking, i.e., what non-bias means in a specific use case

Resource
IAPP and FTI Consulting, Privacy and AI Governance Report, January 2023,
https://iapp.org/resources/article/ai-governance-report/


159
Chat

Review question
1. Privacy Officer Garcia must ensure that privacy by design is embedded into a new medical support
service in development at One Earth Medical. First, she must identify all privacy risks. Which
privacy risk models and frameworks might she consider using to structure this work?

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
1. Privacy Officer Garcia must ensure that privacy by design is embedded into a new medical
support service in development at One Earth Medical. First, she must identify all privacy
risks. Which privacy risk models and frameworks might she consider using to structure this
work?


160
Chat

Review question
2. What types of design strategies should Privacy Officer Garcia consider in addressing the risks she
identified? Give two examples of each strategy.

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
2. What types of design strategies should Privacy Officer Garcia consider in addressing the risks
she identifies? Give two examples of each strategy.


161
Chat

Review question
3. What strategies might Privacy Officer Garcia use to evaluate the security controls that are
implemented?

Module 5: Privacy operational life cycle — Protect: Protecting personal information

Session notes
3. What strategies might Privacy Officer Garcia use to evaluate the security controls that are
implemented?


Learning objectives

162
Module 6: Privacy operational life cycle — Protect: Policies

Module 6 learning objectives


• Identify the qualities and components of effective privacy policies.
• Review strategies for communicating the privacy program and its policies to all internal
stakeholders.
• Outline the phases of the privacy policy life cycle.
• Explore different types of privacy policies.
• Outline common goals of internal information security policies and review elements of
example policies.
• Examine approaches for assessing vendors from a privacy perspective, including those
specific to cloud-based vendors.
• Recognize privacy-related HR concerns that may be addressed through HR policies.
• Determine actions for developing data retention and data destruction policies.
• Review strategies for motivating employees to follow privacy-related policies.


Communication

163
• Privacy notice vs. policy
• Considerations
– Communications team
– Audience
– Modes
– Messaging across
functions
– Motivating employees

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
Communication: One of the most effective tools an organization has for strengthening and
sustaining the operational life cycle of its privacy program
• Two primary types of documents that communicate privacy practices
• Privacy notice
• External communication of privacy practices to customers that explains how the
organization handles their personal information
• Discussed in more depth in module 9
• Privacy policy
• Internal document addressed to employees
• Clearly states how the organization handles personal information
• Strategies for facilitating communication of the privacy program and its internal policies
• Deciding what the policy should achieve (e.g., behavioral change)
• Working with communications team
• Identifying audience and thinking about messaging
• Using existing modes of communication (e.g., company intranet)
• Working with functions whose messages align with privacy program (e.g., IT, security,
HR, etc.)
• Motivating employees and using metrics to demonstrate value of privacy

Resource
Chris Pahl, “Building a Program that Provides Value: Making Your Communication Matter,” The
Privacy Advisor (IAPP), November 29, 2016, https://iapp.org/news/a/building-a-program-that-
provides-value-making-your-communication-matter/.


Creating an effective privacy policy

164
• Clear and easy to
understand
• Accessible to all
employees
• Comprehensive yet
concise
• Action-oriented
• Measurable and
testable

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
Topics in this module
• May act as standalone policies or in various combinations
• Components may vary
• Ownership of policies may vary
Qualities of an effective policy
• Clear and easy to understand
• Targeted at audience in language they will understand
• Avoid legal jargon, unless absolutely necessary
• Accessible to all employees
• May need to be one document
• Or could be split into several different documents
• Comprehensive yet concise
• A policy should be a policy, not a detailed process manual better documented in
other ways
• Action-oriented
• Measurable and testable

Considerations when creating privacy policies


1. Understanding the organization's practices around the types of personal data collected, and how
it is collected, used, shared and stored
2. Awareness of the privacy laws and regulations that apply to the organization — many privacy
laws require that certain policies are in place, so it is important to ensure that policies do not
inadvertently put the organization in breach of any laws and regulations
3. Understanding business practices and the privacy laws that apply to the organization will help in
determining where there is a need for a privacy policy, e.g., a new privacy law or regulation, or
a gap identified between the business practices and an existing law or regulation
4. Identifying the need for and the purpose of the policy will assist in shaping its structure

See the IAPP’s online Resource Center section “Organizational Privacy Policies” for templates:
https://iapp.org/resources/topics/organizational-privacy-policies/


165
Chat

Pop quiz
What is a privacy policy?

Module 6: Privacy operational life cycle — Protect: Policies

Chat: Pop quiz


What is a privacy policy?


Privacy policy components

166
• Policies accurately reflect the organization’s operations and business practices
• Policies are aligned and consistent
– A policy that does not accurately reflect actual day-to-day practices or that is not consistent
with other policies can lead to confusion within the organization, loss of trust, and regulatory
penalties and fines for non-compliance.
• The organization’s values and commitment to privacy and data protection are clearly reflected in
policies
– Helps build trust and further demonstrates the organization’s commitment to privacy protection.

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
Privacy policy components
• Why the policy exists and the organization’s commitment to privacy
• Definition of personal information
• Overview of applicable privacy/data protection laws and regulations
• Policy scope
• What information is collected and what is done with it
• Compliance requirements
• Privacy risks
• Allotment of responsibilities
• General staff guidelines
• Data storage rules
• Data use rules
• Steps for ensuring data accuracy
• Explanations of data subject rights
• Other potential reasons for disclosing personal information
• How data subjects are provided with information about the processing of their personal
information (e.g., privacy notice)
• Data classification

Ensure that:
• Policies accurately reflect the organization’s operations and business practices
• Policies are aligned and consistent
• The organization’s values and commitment to privacy and data protection are clearly reflected in
its policies

Resource
Tech Donut, “Sample Data Protection Policy Template,” Accessed March 19, 2020,
https://iapp.org/resources/article/sample-data-protection-policy-template-2/.


The policy life cycle

167
1. Draft
2. Get approval
3. Disseminate
4. Train
5. Review and revise

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
Privacy policies are discussed in more depth in module 6.

The policy life cycle: The role of governance in effectively implementing policies
• Draft inward-facing policies that are practical, as simple as possible and easy to
understand/follow
• Work with legal to ensure compliance with legal requirements
• Make sure policies are aligned and consistent
• Ensure policies take into account legal and ethical requirements with regard to data
held, shared, or both
• Identify data collection points
• Transparency (internal and external): Who has access; what notice has been
given to data subjects
• Integrity: What processes are needed to mitigate faulty data
• Get approval from decision-makers and stakeholders
• Disseminate and socialize policies to all employees
• Delivery method(s) should ensure all employees see policies
• Example: Company intranet, email/memo, on-boarding platform
• Take advantage of formal/informal opportunities to spread the word
• Train employees (further discussed in module 8) and enforce policies
• Clear and consistent consequences of noncompliance
• Review and revise policies regularly
• At least annually
• After a breach or another major incident
• When business circumstances change (selling, acquisitions, mergers, new laws, etc.)

Resource
Tech Donut, “Sample Data Protection Policy Template,” Accessed March 16, 2020,
https://iapp.org/resources/article/sample-data-protection-policy-template-2/.


Communicating your privacy policy

168
• What do you want the policy to achieve?
• How can you work with the
communications team?
• Who is the audience?
• What existing communications modes
can you employ?
• Which functional areas most align with
the privacy program?
• How can you motivate employees and
use metrics to help demonstrate the
value of privacy?

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
When launching communications related to the privacy program, consider the following questions:
• What do you want the policy to achieve? Should it, for example, simply spread knowledge? Or
should it attempt to change behavior?
• How can you work with the communications team?
• Who is the audience?
• What existing communication modes — such as a company intranet — can you employ?
• Which functional areas most align with the privacy program? (For example, IT, security or HR.)
• How can you motivate employees and use metrics to help demonstrate the value of privacy?


169
Chat

Brainstorm
Take a moment to consider the different
privacy-related policies and procedures an
organization may put in place to protect the
personal information it holds.

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
Types of policies
• An organization may focus the privacy policy on the handling of personal information, individual
rights, and relevant regulatory concerns and focus the security policy on the security and
protection of personal information
• Small to medium-sized organizations may decide to integrate their security and privacy policy
documents together
• Typical when same staff manages both security and privacy for the organization, or the
security and privacy programs are closely tied together
• Larger organizations may decide to have a security policy focusing on the security and protection
of personal information and a separate privacy policy focusing on the handling of personal
information, individual rights, sharing, transferring and disclosing personal information, and
relevant regulatory concerns

Chat: Brainstorm
Take a moment to consider the different privacy-related policies and procedures an organization
may put in place to protect the personal information it holds.


Types of privacy-related policies

170
Considerations

Data collection
Data usage and processing
Data retention and disposal
Legal and ethical requirements
Specific data types
Other types of policies

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
Types of privacy-related policies: considerations
Data collection
• Be sure to understand business practices around key privacy concepts such as data collection
• Consider the specific legal requirements and obligations around data collection such as
transparency, data quality, etc.
• Ensure appropriate policies are in place to protect the data
Data usage and processing
• One of the most important exercises an organization can perform is to gain an understanding of
the various types of data it collects and how that data is processed
• Consider the specific requirements and obligations that apply to the organization and ensure that
policies address them adequately
Data retention and disposal
• This policy details how long data can be held by the organization before it must be properly
disposed of
• Meant to prevent an organization from keeping the data for longer than necessary
• An example of a policy that can address specific obligations imposed by privacy laws
Legal and ethical requirements
• All policies, regardless of the specific type, should consider legal and ethical requirements
• Many privacy regulations require that certain policies are in place
• Ethical requirements are the organization’s moral obligations to protect the privacy of the
personal data it collects, uses and stores
• An action or process may be technically legal, but not ethical
Specific data types
• Policies may address specific data types such as employee data in an employee data handling
policy or sensitive personal information in a sensitive personal data policy
• Examples: Data quality policies, data classification policies
Other types of policies
• Several other common privacy and security policies and procedures an organization may have
include:
• Acceptable use policy, secondary use policy, information security policy, third-party risk
management policy and standard operating procedure, human resources SOP, and data
destruction SOP


Acceptable use policies

171
Example: guest wireless access

I ACCEPT

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
Acceptable use policies
• Explain how an organization’s resources and personal data should be used
• Provide general policies around acceptable and unacceptable uses, plus specific procedures for
transferring, sharing, accessing and storing personal data
• Can also stipulate rules and constraints for people within and outside the organization who access
the network or internet connection
• Employees, partners, vendors, volunteers, students and guests
• IT security function usually plays major role in developing AUPs
Common components
• Others’ privacy
• Legal protections (e.g., copyright)
• Integrity of computer systems (e.g., anti-hacking rules)
• Ethics
• Laws and regulations
• Others’ network access
• Routing patterns
• Unsolicited advertising and intrusive communications
• User responsibilities for damages
Example: Guest wireless access acceptable use policy
• Illustrates goals and components of an acceptable use policy
• Prerequisites for visitors used as gatekeepers to visitor access
• Guests required to accept the policy (e.g., by checking a box) before accessing the wireless
internet connection


Secondary use policies

172
• Personal information
collected for one
purpose then used for
a different purpose

• Article 5(1)(b) of the GDPR
(purpose limitation) prohibits
further processing of personal
data that is incompatible with
the original purpose, with
some exceptions

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
Secondary use occurs when an organization takes personal information it has collected for one
purpose and uses it for a different purpose.
• As a general privacy rule, personal information should only be used for the purpose for which it
was originally collected, or for a new purpose compatible with the original purpose
• All uses of personal information must be addressed in both the external privacy notice as well as
the internal privacy policies
• Guidelines of the privacy notice and policy should address secondary use of
information, and those principles should be understood by both the individual and the
party collecting the information
• Article 5(1)(b) of the GDPR (purpose limitation) prohibits further processing of personal data in a
manner incompatible with the purposes for which it was collected, with some exceptions: further
processing for archiving purposes in the public interest, or for scientific or historical research or
statistical purposes, is not considered incompatible when carried out with appropriate safeguards
• Your organization should determine and implement guidelines for secondary use consistent with
relevant laws


Information security policies

173
Access and data classification

“What’s your password?”
• Protect against unauthorized access
• Provide information efficiently
• Maintain confidentiality, integrity and availability
• Promote compliance
• Promote data quality

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
Information security policies: Information access and data classification
• Common information security goals (may be addressed through internal policy)
• Protect against unauthorized access to data and information systems
• Provide stakeholders with information efficiently while maintaining its
confidentiality, integrity and availability
• Promote compliance with laws, regulations, standards and other organizational
policies
• Promote data quality


Information security policies: Access and data classification (sample policies)

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
• Components of two sample policies owned by IT/security that address information access and
data classification
• Northwestern University: http://www.it.northwestern.edu/policies/dataaccess.html
• Audience, definitions and scope
• Policy owners
• Standards for data classification (public info, internal info, legally/contractually
restricted info)
• Association of Washington Public Hospital Districts:
https://iapp.org/media/pdf/resource_center/AWPHD-ISaccess.pdf
• Affected systems and who is affected
• Entity authentication
• Workstation access control system
• Disclosure notice
• System access controls
• Access approval
• Limiting user access
• Need-to-know
• Compliance statements
• Audit trails and logging
• Confidential systems
• Access for non-employees
• Unauthorized access
• Remote access
• Password policy

• Additional examples may be found at the IAPP’s online Resource Center section, “Organizational
Privacy Policies,” https://iapp.org/resources/topics/organizational-privacy-policies/


Procurement: Engaging vendors

1. Create a policy
2. Identify vendors, entry points, personal information and legal obligations
3. Evaluate
4. Contract
5. Monitor

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
• Create a policy
• Vendor selection
• Logistics (e.g., where work will be conducted)
• On-boarding and employee training
• Termination (e.g., remote-wiping of devices)
• Identify
• All vendors and potential entry points (e.g., employee signs up to use free survey tool)
• Personal information the vendor can access
• Legal obligations imposed on the organization and on vendors
• Evaluate
• Process for risk assessment, risk profile and categories of vendors based on risk
• Vendor internal policies
• Affiliations/memberships with organizations
• Certifications
• Location of servers
• Contract
• Standard contract language
• Requirement to inform the organization when any privacy/security policies change
• Prohibition on policy changes that weaken privacy/security protections
• Vendor liability
• Vendor security incident response procedures
• Right to audit
• Data migration/deletion upon termination
• Monitor
• Crossover with audit/compliance function
• Recurring on-site visits
• Attestations
• Periodic reassessments
Resources
K Royal and Pedro Pavón, “Third-Party Vendor Management Means Managing Your Own Risk,” 10
vols, The Privacy Advisor (IAPP), 2014-2015, https://iapp.org/resources/article/third-party-vendor-
management-means-managing-your-own-risk-3/.


Procurement/InfoSec policy: Cloud computing acceptable use

"Can we use this free online survey service?"

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
Vendors that provide cloud computing services may pose distinct privacy challenges, especially
because of compliance requirements and security risks.

Procurement/InfoSec policy: Cloud computing acceptable use


• Policy goals
• Maintain compliance with policies, laws, regulations, standards (such as ISO 27018)
• Ensure all cloud computing agreements are approved by appropriate leadership (e.g.,
CIO)
• Maintain privacy and security of data
• Mitigate risks of processing data using cloud-based applications and tools
• Common components
• Cloud-based applications and tools that may be used
• Restrictions for processing sensitive information using cloud-based applications
• Restrictions on personal use of cloud-based applications and tools
• Data classification and rules for handling

Resources
Loyola University, “Cloud Computing Policy,” Accessed March 19, 2020,
https://luc.edu/its/aboutits/itspoliciesguidelines/cloud_computing_policy.shtml


Privacy-related HR concerns

Salary, geolocation, résumé, phone recordings, email data, bank account info, benefits info,
background checks, browser history, video surveillance, contact lists, performance evaluations

Chat: Brainstorm
What are some common types of HR policies that may address the privacy-related HR concerns
shown above?

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
HR handles diverse employee personal information and will typically have policies to guide
processing.

Chat: Brainstorm
The slide shows some privacy-related HR concerns that may be addressed through HR policies.

What are some common types of HR policies that may address these concerns?

Sample HR policies can be found at the IAPP’s online Resource Center section “Organizational
Privacy Policies”: https://iapp.org/resources/topics/organizational-privacy-policies/.


Data retention and destruction policies

"Should I delete these old files on the server?"

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
Data retention and destruction policies
• The idea that personal information should only be retained for as long as necessary to
perform the stated purpose is the driving force behind data retention strategies/policies.
• Data destruction triggers (e.g., account closure, end of a contract, expiry of a statutory
period) and destruction methods should be documented and followed consistently by all
employees
• Should align with laws, regulations and standards, such as minimum periods for which records
must be kept; a legal hold suspends scheduled destruction until the hold is lifted
• Ownership of the policy may vary and intersect with privacy, legal, IT, operations, finance, the
business function, etc.
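The following is an added example, not code from the IAPP guide, showing how a retention schedule of the kind described above can be applied mechanically: each record category has a destruction trigger, a policy maximum and any statutory minimum, and a legal hold overrides the schedule. The categories, periods, dates and hold list are assumptions constructed for illustration.

```python
"""Evaluate a retention schedule against a record inventory.

Added example, not from the IAPP guide. The record categories, retention
periods, dates and legal-hold list below are constructed for illustration;
real schedules come from the organization's own legal and business analysis.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention schedule (assumed): category -> destruction trigger, the maximum
# time the policy allows after the trigger, and any statutory minimum that
# may override it. The policy can never cut a record shorter than the minimum.
SCHEDULE = {
    "customer_account": {"trigger": "closed_on",       "max_years": 2, "min_years": 0},
    "invoice":          {"trigger": "created_on",      "max_years": 5, "min_years": 7},  # statute wins
    "job_application":  {"trigger": "decided_on",      "max_years": 1, "min_years": 0},
    "marketing_lead":   {"trigger": "last_contact_on", "max_years": 1, "min_years": 0},
}

TODAY = date(2024, 6, 1)  # fixed so the example is reproducible


@dataclass
class Record:
    record_id: str
    category: str
    dates: dict = field(default_factory=dict)  # trigger name -> date, or None if not yet reached


def retention_deadline(record, schedule=SCHEDULE):
    """Date on which the retention period ends, or None if the trigger has not occurred."""
    rule = schedule[record.category]
    trigger = record.dates.get(rule["trigger"])
    if trigger is None:
        return None
    keep_years = max(rule["max_years"], rule["min_years"])
    return trigger + timedelta(days=365 * keep_years)


def disposition(record, today=TODAY, legal_holds=frozenset(), schedule=SCHEDULE):
    """Decide what to do with one record on a given day."""
    if record.category not in schedule:
        # Unclassified data is a policy gap to escalate, not a deletion candidate.
        return "escalate: no retention rule"
    if record.record_id in legal_holds:
        # A hold suspends the schedule even when the period has already expired.
        return "retain: legal hold"
    deadline = retention_deadline(record, schedule)
    if deadline is None:
        return "retain: purpose still active"
    if today > deadline:
        return "destroy"
    return "retain: within period"


def destruction_queue(records, today=TODAY, legal_holds=frozenset(), schedule=SCHEDULE):
    """IDs of records due for destruction, sorted so the run is reproducible and auditable."""
    return sorted(r.record_id for r in records
                  if disposition(r, today, legal_holds, schedule) == "destroy")


# Constructed inventory.
SAMPLE_RECORDS = [
    Record("acct-1", "customer_account", {"closed_on": date(2020, 3, 1)}),
    Record("acct-2", "customer_account", {"closed_on": None}),            # still a customer
    Record("inv-1",  "invoice",          {"created_on": date(2019, 5, 10)}),
    Record("app-1",  "job_application",  {"decided_on": date(2022, 1, 15)}),
    Record("lead-1", "marketing_lead",   {"last_contact_on": date(2023, 11, 2)}),
    Record("misc-1", "scanned_forms",    {}),                              # not in the schedule
]
SAMPLE_HOLDS = frozenset({"app-1"})  # e.g., a pending employment claim

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(f"{r.record_id:8} {disposition(r, TODAY, SAMPLE_HOLDS)}")
    print("destroy:", destruction_queue(SAMPLE_RECORDS, TODAY, SAMPLE_HOLDS))
```

The trigger is the end of the purpose (account closure, hiring decision), not the date the data was created, which is what keeps an active customer's record out of the queue; the sorted output is what an auditor would expect to see recorded for each run.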

Resource
Trista Perot, “Developing an Effective Data Retention Policy,” 3 vols, Global Data Vault, June 2012,
https://www.globaldatavault.com/blog/data-backup-developing-an-effective-data-retention-
policy/.



Module 6: Privacy operational life cycle — Protect: Policies

Chat: Share
Does your organization have a data retention policy? What steps did it take to develop and
implement the policy?


Implementing policies

1. Align policies with existing business procedures

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
Privacy-related policies will not be effective if individuals do not care about/follow them.

• Align policies with existing business procedures: Privacy office or other responsible party should
have some procedure for cataloging/tracking documents that reference privacy policy
requirements/guidelines
• HR functions
• Business development: Part of assessment process of proposed projects
• Project management: Privacy by design
• Procurement and contract management
• Risk management
• Incident management
• Performance management

Resource
Kim Bustin, “Practical Strategies for Creating a Privacy Culture in Your Organization,” The Privacy
Advisor (IAPP), September 1, 2010, https://iapp.org/news/a/2010-08-24-strategies-for-creating-a-
privacy-culture-in-your-organization/.


Implementing policies

1. Align policies with existing business procedures
2. Raise awareness

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
• Raise awareness
• Senior leadership buy-in
• Data Privacy Day
• Infographics, tip sheets, comics, posters, postcards and stickers
• Blogs and wikis
• Brown bags/lunch-and-learns
• Further discussed in module 8


Implementing policies

1. Align policies with existing business procedures
2. Raise awareness
3. Train

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
• Train
• Classes or simulations
• Discussed in module 8


Privacy policy compliance

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
Privacy policy compliance
It is not enough to simply disseminate a privacy policy and assume everyone in the organization will
follow it.
• Actively monitor privacy policy compliance through:
• Metrics
• Assessments
• Attestations
• Audits
• The privacy landscape is rapidly changing:
• New laws and regulations
• Interpretations of existing laws
• Customer expectations and requirements on the use of personal information
• Monitor internal and external factors to ensure your privacy policy continues to meet these
requirements


Closing the loop

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
Closing the loop
Policies and procedures should be developed not only with compliance and risk management in mind
but also auditability and enforceability.

Consider these questions related to closing the loop in your organization:


• Do we audit the privacy program on a regular basis?
• Do existing policies work as intended?
• Are there additional safeguards that could be put in place?
• What are the consequences for an employee who does not follow a policy? What about a vendor?
• Are consequences regularly enforced?

Your organization may determine that using an independent internal auditor may aid its ongoing
auditing process.


Chat: Review question 1

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
1. Privacy Officer Garcia works with relevant functions across the organization to align One
Earth Medical’s policies with its privacy requirements. What components might be included
in the privacy policy?


Chat: Review question 2

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
2. Garcia works with the information security function to revise One Earth’s cloud computing
acceptable use policy. What are high-level goals of such a policy?


Chat: Review question 3

Module 6: Privacy operational life cycle — Protect: Policies

Session notes
3. What actions will help to ensure One Earth’s policy for engaging vendors aligns with its
privacy requirements?


Module 7: Privacy operational life cycle — Sustain: Monitoring and auditing program performance

Learning objectives

Module 7 learning objectives


• Recognize the primary, secondary and tertiary audiences for your organization’s privacy
program analysis.
• Review the responsibilities of a metric owner.
• Summarize four types of metric analysis.
• Explore various types of privacy program performance monitoring and examples of each.
• Review different forms of privacy program performance monitoring.
• Review the definition of a privacy audit.
• Identify five phases of auditing a privacy program.
• Compare the three types of privacy program audits.


You can’t improve what you don’t measure.

Module 7: Privacy operational life cycle — Sustain: Monitoring and auditing program performance

Session notes
• You can’t improve what you don’t measure
• A metric is a unit of measurement that provides data to help answer specific questions about
business operations and should be as objective as possible
• Metrics serve as key performance indicators that can be used to set and attain business goals and
objectives
• An organization should focus on developing generic privacy metrics to reflect data privacy
compliance, data-driven decision-making, and the overall impact of the privacy program
• Measurement and metrics allow privacy managers to:
• Report to stakeholders across the business
• View trends to determine if the privacy program is operating as designed

Resource
Angelique Carson, “How to Measure Your Privacy Program, Step-by-Step,” The Privacy Advisor
(IAPP), May 16, 2014, https://iapp.org/news/a/how-to-measure-your-privacy-program-step-by-
step/.



Module 7: Privacy operational life cycle — Sustain: Monitoring and auditing program performance

Chat: Brainstorm
What metrics are most critical to your organization, and why?


Develop metrics to analyze...

Can you have too many metrics?

Module 7: Privacy operational life cycle — Sustain: Monitoring and auditing program performance

Session notes
Develop metrics to analyze…
• Collection
• Responses to data subject inquiries
• Use
• Retention
• Disclosure to third parties
• Incidents
• Employee training
• Privacy impact assessments
• Privacy risk indicators
• Percent of functions represented by governance mechanisms

Can you have too many metrics?


• Yes — when it comes to metrics, quality is more important than quantity
• Data collection, storage and analysis are expensive business functions and are costly when
collecting unnecessary data or creating an extreme number of metrics that provide no value

Resource
Chris Pahl, “Building a Program that Provides Value: Using Meaningful Metrics,” The Privacy Advisor
(IAPP), September 26, 2016, https://iapp.org/news/a/building-a-program-that-provides-value-using-
meaningful-metrics/.



Module 7: Privacy operational life cycle — Sustain: Monitoring and auditing program performance

Chat
As a first step in selecting relevant metrics, identify the intended metric audience — the relevant
stakeholders who will use the data to view, discuss and possibly make organizational strategic
decisions.

Identify the intended metric audiences:


• Who typically makes up the primary, secondary and tertiary audiences?
• What are the differences among these audiences?


Metric owner role

Module 7: Privacy operational life cycle — Sustain: Monitoring and auditing program performance

Session notes
Metric owner role
• Process owner, champion and advocate responsible for management of the metric throughout the
metric life cycle
• Tasks
• Know what is critical about the metric: Ask why the output is important and how the
metric fits into the business objectives
• Monitor process performance with the metric
• Keep process documentation up to date to ensure all audiences have a clear definition
of the metric and how it should be used
• Minimize variance within a metric
• Develop documentation of metrics using flowcharts, visual displays, graphics and
other methods
• Champion the metric in meetings, working groups and in other organization
communications
• Perform regular reviews; determine whether the metric is still required, is capable of
meeting its goals, and provides value to the organization
• Ensure improvements are incorporated and maintained in the process
• Generally, may not perform the data collection tasks or perform the measurements of
the metric
• Tasks may be directed to the IT department, for example, and the metric owner
simply utilizes the information
• Required skills
• Privacy knowledge
• Training and experience, to limit errors in the interpretation of privacy-related
laws, regulations and practices


Analyzing metrics: trend analysis, return on investment, business resiliency, privacy program maturity

Module 7: Privacy operational life cycle — Sustain: Monitoring and auditing program performance

Session notes
Four common ways to analyze privacy program metrics are:
• Trend analysis
• Return on investment
• Business resiliency
• Business resilience: “The ability to rapidly adapt and respond to business disruptions
and to maintain continuous business operations, be a more trusted partner, and
enable growth.” — IBM
• Measured through metrics associated with data privacy, incident response,
compliance, system outages and other factors as defined by the business case and
organization objectives
• The business continuity or disaster recovery office (if it exists) should be contacted to
assist in the selection and use of data for this metric type
• Program maturity
• You can select from several Privacy Maturity Models or develop a custom one for your
organization
• Whatever PMM you choose, it should define how to determine the maturity level of
your privacy program and operations
• Most maturity models use five maturity levels:
• Level 1 (Ad hoc/initial): Informal, incomplete, undocumented and undefined
• Level 2 (Repeatable): There is structure and consistent focus on improvement
• Level 3 (Defined): Defined and documented with consistency
• Level 4 (Managed): Requirements and controls are in place with metrics
• Level 5 (Optimized): Deliberate and continuous process improvement

Follow-up chat
Have you used any of these forms of analysis? Which ones, and why?

Resource
IBM Business Continuity and Resiliency Services, “Business Resilience: The Best Defense Is a Good
Offense,” January 2009, https://docplayer.net/18554573-Business-resilience-the-best-defense-is-a-
good-offense.html.


Analyzing metrics: trend analysis

Time series, cyclical component, irregular component

Module 7: Privacy operational life cycle — Sustain: Monitoring and auditing program performance

Session notes
Analyzing metrics: trend analysis
One of the easiest statistical methods used for reporting data.

Trend analysis attempts to spot patterns in the data as viewed over a period of time. Separating
the components below helps ensure the data is interpreted correctly and that apparent
relationships are meaningful rather than artifacts of timing or noise.

• Time series (trend): The underlying upward or downward tendency over time
• Example: number of privacy incidents over time
• Cyclical component: Regular fluctuations that repeat on a weekly, monthly or yearly basis
• Example: measuring the number of privacy breaches in the month after an organization
rolls out new privacy training, and then every three months, to see whether the number
steadily rises as the distance from the training increases
• Irregular component: Also known as “noise”; what is left over once the trend and cyclical
components have been accounted for, and the most difficult to detect
• Example: a one-off spike or lull in privacy breaches that neither the trend nor the cycle
explains

Microsoft Excel is a useful tool for analyzing the data.
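The following is an added example, not from the IAPP guide, that carries the three-component split above through in code rather than in a spreadsheet: a centered moving average estimates the trend, the typical detrended value for each month of the year estimates the cycle, and whatever is left is the irregular component, which is then screened for outliers. It goes slightly beyond the guide by showing the general decomposition algorithm; the 48 monthly incident counts are constructed (rising baseline, mid-year peak, one planted spike), and the choice of median rather than mean for the cycle estimate is a design assumption so that a single outlier does not leak into the cycle.

```python
"""Classical additive decomposition of a monthly privacy-incident series into
trend, cyclical (seasonal) and irregular components.

Added example, not from the IAPP guide. The 48 monthly counts below are
constructed: a rising baseline, a yearly cycle that peaks mid-year, and one
planted spike (month index 21, October of year 2) to play the irregular part.
"""
from statistics import mean, median, pstdev

INCIDENTS = [
    4, 4, 5, 5, 7, 7, 8, 8, 8, 8, 7, 7,              # year 1
    7, 7, 8, 8, 10, 10, 11, 11, 11, 26, 10, 10,      # year 2 (26 is the planted outlier)
    10, 10, 11, 11, 13, 13, 14, 14, 14, 14, 13, 13,  # year 3
    13, 13, 14, 14, 16, 16, 17, 17, 17, 17, 16, 16,  # year 4
]
PERIOD = 12  # monthly data, yearly cycle


def linear_trend(series):
    """Least-squares slope and intercept: slope > 0 is an upward tendency."""
    n = len(series)
    x_bar, y_bar = (n - 1) / 2, mean(series)
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in enumerate(series))
    sxx = sum((x - x_bar) ** 2 for x in range(n))
    slope = sxy / sxx
    return slope, y_bar - slope * x_bar


def centered_moving_average(series, period=PERIOD):
    """2 x period centered moving average (the classical trend estimate).
    For an even period the two end points of the window get weight 1/2 so the
    average is centered on the month. None where a full window does not fit."""
    half = period // 2
    trend = [None] * len(series)
    for i in range(half, len(series) - half):
        w = series[i - half:i + half + 1]
        trend[i] = (w[0] / 2 + sum(w[1:-1]) + w[-1] / 2) / period
    return trend


def seasonal_component(series, trend, period=PERIOD):
    """Typical detrended value for each month of the cycle, normalised to sum to zero.
    The median is used so a single outlier does not leak into the cycle estimate."""
    buckets = [[] for _ in range(period)]
    for i, (y, t) in enumerate(zip(series, trend)):
        if t is not None:
            buckets[i % period].append(y - t)
    raw = [median(b) if b else 0.0 for b in buckets]
    level = mean(raw)
    return [r - level for r in raw]


def decompose(series, period=PERIOD):
    """Return (trend, seasonal, irregular); irregular is None wherever trend is None."""
    trend = centered_moving_average(series, period)
    seasonal = seasonal_component(series, trend, period)
    irregular = [None if t is None else y - t - seasonal[i % period]
                 for i, (y, t) in enumerate(zip(series, trend))]
    return trend, seasonal, irregular


def irregular_points(irregular, k=2.0):
    """Indices whose leftover (noise) is more than k standard deviations from its mean."""
    vals = [r for r in irregular if r is not None]
    mu, sigma = mean(vals), pstdev(vals)
    return [i for i, r in enumerate(irregular)
            if r is not None and abs(r - mu) > k * sigma]


def report(series, period=PERIOD):
    """The summary a metric owner would put in front of the primary audience."""
    slope, _ = linear_trend(series)
    trend, seasonal, irregular = decompose(series, period)
    peak_month = max(range(period), key=lambda m: seasonal[m])
    return {"direction": "up" if slope > 0 else "down",
            "incidents_per_month_change": round(slope, 3),
            "cycle_peak_month_index": peak_month,
            "irregular": irregular_points(irregular)}


if __name__ == "__main__":
    print(report(INCIDENTS))
```

On the constructed series the report comes back with an upward direction, a cycle peaking at month index 6 (July) and exactly one irregular point, the planted October spike; the trend estimate needs six months on either side, so the first and last half-year carry no irregular value, which is the usual reason a metric owner wants more than two years of data before reading a cycle.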


Analyzing metrics: ROI

ROI = (Benefits – Costs)/Costs

Cost categories: physical assets, personnel assets, IT assets, operational management assets

Module 7: Privacy operational life cycle — Sustain: Monitoring and auditing program performance

Session notes
Analyzing metrics: ROI
Privacy ROI helps provide justification to pay for a good privacy program by defining metrics to
measure the effectiveness of investments and the cost to protect personal data.

Develop a privacy ROI by looking at the risk that has been mitigated and tracking that risk in
financial terms. Consider the costs associated with different types of assets and how the assets
pertain to the privacy program:

• Personnel assets (users): Tracking measures that aim to reduce the chance of accidental or
intentional action by users either inside the organization, like employees and business partners,
or outside the organization, like hackers. Their actions can alter, destroy, misappropriate,
misuse, misconfigure, distribute or make unavailable an organization’s assets and data.
• Information technology assets: Implementation and monitoring of hardware and software assets
with technical features that collectively protect the organizational assets and data, achieving
and sustaining confidentiality, integrity, availability and accountability.
• Operational management assets: Creating and administering policies and standard operating
procedures that define the interaction between users, systems and system resources.

The ROI metric will be a major indicator to stakeholders of the return on the organization’s
investment in privacy protection.
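The following is an added example, not from the IAPP guide, that puts the formula and the asset categories above together with the idea of tracking mitigated risk in financial terms. The guide does not prescribe how risk is monetised; the example assumes the common practitioner approach of annualised loss expectancy (expected events per year multiplied by the loss per event) and compares two control options, one of which costs more than the risk it removes. Every scenario, rate and cost figure is constructed.

```python
"""Privacy ROI from mitigated risk, in financial terms.

Added example, not from the IAPP guide. The guide gives ROI = (Benefits - Costs) / Costs
and the four asset categories on the cost side; expressing the mitigated risk as the
drop in annualised loss expectancy (ALE = expected events per year x loss per event)
is a common practitioner assumption, not the guide's method. All figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    loss_per_event: float          # fines, notification, remediation, lost business per occurrence
    events_per_year_before: float  # expected occurrences per year without the control
    events_per_year_after: float   # expected occurrences per year with the control


@dataclass(frozen=True)
class ControlOption:
    name: str
    scenarios: tuple               # RiskScenario objects the control affects
    # annual cost broken down by the asset categories on the slide
    physical: float = 0.0
    personnel: float = 0.0
    it: float = 0.0
    operational_management: float = 0.0

    @property
    def annual_cost(self):
        return self.physical + self.personnel + self.it + self.operational_management


def ale(loss_per_event, events_per_year):
    """Annualised loss expectancy for one scenario."""
    return loss_per_event * events_per_year


def mitigated_risk(scenarios):
    """Benefit side: loss avoided per year, not revenue earned."""
    return sum(ale(s.loss_per_event, s.events_per_year_before)
               - ale(s.loss_per_event, s.events_per_year_after) for s in scenarios)


def privacy_roi(option):
    """ROI = (Benefits - Costs) / Costs with benefits taken as mitigated risk."""
    if option.annual_cost <= 0:
        raise ValueError("a control with no cost has no meaningful ROI")
    return (mitigated_risk(option.scenarios) - option.annual_cost) / option.annual_cost


def rank_options(options):
    """Options ordered best ROI first; a negative ROI means the control costs more than it saves."""
    return sorted(options, key=privacy_roi, reverse=True)


# Constructed scenarios and options.
MISDIRECTED_EMAIL = RiskScenario("misdirected email with personal data", 50_000, 2.0, 0.5)
LOST_LAPTOP = RiskScenario("unencrypted laptop lost or stolen", 80_000, 0.5, 0.1)
LOST_LAPTOP_ENCRYPTED = RiskScenario("laptop lost, data unreadable", 80_000, 0.5, 0.05)

OPTIONS = (
    ControlOption("DLP plus staff training", (MISDIRECTED_EMAIL, LOST_LAPTOP),
                  personnel=60_000, it=45_000, operational_management=15_000),
    ControlOption("full-disk encryption", (LOST_LAPTOP_ENCRYPTED,),
                  it=25_000, operational_management=5_000),
)

if __name__ == "__main__":
    for opt in rank_options(OPTIONS):
        print(f"{opt.name:28} cost {opt.annual_cost:>9,.0f}  "
              f"risk mitigated {mitigated_risk(opt.scenarios):>9,.0f}  ROI {privacy_roi(opt):+.2f}")
```

With these constructed numbers the encryption option returns +0.20 and the larger programme returns about -0.11, which is the point of the metric: a control can be worth having for compliance reasons and still show a negative ROI, and the stakeholder conversation should then be about the non-financial benefits rather than about hiding the number.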



Module 7: Privacy operational life cycle — Sustain: Monitoring and auditing program performance

Chat: Your outlook


To conduct an ROI analysis, you must define the value of an asset.

What should an organization consider when determining the value of information assets?

Session notes
Goal of ROI analysis
• Maximize the benefits of investments that generally do not generate revenue; rather, they
prevent loss
• Provides the quantitative measurement for costs and benefits, strengths and weaknesses of the
organization’s privacy controls


Metrics: Reporting
Module 7: Privacy operational life cycle — Sustain: Monitoring and auditing program performance

Session notes
Metrics are vital to the privacy program. DPOs and other privacy leaders must report to the board of
directors or senior leadership on privacy matters and metrics can demonstrate compliance.

Explore the link below for a template of a DPO report to management, which identifies several
categories of metrics, including:
• Defending the company’s systems and data
• Complying with legal responsibilities and regulations
• Advising the business

https://iapp.org/media/pdf/resource_center/DPO_Report_Template.pdf


Compliance monitoring: Create a plan

Step 1: Assess the risk
Step 2: Establish testing parameters
Step 3: Determine frequency
Step 4: Implement remedial actions
Step 5: Document all checks
Step 6: Manage change

Module 7: Privacy operational life cycle — Sustain: Monitoring and auditing program performance

Session notes
Compliance monitoring is the continuous assessment of standards, policies and procedures, and
controls to ensure the compliance requirements set by the organization are being met.

Compliance requirements determined by:


• Regulatory requirements
• Industry standards
• Internal risk management

The importance of compliance monitoring:

• Evidences accountability and risk oversight
• Establishes security controls and measures to mitigate risk
• Avoids regulatory violations, fines and enforcement actions
• Saves time and money by catching violations as they occur, before they become bigger issues
• Protects the organization from vulnerabilities
• Builds trust and confidence with stakeholders

Compliance monitoring plan:


1. Assess risk of the process or area to which the policy or control refers.
2. Establish testing parameters and procedures and determine what will be done and how — e.g.,
use manual or automated monitoring scans?
3. Determine the frequency of checks (e.g., monthly consent check or quarterly data retention
checks). This should be decided with a risk-based approach prioritizing the greater risks
associated with data.
4. Implement remedial actions (i.e., fix issues to prevent recurrence). This can include improving
processes, increasing employee training, or updating internal policies.
5. Document all checks and corrective actions and provide reporting to the business.
6. Manage change. The privacy program must be current and flexible enough to adapt to evolving
regulatory requirements, business operations and technological advancements.


Types of monitoring

• Regulatory and legislative changes: Track using publications and/or external vendors
• Compliance and risk: Review the collection, use and retention of personal information throughout
the information life cycle
• Environmental vulnerabilities: Monitor internal and external threats

Module 7: Privacy operational life cycle — Sustain: Monitoring and auditing program performance

Session notes
Types of monitoring
• Monitoring regulatory and legislative changes
• Monitor changes and compliance
• Track using publications and/or external vendors
• Compliance and risk monitoring
• Review the collection, use and retention of personal information throughout the
information life cycle
• Approaches: Self-monitoring, audit management (internal and external), security and
systems management, and risk management
• Environmental vulnerabilities monitoring
• Monitor internal and external threats
• Internal monitoring is as crucial as external monitoring and advanced risk management
practices
• Vulnerabilities
• Building access, visitors and data center activity
• Data access and authentication
• Lack of awareness/lack of training
• Insider threats, such as modifying or stealing confidential or sensitive
information for personal gain (“low-tech attacks”); theft of trade secrets
or customer information to be used for business advantage or to give to a
foreign government; technically sophisticated crimes that sabotage the
organization’s data, systems or network
• External monitoring includes vulnerability testing, penetration testing, etc.


Many forms of monitoring
Module 7: Privacy operational life cycle — Sustain: Monitoring and auditing program performance

Session notes
Many forms of monitoring
• Active scanning tools, such as network data loss prevention (DLP), to identify risks to personal
information and monitor for compliance
• Audit activities, such as internal and external reviews of people, processes, technology and
financials
• Breach management practices, including breach monitoring: Driven by laws and regulations;
tracking breach type, severity, and time to remediation are especially important types of
monitoring
• Complaint monitoring: A formal process will track, report, document and provide resolutions to
complaints; protect the organization legally; and provide repeatable processes and tracking
mechanisms to ensure transparency and accountability. Details about the type and location of
complaints can provide early indicators of the potential for regulatory activity.
• Data retention/records management strategies: Should meet legal and business needs for
privacy, security and data archiving; monitor for potential areas for risk in retention schedules or
practices like excessive collection or inadequate controls
• Dashboards: Automated means for organizations to identify, document and manage their existing
risks and controls
• Control-based monitoring: Assesses the design and operational effectiveness of controls. Some
governance, risk and compliance tools provide automated means to undertake some or all of
these checks.
• HR practice monitoring: For example, hiring and termination; monitoring data; and monitoring
building access/use. HR is responsible for ensuring the privacy of employee personal information;
some kinds of workplace monitoring require additional privacy considerations.
• Monitoring internal and external conditions: Risks that exist because of changes in the
environment or changes to the industry; internal shifts such as mergers, acquisitions and
divestitures
• Regulation-based monitoring: For compliance with regulations and requirements
• Suppliers/third parties: Supplier monitoring should include appropriate privacy and security
requirements, as well as provider performance, to ensure compliance with contract specifications,
laws and policies

201


Session notes
Continuous monitoring
Beyond standard security monitoring practices, consider different approaches for continuously
monitoring key aspects of a privacy program.

What is continuous monitoring and why is it required?
• Maintaining ongoing awareness of privacy risks and assessing privacy controls at a frequency
sufficient to ensure compliance with applicable privacy requirements and to manage privacy risks

What is the approach for continuous monitoring?
• Deploy a continuous privacy monitoring program to conduct assessments to determine whether
the controls are implemented correctly, operating as intended, and sufficient

• Are you protecting personal information?
• Ensure program goals for confidential protection of personal information are achieved
• Are you following policies, procedures and programs?
• Determine if policies, procedures and programs are being followed
• Are you minimizing consequences via early detection and remediation?
• Minimize consequences of privacy failures through early detection and remediation
• Are you providing feedback?
• Provide feedback necessary for privacy program improvement
• Are you demonstrating your commitment to privacy management?
• Demonstrate to the workforce and the community at large the organizational
commitment to privacy management
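Several of the monitoring types listed under "Many forms of monitoring" (retention schedules, breach type, severity and time to remediation, complaint type and location) and the continuous-monitoring questions above lend themselves to automated checks. The following Python example is added here and is not IAPP's code or that of any governance, risk and compliance tool: it assumes a constructed records inventory, breach log and complaint register, with retention limits, remediation targets and a complaint threshold chosen purely for illustration, and runs three such checks, returning findings for the privacy team to review rather than deciding anything itself.

```python
"""Added example: automated checks for a continuous privacy monitoring program.
All formats, thresholds and sample values below are constructed for illustration
and are not IAPP's, nor any real organization's or vendor's."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str              # constructed category, e.g. "call_recording"
    created: date
    retention_days: int        # limit taken from the retention schedule


@dataclass(frozen=True)
class Breach:
    breach_id: str
    breach_type: str
    severity: str              # "low", "medium" or "high"
    detected: date
    remediated: Optional[date]  # None while the breach is still open


@dataclass(frozen=True)
class Complaint:
    complaint_id: str
    complaint_type: str
    location: str              # region or business unit where it was raised


def overdue_records(records, today):
    """Retention monitoring: IDs of records held beyond their schedule."""
    return sorted(r.record_id for r in records
                  if (today - r.created).days > r.retention_days)


def breach_metrics(breaches, today, target_days):
    """Breach monitoring: mean days to remediation per severity, and the
    breaches over the target for their severity. Open breaches are measured
    up to today so they keep counting until closed."""
    days_by_severity = {}
    over_target = []
    for b in breaches:
        ttr = ((b.remediated or today) - b.detected).days
        days_by_severity.setdefault(b.severity, []).append(ttr)
        if ttr > target_days[b.severity]:
            over_target.append(b.breach_id)
    return {s: mean(v) for s, v in days_by_severity.items()}, sorted(over_target)


def complaint_indicators(complaints, threshold):
    """Complaint monitoring: (type, location) pairs raised at least `threshold`
    times, as an early indicator of possible regulatory attention."""
    counts = Counter((c.complaint_type, c.location) for c in complaints)
    return sorted(key for key, n in counts.items() if n >= threshold)


# Constructed sample inputs.
TODAY = date(2024, 6, 30)
RECORDS = [
    Record("R1", "customer_account", date(2023, 1, 15), 730),
    Record("R2", "call_recording", date(2024, 1, 1), 90),    # 181 days old
    Record("R3", "call_recording", date(2024, 5, 1), 90),
    Record("R4", "marketing_lead", date(2022, 3, 10), 365),
]
TARGET_DAYS = {"high": 7, "medium": 30, "low": 60}           # days to remediate
BREACHES = [
    Breach("B1", "misdirected_email", "low", date(2024, 2, 1), date(2024, 2, 10)),
    Breach("B2", "lost_device", "high", date(2024, 3, 5), date(2024, 3, 20)),
    Breach("B3", "unauthorized_access", "high", date(2024, 4, 1), date(2024, 4, 6)),
    Breach("B4", "misdirected_email", "medium", date(2024, 6, 10), None),
]
COMPLAINTS = [
    Complaint("C1", "unwanted_marketing", "EMEA"),
    Complaint("C2", "unwanted_marketing", "EMEA"),
    Complaint("C3", "access_request_delay", "APAC"),
    Complaint("C4", "unwanted_marketing", "Americas"),
    Complaint("C5", "access_request_delay", "APAC"),
    Complaint("C6", "data_accuracy", "EMEA"),
]


def run_checks():
    """Run the three checks; the results are what the privacy team reviews."""
    mean_days, over = breach_metrics(BREACHES, TODAY, TARGET_DAYS)
    return {
        "overdue_records": overdue_records(RECORDS, TODAY),
        "mean_days_to_remediate": mean_days,
        "breaches_over_target": over,
        "complaint_indicators": complaint_indicators(COMPLAINTS, threshold=2),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

Run as a script to print the findings. In practice the inputs would come from the records inventory, the incident register and the complaint-handling system, and the thresholds from the retention schedule and incident response plan; the point of the design is that each check measures a control's operation against a documented target, which is what feeds a dashboard and gives an audit something evidence-based to verify.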

202


Chat: Share
Do you conduct regular audits of your privacy program?

203


Session notes
Audit
“Audits are an ongoing process of evaluating the effectiveness of controls throughout the
organization’s operations, systems, and processes … The purpose of a privacy audit is to
determine the degree to which technology, processes, and people comply with privacy policies
and practices.”
— Privacy Program Management, third ed.

Auditing sustains the organization by monitoring and measuring privacy practices for compliance with
laws, regulations, industry practices and other requirements.

An audit is different from an assessment
• Assessment: Less formal, more anecdotal, information-gathering
• Audit: More evidence-based

Privacy audits answer the following questions
• Do the privacy operations do what they were designed to do?
• Are data privacy controls correctly managed?

Reasons to perform privacy audits
• Risks identified through vulnerabilities and weaknesses (opportunities for improvements to
strengthen the organization)
• A security or privacy incident
• Deterioration of a business function
• Indications of an insider threat
• Staffing, cutbacks and changes to priorities
• New subcontractors or third parties
• Unusual changes, such as higher numbers of privacy breaches, complaints or incidents
• New portfolio or industry base

204


Chat: Let’s talk about…
What are the phases of a privacy program audit?

Be sure to maintain a comprehensive audit trail — a critical component of privacy monitoring — to
demonstrate your organization meets regulatory requirements and industry best practices.

205


Session notes
Auditing privacy
The high-level, five-phase audit approach includes:
1. Audit planning: Define the purpose and scope of the audit
• Risk assessment, schedule, selecting auditor, pre-audit questionnaire, preparatory meeting/visit
and checklist
• Understand the regulatory requirements applicable to the audit
• Assess the specific areas or processes to be audited
• Understand data flows to determine the approach and methodology
• Determine the audit team, checklist, resources and timeline

2. Audit preparation: Information gathering and preparation for the audit
• Confirm schedule; confirm and prepare checklists, sampling criteria, and audit plan
• Develop an audit plan
• Identify key risk factors related to privacy
• Prepare audit checklists and assessment criteria
• Collect relevant policies, procedures, evidence and documentation

3. Audit: Assess the organization’s privacy practices
• Meeting and audit execution
• Evaluate the life cycle of data processing and handling
• Review of key documentation
• Interview key stakeholders
• Assess technical systems, controls and processes against best practices
• Sample checking the operational effectiveness of key controls and safeguards
• Assess compliance with regulatory requirements and best practices

Continued on next slide.

206


Session notes
Auditing privacy (continued from previous slide)
The high-level, five-phase audit approach includes:
4. Reporting: Document findings and communicate results of the audit
• Noncompliance records and categories (major/minor), audit report, closing meeting and
distribution
• Prepare an audit report detailing observations, deficiencies and recommendations
• Highlight areas of noncompliance or privacy risks
• Provide actionable recommendations for improvement
• Share the report with relevant stakeholders, including the board of directors,
management, risk and audit committees

5. Follow-up: Ensure corrective actions are implemented
• Confirm scope, schedule, methodology and closure
• Monitor the implementation of recommended changes
• Verify that non-conformances have been addressed
• Conduct follow-up checks or audit if necessary
• Use audit outcome and actions to continuously improve privacy practices

207


Session notes
Types of audits
• First-party audits
• Act as a self-evaluation to…
• Evaluate the organization’s risk management culture
• Identify privacy risk factors within systems, processes and procedures
• Evaluate control design and implementation to ensure proper risk management
• An internal auditor may develop an audit work plan that will…
• Identify the areas to be audited
• Notify those offices of the plans
• Perform the meetings and reviews
• Provide all communications
• Draft reports and presentations
• Lead all management communications
• Close all audit matters
• Formalize reports and final meetings
• Perform follow-ups
• Why would an organization want to undergo a first-party audit?
• The self-certification process can provide the relevant facts, data,
documentation and standards necessary to reflect consistent, standardized and
valid privacy management that aligns to a particular privacy standard, guideline
or policy

208


Session notes
Types of audits
• Second-party audits
• Include audits for existing suppliers or subcontractors
• Often known as “supplier audits”
• GDPR note
• When a controller (or a processor under the GDPR) outsources any activity,
responsibility is not "outsourced"
• It is important that the entity outsourcing any processing audits the supplier to
ensure the supplier can carry out the processing to the organization’s
requirements and meet the organization’s obligations under the GDPR (especially
in relation to security of the personal data)

209


Session notes
Types of audits
• Third-party audits
• Conducted by independent outside sources (e.g., data protection commissioner,
government officials or independent external assessment by subcontractors)
• May align to various frameworks; for example…
• ISO 19011 provisional standards through joint auditing of environmental
management (ISO 14001) and quality management (ISO 9001) systems
• NIST SP 800-53 Rev 5 (9/23/2020)
• AICPA GAPP
• Provide…
• A formal record of what was audited and when
• Insight into areas that comply/do not comply
• Details to support the findings
• Suggested corrective action, with possible target dates
• Audit findings must be communicated to affiliated stakeholders in the organization, who
will then consider…
• Risk level/degree of compliance
• Accountability for correction (action plan)
• Mitigation costs
• Approval of remediation process (or justification for disapproval)

210


Session notes
What are some advantages and disadvantages to using external auditors?

Advantages
• Identifying weaknesses of internal controls
• Lending credibility to internal audit program
• Providing a level of unbiased, expert recommendations
• May give investors, regulators and the public greater confidence

Disadvantages
• Cost/budget
• Time/schedule
• Confidentiality
• Time it takes to learn about the organization

211


Session notes
Periodic review process
• When does your governance structure need revamping?
• What triggers a policy review?
• How often do audits happen?
• What in an audit triggers a follow-up action?

212

Chat: Review question

Session notes
1. One Earth Medical’s primary metric audience likely includes whom?

213

Chat: Review question

Session notes
2. What type of analysis should Privacy Officer Garcia conduct to determine whether data
relationships are significant and not simply chance occurrences?

214

Chat: Review question

Session notes
3. Name the five high-level phases of a privacy audit.

215

Module 8: Privacy operational life cycle — Sustain: Training and awareness

Module 8 learning objectives
• Recognize potential consequences of inadequate privacy training and awareness programs.
• Differentiate between privacy training and awareness.
• Identify method and delivery options for privacy training and awareness programs.
• Determine which internal employees require privacy training.
• Review operational actions for ensuring ongoing privacy awareness.
• Determine strategies for creating a privacy training program.
• Consider approaches for presenting training in engaging and motivating ways.
• Explore the ways that establishing a privacy training program can help your organization.

216

Inadequate training/awareness of just one employee can lead to big consequences.

Module 8: Privacy operational life cycle — Sustain: Training and awareness

Session notes
If people are not aware of what information they are processing, they are also unaware of the
consequences and liabilities that may result from mishandling data.

217

Training and awareness


Session notes
Both training and awareness are essential but play different roles.

218


Chat: Share
How does your organization educate employees on privacy?

219


Chat: Brainstorm
Methods and delivery options for training and awareness activities.

220

Training and awareness


Session notes
Training communicates the organization’s privacy message, policies and processes — including for
data usage and retention, access control, and incident reporting — and motivates individuals to
retain and follow that information.

• Incorporates measurable outputs and outcomes, via attendance and assessment metrics

Awareness programs serve to reinforce lessons learned in training through diverse methods.

Employees want to concentrate on their job functions, so privacy is usually not as much of a focus
for them as it is for privacy professionals, who need to find ways to make privacy relevant to
employees.
• Executives should provide the funding for good training
• Management should support the privacy team in their training efforts and ensure that others view
it as a priority
• Managers should hold employees accountable for participating in training and handling personal
data properly
• Training should help drive cultural change around the use of personal data

221

Awareness

Operational actions: updates; flexibility; learn; communicate; specific; practical; actionable;
accountability

Session notes
The privacy team, along with all relevant departments, can take the following operational actions
to ensure ongoing awareness.
• Make training specific to employees’ roles. Use their terminology and relevant examples.
• Don’t make training and awareness theoretical; make it practical. Most employees prefer to be
shown or guided on what to do rather than apply concepts or abstract ideas.
• Make training actionable.
• Develop and use internal and external communication plans to ingrain organizational
accountability.
• Communicate information about the organization’s privacy program.
• Always send a privacy-related communication after a major incident so all employees can learn
from it.
• Ensure policy flexibility for incorporating changes to compliance requirements (e.g., laws,
regulations and standards).
• Identify, catalog and maintain all documents requiring updates as privacy requirements change.

222


Session notes
Who needs training? Anyone who processes personal information

An organization needs to identify who will be required to take privacy training (e.g., staff,
management, contractors, other third parties).
• By default, the training should include anyone who handles personal information on behalf of the
organization
• Targeted training implies there may be a variety of training programs, depending on the
department, the type of information that is being handled, how that information is processed
and who handles it

• William works for a division of One Earth Medical.
• His role as a customer services representative requires fielding customer phone calls, which
are recorded to ensure employee accountability.
• William may assist callers with updating account information, including passwords; paying
bills; and accessing information about their account, including services and transactions…

223


Chat: Let’s talk about…
William is just one individual within a large, global organization, yet his job requires training on
multiple privacy-related policies and procedures.

Given his role, what privacy-related topics should be covered in William’s training?

Follow-up chat
Given William’s tight working schedule, what would be appropriate means to deliver the training to
him?

224

Creating a privacy training program


Session notes
The following high-level steps may be used to create a privacy training program:
1. Ensure a privacy policy exists and is up to date
2. Ensure employees are trained on the policy
3. Confirm training records exist
4. Use metrics to measure results; analyze any mistakes and learn from them
5. Update the training based on feedback and changes to compliance obligations
6. Reinforce learning with awareness activities

Strategies for creating a privacy training program
• Partner with the training department/HR
• Make it fun and customized to participants
• Use motivators (e.g., badges/digital icons that indicate achievement, such as completion of
training, that can be displayed on an individual’s internal and/or external professional profile)
• Ensure all new employees, contractors, etc., receive consistent training
• Ensure repeat training is provided to all relevant employees (e.g., annually)
• Solicit feedback for improvement

Don’t forget to create privacy champions — executives who serve as privacy program sponsors and
act as advocates to further foster privacy as a core organization concept. Incorporating privacy into
company culture helps reinforce what is learned in privacy training and helps training programs to
be successful. Privacy champions:
• Help organizations maximize resources
• Make privacy concerns relevant
• Can help fellow employees understand the rules for processing personal data

225

Learning opportunities: Teachable moments

Session notes
When mistakes happen with personal data and the situation isn’t an incident, consider teachable
moments. Look for every opportunity to provide constructive suggestions regarding employees’ use
of personal data.

• “Perhaps we shouldn’t have sent the entire mailing list to ACME Corp; I think they only needed
one department.”
• “You know, I don’t think ABC department needs access to the product environment; let’s look at
ways we can reduce who can access all our client information.”
• “Let’s think about whether we need to always collect a mailing address. If a customer will come
here to pick up their order and the information they need can be emailed, we probably don’t
need a mailing address.”

226

The impact of privacy training


Session notes
The following are some ways that establishing a privacy training program can help your
organization think about privacy and meet obligations to protect personal information:
1. Establishes a common understanding of privacy
Perspectives on privacy may vary by differing backgrounds, such as culture and generation.
Within an organization, however, there must be a common privacy definition and framework for
handling personal information. It establishes the value an organization puts on protecting
personal information and how proper behavior will support organizational goals.

2. Reduces human error
Increased knowledge of proper policies and procedures provided by privacy training encourages
staff to properly handle personal information. Even if they don’t remember exact details, they
will be more likely to consult the policy or ask a coworker when questions arise.

3. Considers privacy up front
A privacy team should be involved as early as possible when new applications or processes
are being developed. Training can be used to discuss how the privacy team can support
development efforts and provide teams a foundation to recognize when personal information
is being handled outside of organizational policy.

227


Session notes
The following are some ways that establishing a privacy training program can help your
organization think about privacy and meet obligations to protect personal information:
4. Improves customer interactions
Privacy training can provide guidance about when it is appropriate to collect personal
information and can familiarize staff with the concept of data minimization. Additionally,
privacy training encourages staff who interact with customers to be more respectful of their
privacy.

5. Expands the privacy office’s eyes and ears
Privacy professionals are often a scarce resource in organizations. Privacy training can
help alleviate some of this workload, as the employees of a privacy-aware organization
can address some privacy concerns independently. In addition, trained staff is
knowledgeable enough to contact the privacy office when something does not seem
right.

6. Changes conversations
The ultimate goal of privacy training is to change conversations to those where privacy is a key
consideration. Conversations that should be, and often are, driving businesses today consider the
question: How can we make smarter decisions about which customers want which products and
services, without invading their privacy and damaging relationships?

228

Chat: Review question

Session notes
1. Privacy Officer Garcia is working with her training team to revitalize One Earth Medical’s
employee privacy training and awareness programs. What method and delivery options might
they consider?

229

Chat: Review question

Session notes
2. What operational actions could the training and other relevant teams take to ensure ongoing
privacy awareness?

230

Chat: Review question

Session notes
3. What recommendations would you give Privacy Officer Garcia for creating a training
program?

231

Module 9: Privacy operational life cycle — Respond: Data subject rights

Module 9 learning objectives
• Recognize the functions of an outward-facing privacy notice.
• Outline common elements of a privacy notice.
• Review design solutions to privacy notice challenges.
• Explore key communication considerations for providing privacy notice.
• Explore the concept of consent and how it relates to privacy notices.
• Define key considerations for opt-in vs. opt-out.
• Examine methods for tailoring privacy notices to children and ensuring parental consent
when required.
• Analyze procedural strategies for responding to individuals’ requests for withdrawal of
consent, access and rectification.
• Review examples of different countries’ requirements for responding to data subject rights.
• Analyze procedural strategies for responding to requests that exercise EU-specific data
subject rights.
• Explore what organizations must do to comply with requests related to the rights of data
portability, objection and erasure under the GDPR.
• Explore the goals of privacy-related complaint-handling procedures.


Slide 233 (Privacy notice)

Module 9: Privacy operational life cycle — Respond: Data subject rights

Session notes
Privacy notice
• “All the privacy information that you make available or provide to individuals when you
collect information about them”
— ICO, “Privacy Notices”

Privacy notices should be part of an external communication plan used to ingrain organizational
accountability.

Resource
Information Commissioner’s Office (UK), Privacy Notices, Transparency and Control: A Code of Practice on Communicating Privacy Information to Individuals, October 7, 2016, accessed March 19, 2020, https://webarchive.nationalarchives.gov.uk/20180524152948/https://ico.org.uk/media/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control-1-0.pdf.


Slide 234 (Chat: Let’s talk about…)

Chat: Let’s talk about…
What is the purpose of a privacy notice?


Slide 235 (Privacy notice: Must describe…)

A privacy notice must describe:
• Who are we?
• What information are we collecting?
• How are we going to use the information?
• With whom will we share the information?

Resource
Information Commissioner’s Office (UK), Privacy Notices, Transparency and Control: A Code of Practice on Communicating Privacy Information to Individuals, October 7, 2016, accessed March 19, 2020, https://webarchive.nationalarchives.gov.uk/20180524152948/https://ico.org.uk/media/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control-1-0.pdf.


Slide 236 (Privacy notice design)

Challenge            Solution
A lot to say         Layered approach
Not a lot of space   Just-in-time notice
Clarity              Icons/symbols
Accessibility        Privacy dashboard

Session notes
Privacy notice design strategies
• More than one document/delivery style
• Layered approach
  • Short notice with key information
  • Expandable links
  • Website search leads to the full notice
• Just-in-time notice: Type of layered approach
  • Notice appears at time of data input
  • More information available through link or by hovering
  • Alerts/notifications on smartphone
• Icons/symbols: Type of layered approach
  • Indicators/reminders of types of processing
  • Hyperlinks or hover states may provide more information
  • Clear design
  • Icon/symbol key
• Privacy dashboard that is easy to access/navigate
  • Summary of privacy-related information and metrics
  • Easy to access and navigate
  • Responsive web design
  • Short video

Resource
Information Commissioner’s Office (UK), Privacy Notices, Transparency and Control: A Code of Practice on Communicating Privacy Information to Individuals, October 7, 2016, accessed March 19, 2020, https://webarchive.nationalarchives.gov.uk/20180524152948/https://ico.org.uk/media/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control-1-0.pdf.


Slide 237 (Privacy notice: Communication considerations: channels, language, content, active delivery)

Session notes
Privacy notice: Communication considerations
• Channels should align with how data is collected: Electronic (text messaging, website, email, app), face-to-face or phone (documented conversation), writing (e.g., forms) and signage
• Language should be easy to understand, especially considering vulnerable individuals, such as children and non-native language speakers
• Content should be honest/transparent
• Active delivery of privacy notice may be required when…
  • Personal information is observed, derived or inferred (e.g., marketing based on social media activity)
  • Processing changes
  • Laws and regulations require notice
  • Collecting sensitive information
  • Using information in a way that may be unexpected/objectionable
  • Sharing information with other companies in unexpected ways
  • Sharing/not sharing information will significantly affect individuals

Methods include: Letter/email, scripted phone call, interactive online form and text-based notifications when hovering

Resource
Information Commissioner’s Office (UK), Privacy Notices, Transparency and Control: A Code of Practice on Communicating Privacy Information to Individuals, October 7, 2016, accessed March 19, 2020, https://webarchive.nationalarchives.gov.uk/20180524152948/https://ico.org.uk/media/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control-1-0.pdf.


Slide 238 (Chat: Brainstorm)

Chat: Brainstorm
What are the differences between privacy notices and consent?


Slide 239 (Choice and consent)
• Collect and record
• Allow revocation
• Documentation of privacy notice
• Regular reviews

Session notes
Privacy notices are often tied to consent options
• If consent is required by law or regulation, there must be a method to get and record it.
• Individuals who have a choice about the processing of their personal information must be given the ability to exercise that choice.
  • In addition, they must be able to revoke that decision.
  • If individuals do not have a choice, they should not be led to believe that they do.
• Procedures should be implemented and documented. In addition to a record of consent, documentation of the privacy notice provided at the time of consent should be kept.
• Consents should be regularly reviewed to determine if a refresh is necessary (e.g., changes to processing operations) or if consents should be automatically refreshed (if not too intrusive).

Resources
Information Commissioner’s Office (UK), Privacy Notices, Transparency and Control: A Code of Practice on Communicating Privacy Information to Individuals, October 7, 2016, accessed March 19, 2020, https://webarchive.nationalarchives.gov.uk/20180524152948/https://ico.org.uk/media/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control-1-0.pdf.

Information Commissioner’s Office (UK), Consultation: GDPR Consent Guidance, March 2–31, 2017, https://iapp.org/media/pdf/resource_center/ICO-gdpr-consent-guidance.pdf.


Slide 240 (Opt-in vs. opt-out)
Opt-in example: “Click here to subscribe to marketing emails and other content.”

Session notes
Opt-in vs. opt-out
• Opt-in is a clear, positive way for an individual to indicate wishes
  • It is an action, such as a check box next to text that says, “I agree”
  • The choice should be clear and easy to execute
• Rules may differ depending on the type of data, such as sensitive personal information, and the type of processing, such as telemarketing, membership application or email marketing
  • For example, an organization that wants to send email marketing to individuals may be subject to various laws and regulations — some that may require express consent (opt-in) and/or opt-out notice and have varying time limits for processing opt-outs
    • For instance, while many jurisdictions require opt-in for this type of processing, the U.S. does not
• If there are to be different types of processing, an individual may be given the option to agree to the activities separately
  • For example, one might be asked to check “Yes” or “No” beside each method for direct marketing: Email, phone, etc.


Slide 241 (Opt-in vs. opt-out)
Opt-in example: “Click here to subscribe to marketing emails and other content.”
Opt-out examples (as shown on the slide): “Would you like to receive additional information? [ ] Yes [ ] No”; “[ ] Click here to unsubscribe.”; “Please add me to your mailing list!”

Session notes
A data subject can give their consent to processing by opting in or opting out — two central concepts
of choice.
• Opting in means an individual makes an active, affirmative indication of choice — for example,
by checking a box to signal a desire to share information with third parties. This choice should be
clear and easy to execute.
• Opting out means that an individual’s lack of action implies a choice — for example, unless an
individual checks “no” or unchecks a box, their information will be shared with third parties.


Slide 242 (Privacy notice for children and consent: compliance; language and delivery; age; purpose of processing)

Session notes
Privacy notice for children and consent
• Compliance
  • U.S. Children’s Online Privacy Protection Act and the GDPR set out specific rules regarding privacy notice to children and obtaining consent for processing their personal information
  • Children’s information may be considered sensitive information, which warrants heightened protections
• Language and delivery
  • Generally, privacy notices geared toward children should be presented in ways children can understand (e.g., the Office of the Privacy Commissioner of Canada states, “Organizations should implement innovative ways of presenting privacy information to children and youth that take into account their cognitive and emotional development and life experience.”)
• Age
  • Laws and regulations may establish an age threshold for consent
    • In practice, a website may ask for the user to enter their age before accessing content, or a web application for children may require consent via a parent’s email account before collecting and processing the personal information of a child under 13 years old
  • The age threshold may vary depending on jurisdiction
• Purpose of processing
  • The intended purpose of processing may trigger certain rules
    • For example, organizations may be prohibited from tracking children for online behavioral advertising purposes

Follow-up chat
What steps can organizations take to help ensure parental consent for children under the age threshold?

Resource
Office of the Privacy Commissioner of Canada, “Guidelines for Obtaining Meaningful Consent,” May 2018, https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/.


Slide 243 (Responding to withdrawals of consent)
Request: “To whom it may concern: Please remove my account from your system. I no longer wish to receive marketing emails from your organization.”
Response: “I can remove the account from our marketing platform, but is there a procedure I should follow?”

Session notes
Responding to withdrawals of consent
• Choice and control should be offered to individuals beyond opt-in
• If an organization relies on consent to process personal information, it may want to (or be required to) state in the privacy notice that the individual can withdraw consent
• An organization’s procedures around withdrawal of consent may address:
  • When and how consent may be withdrawn
  • Rules for communicating with individuals
  • Methods for withdrawing consent
  • Documentation of requests and actions taken

Resource
Information Commissioner’s Office (UK), Consultation: GDPR Consent Guidance, March 2–31, 2017, https://iapp.org/media/pdf/resource_center/ICO-gdpr-consent-guidance.pdf.


Slide 244 (Responding to withdrawals of consent: Procedures may address when and how consent may be withdrawn; rules for communicating with individuals; methods for withdrawing consent; documentation)

Session notes
Responding to withdrawals of consent continued
Laws, regulations and best practices may call for enabling individuals to withdraw consent…
• As easily as it was to give it
• At any time
• As soon as possible (there must be procedures in place to respond to the individual and to cease processing)
• Without penalty
• In the same method that was used to give consent
• Via more than one option (for those uncomfortable using technology)
• Via anytime opt-out (e.g., privacy dashboard) or opt-out by reply (e.g., link in an email)

The process for withdrawing consent should be publicized to inform individuals of the steps they should take (via privacy notices, consent requests, email reminders, etc.).

Follow-up chat
What are some procedural strategies an organization may use to implement requirements around withdrawal of consent?

Resource
Information Commissioner’s Office (UK), Consultation: GDPR Consent Guidance, March 2–31, 2017, https://iapp.org/media/pdf/resource_center/ICO-gdpr-consent-guidance.pdf.


Slide 245 (Responding to data subject access and rectification requests)
Question: “How do I access my employee performance evaluation? And if I disagree with it, can it be revised?”

Session notes
Responding to data subject access and rectification requests
• Access/rectification is one of the most common aspects of privacy program management that triggers audits from EU authorities if they receive complaints
  • For example, under the EU’s Data Protection Directive and GDPR, the right of access is seen as a fundamental right; supervisory authorities and courts see numerous instances of failures by organizations to comply with this right
• Under certain circumstances, laws and regulations may require an organization to provide individuals with access to their personal information (and information about the processing performed on it) upon request, and/or correct/complete information…
  • Completely (e.g., all numbered pages)
  • In a timely manner
  • Without charge to the individual
  • In the same form that the request was made
• There may be limits to this right, such as protections for the rights and freedoms of others


Slide 246 (Responding to data subject access and rectification requests: Procedures may address when, what and how access and rectification must be provided; completeness; authentication; documentation; disagreements)

Session notes
Responding to data subject access and rectification requests continued
• The privacy team should work with legal to establish policies/procedures that align with legal requirements
• Have a documented process (or processes — for example, if customer and staff information is handled differently by different teams) and follow it
  • The process may be the first thing a regulator asks about in the event of an issue
• Procedural considerations may include…
  • Allocation of responsibilities (e.g., customer service staff fielding requests)
  • Authentication of the requester (e.g., must provide birthdate and answer to secret question)
  • Recording/documenting requests and actions
  • Mechanism(s) for receiving, recording and fulfilling requests (e.g., online form)
  • Types of data that may not be disclosed (e.g., others’ personal information)
  • Time limits for responding (e.g., 30 days) and extensions
  • Special circumstances (e.g., court order)
  • Various details about the processing that must be provided upon request (e.g., third parties that have received the information)
  • Providing the most up-to-date information
  • Making corrections across all systems and with third parties
  • Procedures when the individual and organization do not agree on an amendment request


Slide 247 (Selling AtlantiPulse services to other companies)
One Earth has decided to market AtlantiPulse’s service and systems to companies inside and outside the U.S.

One Earth maintains a corporate-wide data warehouse that pulls data from its divisions, including AtlantiPulse, and aggregates it for various reporting and data analytics functions. This data is now being used by the marketing department to generate targeted direct marketing campaigns — without informing customers.

Session notes
Read the scenario to answer the question that follows.


Slide 248 (Selling AtlantiPulse services to other companies)
Unfortunately, the contracts that AtlantiPulse customers agreed to before the acquisition do not address the secondary use of this data — One Earth using it for marketing purposes. All AtlantiPulse contracts were updated to One Earth global standards when AtlantiPulse was acquired, but it is not clear whether One Earth contracts allow customers to opt out of these secondary types of data usage.

This issue comes to the attention of Privacy Officer Garcia, who discovers that the contracts One Earth has with AtlantiPulse customers, whether they were created before or after the acquisition, cover the primary use of the data for operations, but do not cover the secondary use of the data in the data warehouse. She also discovers that the contract language around customer data and opting out in One Earth’s standard contracts is unclear.

Privacy Officer Garcia realizes she must resolve these issues before One Earth can move forward with reselling AtlantiPulse service and systems to companies, since inconsistencies may cause confusion and potential harm.

Session notes
Read the scenario to answer the question that follows.


Slide 249 (Chat: Activity #4)

Chat: Activity #4
What actions can Privacy Officer Garcia take to resolve this issue?


Slide 250 (Data subject rights across the world; map: Canada, U.S., EU, China, Brazil, S. Africa, Australia)

Session notes
Many countries in the world have data privacy laws stipulating how an organization in their jurisdiction must respond to data subject requests.

Australia: Australian privacy law establishes a consumer right to access and correct the personal information an organization holds about them. Organizations may charge a fee for responding to data subject requests but may not use the charge to discourage data subjects from making requests. Organizations must develop procedures for fielding and responding to requests within 30 days from receiving them.

Brazil: The General Data Protection Law (Lei Geral de Proteção de Dados or LGPD) was largely inspired by the GDPR. It gives data subjects the right to access, rectify, cancel or exclude their personal data. Further, data subjects may oppose the processing of their personal data and are provided the right to data portability. One way the LGPD differs from the GDPR is the addition of the data subject’s right to have their data anonymized in certain circumstances.

Canada: The Personal Information Protection and Electronic Documents Act provides data subjects with a general right to access their personal information held by businesses subject to it.

China: The Personal Information Protection Law, enacted in November 2021, aims to “protect the rights and interests of personal information, regulate personal information processing activities, and promote the rational use of personal information.” While the PIPL mostly aligns with the GDPR with respect to personal information rights, it is not as strictly defined — for example, where certain restrictions or exemptions may apply or what constitutes a timely reply to data subject requests. The PIPL provides individuals the right to bring lawsuits against processing entities who reject requests to exercise their rights.


Slide 251 (Data subject rights across the world; map: Canada, U.S., EU, China, Brazil, S. Africa, Australia)

Session notes
Many countries in the world have data privacy laws stipulating how an organization in their
jurisdiction must respond to data subject requests.
EU: The EU’s GDPR has been in effect since 2018 and has become a global standard for data
protection. It provides rights for data subjects to withdraw consent for processing, request a copy of
all their data, request the ability to move their data to a different organization, request to delete
their data and object to automated decision-making processes.

South Africa: The Protection of Personal Information Act aligns South Africa with global data
protection best practices. It provides data subjects several rights, such as the right to: access and
correct their personal information, object to the processing of their personal information for direct
marketing purposes, and object to automated decision-making processes in certain circumstances.

U.S.: The U.S. has no comprehensive federal data privacy law yet, but several state privacy laws, as
well as industry-specific regulations, have requirements regarding data subject rights.
Comprehensive state privacy laws include California’s CPRA, Virginia’s CDPA, and Colorado’s CPA
(which takes effect 1 July 2023). These state laws have similar data subject rights, including the
right to access, correct, and delete personal data, and opt out of the sale and certain uses of
personal data.


Slide 252 (EU-specific rights: data portability; erasure and right to be forgotten; restriction of processing; right to object; right “not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects ... or similarly significant effects” (Article 22))

Session notes
EU-specific data subjects’ rights
• Will affect organizations within and outside the EU, given the broad scope of the GDPR
• If the organization is subject to the GDPR, the privacy team should work with legal to determine
all the circumstances that may allow for the exercise of these rights, as well as exceptions
• Data portability: Will be discussed in more depth on following slides
• Erasure and right to be forgotten: Will be discussed in more depth on following slides
• Restriction of processing
• Right to object: Will be discussed in more depth on following slides
• Right “not to be subject to a decision based solely on automated processing, including
profiling, which produces legal effects … or similarly significant effects” (Article 22)

Note that under the LGPD, the data subject rights are predominantly the same as under the GDPR,
with the addition of the right to have their data anonymized in certain circumstances.

Resource
European Union, General Data Protection Regulation, adopted 2016, http://data.consilium.europa.eu/doc/document/ST-5419-2016-REV-1/en/pdf.


Slide 253 (Chat: Your outlook)

Chat: Your outlook
What strategies could an organization use to build GDPR-specific data subject rights into internal policies and procedures?


Slide 254 (EU-specific rights: Facilitating data portability; diagram: our organization’s data processing software, interoperability, the competitor’s data processing software)

Session notes
EU-specific rights: Facilitating data portability
• Data portability is an extension of the right of access
• As with access/rectification, organizations should have procedures in place for responding to requests, even if the response should consist of a refusal
• Data portability is a right that applies only in some circumstances — processing based on consent or contractual necessity
• It means that personal information must be interoperable — transferable from one organization to the individual, another controller or a third party designated by the individual in a format that is “structured, commonly used and machine-readable” (Article 20) and without hindrance
• The privacy team should work with legal to determine when this right applies and, if so, work with IT to ensure this capability is built into technical systems
• Potential difficulties may arise from storing data in proprietary formats
  • Organizations that use their own internal data processing software may have difficulty transferring the personal information in an acceptable format

Resource
European Union, General Data Protection Regulation, adopted 2016, http://data.consilium.europa.eu/doc/document/ST-5419-2016-REV-1/en/pdf.


Slide 255 (Chat: Pop quiz)

Chat: Pop quiz
What is interoperability as it applies to data portability?


Slide 256 (EU-specific rights: Right to object; GDPR Article 21(1))

Session notes
EU-specific rights: Right to object
• Under Article 21(1) of the GDPR, whenever a controller justifies the data processing based on its legitimate interests, data subjects can object to such processing
• With a valid objection, the controller is no longer allowed to process the data subject’s personal data unless it can demonstrate compelling, legitimate grounds for the processing
  • These grounds must be sufficiently compelling to override the interests, rights and freedoms of the data subject, such as to establish, exercise or defend against legal claims
• Under the Data Protection Directive, data subjects already had the right to object to processing of personal data for the purposes of direct marketing
  • Under the GDPR, this now includes profiling
  • The data subject also must be explicitly, clearly and separately notified of the right to object

Resource
European Union, General Data Protection Regulation, adopted 2016, http://data.consilium.europa.eu/doc/document/ST-5419-2016-REV-1/en/pdf.


EU-specific rights

Erasure and the right to be forgotten

1. Cease processing
2. Delete personal information
3. Ensure the data is erased by third parties, including links, copies and replications

Module 9: Privacy operational life cycle — Respond: Data subject rights

Session notes
EU-specific rights: Erasure and the right to be forgotten
• Under the GDPR, individuals have the right to request erasure of their personal data under
specific circumstances (e.g., withdrawal of consent)
• If the organization is subject to the GDPR or other laws/regulations regarding erasure, the
privacy team should work with legal to determine all the circumstances that may allow for the
exercise of this right
• Erasure entails…
1. Ceasing processing
2. Deleting data
• Policies/procedures will help to ensure these actions take place across all systems
• Erasure includes the right to be forgotten
• Applies when personal data has been made public by the organization
• Data controller is responsible for taking steps to ensure the personal data is erased by
third parties, including links, copies and replications

Resource
European Union, General Data Protection Regulation, Adopted 2016,
http://data.consilium.europa.eu/doc/document/ST-5419-2016-REV-1/en/pdf.


Chat

Brainstorm
What are some potential challenges the
right to be forgotten may pose for
organizations?

Module 9: Privacy operational life cycle — Respond: Data subject rights

Chat: Brainstorm
What are some potential challenges the right to be forgotten may pose for organizations?

Follow-up chat
Discuss strategies to address them.


Handling complaints

Procedural considerations

• Sources and types of complaints
• Recipient(s)
• Centralized intake process
• Tracking, reporting and documenting
• File reviews
• Redress

Module 9: Privacy operational life cycle — Respond: Data subject rights

Session notes
Handling complaints: Procedural considerations
• Complaints may come from different sources
• Internal: Employees
• External: Customers, consumers, patients, public, regulators and vendors
• Effective handling of complaints at the earliest opportunity will enhance the complainant’s view
of the organization and allow prompt improvement to practices
• Internal procedures should define and enable mechanisms for…
• Differentiating between sources and types of complaints
• Designating proper recipients
• Implementing a centralized intake process
• Tracking the process
• Conducting file reviews
• Reporting and documenting resolutions
• Redress


Chat: Review question
1. Adding information to AtlantiPulse’s privacy notices has made them wordy. What strategies could Privacy Officer Garcia use to cut down on length?

Module 9: Privacy operational life cycle — Respond: Data subject rights

Session notes
1. Adding information to AtlantiPulse’s privacy notices has made them wordy. What strategies
could Privacy Officer Garcia use to cut down on length?


Chat: Review question
2. Privacy Officer Garcia must determine if active delivery of revised privacy notices should be provided to customers who already have contracts with AtlantiPulse. Under what circumstances is this typically required?

Module 9: Privacy operational life cycle — Respond: Data subject rights

Session notes
2. Privacy Officer Garcia must determine if active delivery of revised privacy notices should be
provided to customers who already have contracts with AtlantiPulse. Under what
circumstances is this typically required?


Chat: Review question
3. AtlantiPulse customers must be able to withdraw consent to have their personal information processed. What procedures should be established to guide personnel in ensuring this data subject right?

Module 9: Privacy operational life cycle — Respond: Data subject rights

Session notes
3. AtlantiPulse customers must be able to withdraw consent to have their personal information
processed. What procedures should be established to guide personnel in ensuring this data
subject right?


Learning objectives

Module 10
Privacy operational life cycle — Respond: Data breach incident plans

Module 10 learning objectives


• Explain the differences between an incident and a breach.
• Understand the risks and potential impacts of a data breach.
• Explore common causes of data breaches.
• Examine measures involved in preparing for a data incident, including considerations for
training and awareness.
• Explore considerations and components of an incident response plan.
• Review departmental responsibilities involved in planning and responding to a breach.
• Explore considerations for initial breach detection and response, including the role of the
breach response team leader.
• Understand the purpose and importance of conducting incident impact assessments.
• Describe how an organization’s breach-related internal announcements should differ from its
external announcements.
• Review what internal and external breach notifications should each include.
• Determine what a breach investigation involves.
• Review examples of compliance obligations for reporting a breach.
• Examine factors that impact the cost of a breach.
• Explore ways an organization can learn from a breach.


Security incident vs. breach

INCIDENT
Compromises confidentiality,
integrity or availability
May not require notification

BREACH
Results in the confirmed
disclosure of data to an
unauthorized party
Requires notification

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
Security incident vs. breach
• Incident
• Compromises confidentiality, integrity or availability
• May not require notification
• Breach
• Results in the confirmed disclosure of data to an unauthorized party
• Requires notification
• Need to understand each to respond appropriately
• All breaches are incidents; not all incidents are breaches
• Only the privacy office or legal office should be able to declare a breach, based on certain
triggers


What’s at risk?

Global average cost of a data
breach = USD4.45 million

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
USD4.45 million — this is the global average cost of a data breach, according to the most recent IBM
Security’s Cost of a Data Breach Report.
• Translating statistics to monetary values can help senior executives see the value of planning for
a data incident or breach

Resource
Cost of a Data Breach Report 2023, IBM Security, https://www.ibm.com/reports/data-breach.


Chat

Your outlook
If a data breach occurs, what’s at risk for
an organization and an affected individual?

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Chat: Your outlook


If a data breach occurs, what’s at risk for an organization and an affected individual?


Lost investment = (number of customers) x (acquisition cost) x (churn rate)

Lost opportunities = (number of customers) x (average portfolio value) x (churn rate)

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
• Lost investment = (number of customers) x (acquisition cost) x (churn rate)
• Lost opportunities = (number of customers) x (average portfolio value) x (churn rate)


Chat

How do breaches occur?


Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Chat
How do breaches occur?


Chat

Pop quiz
Which category is the top cause of breaches — and the
most expensive type to resolve?
A. Business email compromise
B. Phishing
C. Cloud misconfiguration
D. Stolen or compromised credentials

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Chat: Pop quiz


Which category is the top cause of breaches — and most expensive type to resolve?
A. Business email compromise
B. Phishing
C. Cloud misconfiguration
D. Stolen or compromised credentials

Resource
IBM Security, Cost of a Data Breach Report 2023, https://www.ibm.com/reports/data-breach.


How do breaches occur?

WHO?
65% perpetrated by external actors
35% involved internal actors
73% of these fell in the “Miscellaneous Errors” category

WAYS IN?

32% involved ransomware or extortion


24% used stolen credentials
22% caused by pretexting and phishing
10% caused by exploited vulnerabilities

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
How do breaches occur?
Who?
• 65% perpetrated by external actors
• 35% involved internal actors
• 73% of these fell in the “Miscellaneous Errors” category
• Miscellaneous Errors: incidents where unintentional actions directly compromised a
security attribute of an information asset
• This does not include lost devices, which were grouped with theft instead

Ways in?
• 32% involved ransomware or extortion
• 24% used stolen credentials
• 22% caused by pretexting and phishing
• 10% caused by exploited vulnerabilities

Resource
Verizon, 2024 Data Breach Investigations Report,
https://verizon.com/business/resources/reports/dbir/.

Follow-up chat
The median time for users to fall for phishing emails is less than 60 seconds.
• On a 1-to-10 scale, how confident are you that you could recognize a phishing attack?
• How confident are you that members of your organization could recognize an attack?


Chat

Brainstorm
What measures can you take to prepare for
an incident?
How can you prepare your team?

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
Difference between prevention and preparation
• Prevention focuses on tasks and technologies that stop a breach from occurring
• Preparation focuses on measures you can take to respond optimally — in other words, what will
you do when your prevention fails?

Chat: Brainstorm
• What measures can you take to prepare for an incident?
• How can you prepare your team?


Liability

• Legal liability
• Liability and contracts
• Notifying affected individuals

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
Within your organization, you should know:
• Who is liable for any harm associated with collected data?
• Who should notify affected individuals?

Recognize that liability in law and liability under contract may be different.
• Legal liability
• Under the GDPR, controllers and processors will have legal liability

• Liability and contracts


• In the contract between a controller and processor, the responsibilities of each party
need to be clearly stated in the event of a contract breach (or if a regulator needs to
identify which party is liable for a breach of privacy/data protection legislation)

• Notifying affected individuals


• Notice should be issued through representatives that individuals are likely to recognize
from a prior or current relationship


Incident preparedness

What measures can you
take to prepare for an
incident?

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
What measures can you take to prepare for an incident?
• Incident response team and plan in place
• Employee training, including tabletop exercises
• Threat-sharing
• Business Continuity Management involvement
• Board-level involvement
• Be sure your team has guidance on breach notification requirements
• Conduct a risk assessment

Note that prevention focuses on tasks and technologies that stop an incident from occurring, while
preparedness and detection focus on measures you can take to respond optimally, i.e., what you
will do when your prevention fails.


Training and awareness

• Why train?
• Who should fund training?
• Who should receive training?
• What form should training take (tabletop exercises, etc.)?

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
Training and awareness

Why train?
• Expose gaps in applications, procedures and plans pre-incident
• Cultivate greater overall security for customers, partners and employees
• Reduce financial liability and regulatory exposure
• Lower breach-related costs, including legal counsel and consumer notification
• Preserve reputation and integrity

Who should fund training?


• Leaders often disagree; consider a shared-cost arrangement (IT, finance, HR)
• Quantify benefits: ROI and savings vs. expense

Who should receive training?


• Different levels/programs for different employee groups
• All employees should have a basic understanding of security procedures and how to report a
suspected incident
• They should also be trained to recognize the severity of an incident and how to notify the
correct people

What form should training take?


• Tabletop exercise: Structured, readiness-testing simulations involving members of multiple
departments
• Reviewing and learning from recent incidents and breaches of the organization and of other
organizations
• Regardless of form, record results and update plan accordingly
• See module 8 for other potential training formats


Incident response plans

According to the IBM 2023 Cost of Data Breach Report:
“The most effective incident response strategy for reducing the
duration of a data breach was to combine formation of an IR
team with testing of the IR plan.”

54 days: Organizations with both an IR team and IR plan testing identified and contained breaches 54 days faster than those with neither.

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
Incident response strategies and tactics have been instrumental in reducing the impact of data
breaches.
According to the IBM 2023 Cost of a Data Breach Report:
“The most effective IR strategy for reducing the duration of a data breach was to combine
formation of an IR team with testing of the IR plan.”

• Organizations with both an IR team and IR plan testing identified and contained breaches 54 days
faster than those with neither
• Testing the IR plan without forming a team was nearly as effective, resulting in a
difference of 48 days

Resource
IBM Security, 2023 Cost of Data Breach Report, https://www.ibm.com/reports/data-breach.


Chat

Creating an incident response plan


• Who should lead plan creation?
• What information will you need?
• What guidelines, processes and procedures will you
need to develop?

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
Creating an incident response plan is a key step in incident preparation.

Chat: Do you know?


To create an incident response plan
• Who should lead plan creation?
• What information will you need?
• What guidelines, processes and procedures will you need to develop?


Creating an incident response plan

Who should lead plan creation?
What information will you need?

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
Creating an incident response plan
Who should lead plan creation?
• Someone in the organization, or an outside consultant, with experience responding to
incidents
• Can come from the privacy office and legal or the security team
• The important thing is that the person has the correct skills to do the job; this is
one of the most critical preventative actions an organization can take, so you
want the person in charge to be experienced
• Privacy office or legal
• With help from IT, communications, HR, senior management, etc.

What information will you need?


• Your collection of personal information (categories, types, format, laws, etc.)
• Third-party relationships
• Prior incidents
• Responsible parties — who is on your team
• Buy-in from senior leadership
• System inventory
• A way to detect and report incidents
• Breach response law firm on retainer
• Forensic analysis company on retainer
• Business impact analysis
• Other relevant info


Creating an incident response plan

What guidelines, processes and procedures will you need to develop?
• Roles and responsibilities
• Severity ratings and triggers for escalation
• Team contact info
• How to report suspicious events
• Regulatory requirements
• How to interact with authorities
• Info on key vendors and counsel
• Integration with business continuity plan
• Post-incident process

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
Creating an incident response plan
What guidelines, processes and procedures will you need to develop?
• Roles and responsibilities across the organization
• Severity ratings and triggers for escalation to legal and senior management
• 24/7/365 contact info for all incident response team members
• Requirements for reporting suspicious emails and other cybersecurity incidents — as well
as how to report
• Policies for handling reports of potential incidents
• Summary of key cybersecurity regulatory requirements for each relevant jurisdiction
• Guidance for interacting with law enforcement and authorities
• Info on key vendors of identity theft protection, forensics, and other technology services
• Information on outside counsel
• Info on how the plan coordinates with the organization’s business continuity plan
• Process for post-incident debriefings and analyses


Team responsibilities

Information security
• Planning: Provide guidance regarding detection, isolation, removal and preservation of affected systems.
• During: Address data compromises; carry out forensic investigations.

Privacy (DPO or CPO)
• Planning: Ensure IRP is updated with privacy-relevant information. Ensure privacy incidents are in the annual tabletop exercises.
• During: Responsible for working with legal to determine the extent of an incident and whether an incident is a breach.

Legal
• Planning: Limit liability and economic consequences.
• During: Advise on response requirements.

Head of compliance
• Planning: Advise of known compliance risks with plans to address them.
• During: Perform compliance assessment for compromised areas.

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
What would you add or remove from this list of activities?
Are any of them handled differently at your organization?


Team responsibilities

HR
• Planning: Provide an employee perspective.
• During: Serve as information conduit to employees.

Marketing
• Planning: Advise about customer relationship management.
• During: Establish and maintain a positive and consistent message.

Business development
• Planning: Represent knowledge in handling and keeping the account.
• During: Notify key accounts.

Public relations
• Planning: Plan strategic and tactical communication to inform and influence.
• During: Assume positions on the front line.

Union leadership
• Planning: Represent union interests.
• During: Communicate and coordinate with union.

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
None


Team responsibilities

Finance
• Planning: Calculate and manage the bottom-line impact of containment and correction.
• During: Secure resources to fund resolution.

CEO/President
• Planning: Show value on preventing breaches through actions.
• During: Promptly allocate funds and manpower and publicly comment on breach.

Customer care
• Planning: Offer insight on customer/caller behavior.
• During: Handle breach-related calls.

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
None


Breach detection

• Privacy is a business function — not a technical function
• Relies on other departments to execute breach detection and response

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
Breach detection
• Internal and external groups must work with the privacy office
• Security (physical)
• Human resources
• Investigation teams
• Vendors
• Discuss…
• How do you know there’s been a breach?
• How do you determine whether your organization will classify an event as an incident or
breach?
• How do the internal and external groups to the right work with the privacy office?


Chat

Pop quiz
Which of these breach response steps
should be taken first?
• Secure your operations
• Notify appropriate parties
• Fix vulnerabilities

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Chat: Pop quiz


Which of these breach response steps should be taken first?
• Secure your operations
• Notify appropriate parties
• Fix vulnerabilities


Breach response

Secure your operations
• Assemble a team of experts:
– Data forensics team
– Legal counsel
– Privacy experts
• Secure physical areas
• Stop additional data loss
• Remove improperly posted info
• Interview people who discovered
the breach
• Forensically protect evidence

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
Breach response: Secure your operations
• Assemble a team of experts
• Data forensics team
• Legal counsel
• Privacy experts
• Mobilize breach response team immediately to prevent further loss
• Secure physical areas
• Stop additional data loss
• Remove improperly posted info
• Has personal information been posted on your website?
• Contact search engines, if needed, to ensure personal info is not archived or cached
• Ensure other websites have not stored a copy of personal information
• Interview people who discovered the breach
• Forensically protect evidence
• Other response tasks should not be put on hold until operations are secure
• Still need to be communicating with your organization’s leadership and key stakeholders, logging
and reporting all response activities, etc.


Breach response

Fix vulnerabilities

• Service providers
• Forensics experts
• Communications plan

What questions need to be asked in addressing each of these areas?

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
Fix vulnerabilities
After ensuring any breach is contained, begin analyzing vulnerabilities and addressing third parties
that might have been involved. As early as possible, begin sharing what you know with relevant
audiences.

• Service providers
• Were they involved? Was their access exploited? What steps should they take to prevent
future breaches?
• Forensics experts
• What security measures (e.g., encryption) were enabled?
• Analyze backup data; review logs to see who had access or currently has access
to the data
• Communications plan
• What needs to be communicated and to whom?
• Consider all types of stakeholders and audiences
• Consider creating an easy-to-find breach FAQ on your website
• Internally, manage expectations around communications to executives so they
know they are as informed as possible
• Determine and communicate out the planned frequency of communications


Breach response

Notify appropriate parties

• Determine legal requirements
• Determine if electronic health information involved
• Notify law enforcement
• Affected businesses
• Affected individuals

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
Breach response: Notify appropriate parties
If you have already gathered information on business partners and individuals on whom you hold
data, you are better prepared to notify the right parties at the appropriate time during a breach.
Affected individuals who are notified early can take steps to limit the damage.
• Determine legal requirements
• Notify law enforcement
• Electronic health information
• Affected businesses
• If account access information (e.g., of a credit card or bank) was stolen but you do not
maintain the accounts, notify the institution that does so it can monitor accounts for
fraudulent activity
• Consider credit bureaus or other businesses for whom you collect or store personal
information
• Affected individuals
• Consider…
• Applicable laws and regulations
• The nature of the compromise
• The type of information taken
• The likelihood of misuse
• The potential damage if the information is misused


Incident impact assessments

When an incident occurs, the only information that is immediately known is that some asset has been impacted or disrupted. As the incident unfolds over time, more and more assets might become impacted.

A single impacted asset can lead to other downstream-dependent assets being impacted as well. Understanding this casualty chain is critical to effective incident response.

Module 10: Privacy operational life cycle — Respond: Data breach incident plans

Session notes
“When an incident occurs, the only information that is immediately known is that some asset
has been impacted or disrupted. As the incident unfolds over time, more and more assets might
become impacted.

A single impacted asset can lead to other downstream-dependent assets being impacted as well.
Understanding this casualty chain is critical to effective incident response.”

— Ramesh Warrier, eBRP, https://ebrp.net/incident-management-101-assessment/

Incident impact assessments: The incident response process should include an assessment of
impacted assets.

An incident impact assessment is used to identify and rank potential consequences to:
• An organization
• Its stakeholders
• Its reputation
• The individuals impacted as a result of an incident

The incident impact assessment helps prioritize response actions and delegate resources. It
provides:
• Details about the incident
• A list of the identified threats or risks
• A description of the threats
• Current mitigations in place
• A required list of actions/next steps
• Risk scoring

Incident impact assessments should be conducted during an incident, but preparatory work should
be started before an incident occurs. The incident impact assessment should also be referenced and
used in the review of an incident to implement lessons learned and to help prevent or minimize risks
in future incidents.

Sample template:
https://assets.publishing.service.gov.uk/media/5a7b2a3de5274a34770e9dd0/Impact-Assessment-
template-14-Dec-11_0.doc
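The dependency chain and ranked assessment described above, as an added example that is not part of the IAPP guide: impact is propagated from the first impacted asset to its downstream-dependent assets, and each asset gets a risk score from likelihood, data sensitivity, number of individuals and existing mitigations, producing the prioritized list of next steps an impact assessment is meant to give the response team. The asset inventory, dependency edges, discount factors and scoring formula are all constructed assumptions.

```python
"""Incident impact assessment along an asset dependency chain.

Added example, not from the IAPP guide. Every name, number and weight below
is a constructed assumption used to illustrate how impact propagates from the
first impacted asset to downstream-dependent assets and how a risk score can
rank them so response actions and resources are prioritized.
"""
import math
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    data_subjects: int       # individuals whose personal data the asset holds
    sensitivity: int         # 1 (low) .. 5 (special categories of data)
    feeds: list = field(default_factory=list)        # downstream-dependent assets
    mitigations: list = field(default_factory=list)  # controls already in place


# Constructed asset inventory: a web portal writes into a CRM, which in turn
# feeds a marketing export and an analytics warehouse that drives dashboards.
INVENTORY = {
    "web_portal": Asset("web_portal", 50_000, 2, ["crm"], ["mfa"]),
    "crm": Asset("crm", 200_000, 3, ["marketing_export", "analytics_warehouse"],
                 ["encrypted_at_rest"]),
    "marketing_export": Asset("marketing_export", 200_000, 2),
    "analytics_warehouse": Asset("analytics_warehouse", 300_000, 4, ["bi_dashboards"],
                                 ["encrypted_at_rest", "offline_backup"]),
    "bi_dashboards": Asset("bi_dashboards", 1_000, 1),
    # Not connected to the portal; must stay out of this incident's assessment.
    "hr_system": Asset("hr_system", 800, 5, [], ["encrypted_at_rest"]),
}

# Constructed discount factors: how much an existing mitigation lowers the
# score of the asset it protects (1.0 would mean no effect).
MITIGATION_DISCOUNT = {"encrypted_at_rest": 0.5, "offline_backup": 0.8, "mfa": 0.9}


def propagate_impact(inventory, initially_impacted):
    """Breadth-first walk of the dependency chain.

    Returns {asset_name: hops}, where hop 0 is an asset known to be impacted
    when the incident is first detected and each further hop is a
    downstream-dependent asset that might become impacted as it unfolds.
    """
    hops = {name: 0 for name in initially_impacted}
    queue = deque(initially_impacted)
    while queue:
        current = queue.popleft()
        for downstream in inventory[current].feeds:
            if downstream not in hops:          # first path found is the shortest
                hops[downstream] = hops[current] + 1
                queue.append(downstream)
    return hops


def risk_score(asset, hops):
    """Likelihood x impact, discounted by mitigations already in place.

    Likelihood decays with distance from the first impacted asset; impact grows
    with data sensitivity and (on a log scale) with the number of individuals.
    """
    likelihood = 1.0 / (1 + hops)
    impact = asset.sensitivity * math.log10(asset.data_subjects + 1)
    score = likelihood * impact
    for control in asset.mitigations:
        score *= MITIGATION_DISCOUNT.get(control, 1.0)
    return round(score, 2)


def assess(inventory, initially_impacted):
    """Build the ranked assessment (highest risk first) used to prioritize actions."""
    rows = []
    for name, distance in propagate_impact(inventory, initially_impacted).items():
        asset = inventory[name]
        rows.append({
            "asset": name,
            "hops": distance,
            "data_subjects": asset.data_subjects,
            "mitigations": list(asset.mitigations),
            "score": risk_score(asset, distance),
            # Hop-0 assets are contained first; downstream assets are checked
            # for integrity and watched while containment proceeds.
            "next_step": "contain" if distance == 0 else "verify integrity and monitor",
        })
    rows.sort(key=lambda r: (-r["score"], r["hops"], r["asset"]))
    return rows


def potentially_affected(rows):
    """Pessimistic upper bound on individuals across the chain (populations are
    not de-duplicated), useful when sizing notifications early in a breach."""
    return sum(r["data_subjects"] for r in rows)


if __name__ == "__main__":
    for row in assess(INVENTORY, ["web_portal"]):
        print(f'{row["score"]:5.2f}  hop {row["hops"]}  {row["asset"]:<20} {row["next_step"]}')
```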


Breach response: Communications

Executive notification → Internal announcements → Regulator notifications → Remediation offer decision →
External announcements → Call center prepared → Letter drops → Progress reporting →
Response evaluation, modifications


Session notes
Breach response: Communications
• Internal announcements
    • Delivered around the same time as external announcements
• External announcements
    • Engage crisis management/communications firm
    • Develop talking points; keep message consistent across channels
    • May include notification letters and press releases
    • Designate senior executive (media-trained) as spokesperson
• Regulator notifications
    • Consult legal counsel to determine which agencies you must notify
• Letter drops
    • Partner with printer to manage list data, formatting, etc.
    • Consult with law enforcement to ensure letter will not impede any criminal investigation
• Call center launches
    • Increase and train staff; draft scripts and identify a call-escalation process
• Remediation offers
    • Facilitate dialogue between parties (e.g., credit-monitoring provider, letter print shop and
      call center)
• Progress reporting
• Response evaluation and modifications
    • Once the initial chaos of a breach has subsided



Chat
What are the potential consequences of inconsistent messaging?

Why should internal and external announcements be delivered around the same time?


Internal announcements

What do employees need to know?
• Information that may affect how they do their jobs
• What to keep confidential or internal
• Who the designated press contact is


Session notes
Internal announcements: What do employees need to know?
• Consider transparency
• What they need to do their jobs
• Clarify what information is confidential or internal-only
• Set rules for talking to the press — specify a contact
• Employees should always defer to those authorized to speak about the incident and not provide
information themselves
• An organization may want to create a template that can be quickly modified during a breach


External announcements

To notify or not to notify?


Session notes
External announcements: To notify or not to notify?
• What is the nature of the data elements breached?
• How many individuals were affected?
• Is the information accessible and usable?
• Is the breach likely to lead to harm?
• Can we mitigate the risk of harm?
• Assess the likely risk of harm, then assess the level of that risk
• U.S. private sector: State privacy breach laws are applied in most breach matters, regardless of
  the organization’s own jurisdiction, if citizens of a particular state are affected



Chat: Your outlook


Beyond the law, what factors might an organization consider when determining whether to
notify the public of a breach?


Investigating a breach



Session notes
Investigating a breach
• A subset of overall breach-response tasks
• Once breach investigators conclude that an actual compromise of sensitive information has
occurred
• Professional forensic investigators capture forensic images of affected systems, collect and
analyze evidence, and outline remediation steps
• Tasks are not always discrete and may occur in parallel

Steps
1. Isolate compromised systems
2. Contain the damage
3. Preserve electronic evidence
4. Establish a chain of custody
5. Document any action taken
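Added example (not from the IAPP guide) showing how steps 3 to 5 fit together in practice: hash the forensic copy at acquisition, re-hash at every custody handoff, and keep a custody log that exposes any later modification. The evidence file, evidence ID and custodian names are constructed placeholders.

```python
"""Chain-of-custody record for preserved electronic evidence.

Added example, not from the IAPP guide. Assumptions: the evidence is a single
file (a constructed stand-in for a forensic disk image), SHA-256 is the
integrity hash, and custody entries are kept in memory and exported as JSON.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash the evidence file in 1 MiB chunks so large images are not read into RAM at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str   # UTC, ISO 8601
    action: str      # "acquired", "transferred", "verified", ...
    custodian: str   # who holds the evidence after this action
    sha256: str      # hash observed at this step
    note: str = ""


@dataclass
class EvidenceRecord:
    evidence_id: str
    description: str
    path: str
    acquisition_hash: str                 # hash taken when the forensic copy was made
    entries: list = field(default_factory=list)

    def log(self, action: str, custodian: str, note: str = "") -> bool:
        """Record a custody event; re-hash so any change since acquisition is caught."""
        observed = sha256_file(self.path)
        self.entries.append(CustodyEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            action=action, custodian=custodian, sha256=observed, note=note))
        return observed == self.acquisition_hash

    def verify(self) -> bool:
        """True only if the file and every logged hash still match the acquisition hash."""
        history_ok = all(e.sha256 == self.acquisition_hash for e in self.entries)
        return history_ok and sha256_file(self.path) == self.acquisition_hash

    def to_json(self) -> str:
        """Export the record for the case file (step 5: document actions taken)."""
        return json.dumps(asdict(self), indent=2)


def acquire(evidence_id: str, description: str, path: str, custodian: str) -> EvidenceRecord:
    """Step 3: take the acquisition hash and open the custody log with its first entry."""
    record = EvidenceRecord(evidence_id, description, path, sha256_file(path))
    record.log("acquired", custodian, "forensic copy taken from write-blocked source")
    return record


def demo() -> dict:
    """Constructed walkthrough: acquire, hand off, then detect a later modification."""
    tmp = tempfile.NamedTemporaryFile(delete=False, suffix=".img")
    tmp.write(b"CONSTRUCTED SAMPLE IMAGE BLOCK\n" * 64)  # constructed stand-in for a disk image
    tmp.close()
    try:
        record = acquire("EV-PLACEHOLDER-001", "disk image of compromised DB host (constructed)",
                         tmp.name, "forensics-lead")
        after_transfer = record.log("transferred", "legal-hold-custodian", "sealed, tamper-evident bag")
        intact_before = record.verify()
        with open(tmp.name, "ab") as fh:          # simulate an unauthorized modification
            fh.write(b"unexpected write\n")
        after_tamper = record.log("verified", "legal-hold-custodian", "routine integrity check")
        return {
            "after_transfer": after_transfer,   # True: hash unchanged across the handoff
            "intact_before": intact_before,     # True
            "after_tamper": after_tamper,       # False: hash no longer matches acquisition
            "intact_after": record.verify(),    # False
            "entries": len(record.entries),     # 3 custody events logged
            "json": record.to_json(),
        }
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    print(demo()["json"])
```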


Reporting obligations

For legal compliance
• Vary by jurisdiction
• Principles driving privacy legislation globally:
    – Preventing harm
    – Collection limitation
    – Accountability
    – Monitoring and enforcement
    – Mandatory reporting
• Examples: GDPR, PIPA


Session notes
Reporting obligations: For legal compliance
• Vary by jurisdiction
• Principles driving privacy legislation globally
    • Preventing harm: Affected individuals should have the opportunity to protect themselves
      from identity theft or other harm
    • Collection limitation: Only what you need
    • Accountability: To ensure the organization satisfies regulators and can be assured of
      compliance
        • In the U.S., if an organization does not publicly disclose an incident, it may not
          be held accountable
        • Though many organizations fail to comply with state privacy law requirements,
          very few are held accountable
    • Monitoring and enforcement: Allows an organization to identify systemic issues and
      prevent compliance gaps from becoming widespread
        • Internal monitoring: Post a dedicated phone number and email address of a
          privacy staff member for individuals who handle inquiries, complaints and disputes
        • Document compliance, remedial action plans and disciplinary actions
    • Mandatory reporting: Legal counsel and the privacy office should provide guidance on
      which applicable regulatory agencies require notification
• Examples: GDPR, PIPA
    • GDPR: Controllers and processors have different obligations
        • Processors inform controllers
        • Controllers inform the supervisory authority
        • Controllers inform the data subject
        • Guidelines for notifying the SA and the data subject
    • Personal Information Protection Acts of Alberta and British Columbia
        • Organizations must notify privacy commissioner of Canada of a breach
        • Guidelines for response measures and risk evaluation
        • Privacy commissioner determines whether individuals must be notified


Recovering from a breach

Progress reporting: Hourly, Daily, Weekly, Monthly
What data do they need, and when do they need it?


Session notes
Recovering from a breach: Progress reporting
• Hourly
    • Helpful at the beginning of an incident to ensure everyone has the same information
    • Occasionally requested (e.g., call center metrics in the period immediately following victim
      notification: number of calls received, average talk time, abandonment rates and wait times)
• Daily
    • Incident-response team meetings
        • Day’s challenges, status of targeted milestones and emerging objectives
    • Mail drops reviewed to ensure alignment with approved delivery deadlines
    • Mailing and call center activities (to adjust staffing levels)
    • Enrollments in credit-activity monitoring services or other remediation offers
    • Press coverage briefings (from PR group) with prepared responses, as needed
• Weekly
    • Updates to senior management, investors and other external stakeholders
• Monthly
    • Updates to senior managers and functional heads regarding status and impact of response
      efforts
    • Continued information to employees (productivity and morale)


Quantifying the cost

Legal costs | First-party costs | Remediation costs | Intangible costs


Session notes
Quantifying the cost
Categories of breach-related expenses in cases where costs can be tracked to specific activities

Legal costs
• Punitive costs

First-party costs
• Legal counsel
• Crisis management/PR
• Forensic investigators
• Call center support
• Equipment replacement and security enhancements
• Insurance
• Card replacement
• Employee training

Remediation costs
• Victim notification
• Remediation offers and oversight
• Victim damages

Intangible costs
• Lost revenue and stock value
• Customer retention
• Opportunity costs

Can cyber liability insurance help?

Cyber liability insurance may be a viable funding source for helping to offset breach response and
recovery costs, such as forensic investigators, outside counsel fees, crisis management services,
public relations experts, breach notification, call center costs, credit monitoring and fraud
resolution services.


Impact of key factors on the average total cost of a data breach

Cost mitigators (associated with a lower-than-average breach cost)
  DevSecOps approach                            -$249,278
  Employee training                             -$232,867
  IR plan and testing                           -$232,008
  AI, machine learning-driven insights          -$225,627
  IR team                                       -$221,794
  Encryption                                    -$221,593
  Security information and event management     -$202,347
  SOAR tools                                    -$202,232
  Proactive threat hunting                      -$201,111
  Threat intelligence                           -$196,936
  Insurance protection                          -$196,452
  Offensive security testing                    -$187,703
  Identity and access management                -$180,358
  EDR tools                                     -$174,267
  Data security and protection software         -$170,412
  Board-level oversight                         -$167,818
  ASM tools                                     -$162,278
  CISO appointed                                -$130,086
  Managed security service providers             -$73,082

Cost amplifiers (associated with a higher-than-average breach cost)
  Remote workforce                               $173,074
  Supply chain breach                            $192,485
  IoT or OT environment impacted                 $195,428
  Third-party involvement                        $216,441
  Migration to the cloud                         $218,362
  Noncompliance with regulations                 $218,915
  Security skills shortage                       $238,637
  Security system complexity                     $240,889


Session notes
Factors that impact the average total cost of a data breach
Knowing what factors have the greatest impact on the cost of a data breach can help organizations
prioritize their spending.

The chart shows the average cost difference of breaches at organizations with these cost-influencing
factors compared to the mean cost of a data breach of USD4.45 million. The chart is divided into
those factors that are associated with a lower-than-average breach cost, which are cost mitigators,
and those factors that are associated with a higher-than-average breach cost, or cost amplifiers.

Cost amplifiers
• Out of a selection of 27 cost factors that either amplify or mitigate data breach costs, security
system complexity was the top amplifying factor
• Organizations with high levels of security system complexity had breach costs 17
percent higher than the average cost of a data breach

Cost mitigators
• A major factor in mitigating breach costs is the adoption of a DevSecOps approach (integrated
security testing in the software development process)
• Organizations with high DevSecOps adoption saved USD1.68 million compared to those
with low or no adoption
• Another large mitigating factor is employee training

Follow-up chat
What has your organization implemented?

Resource
IBM Security, Cost of a Data Breach Report 2023, https://www.ibm.com/reports/data-breach.


Benefiting from a breach
Failure breeds opportunity for organizational change and growth


Session notes
Benefiting from a breach: Failure breeds opportunity for organizational change and growth
• Conduct a breach incident response review or a post-incident assessment; at minimum, review…
    • Staffing and resourcing of the incident
    • Containment: Timing, processes
    • C-suite commitment: Sign off on new measures and allocation of resources
    • Clarity of roles: Response team and others
    • Notification process: Individuals, regulatory bodies, etc.
    • Ways to improve the effectiveness of the response plan
• Objectives for breach management change after an incident
    • Renew funding
    • Renew focus
    • Renew commitment
• Wait until threat containment, investigation and notification are complete before reflecting on
  organizational funding, focus or commitment to breach management
• Do not wait longer than three months to conduct the review/assessment


Data breach at AtlantiPulse

Privacy Officer Garcia has been working to make One Earth Medical’s privacy policy more robust and
consistent. One Earth maintains a centralized procurement function that writes and manages all
contracts for the global organization. Garcia has encouraged procurement to incorporate consistent
template language regarding privacy into every contract. However…


Session notes
Read the scenario to answer the questions that follow.


Data breach at AtlantiPulse

At the time of its acquisition by One Earth, AtlantiPulse was not large enough to have a
centralized procurement function. Individual contracts were handled at the specific
functional levels within AtlantiPulse, and the contracts for the functional areas did not all
include the same privacy language. While most contracts outside AtlantiPulse’s information
technology department did incorporate a level of appropriate privacy language that
protected the company in cases of data breach, the contract language was inconsistent. In
the case of the IT department’s services contracts, the language around data privacy was
particularly vague and weak.
Privacy Officer Garcia has received a disturbing email from AtlantiPulse’s chief operating
officer. AtlantiPulse is just now reporting that about 90 days ago, before the acquisition, a
third-party vendor who supplied some of AtlantiPulse’s database management services had
an attack mounted on its system. As a result, the third-party vendor believes there was a
data breach involving a significant amount of current AtlantiPulse patient data. AtlantiPulse
would like to terminate the vendor outright but is unsure of its rights and responsibilities
since the contract signed with the vendor was one of the special IT services contracts.
The fact that this all took place before One Earth acquired AtlantiPulse adds another layer
of complexity as to who is responsible for the data breach and its resolution.


Session notes
Read the scenario to answer the questions that follow.



Chat: Activity #5, Part I


Using the processes outlined earlier in this module, list some of the most critical questions
Privacy Officer Garcia must ask to begin investigating and resolving this potential breach.



Chat: Activity #5, Part II


With the breach response process underway, what questions should Privacy Officer Garcia be
asking about AtlantiPulse’s contract process to help avoid future incidents?


Chat: Review question
1. One Earth needs to revisit its definitions of an incident and a breach. Broadly, what are the
differences?


Chat: Review question
2. Name a key duty of One Earth’s marketing team in the aftermath of the AtlantiPulse data
breach.


Chat: Review question
3. In order to refine its breach response plan, what does One Earth need to know about the
personal information AtlantiPulse collects?


Questions?

Thank you!
Appendix

PRIVACY PROGRAM MANAGEMENT
ANSWER KEY
MODULE 1
1. To whom may One Earth Medical be held accountable for privacy?
• Customers/clients/patients
• The public
• Regulators/DPAs
• Professional organizations and associations
• Employees
• Investors
• Industry watchdogs
• The media

2. To garner support and budget, Privacy Officer Garcia must understand One Earth
Medical’s motivators for initiating a global privacy program. What reasons should be
considered and prioritized?
• Regulatory and legal compliance
• Contractual obligations
• Meeting expectations of customers
• Supporting the organization’s ethical values
• Enabling business growth and strategic goals

3. Garcia will need to work across functions to align the privacy program with all
departments. Which key functions should be involved?
• HR
• Marketing/business development
• Finance
• IT operations and development
• Information security
• Legal and compliance
• C-suite/board
• Communications
• Business continuity and disaster recovery planning
• Mergers
• Acquisitions and divestitures
• Compliance and ethics
• Risk management and internal audit
• Public relations

• Procurement/sourcing
• Security/emergency services
• Product development

MODULE 2
1. The GDPR requires One Earth Medical to appoint a DPO. What skills should this
individual possess?
• Risk/IT
• Legal expertise/independence
• Communication
• Leadership/broad exposure
• Self-starter/board level
• Common touch/teaching
• No conflicts/credibility

2. Privacy Officer Garcia needs to assess One Earth Medical’s former privacy governance
model, which delegates decision-making to lower levels of the organization. What type
of model is this? Name at least two additional options.
A) Local/decentralized model
B) Two other options: Centralized model, Hybrid model

3. Privacy Officer Garcia must get support internally for developing and implementing a
new privacy program. How might she accomplish this?
• Building relationships with key internal stakeholders, especially executives
• Aligning business and executive objectives with privacy objectives
• Demonstrating where privacy can be a benefit
• Steering committee/working group of key internal stakeholders

MODULE 3
1. Privacy Officer Garcia works with legal to create an inventory of laws and regulations
applicable to AtlantiPulse’s processing activities. What requirements are common across
jurisdictions?
• Purpose specification
• Openness
• Individual participation
• Collection limitation
• Use limitation
• Security safeguards
• Data quality
• Accountability

2. Garcia should be aware of privacy law specific to healthcare. What other types of
organizations and departments are bound by industry-specific privacy laws?
• Financial
• Telecom
• Marketing
• Human resources
• Energy
• Government
• Online

3. There must be a legal basis for all international data transfers. What are potential
options for legally transferring personal information between jurisdictions?
• Adequacy decisions
• Appropriate safeguards (standard contractual clauses, codes of conduct/self-certification
  mechanisms, ad-hoc contractual clauses, binding corporate rules)
• Derogations

MODULE 4
1. What steps should Privacy Officer Garcia and her team take to assess AtlantiPulse’s
privacy policies, practices and compliance?
• Create a data inventory/map and gap analysis
• Conduct privacy assessment of the organization
• Complete a privacy threshold analysis
• Impact assessments: PIAs/DPIAs/TIAs/LIAs where needed
• Assessments of AtlantiPulse’s vendors

2. What methods may be used to conduct a privacy assessment?
• Subjective standards
o Employee interviews/questionnaires
o Complaints received
• Objective standards
o Information system logs
o Training and awareness attendance
o Test scores
o Technology

3. Garcia uses a data inventory of AtlantiPulse’s information assets and a PII risk ranking
to determine which projects should be evaluated through a PIA. In addition to
acquisition/merger, what other circumstances may trigger the need for a PIA?
• Prior to deployment of a project, product or service that involves the collection of
personal information

• New or revised industry standards
• Organization policy
• Law or regulation
• Changes to methods in which personal information is handled that create new
privacy risks

MODULE 5
1. Privacy Officer Garcia must ensure that privacy by design is embedded into a new
medical support service in development at One Earth Medical. First, she must identify all
privacy risks. Which privacy risk models and frameworks might she consider using to
structure this work?
• Models:
    • Compliance
    • FIPPs-based
    • Factor Analysis of Information Risk (FAIR)
• Frameworks/Standards:
    • NIST
    • ISO/IEC 27701 Standard
    • CNIL’s Methodology for Privacy Risk Management

2. What types of design strategies should Privacy Officer Garcia consider in addressing the
risks she identifies? Give two examples of each strategy.
• Process-oriented:
    • Enforce
    • Demonstrate
    • Inform
    • Control
• Data-oriented:
    • Separate
    • Minimize
    • Abstract
    • Hide

3. What strategies might Privacy Officer Garcia use to evaluate the security controls that
are implemented?
• Work closely with IT/information security
• Leverage audits/reviews that are already being conducted
• Include relevant security risks in the privacy risk framework
• Keep a scorecard of risk factors: High, medium, low risk

MODULE 6
1. Privacy Officer Garcia works with relevant functions across the organization to align One
Earth Medical’s policies with its privacy requirements. What components might be
included in the privacy policy?
Answers will vary and may include:
• Why the policy exists and the organization’s commitment to privacy
• Definition of personal information
• Overview of applicable privacy/data protection laws and regulations
• Policy scope
• What information is collected and what is done with it
• Compliance requirements
• Privacy risks
• Allotment of responsibilities
• General staff guidelines
• Data storage rules
• Data use rules
• Steps for ensuring data accuracy
• Explanations of data subject rights
• Other potential reasons for disclosing personal information
• How data subjects are provided with information about the processing of their
personal information (e.g., privacy notice)
• Data classification

2. Garcia works with the information security function to revise One Earth’s cloud
computing acceptable use policy. What are high-level goals of such a policy?
• Maintain compliance with policies, laws, regulations and standards
• Ensure all cloud computing agreements are approved by appropriate leadership
• Maintain privacy and security of data
• Mitigate risks of processing data using cloud-based applications and tools

3. What actions will help to ensure One Earth’s policy for engaging vendors aligns with its
privacy requirements?
• Have a policy
• Identify vendors, entry points, personal information and legal obligations
• Evaluate vendors based on risk
• Have a contract
• Monitor vendors

MODULE 7
1. One Earth Medical’s primary metric audience likely includes whom?
• Legal and privacy officers, senior leadership, chief information officer (CIO),
program managers (PM), information system owners, chief information security
officer (CISO), and chief privacy officers (CPO).

2. What type of analysis should Privacy Officer Garcia conduct to determine whether data
relationships are significant and not simply chance occurrences?
• Trend analysis

3. Name the five high-level phases of a privacy audit.
• Planning, preparation, audit, reporting and follow-up

MODULE 8
1. Privacy Officer Garcia is working with her training team to revitalize One Earth Medical’s
employee privacy training and awareness programs. What method and delivery options
might they consider?
• Training methods: Instructor-led, self-led, simulation, just-in-time
• Awareness methods: Announcement, reminder, meeting, Data Privacy Day
• Training deliveries: Classroom, virtual, blended/hybrid, online, wiki, manual, tip
sheet, infographic/comic
• Awareness deliveries: Newsletter, email, text, website, poster, postcard, sticker,
informal talking points, in-person meeting, remote meeting

2. What operational actions could the training and other relevant teams take to ensure
ongoing privacy awareness?
• Use communication plans
• Communicate internally and externally
• Ensure policy flexibility
• Maintain all documents

3. What recommendations would you give Privacy Officer Garcia for creating a training
program?
• Partner with the training department
• Make it fun and customized to participants
• Use motivators
• Keep track of who has trained
• Get feedback for improvement
• Use metrics to measure results

MODULE 9

1. Adding information to AtlantiPulse’s privacy notices has made them wordy. What
strategies could Privacy Officer Garcia use to cut down on length?
• Layered approach
• Just-in-time notices
• Icons/symbols

2. Privacy Officer Garcia must determine if active delivery of revised privacy notices should
be provided to customers who already have contracts with AtlantiPulse. Under what
circumstances is this typically required?
• When personal information is observed, derived or inferred (e.g., marketing
based on social media activity)
• When processing changes
• When laws and regulations require notice
• When collecting sensitive information
• When using information in a way that may be unexpected/objectionable
• When sharing information with other companies in unexpected ways
• When sharing/not sharing information will significantly affect individuals

3. AtlantiPulse customers must be able to withdraw consent to have their personal
information processed. What procedures should be established to guide personnel in
ensuring this data subject right?
• When and how consent may be withdrawn
• Rules for communicating with individuals
• Methods for withdrawing consent
• Documentation

MODULE 10
1. One Earth needs to revisit its definitions of an incident and a breach. Broadly, what are
the differences?
• Typically, an incident compromises the confidentiality, integrity or availability of
an information asset and may not require notification; a breach results in the
confirmed disclosure — not just potential exposure — of data to an unauthorized
party and requires notification.

2. Name a key duty of One Earth’s marketing team in the aftermath of the AtlantiPulse
data breach.
• Establish and maintain a positive and consistent message.

3. In order to refine its breach response plan, what does One Earth need to know about the
personal information AtlantiPulse collects?

• Categories of individuals; types of personal information collected; format of
information; applicable laws and regulations; third-party relationships; prior
incidents; etc.

***
The following pages provide sample answers to scenario-based practice activities
embedded throughout the training.

CHAT: ACTIVITY #1 (slide 14)
Generally speaking, what are a privacy program manager’s responsibilities?
FEEDBACK:
General responsibilities of the privacy program manager
• Identify privacy obligations
• Identify business, employee and customer privacy risks
• Identify existing documentation, policies and procedures
• Create, revise and implement policies and procedures that effect positive practices
  and together comprise a privacy program
    • Goals of a privacy program include …
        • At a minimum, demonstrate compliance with applicable laws and regulations
        • “Promote trust and confidence ... of consumers”
        • “Enhance competitive and reputational advantage”
• Facilitate privacy program awareness, where relevant, of employees, customers,
  partners and service providers
• Respond effectively to privacy breaches
• Continuously “maintain and improve” the privacy program

CHAT: ACTIVITY #2 (slide 78)

To ensure compliance with all applicable laws, regulations and standards, what
does Global Privacy Officer Garcia need to do before the acquisition?
FEEDBACK:
Before the acquisition can take place, Officer Garcia needs to…
• Identify all applicable laws and regulations
    • Not all obligations are location-based (e.g., if AtlantiPulse uses a U.S. cloud
      provider, data held by that provider may be subject to U.S. legal process such as
      FISA, regardless of where the data center is located)
    • The location of customers also matters (e.g., if customers live in Japan or the
      EU, those jurisdictions’ laws are triggered regardless of where AtlantiPulse is
      located)
• Create data inventory/map of current data assets, data collection, data usage and
data processing at AtlantiPulse

• Identify international data transfers, including remote support on a system, and any
other jurisdiction-specific regulatory or compliance issues that need to be addressed
• Determine what privacy practices AtlantiPulse follows
• Perform complete enterprise privacy impact assessment (PIA) for AtlantiPulse
operations and their impact on current One Earth processes (not same as DPIA as
set out in Article 35 of GDPR)

In addition, the privacy officer must…


• Ascertain what privacy notices are currently supplied to employees and customers
• Determine customer privacy-related contractual requirements under which
AtlantiPulse is currently operating
• Validate that appropriate privacy-related controls have been incorporated into all
contracts for AtlantiPulse’s customers

CHAT: ACTIVITY #3 (slide 131)

To resolve the potential security issues described in the scenario, what must
Privacy Officer Garcia first determine?
FEEDBACK:
• Is the minimum necessary amount of data being collected from each patient?
• What is the minimum necessary amount of data each nurse should have access to?
• What other functional roles within AtlantiPulse need access to data?
• How should access to the data be restricted?
• How is accountability established for access to the data? For example, is there an
audit trail or other tracking mechanism that records who accessed the patient data,
when, through which service, and from what location/IP address?
• How are appropriate work-from-home processes defined and implemented?
• How is compliance with these processes tracked?
• How should information security and IT be involved to ensure that the correct
technical controls are in place to implement the policies?
• What policies and procedures are in place to keep data in the remote, work-at-home
environment as secure as it is in the on-site work environment?

CHAT: ACTIVITY #4 (slide 249)

What actions can Privacy Officer Garcia take to resolve this issue?
FEEDBACK:
Before One Earth can move forward with reselling AtlantiPulse services and systems to new
companies, Officer Garcia needs to …
• Make sure all privacy notices reflect that use of customer data is for marketing
purposes as well as operational ones

• Consult with One Earth’s legal and compliance personnel to identify and resolve any
potential legal consequences or issues caused by the unauthorized data usage
• Update all contracts, including those with vendors, to reflect One Earth’s intention to
use the data in other ways
• Provide a mechanism for customers to opt out of the secondary use of data
• Some laws/regulations may instead require customers to opt in to certain
processing of their personal information
• Work with IT to ensure that data from opted-out customers is not pulled into the
data warehouse and that any tainted data in the corporate data warehouse is
removed
• Make sure that marketing, as well as all other functional areas within One Earth, has
appropriate policies and procedures designed with respect to privacy
• Communicate the issue and resolution to internal stakeholders (executives, IT,
marketing) and external stakeholders (shareholders, media, regulators)

CHAT: ACTIVITY #5, Part 1 (slide 301)

Using the processes outlined earlier in this module, list some of the most critical
questions Privacy Officer Garcia must ask to begin investigating and resolving this
potential breach.

FEEDBACK:
• Was there indeed a data breach? If so, what data was exposed?
• What is the definition of a data breach at AtlantiPulse and/or One Earth?
• Has the original vulnerability at the third-party vendor been resolved?
• Does AtlantiPulse have an incident management process in place?
• Does One Earth have an incident management process in place?
• Is there a decision tree for notifications and actions in the event of a data breach?
• What data has been impacted, where was data located and how much data was
affected?
• Which stakeholders need to be notified?
• Who else needs to be notified: Regulators, media and/or AtlantiPulse customers?
• What recourse will AtlantiPulse, through One Earth, need to offer to affected parties
as compensation?

CHAT: ACTIVITY #5, Part 2 (slide 302)

With the breach response process underway, what questions should Privacy
Officer Garcia be asking about AtlantiPulse’s contract process to help avoid future
incidents?

FEEDBACK:

• Was there privacy-related language in the contract between AtlantiPulse and the
third-party vendor with which the third-party vendor did not comply?
• Did Garcia adequately assess AtlantiPulse’s vendor privacy issues with third-party
vendors during the acquisition process?
• Do all existing AtlantiPulse third-party contracts include consistent language around
privacy?
• If not, how does One Earth bring these contracts into compliance with the consistent
template privacy language required by One Earth’s global privacy policy?
• How does One Earth bring the specialized AtlantiPulse IT contracting process into
One Earth’s global one?
• Does One Earth need to terminate this vendor because of the data breach?
• If so, what are One Earth’s procedures for the return of and destruction of any
AtlantiPulse (now One Earth-owned) data the vendor has?

PRIVACY PROGRAM MANAGEMENT
ADDITIONAL REVIEW QUESTIONS

1. All of the following are factors in determining whether an organization can craft a
common solution to the privacy requirements of multiple jurisdictions EXCEPT:

A. Effective date of most restrictive law.
B. Implementation complexity.
C. Legal regulations.
D. Expense considerations.

2. When responding to a data subject access request under the GDPR, which of the following
is a limit to the individual’s right to access their data?

A. Rights to obtain copies of their data.
B. Rights and freedoms of others.
C. Right to confirm data processing.
D. Rights to rectification and erasure.

3. Which of the following is NOT a good reason to perform a privacy audit on a supplier?

A. The vendor management team is validating the supplier as part of a regular
onboarding process.
B. The finance team has concerns that their supplier is inflating their pass-through
expense costs.
C. The legal team received notification of a personal data breach caused by the supplier.
D. The IT team received a notice that the supplier is changing their cloud-storage sub-
processors.

4. A healthcare organization began integrating the concept of privacy into all facets of their
organization, to include targeted and specialized training for handling of sensitive
information, along with the adoption within the conceptual and design phases of new
business processes, IT systems, contractual agreements, devices and policies. What is this
concept of applying privacy solutions into early phases of development known as?

A. Pseudonymization.
B. Data minimization.
C. Privacy by design.
D. Security by design.

5. Data remanence is the data that remains after deletion, which creates an operational risk.
Which of the following methods is the strongest way to mitigate the risk?

A. Disposal.
B. Clearing.
C. Destruction.
D. Purging.

6. What role would data loss prevention software have in a privacy program?

A. Prevention of all data breaches caused through human error by employees.
B. Protection from an external hacker trying to infiltrate an organization’s networks.
C. Training for staff on data governance and proper data classification procedures.
D. Monitoring of certain types of personal data disclosures to outside entities.

7. When should stakeholders be identified in the development of a privacy framework?

A. After the privacy team has established its agenda.
B. After the data inventory is complete.
C. During the business case development process.
D. During the review of written policies.

8. Which of the following is NOT one of the four principles an organization should consider
when aligning information privacy and information security technologies?

A. Prioritize the expense of the technology and supplement any shortfalls with alternate
programs (Cost-based priority).
B. Ensure privacy, information security and development teams work together to
evaluate controls (Collaborate).
C. Ensure security risks are part of the privacy risk framework to include correctly
implemented controls (Stay aware).
D. Prioritize risks and allocate resources accordingly so higher risk concerns are
addressed first (Rank and prioritize).

9. Access to an organization’s information systems should be tied to an employee’s role and,
therefore, determined by basic security principles for role-based access controls (RBAC).
Which of the following contains the correct role-based access controls principles?

A. Least privilege, segregation of duties, need-to-know access.
B. Right-to-access, need-to-know access, segregation of duties.
C. Functional role access, segregation of duties, least privilege.
D. Segregation of duties, need-to-know access, access privilege.

10. Where should an organization’s procedures for resolving consumer complaints about
privacy protection be found?

A. In the emergency response plan.
B. In memoranda from the CEO.
C. In written policies regarding privacy.
D. In the minutes of organizational board meetings.

11. Each of the following organizations could consider developing a highly centralized privacy
team structure EXCEPT:

A. Grape2Table, a small to medium-sized enterprise sourcing fine wines direct from
vineyards for its customers, with multiple offices throughout France.
B. SudsLow, a large franchise of tradespeople performing cleaning services across the
United States with all executive management based in the central HQ in Ohio.
C. DiverzityCorp, an industrial conglomerate with multiple product and service lines with
separate divisions based in the U.S., Brazil and China, each with its own management
team.
D. Hoopdehoop, an online retail company that sells children’s toys and games throughout
multiple countries in the EU, through a variety of different websites, but is based in
the Netherlands.

12. What is business resiliency?

A. How quickly a business accomplishes a merger.
B. How well a business responds to and adapts after a disaster.
C. How successful a business's auditing process is.
D. How well a business rewards and retains its employees.

13. Each of the following are actions an organization should take when developing a data
retention policy EXCEPT:

A. Work with legal advisors to determine applicable legal data retention requirements.
B. Instruct processors to keep information based on approved legal requirements.
C. Estimate what business impacts are of retaining versus destroying the data.
D. Brainstorm with appropriate personnel scenarios that would require data retention.

14. What is the value of a privacy workshop for an organization's stakeholders?

A. A workshop ensures compliance to policies at all levels of an organization.
B. A workshop ensures all stakeholders commit resources to the privacy program.
C. A workshop ensures common baseline understanding of the risks and challenges.
D. A workshop ensures there is a single privacy policy across the organization.

15. Acme Co. wants to develop a new mobile application that will allow users to find friends
by continuously tracking the locations of the devices on which the application is installed.
Which one of the following should Acme Co. do before developing the application to
minimize its privacy risks?

A. Determine how to communicate breach notifications.
B. Test the accuracy of the continuous location mechanism.
C. Calculate the return on investment.
D. Conduct a privacy (or data protection) impact assessment.

16. When conducting a baseline assessment of your privacy program, you should:

A. Ensure your documentation reflects the expected future state of the program.
B. Document areas of remediation that are currently in progress.
C. Quantify the costs of existing and needed technical controls.
D. Establish a system for implementing privacy by design.

SCENARIO I
Use the following to answer questions 17-21:

Country Fresh Sundries started in the kitchen of its founder, Margaret Holmes, as she
made soap following a traditional family recipe. It is a much different business today,
having grown first through product placement in health and beauty retail outlets, then
through a thriving catalog business. The company was slow to launch an online store, but
once it did so, the online business grew rapidly. Online sales now account for 65 percent
of business, which is increasingly international in scope. In fact, Country Fresh is now a
leading seller of luxury soaps in Europe and South America, as well as continuing its strong
record of growth in the United States. Despite its rapid ascent, Country Fresh prides itself
on maintaining its homey atmosphere, as symbolized by its company headquarters with a
farmhouse in front of a factory in a rural region of Maine, in the U.S. The company is
notably “employee friendly,” allowing, for instance, employees to use their personal
computers for conducting business and encouraging people to work at home to spend
more time with their families.

As the incoming Director of Privacy, you are the company’s first dedicated privacy
professional. During the interview process, you found that while the people you talked to,
including Shelly Holmes, CEO and daughter of the founder, and Jim Greene, Vice
President for Operations, meant well, they did not possess a sophisticated knowledge of
privacy practices and regulations and were unsure of exactly where the company stood in
relation to compliance and security. Jim candidly admitted, “We know there is a lot we
need to be thinking about and doing regarding privacy, but none of us know much about
it. We have put some safeguards in place, but we are not even sure they are effective. We
need someone to build a privacy program from the ground up.”

The final interview ended after the close of business. The cleaning crew had started its
nightly work. As you walked through the office, you noticed that computers had been left
on at employee workstations and the only shredder you saw was marked with a sign that
said, “Out of Order. Do Not Use.”
You have accepted the job offer and are about to report to work on Monday. You are now
on a plane headed toward your new office, considering your course of action in this
position and jotting down some notes.

17. How can you discover where personal data resides at Country Fresh?

A. By focusing solely on emerging technologies, as they present the greatest risks.
B. By checking all public interfaces for breaches of personal data.
C. By performing a gap analysis and creating a plan to bridge those gaps.
D. By conducting a data inventory and mapping data flows.

18. You need a master plan or roadmap to guide your choices in developing and refining
Country Fresh’s privacy program. What is the best action to take?

A. Adopt the privacy program mission statement as a guide to specific actions.
B. Modify industry best practices to fit the organization's needs.
C. Perform a mapping exercise that reveals where personal data resides.
D. Develop an overarching privacy program framework.

19. What step can best help you to identify the specific needs and objectives of Country Fresh
regarding privacy protection?

A. Assess Country Fresh’s privacy maturity.
B. Review privacy laws and standards.
C. Identify the key stakeholders.
D. Physical audit of the facility.

20. In analyzing Country Fresh’s existing privacy program, you find procedures that are
informal and incomplete. What stage does this represent in the AICPA/CICA Privacy
Maturity Model?

A. Early.
B. Ad hoc.
C. Nonrepeatable.
D. Pre-program.

21. Which of the following best describes who at Country Fresh needs to be trained on privacy
protection?
A. Members of the privacy team, exclusively.
B. Department heads and key supervisors who can then train their personnel.
C. New hires only, as experienced employees should be familiar with the procedures.
D. Personnel in all departments who have any contact with personal data.

(end of Scenario I questions)

SCENARIO II
Use the following to answer questions 22-25:

Bentley Gems, a high-end United States retail firm that specializes in custom-made
jewelry, creates an opt-in program to provide personalized attention to its customers. On
their first visit, customers are invited to use a kiosk in the retail store to enter their
shopping preferences, as well as personal data such as credit card numbers, banking
information, birthdays, anniversary dates, etc. In an effort to make the customer
experience even richer, the program also collects facial recognition data. This way, when
a customer enters the store, a staff member can call the customer by name and speak
knowledgeably about their preferences, and perhaps even direct them to a particular
item. All the customer preference data, including facial recognition data, is encrypted
and stored on a computer system within the store. This computer system is also secured
physically in a locked room.

Because the intent of this effort was benign, i.e., to enhance the overall customer
experience, Bentley Gems’ owners do not recognize that this collection of data has the
potential to become a data privacy issue. They do not develop policies or procedures to
address how this data is used or whether it can be resold; they simply assume that if a
customer does not want to participate, they won’t enter data into the kiosk.

One of Bentley’s employees, Matilda, has full access to the data because she is the most
computer-knowledgeable employee. Matilda has a friend, Jacob, who works for Investors,
Inc., a wealth management firm. Wishing to do Jacob a business favor, she copies an
unencrypted set of Bentley Gems’ customer names, preferences, and facial recognition
data onto a hard drive. She sends the data to her friend to use in marketing his wealth
management services to the customers. He intends to use the customer data in a way
similar to the jewelers: to provide highly personalized service. Since she is not selling the
data to him, Matilda does not think there is anything wrong with what she has done.

The owners of Investors, Inc. buy another list of customers’ data legitimately from an
outside vendor which includes some of Bentley Gems’ customers. This data includes
financial information, as well as names, addresses, and number and brand of automobiles
owned. The owners of Investors, Inc. are unaware the customer list from Bentley Gems
was given informally, and collate it with the list from the outside vendor. Now Investors, Inc.
has a very valuable list that contains a deep level of personal data about potential
customers and their buying preferences.

Jacob puts the combined list on an unencrypted public website so Matilda can copy it back
and enhance Bentley Gems’ original data set. Investors, Inc. becomes the victim of an
online attack and the combined collection of unencrypted customer data is stolen. The
owners of Investors, Inc. only find this out when several customers report that their
vehicles were stolen. Further investigation of the crimes by the police links the data
breach to home burglaries. The criminals used the stolen facial recognition data to
identify potential victims, then used address data to find their primary residences. The
owners of Bentley Gems have no knowledge any of this has happened until several months
later, when Matilda quits and informs them of the data breach.

22. All of the following would protect Bentley Gems’ owners from future employee misuse of
customer data EXCEPT:
A. An updated privacy notice that reflects how customer data may be used.
B. A notice to the customers of Investors, Inc. about customer data mingling.
C. An employment policy that calls for the removal of anyone who shares customer data.
D. A better, policy-driven process for limiting access to customer data.

23. After the breach is made known to Bentley Gems, which task should it accomplish first?
A. Coordinate with Investors, Inc. to limit the damage.
B. Sue Investors, Inc. for the breach.
C. Determine whether notification is legally required.
D. Update its privacy notices to allow customers to opt out of the data use.

24. After the data breach, what data can Investors, Inc. use legally?
A. The combined data from Bentley Gems and the outside vendor.
B. Only the purchased data from the outside vendor.
C. None of the data.
D. The original data from Bentley Gems.

25. What would be the best way for Investors, Inc. to respond to its customers’
complaints?
A. Assess the relative liabilities of all parties involved.
B. Develop a formal opt-out procedure.
C. Establish a formal complaint and resolution procedure.
D. Create an ombudsman and refer complaints there.

(end of Scenario II questions)

Answers and Rationale

1. The correct answer is A.
Determining the best approach for meeting the requirements of multiple jurisdictions will
depend upon a number of factors, including which laws your organization is subject to,
how complex the solution will be to develop, the budgetary allowance, and what personal
information is collected and how that personal information is used and/or shared. There
are various methods of creating a common solution, such as using the strictest standard
from each law for all similar compliance requirements or having common requirements
that are materially aligned but setting up case-by-case solutions for outlying ones. There
is no one-size-fits-all solution; the chosen approach must align to the organization’s
objectives and goals.

2. The correct answer is B.
According to GDPR recital 63, the right should not adversely affect the rights or freedoms
of others, including trade secrets or intellectual property and in particular the copyright
protecting the software.

3. The correct answer is B.
While financial irregularities are a good reason to perform a financial audit, they are not a
reason to perform a privacy audit. The purpose of a privacy audit is to determine the
degree to which technology, processes and people comply with privacy policies and
practices. Audits are evidence-based procedures to help measure how well the programs
put in place meet the organization’s goals; show compliance with legal, regulatory and
internal requirements; increase general awareness; reveal gaps; and provide a basis for
remediation planning.

4. The correct answer is C.
“Privacy by Design” (“PbD”) is an approach to systems engineering originally developed by
Ann Cavoukian in the mid-1990s. PbD is a framework that requires privacy and data
protection to be embedded throughout the entire lifecycle of technologies, from the early
design stage through deployment, use and ultimate disposal or disposition.

PbD may incorporate security by design, data minimization and pseudonymization
techniques at various stages of data processing to facilitate privacy programs and policies.

5. The correct answer is C.
Disposal is the most basic form of sanitization: media are discarded with no special
treatment, so any data on them remains recoverable.
Clearing overwrites the data, typically with zeros or ones, and protects against simple,
non-invasive recovery; data may still be recoverable with laboratory techniques.
Purging is a stronger, permanent method that uses techniques such as degaussing or
cryptographic erasure; data is not considered recoverable even with state-of-the-art
laboratory techniques.
Destruction is the strongest method and includes shredding, pulverizing, incinerating or
melting the media so that they cannot be reused. (These are the Clear, Purge and Destroy
categories of NIST SP 800-88; encryption by itself is not a destruction method.)

6. The correct answer is D.
Data loss prevention software can be a useful tool to monitor certain types of disclosures
outside of an organization, both authorized and unauthorized. It can be used to check
the effectiveness of policies and controls. But it cannot prevent all data breaches. Even if
you have it configured so that it blocks the external disclosure of personal data via email,
for example, a determined person could still circumvent this, and it does not prevent an
attacker from breaking into your network. It is only one tool amongst many, not a panacea.
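The rationale above describes what DLP does (monitor outbound disclosures, distinguish authorized from unauthorized ones) and where it stops (it is evaded easily). The following is an added example, not code from the guide or from any DLP product: a minimal outbound-mail content rule for U.S. SSNs and payment card numbers, with a Luhn check to suppress false positives, an allowlist of contractually approved external recipients, and one message that slips past the rule by using a separator the pattern does not expect. Domains, recipients and message bodies are all constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Everything below is constructed for this example, including domains and messages.
INTERNAL_DOMAINS = {"example-corp.test"}
# Hypothetical external recipients whose receipt of personal data is authorized by contract.
APPROVED_EXTERNAL = {"processor.example.test"}

# U.S. SSN in NNN-NN-NNNN form, excluding area numbers that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives from arbitrary digit runs such as ticket IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    recipient: str
    kind: str          # "ssn" or "card"
    matched: str
    disposition: str   # "authorized" or "unauthorized"


def scan_message(recipient: str, body: str) -> list[Finding]:
    """Return personal-data findings for one outbound message."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return []  # this rule set only watches disclosures leaving the organization
    disposition = "authorized" if domain in APPROVED_EXTERNAL else "unauthorized"
    findings = [Finding(recipient, "ssn", m.group(), disposition) for m in SSN_RE.finditer(body)]
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding(recipient, "card", m.group(), disposition))
    return findings


def run_scan(messages: list[tuple[str, str]]) -> tuple[list[Finding], dict[str, int]]:
    """Scan (recipient, body) pairs; return all findings and a count per disposition."""
    findings: list[Finding] = []
    counts = {"authorized": 0, "unauthorized": 0}
    for recipient, body in messages:
        for f in scan_message(recipient, body):
            counts[f.disposition] += 1
            findings.append(f)
    return findings, counts


# Constructed outbound messages (recipient, body).
SAMPLE_OUTBOUND = [
    ("payroll@example-corp.test", "Employee SSN 123-45-6789 for onboarding"),        # internal: ignored
    ("settle@processor.example.test", "Charge card 4111 1111 1111 1111"),           # authorized disclosure
    ("friend@mail.example", "Customer card 4111-1111-1111-1111, SSN 123-45-6789"),  # unauthorized: two findings
    ("friend@mail.example", "Ticket 1234567890123 for reference"),                   # 13 digits, fails Luhn: no finding
    ("friend@mail.example", "card is 4111.1111.1111.1111"),                          # dot separators evade the rule
]

if __name__ == "__main__":
    found, summary = run_scan(SAMPLE_OUTBOUND)
    for f in found:
        print(f"{f.disposition:12} {f.kind:4} -> {f.recipient}: {f.matched}")
    print(summary)
```

The last sample message is the point of the rationale: a rule that only knows spaces and dashes never sees a card number written with dots, let alone one pasted into a screenshot or an encrypted archive. DLP output is evidence for reviewing whether policies hold, not a guarantee that they do.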

7. The correct answer is C.
Many organizations create a privacy committee or council composed of the stakeholders
(or representatives of functions) that were identified at the start of the privacy program
implementation process. These individuals and functions will launch the privacy program,
and their expertise and involvement will continue to be tapped as remediation needs—
some of which may sit within their areas of responsibility—are identified. They will be
instrumental in making strategic decisions and driving them through their own
departments.

8. The correct answer is A.
To maximize efficiency and productivity while minimizing financial burden, privacy and
security teams must work together. Technology has adapted to fill this organizational
need. However, not all technology is created equal, and organizations must ensure the
needs of both privacy and security are met. By working closely to evaluate security
controls, leveraging existing reviews and review processes, ensuring security risks relevant
to the organization are part of the privacy risk framework, and agreeing upon how risk
factors are ranked, information privacy and information security teams can determine
which technologies best meet their aligned needs.

9. The correct answer is A.
The privacy team should work with information security and IT, as well as HR, to ensure
effective access controls. Role-based access control (RBAC) rests on the following principles:
• Least privilege: Grant access at the lowest possible level required to perform the
function.
• Segregation of duties: Ensure one person cannot exploit or gain access to
information inappropriately, by splitting sensitive tasks so that no single role can
complete them alone.
• Need-to-know access: Restrict access to only information that is critical to the
performance of an authorized, assigned mission.
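The three RBAC principles above, and the Activity #3 feedback earlier (minimum necessary access for each nurse, an audit trail recording who accessed patient data, when, through which service and from which IP address), are easier to reason about when the policy is written down as code. The following is an added example, not code from the guide or from any product AtlantiPulse or One Earth uses: roles carry permissions (least privilege), a conflict table rejects any role assignment that would let one person both create and approve an invoice (segregation of duties), patient-scoped permissions are honoured only for patients explicitly assigned to the user (need-to-know), and every decision, allowed or denied, is written to an audit record. Role names, users, patient identifiers and addresses are all hypothetical.

```python
from __future__ import annotations

from datetime import datetime, timezone

# Hypothetical role and assignment data constructed for this example; none of it comes from the guide.
ROLES: dict[str, set[str]] = {
    "nurse": {"patient.read", "vitals.update"},
    "billing_clerk": {"invoice.create"},
    "billing_approver": {"invoice.approve"},
    "privacy_auditor": {"audit.read"},
}

# Need-to-know: these permissions are valid only for patients explicitly assigned to the user.
PATIENT_SCOPED = {"patient.read", "vitals.update"}

# Segregation of duties: no single user may hold both permissions in a pair.
SOD_CONFLICTS = [frozenset({"invoice.create", "invoice.approve"})]

# Constructed care assignments (user -> patient identifiers).
ASSIGNMENTS: dict[str, set[str]] = {"nurse_ana": {"P-100", "P-101"}}


class PolicyError(Exception):
    """Raised when a role assignment would violate segregation of duties."""


class AccessControl:
    def __init__(self) -> None:
        self.user_roles: dict[str, set[str]] = {}
        self.audit_log: list[dict[str, str]] = []

    def permissions(self, user: str) -> set[str]:
        """Least privilege: a user has exactly the union of their roles' permissions, nothing else."""
        return set().union(*(ROLES[r] for r in self.user_roles.get(user, set())))

    def assign_roles(self, user: str, roles: list[str]) -> None:
        """Grant roles, rejecting any combination that creates a SoD conflict."""
        new_roles = self.user_roles.get(user, set()) | set(roles)
        perms = set().union(*(ROLES[r] for r in new_roles))
        for pair in SOD_CONFLICTS:
            if pair <= perms:
                raise PolicyError(f"{user} would hold conflicting permissions {sorted(pair)}")
        self.user_roles[user] = new_roles

    def authorize(self, user: str, permission: str, *, service: str,
                  source_ip: str, patient_id: str | None = None) -> bool:
        """Decide one access request and record who/what/when/where regardless of outcome."""
        allowed, reason = permission in self.permissions(user), "granted"
        if not allowed:
            reason = "no permission"
        elif permission in PATIENT_SCOPED and patient_id not in ASSIGNMENTS.get(user, set()):
            allowed, reason = False, "patient not assigned"   # need-to-know check
        self.audit_log.append({
            "who": user,
            "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "permission": permission,
            "patient": patient_id or "-",
            "service": service,
            "source_ip": source_ip,
            "decision": "allow" if allowed else "deny",
            "reason": reason,
        })
        return allowed

    def denials(self) -> list[dict[str, str]]:
        """Denied requests: the first view a reviewer pulls when tracking compliance."""
        return [r for r in self.audit_log if r["decision"] == "deny"]


def demo() -> AccessControl:
    """Constructed sequence: one permitted read, one read of an unassigned patient, one out-of-role action."""
    ac = AccessControl()
    ac.assign_roles("nurse_ana", ["nurse"])
    ac.assign_roles("clerk_bo", ["billing_clerk"])
    ac.authorize("nurse_ana", "patient.read", patient_id="P-100", service="ehr-web", source_ip="10.20.0.7")
    ac.authorize("nurse_ana", "patient.read", patient_id="P-999", service="ehr-web", source_ip="203.0.113.9")
    ac.authorize("nurse_ana", "invoice.create", service="billing-api", source_ip="10.20.0.7")
    return ac


if __name__ == "__main__":
    ac = demo()
    for record in ac.audit_log:
        print(record)
    try:
        ac.assign_roles("clerk_bo", ["billing_approver"])  # would let one person create and approve
    except PolicyError as err:
        print("rejected:", err)
```

Two design points carry over to a real deployment: the audit record is written before the function returns, so a denied request leaves the same trace as an allowed one, and the source IP is recorded rather than used as an authorization factor, which is what lets a reviewer later ask whether a work-from-home session touched more records than an on-site one without the policy itself becoming location-dependent.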

10. The correct answer is C.
A privacy policy is a high-level policy that supports documents such as standards and
guidelines that focus on technology and methodologies for meeting policy goals through
manuals, handbooks and/or directives. The privacy policy also supports a variety of
documents which are then communicated internally and externally, that (a) explain to
customers how the organization handles their personal information (referred to as a
privacy notice), (b) explain to employees how the organization handles personal
information, (c) describe steps for employees handling personal information, and (d)
outline how personal data will be processed.

11. The correct answer is C.
The choice about how to structure the privacy team is individual to each different
company. Having a highly centralized team has a lot of advantages for creating
consistency and the efficient development of privacy policies and tools, but in some
companies the centralization can be a disadvantage. The centralization could be at odds
with the management structure of the company, making it difficult to get decisions made
across all divisions and departments. Alternatively, if the needs of the various parts of the
business are diverse, a one-size-fits-all approach may not work.

For a smaller company, centralization is often the default because there are not enough
resources to have a large privacy team or representatives in multiple departments. Even
in larger global companies, if the business is focused on a core activity, then a central
privacy team can usually accommodate local variances in the laws. It is important,
though, that the privacy team can accommodate the cultural and linguistic differences as
well as the legal ones. Therefore, in a very diverse organization, too much centralization
may not be a good thing as employees may feel more comfortable talking to someone who
speaks the same language and is more accessible for them in their time zone.

12. The correct answer is B.
To the privacy professional, business resiliency is measured through metrics associated
with data privacy, system outages and other factors as defined by the business case and
organization’s objectives. Focusing solely on disasters will lead an organization to be
defensive, but using a proactive approach enables the organization to respond to an
unexpected event more quickly and more cost effectively. In addition to disaster
situations, a strong business resilience program can help your organization prepare for
audits and demonstrate compliance with regulatory requirements.

13. The correct answer is B.
Data management requires answers to questions such as why we have the data, why we
are keeping it, and how long we need to keep it. During the building and review of a data
retention policy, the process begins with identifying all the data stored in the organization
and determining how it is used. Business unit needs regarding how long information is
retained must be considered but must be balanced against legal requirements, to ensure
information is not kept too long or dispositioned before legally allowed. Instructing
employees on approved processes occurs after the policy has been created.

14. The correct answer is C.
Do not assume that all stakeholders have the same level of understanding about the
regulatory environment or the complexity of the undertaking—there will invariably be
different levels of privacy knowledge among the group. This is an opportunity to ensure
everyone has the same baseline understanding of the risks and challenges the organization
faces, the data privacy obligations that are imposed on it and the increasing expectations
in the marketplace regarding the protection of personal information.

©2024 International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
15. The correct answer is D.

A privacy impact assessment (PIA), also known as a data protection assessment, is an
analysis of the privacy risks associated with processing personal information in relation to
a project, product or service. To be an effective tool, a PIA also should suggest or provide
remedial actions or mitigations necessary to avoid, reduce or minimize those risks.
Requirements regarding PIAs emanate from industry codes, organizational policy, laws,
regulations and supervisory authorities.

When an organization collects, stores or uses personal data, the individuals whose data is
being processed are exposed to risks. These risks range from personal data being stolen or
inadvertently released and used by criminals to impersonate the individual, to causing
individuals to worry that their data will be used by the organization for unknown
purposes. A data protection impact assessment (DPIA) describes a process designed to
identify risks arising out of the processing of personal data and to minimize these risks as
much and as early as possible. DPIAs are important tools for negating risk and for
demonstrating compliance with the GDPR.

16. The correct answer is B.

It may be tempting to avoid creating a record of where there are deficiencies in existing
programs, especially if those deficiencies are being addressed. However, if you fail to
document deficiencies, you create an assessment based on hypotheticals that may not
prove true over time and will not provide a true baseline. In addition, if ongoing
remediations are not included, the new privacy program will appear to have more
deficiencies than actually exist and may result in resources being diverted to solve
problems that are already being resolved.

17. The correct answer is D.

The data inventory, also known as a data map, provides answers to these questions by
identifying the data as it moves across various systems, and thus indicating how it is
shared and organized and where it is located. That data is then categorized by subject
area, which identifies inconsistent data versions, enabling identification and mitigation of
data disparities, which in turn serves to identify the most and least valuable data and
reveal how it is accessed, used and stored.

18. The correct answer is D.

Implementing and managing a program that addresses the various rights and obligations of
each privacy regulation on a one-off basis is a nearly impossible task. Instead, using an
appropriate privacy framework to build an effective privacy program can: (a) help achieve
material compliance with the various privacy laws and regulations in-scope for your
organization; (b) serve as a competitive advantage by reflecting the value the
organization places on the protection of personal information, thereby generating trust;
and (c) support business commitment and objectives to stakeholders, customers, partners
and vendors.

19. The correct answer is C.

While many factors go into identifying specific needs and outlining objectives, the most
critical part is ensuring you have the appropriate individuals identified and included in the
process. Creating a privacy committee or council of stakeholders who represent different
functions and perspectives within the organization will enable you to establish Country
Fresh’s objectives based on its privacy needs. These stakeholders can then help maintain
the privacy program, communicate the privacy policy to employees, and adapt the
program to the constantly changing privacy landscape.

20. The correct answer is B.

The Privacy Maturity Model (PMM) is a well-established model that sets out maturity levels
for privacy programs and operations. Maturity is a useful metric because it focuses on a
scale as opposed to an endpoint. PMM uses five maturity levels. Maturity level
one, “ad hoc,” describes a situation where the procedures or processes are
generally informal, incomplete and inconsistently applied.

21. The correct answer is D.

Everyone who handles personal information needs to be trained in privacy policies and
how to deploy them within their area to ensure compliance with all policy requirements.
This applies to employees, management, contractors and other entities with which your
organization might share personal information. Training programs dealing with privacy
policies should be based on clear policies and standards and have ongoing mechanisms and
processes to educate and guide employees in implementation.

22. The correct answer is B.

ISACA defines controls as “the means of managing risk, including policies, procedures,
guidelines, practices or organizational structures, which can be of an administrative,
technical, management, or legal nature.”

A privacy policy is a form of administrative control. It is an internal document addressed
to employees and data users. This document clearly states how personal information will
be handled, stored and transmitted to meet organizational needs as well as any laws or
regulations. It will define all aspects of data privacy for the organization, including how
the privacy notice will be formed, if necessary, and what it will contain.

However, a privacy notice is an external communication to individuals, customers or data
subjects that describes how the organization collects, uses, shares, retains and discloses
its personal information based on the organization’s privacy policy. While required under
most privacy laws, an external privacy notice does not protect against misuse of data.

23. The correct answer is C.

Notification is the process of informing affected individuals that their personal data has
been breached. Many laws and regulations prescribe specific time frames for providing
notification to impacted individuals, relevant regulators or both. The legal
requirements change regularly. For planning purposes, however, it is enough to know that
when investigating an incident, time is of the essence. Timing is even more critical once
the incident has been confirmed to be a breach. An organization’s privacy professionals,
and those charged with incident response planning and notification, should be intimately
familiar with the prevailing notification requirements and guidelines and should work with
qualified legal counsel to assist in making the legal determination about the need to give
notice.

24. The correct answer is B.

Though Matilda is an employee of the company who is the data controller, it is unlikely
that she would have the authority to disclose the jewelry store’s customer data merely
because she is “the most computer-knowledgeable employee” and has access to this
information. As such, she would not be legally authorized to share this information with
Investors, Inc. In turn, this means that Investors, Inc. only has authority to use the
customer data legitimately purchased from the outside vendor. Employee error or
negligence is one of the biggest causes of privacy breaches. Matilda’s decision to disclose
personal information to Jacob constitutes a breach, and therefore, Investors, Inc. has no
legal right to keep this data.

25. The correct answer is C.

Complaints about how the organization manages data subject rights may come from both
internal sources, such as employees, and from external sources, such as customers,
consumers, competitors, patients, the public, regulators and vendors. Complaints from
data subjects should go through some centralized process. There needs to be a central
point of control that deals with data subject complaints. Because you have limited time to
respond, and may need cooperation from other parties (e.g., other controllers,
processors), having an efficient and consistent process is critical.

PRIVACY PROGRAM MANAGEMENT
RESOURCES AND BODY OF KNOWLEDGE

Many resources linked from this training are available to IAPP members only. Reviewing the supplemental, linked content provides the user with additional depth and detail but is not required for completing the course. To learn more about IAPP membership, click here.

GENERAL

CIPM Exam Resources: https://iapp.org/certify/get-certified/cipm.

Densmore, Russell, ed. Privacy Program Management: Tools for Managing Privacy Within Your Organization. 3rd ed. Portsmouth: IAPP, 2022.

MODULE 1

Article 29 Data Protection Working Party. “Opinion 2/2017 on data processing at work.” https://iapp.org/media/pdf/resource_center/wp249_data-processing-at-work_06-2107.pdf.

European Data Protection Supervisor. “Accountability on the ground Part I: Records, Registers and when to do Data Protection Impact Assessments.” July 2019, pg. 4. https://edps.europa.eu/sites/edp/files/publication/19-07-17_accountability_on_the_ground_part_i_en.pdf.

Fieldfisher. EU e-marketing requirements. Accessed May 11, 2020. https://res.cloudinary.com/fieldfisher/image/upload/v1585817516/PDFs/EU_e-marketing_requirements_updated_March_2020_g6jh2u.pdf.

IAPP. IAPP-EY Annual Privacy Governance Report 2019. https://iapp.org/media/pdf/resource_center/IAPP_EY_Governance_Report_2019.pdf.

OPC and OIPCs of Alberta and British Columbia. Getting Accountability Right with a Privacy Management Program. Accessed April 25, 2017. https://iapp.org/media/pdf/knowledge_center/Canada-Getting_Accountability_Right(Apr2012).pdf.

MODULE 2

Article 29 Data Protection Working Party. Guidelines on Data Protection Officers (‘DPOs’). Revised April 5, 2017. http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612048.

Dietrich, Eric and Ana Rodgers. “Building a Privacy Program from Ground Zero.” Recorded June 22, 2015 at the IAPP Canada Privacy Symposium, Toronto, ON. IAPP: Portsmouth, NH. Reprise web conference. https://iapp.org/resources/article/building-a-privacy-program-from-ground-zero.

DPO Network Europe. “Should your company appoint a data protection officer (DPO) under the GDPR?” https://www.dponetwork.eu/uploads/3/1/7/3/31732293/gdpr_dpo_decisiontree.pdf.

European Data Protection Supervisor. “Accountability on the ground Part I: Records, Registers and when to do Data Protection Impact Assessments.” July 2019, pg. 4. https://edps.europa.eu/sites/edp/files/publication/19-07-17_accountability_on_the_ground_part_i_en.pdf.

IAPP Westin Research Center. From Here to DPO: Building a Data Protection Officer. January 25, 2017. https://iapp.org/resources/article/from-here-to-dpo-building-a-data-protection-officer.

IAPP. 2018 Privacy Tech Vendor Report. https://iapp.org/media/pdf/resource_center/2018TechVendorReport.pdf.

IAPP. 2019 Privacy Tech Vendor Report. https://iapp.org/media/pdf/resource_center/2019TechVendorReport.pdf.

IAPP. 2020 Privacy Tech Vendor Report. https://iapp.org/media/pdf/resource_center/2020TechVendorReport.pdf.

IAPP. “Global Comprehensive Privacy Law Mapping Chart.” April 2022. https://iapp.org/media/pdf/resource_center/global_comprehensive_privacy_law_mapping.pdf.

IAPP. “Glossary of Privacy Terms.” https://iapp.org/resources/glossary/.

IAPP. IAPP-EY Annual Privacy Governance Report 2019. https://iapp.org/resources/article/iapp-ey-annual-governance-report-2019/.

IAPP. IAPP-FTI Consulting Privacy Governance Report 2020. https://iapp.org/media/pdf/resource_center/IAPP_FTIConsulting_2020PrivacyGovernanceReport.pdf.

IAPP. Privacy Tech Vendor Report. https://iapp.org/resources/article/privacy-tech-vendor-report/.

IAPP. “Top-5 Operational Impacts of China’s PIPL.” March 2022. https://iapp.org/resources/article/top-5-operational-impacts-of-chinas-pipl/.

Ke, Xu, Vicky Liu, Yan Luo, and Zhijing Yu. “Analyzing China’s PIPL and how it compares to the EU’s GDPR.” IAPP. August 24, 2021. https://iapp.org/news/a/analyzing-chinas-pipl-and-how-it-compares-to-the-eus-gdpr/.

“Mission Statement.” An Coimisiún um Chosaint Sonraí | Data Protection Commission. www.dataprotection.ie/en/who-we-are/mission-statement.

Monteiro, Renato. “The new Brazilian General Data Protection Law—A detailed analysis.” IAPP. August 15, 2018. https://iapp.org/news/a/the-new-brazilian-general-data-protection-law-a-detailed-analysis/.

OCEG. “What is GRC?” Accessed March 18, 2020. http://www.oceg.org/about/what-is-grc.

Rippy, Sarah. “Top-5 operational impacts of Brazil’s LGPD: Part 4 – DPOs.” Privacy Tracker (IAPP), November 12, 2020. https://iapp.org/news/a/top-5-operational-impacts-of-brazils-lgpd-part-4-data-protection-officers/.

Shaw, Thomas. “What Skills Should Your DPO Absolutely Have?” The Privacy Advisor (IAPP), January 24, 2017. https://iapp.org/news/a/what-skills-should-your-dpo-absolutely-have.

Tech Donut. “Sample Data Protection Policy Template.” Accessed March 16, 2020. https://iapp.org/resources/article/sample-data-protection-policy-template-2/.

Transcend. “RACI Framework for Effective Privacy Programs.” Accessed October 17, 2023. https://transcend.io/raci-framework-privacy-programs.

“What is the difference between a mission and a vision statement?” Mission Statements. Accessed January 19, 2022. https://www.missionstatements.com/guide-to-mission-and-vision-statements/what-is-the-difference-between-vision-and-mission.html.

MODULE 3

“California Consumer Privacy Act (CCPA).” Office of the Attorney General, State of California Department of Justice. Updated January 20, 2023. https://oag.ca.gov/privacy/ccpa.

Comparing Privacy Laws: GDPR v. LGPD. DataGuidance by OneTrust. https://www.dataguidance.com/sites/default/files/gdpr_v_lgpd_revised_edition.pdf.

Cosgrove, Cathy. “Top-10 Operational Impacts of the CPRA: Part 2—Defining ‘business’ under the law.” Privacy Advisor, IAPP, December 22, 2020. https://iapp.org/news/a/cpras-top-operational-impacts-part-2-defining-business/.

EDPB. “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.” June 18, 2021. https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en.

European Commission. “Standard contractual clauses for international transfers.” June 4, 2021. https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.

“Global Comprehensive Privacy Law Mapping Chart.” IAPP. https://iapp.org/resources/article/global-comprehensive-privacy-law-mapping-chart/.

https://ethics.berkeley.edu/privacy/international-privacy-laws

https://gdpr-info.eu/art-3-gdpr/

https://iapp.org/news/a/what-does-ai-need-a-comprehensive-federal-data-privacy-and-security-law/

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/controllers-and-processors/what-are-controllers-and-processors/

https://secureprivacy.ai/blog/what-are-the-international-privacy-laws

https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf

IAPP. Privacy and AI Governance Report. January 2023. https://iapp.org/media/pdf/resource_center/privacy_ai_governance_report.pdf.

IAPP. “CCPA and CPRA.” https://iapp.org/resources/topics/ccpa-and-cpra/.

IAPP. California Privacy Rights Act infographic. https://iapp.org/media/pdf/resource_center/iapp_top_10_impactful_provsions_cpra_ballot_initiative.pdf.

IAPP. CCPA Online Training. “Module 6: GDPR Compliance and the CCPA.”

IAPP. Directory of DPAs. https://iapp.org/resources/dpa/.

IAPP. GDPR Awareness Guide. September 27, 2017. https://iapp.org/resources/article/gdpr-awareness-guide.

OneTrust. PrivacyConnect: CCPA & GDPR Community. U.S. Reference Handbook, 2019. https://www.onetrust.com/.

Office of the Privacy Commissioner of Canada. “Guidelines for Processing Personal Data Across Borders.” January 2009. https://www.priv.gc.ca/en/privacy-topics/personal-information-transferred-across-borders/gl_dab_090127.

Rodriguez, Deidre. “10 Steps to a Quality Privacy Program: Part One.” 10 vols. The Privacy Advisor (IAPP), June 24, 2013. https://iapp.org/news/a/10-steps-to-a-quality-privacy-program-part-one/.

Monteiro, Renato Leite. “GDPR Matchup: Brazil’s General Data Protection Law.” Privacy Tracker, IAPP, October 4, 2018. https://iapp.org/news/a/gdpr-matchup-brazils-general-data-protection-law/.

Siegel, Bob. “For a Successful Privacy Program, Use These Three A’s.” The Privacy Advisor (IAPP), February 22, 2016. https://iapp.org/news/a/for-a-successful-privacy-program-use-these-three-as.

MODULE 4

“8 Criteria to Ensure You Select the Right Cloud Service Provider.” Cloud Industry Forum. Accessed April 2021. https://cloudindustryforum.org/8-criteria-to-ensure-you-select-the-right-cloud-service-provider/.

Article 29 Working Party. Guidelines on Data Protection Impact Assessment (DPIA). Revised October 4, 2017. http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236.

Campello, Tatiana, Eduardo Magrani, and Kelvin Williamson. “Brazilian SGD publishes guidelines for compliance with LGPD.” IAPP. February 19, 2021. https://iapp.org/news/a/brazilian-sgd-publishes-guidelines-for-compliance-with-the-lgpd/.

Dietrich, Eric and Ana Rodgers. “Building a Privacy Program from Ground Zero.” Recorded June 22, 2015 at the IAPP Canada Privacy Symposium, Toronto, ON. IAPP: Portsmouth, NH. Reprise web conference. https://iapp.org/resources/article/building-a-privacy-program-from-ground-zero.

EDPB. Statement of the EDPB on the data protection impacts of economic concentration. https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_economic_concentration_en.pdf.

EDPB. Statement on privacy implications on mergers. https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_privacyimplicationsofmergers_en.pdf.

“How to Conduct a Legitimate Interests Assessment (LIA)?” Data Privacy Manager. https://dataprivacymanager.net/what-is-lia-legitimate-interests-assessment-and-how-to-conduct-it/.

https://bigid.com/blog/pia-vs-dpia/

https://carbidesecure.com/resources/pia-v-dpia-what-is-the-difference-under-gdpr/

https://www.aphis.usda.gov/aphis/resources/lawsandregs/privacy-act/pta-pia-sorn/pta-pia-sorn

IAPP. 2022 Privacy Tech Vendor Report. https://iapp.org/resources/article/privacy-tech-vendor-report/.

IAPP. Data Protection and Privacy Impact Assessments. https://iapp.org/resources/topics/privacy-impact-assessment-2/#samples,-templates-and-forms.

IAPP and OneTrust. “PIAs and Data Mapping – Operationalizing GDPR and Privacy by Design.” Web Conference. Recorded August 24, 2016. https://iapp.org/resources/article/pias-and-data-mapping-operationalizing-gdpr-and-privacy-by-design.

IAPP and TRUSTe. “Preparing for the GDPR: DPOs, PIAs, and Data Mapping.” 2016. https://iapp.org/resources/article/preparing-for-the-gdpr-dpos-pias-and-data-mapping/.

“Legitimate interests.” ICO. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/.

Royal, K and Pedro Pavón. “Third-Party Vendor Management Means Managing Your Own Risk.” 10 vols. The Privacy Advisor (IAPP), 2014–2015. https://iapp.org/resources/article/third-party-vendor-management-means-managing-your-own-risk-3/.

“Sample LIA Template.” ICO. https://ico.org.uk/media/for-organisations/forms/2258435/gdpr-guidance-legitimate-interests-sample-lia-template.docx.

Siegel, Bob. “Accountability and Adaptability: Two of the Three ‘A’s of a Successful Privacy Program.” The Privacy Advisor (IAPP), May 23, 2016. https://iapp.org/news/a/accountability-and-adaptability-two-of-the-three-as-of-a-successful-privacy-program/.

Swire, Peter P., and Kenesa Ahmad. Foundations of Information Privacy and Data Protection. Edited by Terry McQuay. Portsmouth: IAPP, 2012.

“Transfer Impact Assessment Templates.” IAPP. https://iapp.org/resources/article/transfer-impact-assessment-templates/.

MODULE 5

Bracy, Jedidiah. “World’s first global privacy management standard hits the mainstream.” IAPP. August 20, 2019. https://iapp.org/news/a/worlds-first-global-privacy-management-standard-hits-the-mainstream/.

Dietrich, Eric and Ana Rodgers. “Building a Privacy Program from Ground Zero.” Recorded June 22, 2015 at the IAPP Canada Privacy Symposium, Toronto, ON. IAPP: Portsmouth, NH. Reprise web conference. https://iapp.org/resources/article/building-a-privacy-program-from-ground-zero.

European Union. General Data Protection Regulation. Adopted 2016. http://eur-lex.europa.eu/eli/reg/2016/679/oj.

Fennessy, Caitlin. “Microsoft launches open-source privacy mapping tool.” IAPP. February 21, 2020. https://iapp.org/news/a/microsoft-launches-open-source-privacy-mapping-tool/.

Hill, Kashmir. “How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did.” Forbes. February 16, 2012. https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/#564b2a7f6668.

Hoepman, Jaap-Henk. Privacy Design Strategies (The Little Blue Book). 2020. http://www.cs.ru.nl/~jhh/publications/pds-booklet.pdf.

https://oecd.ai/en/ai-principles

IAPP. https://iapp.org/resources/article/privacy-by-design-the-7-foundational-principles/

IAPP. “What does privacy mean?” https://iapp.org/about/what-is-privacy/.

IAPP and OneTrust Research. “Bridging ISO 27001 to GDPR.” March 2018. https://iapp.org/resources/article/iapp-onetrust-research-bridging-iso-27001-to-gdpr/.

IAPP and TRUSTe. “How IT and InfoSec Value Privacy.” March 2016. https://iapp.org/resources/article/how-it-and-infosec-value-privacy/.

Oltermann, Philip. “German Parents Told to Destroy Doll That Can Spy on Children.” Guardian. February 17, 2017. https://www.theguardian.com/world/2017/feb/17/german-parents-told-to-destroy-my-friend-cayla-doll-spy-on-children.

“Succeeding at the Intersection of Security and Privacy.” Virtru. 2019. https://iapp.org/media/pdf/resource_center/virtru_whitepaper_intersection_security_privacy.pdf.

Sweeney, Grace. “Privacy-invading Software Scans Your Babysitter’s Social History.” Softonic. January 22, 2019. https://en.softonic.com/articles/predictim-babysitter-scanning.

Tang, Andrea. “Privacy Risk Management.” ISACA Journal 4 (June 30, 2020). https://www.isaca.org/resources/isaca-journal/issues/2020/volume-4/privacy-risk-management#f14.

Thierer, Adam. “CES 2015 Dispatch: Challenges Multiply for Privacy Professionals, Part One.” Privacy Perspectives (IAPP), January 13, 2015. https://iapp.org/news/a/ces-2015-dispatch-challenges-multiply-for-privacy-professionals-part-one/.

MODULE 6

Association of Washington Public Hospital Districts. Information Systems Access Policy. https://iapp.org/media/pdf/resource_center/AWPHD-ISaccess.pdf.

Bustin, Kim. “Practical Strategies for Creating a Privacy Culture in Your Organization.” The Privacy Advisor (IAPP), September 1, 2010. Accessed May 22, 2017. https://iapp.org/news/a/2010-08-24-strategies-for-creating-a-privacy-culture-in-your-organization/.

Dietrich, Eric and Ana Rodgers. “Building a Privacy Program from Ground Zero.” Recorded June 22, 2015 at the IAPP Canada Privacy Symposium, Toronto, ON. IAPP: Portsmouth, NH. Reprise web conference. https://iapp.org/resources/article/building-a-privacy-program-from-ground-zero.

IAPP. California Consumer Privacy Act. https://iapp.org/resources/topics/california-consumer-privacy-act/.

IAPP. Organizational Privacy Policies. https://iapp.org/resources/topics/organizational-privacy-policies/.

Loyola University. “Cloud Computing Policy.” Accessed March 19, 2020. https://luc.edu/its/aboutits/itspoliciesguidelines/cloud_computing_policy.shtml.

Northwestern University. Data Access Policy. http://www.it.northwestern.edu/policies/dataaccess.html.

Pahl, Chris. “Building a Program that Provides Value: Making Your Communication Matter.” 4 vols. The Privacy Advisor (IAPP), November 29, 2016. https://iapp.org/news/a/building-a-program-that-provides-value-making-your-communication-matter/.

Perot, Trista. “Developing an Effective Data Retention Policy.” 3 vols. Global Data Vault. June 2012. https://www.globaldatavault.com/blog/data-backup-developing-an-effective-data-retention-policy/.

Royal, K, and Pedro Pavon. “Third-Party Vendor Management Means Managing Your Own Risk.” 10 vols. The Privacy Advisor (IAPP), 2014–2015. https://iapp.org/resources/article/third-party-vendor-management-means-managing-your-own-risk-3/.

Tech Donut. “Sample Data Protection Policy Template.” Accessed May 3, 2017. https://iapp.org/resources/article/sample-data-protection-policy-template-2/.

MODULE 7

Carson, Angelique. “How to Measure Your Privacy Program, Step-by-Step.” The Privacy Advisor (IAPP), May 16, 2014. https://iapp.org/news/a/how-to-measure-your-privacy-program-step-by-step/.

IBM. “Business Resilience: The Best Defense Is a Good Offense.” January 2009. https://docplayer.net/18554573-Business-resilience-the-best-defense-is-a-good-offense.html.

IAPP. Template: DPO Report to Management. https://iapp.org/media/pdf/resource_center/DPO_Report_Template.pdf.

Pahl, Chris. “Building a Program that Provides Value: Using Meaningful Metrics.” 3 vols. The Privacy Advisor (IAPP), September 26, 2016. https://iapp.org/news/a/building-a-program-that-provides-value-using-meaningful-metrics/.

MODULE 8

Siegel, Bob. “6 Ways Privacy Awareness Training Will Transform Your Staff.” IAPP. February 2018. https://iapp.org/resources/article/6-ways-privacy-awareness-training-will-transform-your-staff/.

MODULE 9

Bowen, Nerushka. “After 7-year wait, South Africa’s Data Protection Act enters into force.” IAPP. July 1, 2020. https://iapp.org/news/a/after-a-7-year-wait-south-africas-data-protection-act-enters-into-force/.

Bryant, Jennifer. “China’s PIPL takes effect, compliance ‘a challenge.’” IAPP. November 1, 2021. https://iapp.org/news/a/chinas-pipl-takes-effect-compliance-a-challenge/.

European Union. General Data Protection Regulation. Adopted 2016. http://eur-lex.europa.eu/eli/reg/2016/679/oj.

IAPP. “CCPA and CPRA.” https://iapp.org/resources/topics/ccpa-and-cpra/.

IAPP. “Understanding China’s New Personal Information Protection Law.” September 2, 2021. https://iapp.org/news/a/understanding-chinas-new-personal-information-protection-law/.

Information Commissioner’s Office (UK). Consultation: GDPR Consent Guidance. March 2–31, 2017. https://iapp.org/media/pdf/resource_center/ICO-gdpr-consent-guidance.pdf.

Information Commissioner’s Office (UK). Lawfulness, fairness and transparency. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/lawfulness-fairness-and-transparency.

Information Commissioner’s Office (UK). Privacy Notices, Transparency and Control: A Code of Practice on Communicating Privacy Information to Individuals. October 7, 2016. Accessed March 19, 2020. https://webarchive.nationalarchives.gov.uk/20180524152948/https://ico.org.uk/media/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control-1-0.pdf.

Ke, Xu, Vicky Liu, Yan Luo, and Zhijing Yu. “Analyzing China’s PIPL and how it compares to the EU’s GDPR.” IAPP. August 24, 2021. https://iapp.org/news/a/analyzing-chinas-pipl-and-how-it-compares-to-the-eus-gdpr/.

National Cybersecurity Alliance. https://staysafeonline.org/.

Office of the Privacy Commissioner of Canada. “Guidelines for Obtaining Meaningful Consent.” May 2018. https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/.

“POPIA: Protection of Personal Information Act.” https://popia.co.za/section-5-rights-of-data-subjects/.

MODULE 10

Holmes, Dennis. “Managing Your Data Breach: Seven Steps to Breach Preparedness.” IAPP Resource Center. https://iapp.org/resources/article/managing-your-data-breach-seven-steps-to-breach-preparedness/.

https://assets.publishing.service.gov.uk/media/5a7b2a3de5274a34770e9dd0/Impact-Assessment-template-14-Dec-11_0.doc

https://ebrp.net/incident-management-101-assessment/

IBM Security. Cost of a Data Breach Report 2023. https://www.ibm.com/reports/data-breach.

Verizon. 2024 Data Breach Investigations Report. https://verizon.com/business/resources/reports/dbir/.

PRIVACY PROGRAM MANAGEMENT
Body of Knowledge Mapping

(Min/Max = minimum and maximum number of exam questions for the domain or competency; Module = the module(s) of this guide that cover the performance indicator.)

Domain I: Privacy Program: Developing a Framework (Min 14, Max 18)

Domain I – Privacy Program: Developing a Framework documents the preliminary tasks required to create a solid foundation for the privacy program, the purposes of the program and who is responsible for the program. It focuses on establishing the privacy program governance model within the context of the organization’s privacy strategy. As each organization may have its own needs, the model could vary among organizations.

Competencies, performance indicators and modules

I.A Define program scope & develop a privacy strategy (Min 4, Max 6)
• Choose applicable governance model (Module 2)
• Identify the source, types and uses of personal information (PI) within the organization (Module 2)
• Define the structure of the privacy team (Module 2)
• Identify stakeholders and internal partners (Module 2)
• Understand the organization’s business strategy and risk appetite (Module 2)

I.B Communicate organizational vision and mission statement (Min 4, Max 6)
• Create awareness of the organization’s privacy program internally and externally (Modules 2, 6)
• Ensure employees have access to policies and procedures and updates relative to their role(s) (Modules 2, 6)
• Adopt privacy program vocabulary (e.g., incident vs breach) (Module 2)

I.C Indicate in-scope laws, regulations and standards applicable to the program (Min 5, Max 7)
• Understand territorial, sectoral and industry regulations, laws, codes of practice and/or self-certification mechanisms (Modules 3, 9)
• Understand penalties for non-compliance (Modules 3, 9)
• Understand scope and authority of oversight agencies (Module 3)
• Understand privacy implications and territorial scope when doing business or basing operations in other countries with differing privacy laws (Module 3)
• Understand the privacy risks posed by the use of AI in the business environment (Module 5)

Domain II: Privacy Program: Establishing Program Governance (Min 12, Max 16)

Domain II – Privacy Program: Establishing Program Governance identifies how the privacy requirements will be implemented across the organization through all stages of the privacy life cycle. The Domain focuses on the roles, responsibilities and training requirements of the various stakeholders, and the policies and procedures that will be followed to ensure continuous compliance.

Competencies, performance indicators and modules

II.A Create policies and processes to be followed across all stages of the privacy program life cycle (Min 6, Max 8)
• Establish the organizational model, responsibilities, and reporting structure appropriate to size of organization (Module 2)
• Define policies appropriate for the data processed by the organization, taking into account legal and ethical requirements (Modules 2, 6)
• Identify collection points considering transparency requirements and data quality issues around collection of data (Modules 2, 6)
• Create a plan for breach management (Module 10)
• Create a plan for complaint handling procedures (Module 9)
• Create data retention and disposal policies and procedures (Module 6)

II.B Clarify roles and responsibilities (Min 1, Max 3)
• Define roles and responsibilities of privacy team and stakeholders (Module 1)
• Define the roles and responsibilities for managing the sharing and disclosure of data for internal and external use (Module 6)
• Define roles and responsibilities for breach response by function, including stakeholders and their accountability to various internal and external partners (e.g., detection teams, IT, HR, vendors, regulators, oversight teams) (Module 10)

II.C Define privacy metrics for oversight and governance (Min 2, Max 4)
• Create metrics per audience and/or identify intended audience for metrics with clear processes describing purpose, value and reporting of metrics (Module 7)
• Understand purposes, types and life cycles of audits in evaluating effectiveness of controls throughout organization’s operations, systems and processes (Module 7)
• Establish monitoring and enforcement systems to track multiple jurisdictions for changes in privacy law to ensure continuous alignment (Module 7)

II.D Establish training and awareness activities (Min 1, Max 3)
• Develop targeted employee, management, and contractor trainings at all stages of the privacy life cycle (Modules 4, 8)
• Create continuous privacy program activities (e.g., education and awareness, monitoring internal compliance, program assurance, including audits, complaint handling procedures) (Modules 6, 7, 8, 9)

Domain III: Privacy Program Operational Life Cycle: Assessing Data (Min 12, Max 16)

Domain III – Privacy Program Operational Life Cycle: Assessing Data encompasses how to identify and minimize privacy risks and assess the privacy impacts associated with an organization’s systems, processes, and products. Addressing potential problems early will help to establish a more robust privacy program.

Competencies, performance indicators and modules

III.A Document data governance systems (Min 3, Max 5)
• Map data inventories, map data flows, map data life cycle and system integrations (Module 4)
• Measure policy compliance against internal and external requirements (Module 6)
• Determine desired state and perform gap analysis against an accepted standard or law (Module 4)

III.B Evaluate processors and third-party vendors (Min 1, Max 3)
• Identify and assess risks of outsourcing the processing of personal data (e.g., contractual requirements and rules of international data transfers) (Modules 3, 4)
• Carry out assessments at the most appropriate functional level within the organization (e.g., procurement, internal audit, information security, physical security, data protection authority) (Module 4)

III.C Evaluate physical and environmental controls (Min 0, Max 2)
• Identify operational risks of physical locations (e.g., data centers and offices) and physical controls (e.g., document retention and destruction, media sanitization and disposal, device forensics and device security) (Modules 4, 5)

III.D Evaluate technical controls (Min 3, Max 5)
• Identify operational risks of digital processing (e.g., servers, storage, infrastructure and cloud) (Module 5)
• Review and set limits on use of personal data (e.g., role-based access) (Module 5)
• Review and set limits on records retention (Module 6)
• Determine the location of data, including cross-border data flows (Module 4)
• Collaborate with relevant stakeholders to identify and evaluate technical controls (Module 5)

III.E Evaluate risks associated with shared data in mergers, acquisitions, and divestitures (Min 2, Max 4)
• Complete due diligence procedures (Module 4)
• Evaluate contractual and data sharing obligations, including laws, regulations and standards (Module 4)
• Conduct risk and control alignment (Module 4)

Domain IV: Privacy Program Operational Life Cycle: Protecting Personal Data (Min 9, Max 13)

Domain IV – Privacy Program Operational Life Cycle: Protecting Personal Data outlines how to protect data assets during use through the implementation of effective privacy and security controls and technology. Regardless of size, geographic location, or industry, data must be physically and virtually secure at all levels of the organization.

Competencies, performance indicators and modules

IV.A Apply information security practices and policies (Min 4, Max 6)
• Classify data to the applicable classification scheme (e.g., public, confidential, restricted) (Modules 4, 6)
• Understand purposes and limitations of different controls (Module 5)
• Identify risks and implement applicable access controls (Module 5)
• Use appropriate technical, administrative and organizational measures to mitigate any residual risk (Module 5)

IV.B Integrate the main principles of Privacy by Design (PbD) (Min 1, Max 3)
• Integrate privacy throughout the System Development Life Cycle (SDLC) (Module 5)
• Integrate privacy throughout the business process (Module 5)

IV.C Apply organizational guidelines for data use and ensure technical controls are enforced (Min 3, Max 5)
• Verify that guidelines for secondary uses of data are followed (Modules 6, 9)
• Verify that the safeguards such as vendor and HR policies, procedures and contracts are applied (Module 5)
• Ensure applicable employee access controls and data classifications are in use (Module 5)
• Collaborate with privacy technologists to enable technical controls for obfuscation, data minimization, security and other privacy-enhancing technologies (Module 5)

Domain V: Privacy Program Operational Life Cycle: Sustaining Program Performance (Min 7, Max 9)

Domain V – Privacy Program Operational Life Cycle: Sustaining Program Performance details how the privacy program is sustained using pertinent metrics and auditing procedures. As an organization moves through the cycles of managing their privacy program, it is important to ensure that all processes and procedures are functioning effectively and are replicable going forward.

Competencies, performance indicators and modules

V.A Use metrics to measure the performance of the privacy program (Min 1, Max 3)
• Determine appropriate metrics for different objectives and analyze data collected through metrics (e.g., trending, ROI, business resiliency, PMM) (Module 7)
• Collect metrics to link training and awareness activities to reductions in privacy events and continuously improve the privacy program based on the metrics collected (Modules 7, 8)

V.B Audit the privacy program (Min 1, Max 3)
• Understand the types, purposes, and life cycles of audits in evaluating effectiveness of controls throughout organization’s operations, systems and processes (Module 7)
• Select applicable forms of monitoring based upon program goals (e.g., audits, controls, sub-contractors) (Module 7)
• Complete compliance monitoring through auditing of privacy policies, controls, and standards, including against industry standards, regulatory and/or legislative changes (Module 7)

V.C Manage continuous assessment of the privacy program (Min 3, Max 5)
• Conduct risk assessments on systems, applications, processes, and activities (Module 4)
• Understand the purpose and life cycle for each assessment type (e.g., PIA, DPIA, TIA, LIA, PTA) (Module 4)
• Implement risk mitigation and communications with internal and external stakeholders after mergers, acquisitions, and divestitures (Module 4)

Domain VI: Privacy Program Operational Life Cycle: Responding to Requests and Incidents (Min 10, Max 14)

Domain VI – Privacy Program Operational Life Cycle: Responding to Requests and Incidents documents the activities involved in responding to privacy incidents and the rights of data subjects. Based upon the applicable territorial, sectoral and industry laws and regulations, organizations must ensure proper processes for information requests, privacy rights and incident responses.

Competencies, performance indicators and modules

VI.A Respond to data subject access requests and privacy rights (Min 5, Max 7)
• Ensure privacy notices and policies are transparent and clearly articulate data subject rights (Module 9)
• Comply with organization’s privacy policies around consent (e.g., withdrawals of consent, rectification requests, objections to processing, access to data and complaints) (Module 9)
• Understand and comply with established international, federal, and state legislations around data subject’s rights of control over their personal information (e.g., GDPR, HIPAA, CAN-SPAM, FOIA, CCPA/CPRA) (Modules 3, 9)

VI.B Follow organizational incident handling and response procedures (Min 3, Max 5)
• Conduct an incident impact assessment (Module 10)
• Perform containment activities (Module 10)
• Identify and implement remediation measures (Module 10)
• Communicate to stakeholders in compliance with jurisdictional, global and business requirements (Module 10)
• Engage privacy team to review facts, determine actions and execute plans (Module 10)
• Maintain an incident register and associated records of the incident (Module 10)

VI.C Evaluate and modify current incident response plan (Min 1, Max 3)
• Carry out post-incident reviews to improve the effectiveness of the plan (Module 10)
• Implement changes to reduce the likelihood and/or impact of future breaches (Module 10)
Ready to get certified?
Leave the stress and pass the test

Providing you with respected credentials requires a rigorous certification process that includes demanding exams. IAPP exams have a reputation for being difficult to pass on the first try. We strongly recommend careful preparation, even for degreed professionals who have passed other certification tests.

Preparation makes all the difference. In general, we recommend that you train and study for a minimum of 30 hours.

We want you to succeed. Please take advantage of this advice and IAPP resources to get through exams with as little anxiety as possible.

Tips for effective studying

Completing a training course does not guarantee passing an exam. Additional preparation is essential, so:

• Self-assess—The IAPP offers resources for determining how ready you are for the exam:
  1. The body of knowledge is an outline of the information covered in the exam. Use it to identify topics you are and are not familiar with.
  2. The exam blueprint, incorporated into the body of knowledge document, tells you the minimum and maximum number of questions to expect on each competency, or topic. Use it to map out a study strategy — allowing more time for topics with many questions, for example.
  You can find a link to the body of knowledge and exam blueprint at iapp.org/certify/get-certified/cipm/.

• Read the textbook—Textbooks are available in the IAPP store at store.iapp.org/books/.
  Start by reading the table of contents. Note which topics are new to you. That will give you a feel for how much study and review time you need. When you start reading:
  1. Highlight important points in each chapter.
  2. Copy out key passages; it will help you remember them.
  3. Review each chapter to make sure you have captured the key points before moving on.

• Create flashcards — As you read your textbook, articles, web pages, etc., copy new terms onto notecards. Write their definitions on the other side. Quiz yourself. Use the IAPP’s glossary of privacy terms to look up unfamiliar terms and make flash cards of them as well.

• Form a study group — Discussing the material with your coworkers and colleagues is a great way to remember material and understand it more deeply.

• Learn in context — It is easier and more interesting to learn a subject you are going to use in real life. IAPP publications and resources show how privacy affects our lives and businesses. Get familiar with news and issues by signing up for the IAPP’s Daily Dashboard, the Privacy Advisor podcast, or regional newsletters, such as the Europe Data Protection Digest.

• Use questions to find answers — Every training course comes with additional review questions to help you review what you have studied and identify weak areas. Re-read notes and chapters on those subjects. Ask your study partners questions. Search for articles that approach the subject from different directions.

• Take a practice exam — Official IAPP Practice Exams provide insight into how you might perform on your certification exam. Practice exams consist of 90 questions in the same format as official certification exams. Practice exams for most designations are available in the IAPP store.

Find this information, with hyperlinks to the relevant resources mentioned above, on the IAPP website at iapp.org/certify/prepare. Good luck!

Certified Information Privacy Manager (CIPM)
Certification Exam Details

This information sheet is for anyone interested in participating in CIPM certification.

Registration
Examinations are offered year-round.
• To purchase an exam, visit the IAPP store: https://store.iapp.org/certification/
• Exams must be scheduled AND completed within one year of purchase
• For more information, please visit Pearson Vue’s website: https://home.pearsonvue.com/iapp

Cost
• First-time test taker: $550
• Retake exams: $375

Preparation
The IAPP offers additional tools to help you prepare for certification at https://iapp.org/certify/get-certified/cipm/

• Body of Knowledge and Exam Blueprint: Lists possible exam topics and shows relative weight of topics on the exam
• Glossary of Privacy Terms

Official IAPP practice exams can be purchased here: https://iapp.org/train/practice-exam/. Developed by subject matter experts selected by the IAPP, practice exams are the same length and format as certification exams. We also encourage potential test takers to read our Certification Candidate Handbook here: iapp.org/certify/get-certified/.

Structure
All examinations consist of multiple-choice questions. Some items require reading a short scenario, then answering questions relating to that scenario.

• 90 questions
• Two hours 30 minutes allotted time

Scoring
All IAPP Certification Exams are pass-fail. If you do not pass, you will receive a scoring breakdown by topic to help identify areas requiring increased study should you choose to retake the exam. A 7-day wait is required from the date of your previous exam before testing again.

If you have additional questions or concerns, please contact [email protected].

IAPP Member Benefits At-a-Glance

Join over 80,000+ members in 100+ countries and gain access to the ultimate in resources for the privacy professional with an IAPP individual membership.

• Steep discounts on events, products and programs, including study materials for our globally recognized, ANAB/ISO-accredited certification programs.
• E-publications delivering top privacy news straight to your inbox.
• Access to members-only tools, research, articles, and more in our online Resource Center.
• Myriad of networking opportunities, including free KnowledgeNet Chapter meetings helping you connect locally.
• Free web conferences on critical issues in data privacy.
• Sought-after privacy salary surveys benchmarking compensation, roles and functions among privacy departments.
• The industry’s top privacy job board.
• Cooperative programs — your “in” — with other national and international organizations.
• Includes your Certification Maintenance Fee, keeping any IAPP certification in good standing.
• Advocacy for the privacy profession.
• My IAPP — your personal, customizable membership hub.
• A 200-person-strong IAPP staff, ready and able to help you achieve your professional goals.

News: You are busy. We make it easy to stay on top of the headlines.

Certify: IAPP certification is what employers want. We can help you advance your career and increase your earning potential.

Learn: Free web conferences give you instant access to the latest and greatest in privacy.

Connect: It is all about who you know. Targeted online and face-to-face networking opportunities give you access to the people you want to meet.

Resources: The newly revamped Resource Center is a one-stop-shop for practical tools and research to help you tackle your biggest challenges.

Talk to us. +1 603.427.9200 / [email protected]


Certificate of Attendance
For Privacy Program Management Live Training

Presented to:

Number of Credit Hours: 13

Date Attended:

J. Trevor Hughes
IAPP President & CEO

Top 10 ways IAPP certification benefits you and your enterprise

Advance your career, increase your earning potential, validate your data protection knowledge and make yourself indispensable at work. (This next bit is good to share with your boss.)

1. Earn certifications recognised as the global standard in the field of data protection.
2. Demonstrate your understanding of a principles-based framework and knowledge of information privacy.
3. Join more than 25,000 data protection practitioners valued for their knowledge, dedication and skill.
4. Elevate your leadership profile among your colleagues.
5. Open the door to higher earning potential with top employers hiring and promoting IAPP-certified professionals.
6. Train your functional area teams to prevent data breach incidents and reduce risks.
7. Improve compliance across your workplace and make it more cost-effective.
8. Avoid costly fixes and rework by applying privacy concepts and practices early in product development and engineering efforts.
9. Prepare staff to handle and communicate about potential breaches with customers, partners and regulators.
10. Conveniently deliver on-site training with IAPP’s distinguished faculty.

TAKE THE NEXT STEP

Ask for details on how to train and test for your certification by visiting iapp.org/about/contact/



Talk to us.
ASIA PACIFIC: [email protected]
EMEA: [email protected] / +32 (0)2 486 41 66
NORTH AMERICA: [email protected] / +1 603.427.9200
iapp.org/contact