Study Guide
Privacy Program Management
Created By: Molinge Teddy, Teaching Assistant
Module 1: Introduction
Lesson 1.1: Introduction
Skills Learned From This Lesson: Develop a Privacy Program, Privacy Program Framework,
Privacy Operational Lifecycle.
● Course Outline
○ Module 1: Introduction.
○ Module 2: Privacy Strategy and Program.
○ Module 3: Privacy Program Operational Elements.
○ Module 4: Summary.
● Introducing the Instructor.
● Learning Objectives
○ Develop a Privacy Program.
○ Understand a Privacy Program Framework.
○ Understand the Privacy Operational Lifecycle.
● Target Audience
○ Chief Privacy Officers.
○ Chief Information or Data Officers.
○ Data Protection Officers.
○ Privacy Managers.
○ Privacy Professionals.
○ Lawyers.
○ Paralegals.
○ Privacy Technicians.
○ Information Technology Professionals.
● WIIFM - What’s In It For Me?
○ Knowledge is Empowering.
○ Confidence.
○ Validation.
 
Brought to you by: Develop your team with the fastest growing catalog in the
cybersecurity industry. Enterprise-grade workforce development
management, advanced training features and detailed skill gap and
competency analytics.

○ Resources.
○ Meet New People.
● Module Summary.
○ Introduced the Instructor.
○ Reviewed course materials.
○ Discussed learning objectives.
○ Overview of target audience.
○ Explored the WIIFM for course attendees.

Module 2: Privacy Strategy and Program


Lesson 2.1: Role of the Privacy Manager
Skills Learned From This Lesson: Develop a Privacy Program, Understand a Privacy Program
Framework, Functions of a Privacy Program, Responsibilities of a Privacy Manager, Goals of a
Privacy Program.
● Learning Objectives
○ Explore what it means to be a Privacy Manager.
○ Understand the goals and functions of a Privacy Program.
● Responsibilities of a Privacy Manager
○ Identify privacy obligations for the organization.
○ Identify business, employee and customer privacy risks.
○ Identify existing documentation and implement policies.
○ Awareness and training.
○ Incident response.
○ Privacy tech controls and monitoring.
○ Privacy impact assessments.
○ Development of staff.
○ Design and production management.
○ Vendor management.
○ Metrics and audits.
○ Cross-border data transfers.
○ Monitor legislative change.
● What’s Privacy Program Management?

 
○ “Structured approach of combining several disciplines into a framework that
allows an organization to meet legal compliance requirements and expectations
of business clients or customers while reducing the risk of a data breach.” -
Privacy Program Management, Second Edition, by the IAPP.
● Goal of a Privacy Program
○ Promote consumer trust and confidence.
○ Enhance the organization’s reputation.
○ Facilitate program awareness.
○ Respond to privacy breaches.
○ Monitor and maintain the program.
● Functions included in Privacy Program
○ Information Security.
○ Information Technology.
○ Application Development.
○ Communications.
○ Procurement.
○ Internal Audit.
○ Learning and Training.
○ Human Resources.
○ Marketing.
○ Finance and Accounting.
● Why is a Privacy Program needed?
○ Reduce risk of a data breach.
○ Comply with regulations.
○ Brand enhancement and reputation management.
○ Improve value and quality of data.
○ Competitive differentiator.
○ Cross-selling and direct marketing of data responsibly.
○ Reduce risk of employee and consumer lawsuits.
● Lesson Summary
○ Discussed responsibilities of a Privacy Manager.
○ Explored the benefits of a Privacy Program.
○ Reviewed functions of a Privacy Program.

 
Lesson 2.2: Review Privacy Manager Job Description


Skills Learned From This Lesson: Analyze Privacy Manager Job Descriptions - US, Analyze
Privacy Manager Job Descriptions - UK, Analyze Privacy Manager Job Descriptions - AU.

● Learning Objectives
○ Analyze Privacy Manager Job Descriptions - US.
○ Analyze Privacy Manager Job Descriptions - UK.
○ Analyze Privacy Manager Job Descriptions - AU.
● Job Description in Washington DC, US.
○ Privacy Manager (Annual salary: $100,000 - $125,000).
■ Assist in and manage the preparation, maintenance and implementation
of data privacy policies and standard operating procedures.
■ Deliver data insights and trends throughout in order to support privacy by
design.
■ Develop processes for on-boarding and review of vendors in compliance
with privacy requirements, as well as processes for auditing existing
vendors.
■ Implement the use of privacy impact assessment and architect solutions
to drive PIAs and DPIAs at scale in conjunction with IT and supply
management.
■ Develop IT-based solutions for processing data subject access requests.
■ Partner with cybersecurity, IT, regulatory affairs and enterprise risk
management to help manage risk exposure.
■ Maintain professional and technical knowledge by attending
conferences, educational workshops, reviewing professional publications,
and establishing personal networks.
■ Lead the Privacy Council in addressing new challenges, evolving our
policy positions, and help a large cross-functional group make decisions
on how best to maintain our position as one of the location intelligence
industry’s privacy thought leaders.
■ Assess the global privacy framework in collaboration with the Product
and Engineering Teams, including internal and external privacy policies,
GDPR compliance, and US, Canada, Mexico and Australia privacy law
compliance.

● Job Description in London, UK


○ Privacy Program Manager
■ Manage cross-functional privacy review process for new products and
features.
■ Track and document new product proposals, status updates, and key
decisions.
■ Work with product managers and other privacy stakeholders to develop
and drive consensus around creative solutions to privacy-by-design
challenges.
■ Facilitate discussion and coordination among product managers and
privacy stakeholders across the company.
■ Bachelor in Business, Management, Marketing, and Related Support
Services.
■ Extensive experience in product privacy or technology law, policy,
programs, or other related field.

● Job Description in Australia


○ Senior Privacy Officer
■ Providing privacy advice to the organisation.
■ Undertaking all activities relating to the development, implementation,
communication, maintenance and adherence to our organisation’s
policies and procedures in compliance with all legal and regulatory
requirements in Australia and other relevant jurisdictions.
■ Coordinating the handling of internal and external privacy enquiries and
privacy complaints, including liaising with the Fund’s third party
administrator and strategic third party service providers.
■ Resolving escalated privacy complaints, including verbal and written
correspondence directly with aggrieved members, and resolution through
mediation and agreed settlements.
■ Reviewing and amending precedent documents relating to privacy,
including privacy and data security clauses in precedent agreements.

 
■ Developing and providing privacy training to the Trustee’s staff and other
stakeholders to enhance privacy awareness and decision making in
relation to privacy.

● Lesson Summary
○ Reviewed three different job descriptions around the globe.
○ Discussed similarities and differences in those job descriptions.

Lesson 2.3: Developing a Strategy and Vision


Skills Learned From This Lesson: Develop a Privacy Strategy, Create a Vision, Executive
Approval.

● Learning Objectives
○ Developing a Strategy.
○ Developing a Vision.
○ Gaining Approval.
● Developing a privacy strategy
○ Business Alignment.
○ Finalize Operational business case for privacy.
○ Identify stakeholders.
○ Leverage key functions.
○ Create a process for interacting with the community.
○ Align and adjust culture.
○ Obtain funding.
○ Develop statements on the collection, authorized use, access, and destruction
of information.
○ Privacy inquiry/complaint handling.
○ Program flexibility due to external factors.
● Create a Vision
○ Privacy vision should align with the organization's objectives.
○ Provide feedback to key stakeholders.
○ Short and succinct - a few sentences at most, about 30 seconds to read.
● Vision Example

 
○ The Stanford University Privacy Office works to protect the privacy of university,
employee, patient, and other confidential information. Our office helps to ensure
proper use and disclosure of such information, as well as foster a culture that
values privacy through awareness. The Privacy Office provides meaningful advice
and guidance on privacy “Best Practices” and expectations for the University
community.
● Executive Approval
○ Vision can and should be approved before an actual program is developed.
○ Vision can be amended before the program is running.
○ C-Level and Board of Directors should provide written approval of the vision.
● Evaluate the Objective
○ Is the vision attainable?
○ What major obstacles exist?
○ Is funding required?
○ Does the vision reach all stakeholders?
● Lesson Summary
○ Discussed developing a privacy strategy and vision.
○ Discussed the importance of organizational structure and approval.

Lesson 2.4: Establish a Program Data Governance Model


Skills Learned From This Lesson: Understanding Centralization of Data Governance,
Understanding Decentralization of Data Governance, Understanding Potential Hybrid Solutions.

● Learning Objectives
○ Understanding Centralization of Data Governance.
○ Understanding Decentralization of Data Governance.
○ Understanding Potential Hybrid Solutions.
● Centralized - Local (Decentralized) - Hybrid
○ Regardless of the model chosen it should ensure information is controlled and
distributed to decision-makers.
○ Centralized - One person in charge allowing for direction to flow from a single
source.
○ Local (Decentralized) - Decisions are made locally, where fewer tiers of
leadership exist, allowing for a wider span of control.

 
○ Hybrid - Combination of centralized and decentralized.

● A decision to centralize requires a yes to at least one of three questions.
Source:
https://www.mckinsey.com/business-functions/organization/our-insights/to-centralize-or-not-to-centralize#

● Lesson Summary
○ Discussed data governance models such as centralized, decentralized, and
hybrid.
○ Discussed the benefits and downsides of each model.

Lesson 2.5: Define a Program Scope and Charter


Skills Learned From This Lesson: Understand Privacy Program Scope, Understand Charters,
Discover Scope Integration Concerns.

● Learning Objectives
○ Understand Privacy Program Scope and Charters.
○ Discover Scope Integration Concerns.
 
● Define Scope and Charter


○ Charter includes the stakeholders by name and role along with the vision and
desired governance model. A high-level document explaining why the program
exists.
○ Scope includes identifying the personal information collected and processed as
well as in-scope privacy and data protection laws and regulations. An in-depth
document that provides the specifics on what your program will cover.
● Scope should define:
○ Who collects, uses and maintains personal information.
○ Types of personal information collected and purpose.
○ Where the data and information is stored.
○ Where data is transferred.
○ When collection occurs.
○ Security controls in place to protect data.
○ Incident handling and response.
○ Monitoring of the regulatory landscape.
● Integration Requirements
○ Involve senior leadership.
○ Involve stakeholders.
○ Develop internal partnerships.
○ Provide flexibility.
○ Leverage communications.
○ Leverage collaboration.
● Scope Challenges
○ Domestic - Global - Both.
○ Scope Creep.
○ Legal and Cultural Concerns.
○ Limited Enforcement or Oversight.
○ Unrealistic budget or schedule.
○ Limited technology resources.
● Lesson Summary
○ Discussed privacy program scope and charters.
○ Discussed the scope integration concerns.

 
Lesson 2.6: Identify how PII is used and Applicable Laws


Skills Learned From This Lesson: Understand how PII is used in an Organization, Identify PII
Used, Understand Applicable Laws.

● Learning Objectives
○ Understand how PII is used in an Organization.
○ Understand Applicable Laws.
● Identify PII Used
○ Consumer and Employee PII.
○ Preliminary Workflows.
○ Survey or Interview stakeholders.
○ Data Maps - May consist of logical diagrams of systems, applications, and
repositories.
● Applicable Laws
○ General privacy laws (e.g. the GDPR, and the Australian and Argentine privacy laws).
○ Federal privacy laws by sector - Health, Financial, Consumer.
○ State, provincial, local, or territory laws.
○ Online privacy laws.
○ Workplace privacy.
○ Understand penalties for noncompliance.
○ Inside or outside counsel should be consulted.
● Lesson Summary
○ Discussed how to determine how PII is used throughout the organization.
○ Discussed various types of laws and regulations that may be included in a
privacy program.
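The data map item in the lesson above, together with the scope questions in Lesson 2.5 (who collects and maintains personal information, where it is stored, where it is transferred), can be backed by a small machine-readable inventory rather than a diagram alone. The following is an added example, not from the study guide or the IAPP: the systems, owners, regions and flows are constructed for illustration, and the EEA set is a deliberately shortened stand-in for the real member list.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption: a deliberately shortened stand-in for the EEA member list.
EEA = {"DE", "FR", "IE", "NL"}


@dataclass(frozen=True)
class System:
    name: str
    owner: str              # team or role accountable for the system
    region: str             # country code where the data is stored
    categories: frozenset   # PII categories held, e.g. {"email", "health"}


@dataclass(frozen=True)
class Flow:
    source: str
    target: str
    categories: frozenset   # PII categories that move along this flow


@dataclass
class DataMap:
    systems: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add_system(self, system):
        self.systems[system.name] = system

    def add_flow(self, flow):
        """Reject flows between unknown systems or of categories the source
        does not hold: the inventory must not record impossible transfers."""
        src = self.systems[flow.source]
        self.systems[flow.target]  # KeyError if the target is not inventoried
        unknown = flow.categories - src.categories
        if unknown:
            raise ValueError(f"{flow.source} does not hold {sorted(unknown)}")
        self.flows.append(flow)

    def holders_of(self, category):
        """Systems holding a category: the first question a DSAR, retention
        review or breach scoping exercise has to answer."""
        return sorted(n for n, s in self.systems.items() if category in s.categories)

    def cross_border_flows(self):
        """Flows that leave the EEA. Each one needs a transfer mechanism and
        belongs in the program scope under 'where data is transferred'."""
        out = []
        for f in self.flows:
            src, dst = self.systems[f.source], self.systems[f.target]
            if src.region in EEA and dst.region not in EEA:
                out.append((f.source, f.target, dst.region, sorted(f.categories)))
        return out

    def owners_by_category(self):
        """Who collects, uses and maintains each category of personal information."""
        owners = defaultdict(set)
        for s in self.systems.values():
            for c in s.categories:
                owners[c].add(s.owner)
        return {c: sorted(o) for c, o in owners.items()}


def build_sample_map():
    """Constructed inventory for illustration; names and regions are made up."""
    m = DataMap()
    m.add_system(System("crm", "Sales", "IE", frozenset({"name", "email", "phone"})))
    m.add_system(System("hr", "People", "DE", frozenset({"name", "salary", "health"})))
    m.add_system(System("analytics-us", "Marketing", "US", frozenset({"email"})))
    m.add_system(System("payroll-vendor", "Finance", "GB", frozenset({"name", "salary"})))
    m.add_flow(Flow("crm", "analytics-us", frozenset({"email"})))
    m.add_flow(Flow("hr", "payroll-vendor", frozenset({"name", "salary"})))
    return m


if __name__ == "__main__":
    m = build_sample_map()
    print("systems holding health data:", m.holders_of("health"))
    for src, dst, region, cats in m.cross_border_flows():
        print(f"transfer out of EEA: {src} -> {dst} ({region}): {cats}")
```

Validating flows on insertion is the useful part: a stakeholder survey will happily report an export of a field the source system never held, and catching that at inventory time is cheaper than discovering it during a DSAR or an incident.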

Lesson 2.7: Additional Program Considerations


Skills Learned From This Lesson: Funding Benefits, Program Size Based on Organizational Size,
Build Program Awareness.

● Learning Objectives
○ Understand funding benefits.
○ Understand program size based on organizational size.
○ Learn how to build program awareness
 
● Funding and Budgeting Considerations
○ Exposure of gaps in procedures and workflows.
○ Greater security for all stakeholders.
○ Reduction in financial liability and regulatory risk.
○ Reduction in incident and breach related costs.
○ Preservation of brand.
● Organizational Model, Responsibilities, and Reporting
○ Large Organizations = Chief Privacy Officer (CPO), Privacy Manager, Privacy
Analysts, Business Leaders, First Responders.
○ Small Organizations - Data Protection Officer (DPO) responsibilities included with
another role.
○ Point of contact = Internal and External.
○ Professional competency requirements and measure.
● Awareness
○ Create awareness of privacy programs internally and externally - not exclusive to
the CPO.
○ Show and ingrain accountability.
○ Identify, catalog and maintain documents requiring updates with changes (e.g.
policies, websites, statements, contracts) - be part of the solution not an inhibitor.
○ Create an external and possibly internal website where individuals can obtain
information on your program.
○ Ensure contact information is easy to obtain for all stakeholders.

● Lesson Summary
○ Discussed how to fund a program.
○ Discussed various considerations of program reach due to organizational size.
○ Discussed how to improve the awareness of the privacy program.

Lesson 2.8: Introduction to ISO/IEC 27701:2019 and Privacy Information Management Systems (PIMS)
Skills Learned From This Lesson: What ISO/IEC 27701 Covers, Understanding of the ISO/IEC
27701 Outline, Privacy Information Management Systems (PIMS).

● Learning Objectives
○ What ISO/IEC 27701 Covers.

 
○ Understanding of the ISO/IEC 27701 Outline


● What does ISO 27701 Cover?
○ Specifies requirements and provides guidance for establishing, implementing,
maintaining and continually improving a Privacy Information Management System
(PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for
privacy management within the context of the organization.
● Outline of ISO 27701
○ PIMS-specific requirements related to ISO/IEC 27001 - General, Leadership,
Planning, Support, Operation, Performance Evaluation, Improvement.
○ PIMS-specific guidance related to ISO/IEC 27002 - General, Information
Security Policies, Organization of Information Security, Human Resource
Security, Asset Management, Access Control, Cryptography, Physical and
Environmental Security, Operations Security, Communications Security, Systems
Acquisition, Development and Maintenance, Supplier Relationships, Incident
Management, Business Continuity, Compliance.
○ Additional ISO/IEC 27002 guidance for PII controllers - Conditions for collection
and processing, obligations to PII principals, privacy by design and privacy by
default, PII sharing, transfer, and disclosure.
○ Additional ISO/IEC 27002 guidance for PII processors - Conditions for collection
and processing, obligations to PII principals, privacy by design and privacy by
default, PII sharing, transfer, and disclosure.
○ Annexes A-F - reference control objectives and controls for PII controllers (A)
and PII processors (B), mapping to ISO/IEC 29100 (C), mapping to the GDPR (D),
mapping to ISO/IEC 27018 and ISO/IEC 29151 (E), and how to apply ISO/IEC 27701
to ISO/IEC 27001 and ISO/IEC 27002 (F).

 
● Is ISO 27701 a Certification?
○ Not on its own. Because ISO/IEC 27701 is an extension of ISO/IEC 27001, a
PIMS is certified only as an extension of an organization's ISO/IEC 27001
certification; vendors that do not hold one can still provide attestation that
they comply with 27701.
● Lesson Summary
○ Discussed the ISO/IEC 27701 Standard.
○ Reviewed the ISO/IEC 27701 Outline.

 
Lesson 2.9: Introduction to the National Institute of Standards and Technology (NIST) Privacy
Framework v1.0
Skills Learned From This Lesson: What NIST Privacy Framework v1.0 Covers, Understanding
of the Specifics of the NIST Privacy Framework v1.0, Framework Basics.

● Learning Objectives
○ What NIST Privacy Framework v1.0 Covers.
○ Understanding of the Specifics of the NIST Privacy Framework v1.0
● What does NIST Privacy Framework Cover?
○ Building customer trust by supporting ethical decision-making in product and
service design or deployment that optimizes beneficial uses of data while
minimizing adverse consequences for individuals' privacy and society as a whole.
○ Fulfilling current compliance obligations, as well as future-proofing products and
services to meet these obligations in changing technological and privacy
environments.
○ Facilitating communication about privacy practices with individuals, business
partners, assessors, and regulators.
● What does NIST Privacy Framework Include?
○ An introduction to the framework.
○ Framework Basics.
○ How to use the framework.
● Specifics of the Privacy framework
○ Core - an increasingly granular set of activities and outcomes that enable an
organizational dialogue about managing privacy risk.
○ Profiles - selection of Functions, Categories, and Subcategories from the Core
that an organization has prioritized to help manage privacy risk.
○ Implementation Tiers - communication about whether an organization has
sufficient processes and resources in place to manage privacy risk and achieve
its target profile.

 
● Lesson Summary
○ Discussed the NIST Privacy Framework v1.0.
○ Reviewed its structure: the Core, Profiles, and Implementation Tiers.

 
Module 3: Privacy Program Operational Elements


Lesson 3.1: Develop Policies, Standards, and Guidelines
Skills Learned From This Lesson: Develop policies and procedures to support the privacy
policy, Explore how policies are created, Explore standards and guidelines to influence the
policy.

● Learning Objectives
○ Explore how policies are created.
○ Learn about policies and procedures to support the privacy policy.
○ Explore standards and guidelines to influence the policy.
● Develop Policies - Standards - Guidelines
○ Policies - Different from mission and vision, aligned with goals, and strategic.
○ Standards - Badges, uniforms, physical security, etc.
○ Guidelines - Use of antivirus software, firewalls, email security, encryption,
VPN’s, etc.
● Policy Structure
○ Purpose - Why the policy exists.
○ Scope - Defines resources covered.
○ Risk and responsibilities - Responsibilities of roles (internal and external),
training, and stakeholder accountability.
○ Compliance - Reference to applicable privacy laws or regulation(s), oversight,
auditing, response, penalties.
○ Note: Different from operational procedures...a policy is a high-level document.
● Policy Cost Considerations
○ Administrative time to draft, develop, and approve.
○ Practical protections aligned to privacy vision or mission.
○ Allow the organization to reasonably conduct business.
● Microsoft Privacy Statement
URL: https://privacy.microsoft.com/en-US/privacystatement

● Privacy Policy vs. Privacy Notice
○ Privacy policy - Internal: tells staff how personal information must be handled.
○ Privacy notice - External: tells data subjects how their information is handled.
○ Note: a website "privacy policy" is external-facing, so in this terminology it is a
privacy notice.
● Policies that support the Privacy Policy
○ Acceptable Use Policy (AUP).
○ Information and Cyber Security.
○ Procurement.
○ Contract Development.
○ Employee Onboarding/Offboarding.
○ Data and Record Retention.
○ Bring your own device (BYOD).
○ Employee/Workplace Monitoring.
○ Social Media.
○ Data Backup.
 
○ Information Disposition.
● Other Policies to consider in practice
○ Merger and acquisition.
○ Software development.
○ Product development.
○ Artificial intelligence.
● Privacy Program Activities (Procedures)
○ Education and awareness.
○ Monitoring and responding to the regulatory environment.
○ Internal policy compliance.
○ Data inventories, data flows, and classification.
○ Risk assessment (Privacy Impact Assessments: PIAs, DPIAs, etc.).
○ Incident Response.
○ Remediation.
○ Program Assurance and Audits.
● Popular Privacy Principles and Standards
○ Fair Information Practices developed in the early 1970s.
○ OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
○ Generally Accepted Privacy Principles (GAPP).
○ Asia-Pacific Economic Cooperation (APEC) Privacy Framework.
○ Binding corporate rules (BCRs) - Article 47 of the GDPR requires BCRs to be
approved by the competent supervisory authority.
○ European Telecommunications Standards Institute (ETSI).
○ ISO/IEC 27701:2019 - Extension to ISO/IEC 27001 and ISO/IEC 27002 for
privacy information management.
● Lesson Summary
○ Discussed how to create policies and procedures related to privacy management.
○ Reviewed supporting policies and procedures with examples.

Lesson 3.2: Metrics


 
Skills Learned From This Lesson: Planning, Compliance, Non-Compliance.

● Learning Objectives
○ Explore how to plan what metrics to consider.
○ Understand metrics to measure compliance.
○ Understand metrics to measure non-compliance.
● Planning
○ Determine the audience for the metrics.
○ Determine what you are measuring (e.g. risk and revenue activities).
○ Define reporting resources.
○ Understand how information is collected, where it is stored, and who or what has
access (e.g. mobile app data, websites, landing pages, Internet of Things (IoT)
devices, etc.).
● Compliance
○ Collection.
○ Responses to data subject inquiries.
○ Use and Retention.
○ Disclosures to third parties.
○ Training and Awareness tracking.
○ Incident (breaches, complaints, inquiries)
○ PIA and DPIA metrics.
● Non-Compliance
○ Trending analysis.
○ Privacy program return on investment (ROI).
○ Program maturity.
○ Resource utilization.
○ Revenue from data sold or accessed.
● Lesson Summary
○ Discussed what metrics to consider for your privacy program.
○ Reviewed how to use metrics for compliance and non-compliance.
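To make the compliance metrics above concrete (responses to data subject inquiries, incident and inquiry tracking), here is an added example that is not from the study guide: it computes on-time rate, median turnaround, late closures and overdue open requests from a constructed request log. The 30-day deadline is an assumption; set it to whatever period the applicable law gives you.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Assumption: the response deadline depends on the applicable law; 30 days is
# used here as a configurable stand-in.
DEADLINE_DAYS = 30


@dataclass(frozen=True)
class Request:
    ref: str
    kind: str               # access, erasure, portability, ...
    received: date
    closed: Optional[date]  # None while the request is still open


# Constructed request log for illustration; not data from the study guide.
REQUESTS = [
    Request("R1", "access", date(2024, 3, 1), date(2024, 3, 20)),       # 19 days
    Request("R2", "erasure", date(2024, 3, 3), date(2024, 4, 10)),      # 38 days, late
    Request("R3", "access", date(2024, 3, 15), date(2024, 3, 29)),      # 14 days
    Request("R4", "access", date(2024, 4, 1), None),                    # still open
    Request("R5", "portability", date(2024, 3, 10), date(2024, 4, 9)),  # 30 days, on time
]


def turnaround_days(req, as_of):
    """Days the request took (closed) or has been waiting so far (open)."""
    end = req.closed if req.closed is not None else as_of
    return (end - req.received).days


def dsar_metrics(requests, as_of, deadline_days=DEADLINE_DAYS):
    """Compliance metrics for a reporting date. Day `deadline_days` itself counts
    as on time; anything beyond it is late (closed) or overdue (still open)."""
    closed = [r for r in requests if r.closed is not None]
    open_ = [r for r in requests if r.closed is None]
    durations = [turnaround_days(r, as_of) for r in closed]
    late = [r.ref for r in closed if turnaround_days(r, as_of) > deadline_days]
    overdue = [r.ref for r in open_ if turnaround_days(r, as_of) > deadline_days]
    by_kind = {}
    for r in requests:
        by_kind[r.kind] = by_kind.get(r.kind, 0) + 1
    return {
        "total": len(requests),
        "closed": len(closed),
        "open": len(open_),
        "median_days": median(durations) if durations else None,
        "max_days": max(durations) if durations else None,
        "on_time_rate": (len(closed) - len(late)) / len(closed) if closed else None,
        "late_closed": late,
        "overdue_open": overdue,
        "by_kind": by_kind,
    }


if __name__ == "__main__":
    for key, value in dsar_metrics(REQUESTS, date(2024, 5, 15)).items():
        print(f"{key:>13}: {value}")
```

Report the overdue-open list separately from the on-time rate: a rate computed only over closed requests looks healthy right up until the open backlog breaches the deadline, which is the number a regulator will ask about.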

Lesson 3.3: Audits


 
Skills Learned From This Lesson: Audits, building a better pen tester, privacy program.

● Learning Objectives
○ Discuss how auditing can aid a privacy program.
○ Explore examples on what to audit to support the privacy program.
● Audit Overview
○ Conducted by internal team, individual, or third-party.
○ Occur at a predefined time period, in response to an incident, or at the request of
an enforcement authority.
○ Contains a plan and can be subjective (e.g. employee interviews and review of
system logs).
○ Goal: Validate what is working, what is not working, or a collection of information
at a specific period.
● Audits Related to Privacy Program
○ System Penetration Testing.
○ Controlled Social Engineering.
○ Audit program to framework or maturity model.
○ Data centers and office access.
○ Data Subject Access Requests (DSAR’s).
○ Document destruction.
○ Media sanitization and disposal of technology assets (e.g. hard drives,
USB/thumb drives, servers, etc.)
○ Device security (e.g. mobile devices, Internet of Things (IoT), geo-tracking,
imaging/copier hard drive security controls).
○ Tip: Personal cloud storage, personal email usage, home equipment.
● Penetration Testing Blueprint

 
● Lesson Summary
○ Discussed how an audit can improve a privacy program.
○ Reviewed various audit examples.

Lesson 3.4: Assessments


Skills Learned From This Lesson: Risk Assessment, Privacy Impact Assessments, Data
Protection Impact Assessments.

● Learning Objectives
○ Learn how to assess and analyze the privacy program through various
assessments including regulatory, PIAs and DPIAs.
○ Explore third-party assessments, physical assessments, and assessments
involving corporate changes such as mergers, acquisitions, and divestitures.
● Source: Transition Support URL: https://transition-support.com/faq38.html

 
● Monitoring the regulatory environment


○ Internet and Automated online services.
○ Blogs and Social Media.
○ Printed and online journals.
○ Third-party vendor activities (i.e. lawsuits and breaches).
○ Associations.
● Regulatory Gap Analysis
○ Determine program gaps as it pertains to applicable laws and regulations.
○ Laws have overlap so it is important to involve the legal team or counsel.
○ A privacy compliance tool is not always necessary but may help track gaps.
● Risk assessment (PIA’s and DPIA’s)
○ Privacy Impact Assessment - an analysis of the privacy risks associated with
processing personal information in relation to a project, product or service.
○ Data Protection Impact Assessment - describes a process designed to identify
risks arising out of the processing of personal data and to minimize these risks as
much and as early as possible.
○ Breach Impact Assessments - evaluate the impact of an actual or probable
breach (e.g. downtime, response time, financial impact).

 
● Privacy Impact Assessments

● Sample DPIA template

 
● PIA and DPIA Sources


○ Privacy Impact Assessment Template -
https://www.dhs.gov/xlibrary/assets/privacy_guidance_march_v5.pdf
○ Data Protection Impact Assessment Template -
https://iapp.org/media/pdf/resource_center/dpia-template-v04-post-comms-review-20180308.pdf
● Vendors and Processors
○ Risk assessments.
○ Contractual requirements (incident response, service level agreement (SLA),
notification requirement, liability, disposal of data).
○ Ongoing monitoring and auditing.
○ Organizational Certification (ISO, SSAE, SOC, et al) and attestation.
○ Where personal information is being held.
○ Who has access to personal information.
○ In practice: know what is contractually required and validate.
● Source: Cloud Security Alliance URL: https://cloudsecurityalliance.org/star/levels
 
● Mergers, acquisitions and divestitures


○ New compliance requirements and laws (e.g. sector specific and jurisdictional)
○ Review previous audits.
○ Explore existing client and vendor agreements.
○ New PIA’s and DPIA’s.
○ Review retention requirements.
● Lesson Summary
○ Discussed what an assessment is and how to analyze a privacy program.
○ Reviewed assessments of common business activities that could impact a privacy
program.

Lesson 3.5: Information Disposition Discussion by Bob Johnson

Skills Learned From This Lesson: i-SIGMA, NAID (National Association of Information
Destruction), Data privacy.

Lesson 3.6: Security

Skills Learned From This Lesson: Privacy, Security, Security Terms.

● Learning Objectives
○ Explore security items in frameworks and common security terms.
○ Understand how Security and Privacy work together.
● Security Topics Covered in ISO/IEC 27701 (i.e. PIMS-specific guidance related to ISO/IEC
27002)

 
○ Information Security Policies.
○ Human Resource Security.
○ Asset Management.
○ Access Control.
○ Cryptography.
○ Physical and Environmental Security.
○ Operations Security.
○ Communications Security.
○ Systems acquisition, development, and maintenance.
○ Supplier relationships.
○ Incident management.
○ Compliance.
● Security Terms
○ DDOS - Distributed Denial of Service
○ APT - Advanced Persistent Threat
○ CAPTCHA - Completely Automated Public Turing Test to Tell Computers and
Humans Apart
○ COBIT - Control Objectives for Information and Related Technologies
○ IDS/IPS - Intrusion Detection System/Intrusion Prevention System
○ Phishing - Attack through email
○ 2FA - Two-factor Authentication
○ OSINT - Open Source Intelligence
○ SIEM - Security Information and Event Management
○ VPN - Virtual Private Network
○ DLP - Data Loss Prevention
○ IAM - Identity Access Management
○ Zero Day Attack - Otherwise known as a “0” Day Attack
○ APM - Automated Patch Management
● Security and Privacy
○ Security is Objective (Open or Closed, 1 or 0, On or Off).
○ Privacy is Subjective (What is private here may not be private there).
○ Both - Should Protect Against Unauthorized Access to Information.
● Lesson Summary
○ Discussed security elements covered in frameworks.
 
○ Reviewed security terms that are important to privacy programs.
○ Discussed how security and privacy differ and how they work together.

Lesson 3.7: Data Protection Discussion with Lisa Daulby, PhD

Skills Learned From This Lesson: Data Protection, Privacy, Risk Assessment, Data Retention.

● Learning Objectives
○ Discuss transitioning into a privacy role and how data protection plays a role in
privacy management.
○ Discuss the importance of data retention management and the value of data.
● Lesson Summary
○ Discussed the importance of monitoring privacy regulations to ensure data is
adequately protected.
○ Reviewed the importance of data retention management for privacy and the value of
data in reducing risk.

Lesson 3.8: Vendor Privacy Examples

Skills Learned From This Lesson: Privacy Policy, Cloud Vendor Privacy, AWS, Compliance.

● Learning Objectives
○ Analyze Cloud Vendor Privacy Examples
○ Review an App Privacy Policy
● Amazon Shared Responsibility Model
Source URL: https://aws.amazon.com/compliance/shared-responsibility-model/

 
● Frequently asked questions

 
● Privacy example from mobile app

 
● Lesson Summary
○ Discussed privacy examples from several cloud vendors.
○ Reviewed a privacy example from a mobile app vendor.

Lesson 3.9: Record Retention

Skills Learned From This Lesson: Record, Retention schedules, Privacy Program.

● Learning Objectives
○ Explore the definition of a record.
○ Discuss types of records common to a privacy program.
○ Analyze record retention schedule examples
● What is a Record?
○ According to ARMA International, a record is any recorded information,
regardless of medium or characteristics, made or received by an organization,
that is evidence of its operations and has value requiring its retention for a
specific period of time.
 
● Common Privacy Records
○ Policies and procedures
○ Education and awareness.
○ Response to the regulatory environment.
○ Internal policy compliance.
○ Workflow and data maps.
○ Risk assessments (PIAs and DPIAs).
○ Incident response and remediation.
○ Cookies and logs.
○ Data subject requests and responses.
○ Program assurance and audits.
● Retention Schedule

 
Source: State of Michigan Cities and Villages Retention Schedule - URL:
https://www.michigan.gov/documents/dtmb/RMS_GS8_640198_7.pdf Reviewed on July 10,
2020
 
● General Retention Schedule

 
● Lesson Summary
○ Discussed various records that are part of a privacy program.
○ Reviewed examples of retention schedules.

Lesson 3.10: Retention Discussion with John Montana

Skills Learned From This Lesson: Records Management, Privacy, Analysis.

Lesson 3.11: Education and Awareness

Skills Learned From This Lesson: Privacy, Data Security, Awareness.

● Learning Objectives
○ Discuss Common Methods and Concerns.
○ Review Privacy Training Resources
● Common Methods
○ Classroom training.
○ Online learning through streaming, videos and websites.
○ Poster campaigns.
○ Booklets.
○ Workshops.
○ Gamification.
○ Mobile Apps.
○ Certification training for key stakeholders.
● Points of Caution
○ Equating education with awareness.
○ Using only one communication channel.
○ Lack of effectiveness measurements.
○ Eliminating either education or awareness due to budget concerns.
● Data Security and Privacy

 
● Tips to Help you with your Education
○ Search for associations and publications related to privacy.
○ Talk to privacy vendors about your education and awareness initiatives.
○ Check regulatory and government websites for resources.
● Lesson Summary
○ Discussed the methods and common misconceptions about education and
awareness.
○ Reviewed examples of training resources and where to find additional
information.

Lesson 3.12: Privacy by Design

Skills Learned From This Lesson: Principles of PbD, Privacy by Design, Privacy, Security, Data
Protection.

● Learning Objectives
○ Discuss the basics and objective of Privacy by Design (PbD).
 
○ Explore the 7 Principles of PbD.
○ Analyze PbD in practice.
● What is PbD?
○ PbD is a concept developed in the 1990s by Dr. Ann Cavoukian in Ontario,
Canada, to address the ever-growing and systemic effects of Information and
Communication Technologies and of large-scale networked data systems.
● PbD Objective
○ Ensuring privacy and giving individuals personal control over their information, while
enabling organizations to gain a sustainable competitive advantage.
● Principles of PbD
○ 1st Principle
■ Proactive not Reactive; Preventative not Remedial.
■ Privacy by Design comes before-the-fact, not after.
○ 2nd Principle
■ Privacy as the Default Setting.
■ No action is required on the part of the individual to protect their privacy -
it is built into the system, by default.
○ 3rd Principle
■ Privacy embedded into Design
■ Privacy is integral to the system, without diminishing functionality.
○ 4th Principle
■ Full Functionality - Positive-Sum, not Zero-Sum.
■ Privacy by Design avoids the pretense of false dichotomies, such as
privacy vs. security, demonstrating that it is possible to have both.
○ 5th Principle
■ End-to-End Security - Full Lifecycle Protection
■ Privacy by Design ensures end-to-end management of information.
○ 6th Principle
■ Visibility and Transparency - Keep it Open
■ Its component parts and operations remain visible and transparent.
○ 7th Principle
■ Respect for User Privacy - Keep it User-Centric

 
■ Requires architects and operators to offer such measures as strong
privacy defaults, appropriate notice, and empowering user-friendly
options.
● GDPR Consistent with PbD
○ Article 25 - Data protection by design and by default
○ Emphasizes privacy protection by default
○ Recital 78 - Appropriate technical and organizational measures
● PbD in Action
○ Software Development
○ Internet of Things (IoT)
○ Social Media Sites
○ Websites
○ Electronic Forms
○ Client Relationship Management (CRM) systems
○ Separation of consumers in one region from those in another (e.g. data from EU
consumers may not be captured in the same way as data from non-EU consumers)
● Lesson Summary
○ Discussed the origins and objective of PbD
○ Analyzed the 7 Principles of PbD
○ Reviewed PbD in practice examples

Lesson 3.13: Data Subjects

Skills Learned From This Lesson: Data Subject, Opt-In, Opt-Out.

● Learning Objectives
○ Explore what a Data Subject is as referenced by regulations
○ Understand the difference between opt-in versus opt-out
● Data Subjects
○ Data Subjects = Individuals whose personal information is being accessed,
processed, stored, or transferred by an organization.
● Responsibilities to Data Subjects from Organizations typically include:
○ Notice of how information is collected and used.
○ High visibility and accessibility to notices.
○ Where to submit requests.
 
○ Timely response to requests.
○ Whether information is shared with third-parties and if so how.
○ Website monitoring.
○ Regulation and regulatory body potentially impacted.
● Opt-In versus Opt-Out
○ Opt-In - Typically seen as a proactive approach that assumes a data subject does not
want their information shared, stored, or collected in any way. Data subjects must
agree to have their information processed before an action is taken.
○ Opt-Out - Typically seen as a reactionary option for data subjects and not centered on
data subject privacy. Data subjects can choose to stop having their information
processed after an action has already been taken.
● Lesson Summary
○ Discussed what a data subject is and why they are important.
○ Reviewed the difference between opt-in versus opt-out.

Lesson 3.14: Data Subjects - US

Skills Learned From This Lesson: Data Subjects, US Laws, US State Laws, Privacy.

● Learning Objectives
○ Explore various US Laws and how they impact data subjects.
○ Explore various state laws and how they impact data subjects.
● US Federal Laws and Functions that Impact Data Subjects
○ Federal Credit Reporting Act (FCRA).
○ Health Insurance Portability and Accountability Act (HIPAA).
○ Controlling the Assault of Non-Solicited Pornography and Marketing
(CAN-SPAM).
○ Privacy Act of 1974.
○ Freedom of Information Act (FOIA).
○ CARES Act of 2020.
● US State Laws that Impact Data Subjects
○ California Consumer Privacy Act (CCPA)
○ California “Shine the Light” Law
○ California “Online Eraser” Law
○ California Online Privacy Protection Act
 
○ Delaware Online Privacy Act
○ Illinois Biometric Information Privacy Act (BIPA)
● US Privacy Program Considerations
○ Know the enforcement agency
○ Identify the reporting requirements
○ Understand fines for non-compliance
○ Identify when consent is required
○ Seek legal counsel
● Lesson Summary
○ Discussed various federal regulations and laws that impact data subjects in the
US.
○ Discussed various state regulations and laws that impact data subjects in the US.

Lesson 3.15: Data Subjects - EU

Skills Learned From This Lesson: Privacy, Data Protection, Data Subjects, Rights.

● Learning Objectives
○ Explore the GDPR and how it impacts data subjects
○ Handling concerns with EU data subjects

 
● GDPR - General Data Protection Regulation
○ Article 7: Right to withdraw consent
○ Articles 12-14: Right to transparent communication and information
○ Article 15: Right to access
○ Article 16: Right to rectification
○ Article 17: Right to erasure (“to be forgotten”)
○ Article 18: Right to restrict processing
○ Article 19: Obligation to notify recipients
○ Article 20: Right to data portability
○ Article 21: Right to object
○ Article 22: Right not to be subject to automated decision-making
○ Article 77: Right to lodge a complaint
○ Articles 78-79: Right to judicial remedy against supervisory authorities, controllers,
and processors.
○ Article 80: Right to Representation (non-profit representation)
○ Article 83: Condition for imposing fines
 
● Handling Concerns with Data Subjects
○ Handling of complaints against the organization
○ Incident handling workflow (centralized vs. decentralized)
○ Tracking and oversight of the workflow
○ Document management
○ Redressing and resolution management
○ Reporting procedure
○ Transfers and Safeguards of data per Article 46
○ Local privacy law requirements
● Lesson Summary
○ Discussed the GDPR and how it impacts data subjects
○ Analyzed some of the articles and recitals of the GDPR

Lesson 3.16: Information Requests Discussion with Monica Reichert

Skills Learned From This Lesson: Privacy, Records Management, Information privacy.

Lesson 3.17: Incident Management

Skills Learned From This Lesson: Management, Incident Planning, Implementation,
Investigation.

● Learning Objectives
○ Analyze incident planning and implementation
○ Explore incident response and notifications
● Incident Planning and Implementation
○ Determine incident framework (i.e. secure, notify, resolve)
○ Merge into existing incident procedures (i.e. medical, human resources, and
information technology)
○ Incident detection in technology, processes, and people
○ Incident classification and escalation workflows
○ Determine a reporting and escalation process
 
○ Understanding incident response budgeting is as important as training
○ Threat isolation, forensic investigation, engaging of legal counsel, PR
communications and media outreach, and reporting and notification
○ Supplies (i.e. printing, postage, and a call center)
○ Insurance
● Incident Investigation - Basic Details
○ Name and location
○ Times of identification and reporting
○ System(s) impacted
○ Information impacted
○ Eyewitness accounts
○ System(s) logs
○ Responsibility to notify and when
● Remediation
○ Breached organizations may choose to engage remediation providers to reduce
consumers’ risk of fraud or identity theft
○ Services covered typically are: free daily credit monitoring, identity theft
insurance, and fraud resolution services
● Incident Investigation - Advanced Details
○ Determine IT response and remediation
○ Verification that PII is or is not impacted
○ System log collection
○ Details required for regulators, insurance, public relations, and counsel
● Executive Summary
○ Who was impacted and when?
○ What reporting requirements exist?
○ What to expect in next day, week, and month
○ Verification that PII is or is not impacted
○ System log collection and review
○ Details required for regulators, insurance, public relations, and counsel
○ Estimated remediation expense (i.e. system replacement, training, fines,
insurance premiums, et al)
● Lesson Summary
○ Discussed incident planning and implementation
 
○ Analyzed incident response and notification

Lesson 3.18: Incident Management Roles

Skills Learned From This Lesson: Incident Management, Privacy, Security.

● Learning Objectives
○ Analyze key roles in incident management
○ Explore functions of key roles during an incident
● Key Roles Required for an Incident
○ Privacy Team members may not be included in incident response team
○ Incident Team Members: Appointed Overseer, Tech Lead, Communications
(internal/external), Social Media, Customer Support, Corporate Counsel,
Accounting, Risk Advisory, and Insurance Agency
● Incident Levels
○ Consider adopting levels of criticality for incidents to guide roles during an
incident
○ Red, Yellow, Green (Red being severe and Green being normal)
○ Level 1-5 (1 being minor and 5 being severe)
● Incident Role Overlap
○ Consider other groups to determine if certain incident functions can be
streamlined
○ Helpdesk, Business Continuity, Vendors, Disaster Recovery, Internal Audit,
Cyber Security, and Facilities
● Lesson Summary
○ Discussed key roles in incident management
○ Reviewed functions of key roles when responding to incidents

Lesson 3.19: Incident Examples

Skills Learned From This Lesson: Incident Handling, Privacy, Investigation.

● Learning Objectives
○ Explore the types of incidents that may occur
○ Analyze the different types of incidents with examples
 
● Types of Incidents
○ Card - When cards used to transfer funds are compromised
○ Hack - When a criminal or system intentionally compromises a system and steals
data
○ Insider - Employee or trusted individual takes information
○ Loss - Lost USB drives, mobile devices, papers, or workstations
○ Accidental Disclosure - Unintentionally sharing sensitive information
● Card Incidents
○ Skimming devices, RFID scanners, Point-of-Service terminals
○ Information is taken from the magnetic stripe, a photo of the card is taken, or malware
transfers data from the transaction elsewhere
● Hack Incidents
○ Software such as Malware or Ransomware used to take information, encrypt
information, or control information for nefarious purposes
○ Organized Crime, Rogue Nations, Lone Wolf, Hacker-for-Hire
● Insider Incidents
○ Deliberate unauthorized access, theft, or sabotage made by employees or
subcontractors
● Loss Incidents
○ Lost USB drive, laptop, mobile phones, workstations, data center equipment,
paper record boxes, backup tapes, data files that cannot be restored
● Accidental Disclosure Incidents
○ Including an unintended recipient on an email, exposing confidential information
on a screen or paper in public, sharing information verbally in public, sharing a
link with an unintended recipient, acts of God, terrorism, vendor error, natural
occurrences, celestial incidents
● Lesson Summary
○ Discussed the different types of incidents
○ Reviewed each of the specific incident types with examples

Module 4: Summary
Lesson 4.1: Future of Privacy

 
Skills Learned From This Lesson: Privacy, Data Protection, Security.

● Course Outline
○ Module 1: Introduction.
○ Module 2: Privacy Strategy and Program.
○ Module 3: Privacy Program Operational Elements.
○ Module 4: Summary.
● Learning Objectives
○ Explore the possible future of privacy
○ Review how the possible future could impact our privacy program
● Look into the past…

 
● Look into the future…

 
Lesson 4.2: Course Summary

Skills Learned From This Lesson: Privacy, Security, Data Protection, Incident Management.

● Learning Objectives
○ Explore topics covered from the course
● Module 2 | Privacy Strategy and Program
○ Module 2.1: Role of the Privacy Manager
○ Module 2.2: Review Privacy Manager Job Descriptions
○ Module 2.3: Developing a Strategy and Vision
○ Module 2.4: Establish a Program Data Governance Model
○ Module 2.5: Define a Program Scope and Charter
○ Module 2.6: Identify how PII is used and Applicable Laws
○ Module 2.7: Additional Program Considerations
○ Module 2.8: Introduction to ISO/IEC 27701:2019
 
○ Module 2.9: Introduction to NIST Privacy Framework v1.0
● Module 3 | Privacy Program Operational Elements
○ Module 3.1: Develop Policies, Standards, and Guidelines
○ Module 3.2: Metrics
○ Module 3.3: Audits
○ Module 3.4: Assessments
○ Module 3.5: Information Disposition Discussion by Bob Johnson
○ Module 3.6: Security
○ Module 3.7: Data Protection Discussion with Lisa Daulby, PhD
○ Module 3.8: Vendor Privacy Examples
○ Module 3.9: Record Retention
○ Module 3.10: Retention Discussion with John Montana
○ Module 3.11: Education and Awareness
○ Module 3.12: Privacy by Design
○ Module 3.13: Data Subjects
○ Module 3.14: Data Subjects - US
○ Module 3.15: Data Subjects - EU
○ Module 3.16: Information Requests Discussion with Monica Reichert
○ Module 3.17: Incident Management
○ Module 3.18: Incident Management Roles
○ Module 3.19: Incident Examples

 