IAPP Privacy Program Management 2E 2019-SAMPLE
Privacy Program Management
Tools for Managing Privacy Within Your Organization
Second Edition
Executive Editor and Contributor
Russell Densmore, CIPP/E, CIPP/US, CIPM, CIPT, FIP
Contributors
Susan Bandi, CIPP/US, CIPM, CIPT, FIP
João Torres Barreiro, CIPP/E, CIPP/US
Ron De Jesus, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, FIP
Jonathan Fox, CIPP/US, CIPM
Tracy Kosa
Jon Neiditz, CIPP/E, CIPP/US, CIPM
Chris Pahl, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP
Tajma Rahimic
Liisa Thomas
Amanda Witt, CIPP/E, CIPP/US
Edward Yakabovicz, CIPP/G, CIPM, CIPT
An IAPP Publication
©2019 by the International Association of Privacy Professionals (IAPP)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, mechanical, photocopying, recording or otherwise, without the prior written permission of the publisher, International Association of Privacy Professionals, Pease International Tradeport, 75 Rochester Ave., Portsmouth, NH 03801, United States of America.

CIPP, CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPM and CIPT are registered trademarks of the International Association of Privacy Professionals, Inc. registered in the U.S. CIPP, CIPP/E, CIPM and CIPT are also registered in the EU as Community Trademarks (CTM).
ISBN: 978-1-948771-23-8
Contents

CHAPTER 1
Introduction to Privacy Program Management
1.1 Responsibilities of a Privacy Program Manager ... 1
1.2 Accountability ... 3
1.3 Beyond Law and Compliance ... 4
1.4 Why Does an Organization Need a Privacy Program? ... 4
1.5 Privacy Across the Organization ... 5
1.6 Awareness, Alignment and Involvement ... 8
1.7 Summary ... 8

CHAPTER 2
Privacy Governance
2.1 Create an Organizational Privacy Vision and Mission Statement ... 11
2.2 Define Privacy Program Scope ... 14
2.3 Develop and Implement a Framework ... 19
2.4 Frameworks ... 19
2.5 Privacy Tech and Government, Risk and Compliance Vendors and Tools ... 23
2.6 Develop a Privacy Strategy ... 24
2.7 Structure the Privacy Team ... 28
2.8 Governance Models ... 28
2.9 Establish the Organizational Model, Responsibilities and Reporting Structure ... 30
2.10 Summary ... 35

CHAPTER 3
Applicable Privacy Laws and Regulations
3.1 U.S. Federal Government Privacy Laws ... 40
3.2 Global Privacy Laws ... 43
3.3 General Data Protection Regulation Overview ... 46
3.4 Commonalities of International Privacy Laws ... 49
3.5 Cross-Border Transfers ... 50
3.6 Organizational Balance and Support ... 51
3.7 Understanding Penalties for Noncompliance with Laws and Regulations ... 52
3.8 Understanding the Scope and Authority of Oversight Agencies ... 53
3.9 Other Privacy-Related Matters to Consider ... 57
3.10 Monitoring Laws and Regulations ... 57
3.11 Third-Party External Privacy Resources ... 58
3.12 Summary ... 58

CHAPTER 4
Data Assessments
4.1 Inventories and Records ... 65
4.2 Records of Processing Activities Under the General Data Protection Regulation ... 67
4.3 Assessments and Impact Assessments ... 69

CHAPTER 5
Policies
5.1 What is a Privacy Policy? ... 89
5.2 Privacy Policy Components ... 90
5.3 Interfacing and Communicating with an Organization ... 92
5.4 Communicating the Privacy Policy within the Organization ... 92
5.5 Policy Cost Considerations ... 93
5.6 Design Effective Employee Policies ... 94
5.7 Procurement: Engaging Vendors ... 97
5.8 Data Retention and Destruction Policies ... 100
5.9 Implementing and Closing the Loop ... 102
5.10 Summary ... 103

CHAPTER 6
Data Subject Rights
6.1 Privacy Notices and Policies ... 105
6.2 Choice, Consent and Opt-Outs ... 109
6.3 Obtaining Consents from Children ... 110
6.4 Data Subject Rights in the United States ... 111
6.5 Data Subject Rights in Europe ... 117
6.6 Responding to Data Subject Requests ... 125
6.7 Handling Complaints: Procedural Considerations ... 126
6.8 Data Subject Rights Outside the United States and Europe ... 128
6.9 Summary ... 129

CHAPTER 7
Training and Awareness
7.1 Education and Awareness ... 136
7.2 Leveraging Privacy Incidents ... 138

CHAPTER 8
Protecting Personal Information
8.1 Privacy by Design ... 149
8.2 Data Protection by Design and by Default ... 151
8.3 Diagramming Privacy by Design ... 154
8.4 Information Security ... 156
8.5 Information Privacy and Information Security ... 161
8.6 Privacy Policy and Technical Controls ... 167
8.7 Summary ... 169

CHAPTER 9
Data Breach Incident Plans
9.1 Incident Planning ... 173
9.2 How Breaches Occur ... 174
9.3 Terminology: Security Incident versus Breach ... 175
9.4 Getting Prepared ... 175
9.5 Roles in Incident Response Planning, by Function ... 179
9.6 Integrating Incident Response into the Business Continuity Plan ... 184
9.7 Incident Handling ... 186
9.8 Team Roles During an Incident ... 191
9.9 Investigating an Incident ... 202
9.10 Reporting Obligations and Execution Timeline ... 204
9.11 Recovering from a Breach ... 211
9.12 Benefiting from a Breach ... 214

CHAPTER 10
Monitoring and Auditing Program Performance
10.1 Metrics ... 217
10.2 Monitor ... 223
10.3 Audit ... 226
10.4 Summary ... 229
10.5 Glossary ... 229
About the IAPP
The IAPP is a not-for-profit association founded in 2000 with a mission to define, support and improve the privacy profession globally. We are committed to providing a forum for privacy professionals to share best practices, track trends, advance privacy management issues, standardize the designations for privacy professionals and provide education and guidance on opportunities in the field of information privacy.

The IAPP is responsible for developing and launching the only globally recognized credentialing programs in information privacy: the Certified Information Privacy Professional (CIPP®), the Certified Information Privacy Manager (CIPM®) and the Certified Information Privacy Technologist (CIPT®). The CIPP, CIPM and CIPT are the leading privacy certifications for thousands of professionals around the world who serve the data protection, information auditing, information security, legal compliance and/or risk management needs of their organizations.

In addition, the IAPP offers a full suite of educational and professional development services and holds annual conferences that are recognized internationally as the leading forums for the discussion and debate of issues related to privacy policy and practice.
Preface
I am privileged to have worked with so many great privacy professionals on both the first edition of this textbook in 2013 and now on this second edition in 2019. The privacy landscape has changed remarkably in this five-year period. We have seen the first major, comprehensive privacy regulation implemented in the EU, with the General Data Protection Regulation (GDPR) impacting organizations and individuals around the globe. We have come to understand that individuals expect organizations to get it right when it comes to the protection of personal information. Demands for improved legislation to protect individuals and their rights have grown exponentially, giving regulators the power they need to ensure organizations comply. Organizations fear damage to their brand, loss of consumer confidence, and regulatory fines due to data breaches. There has never been a better time for organizations to demand well-trained, well-informed privacy professionals.

The privacy program manager is a critical component of every privacy program at any organization. We have seen this field develop over the last few years from a
privacy organization to be successful. The privacy program manager should be able to understand all these areas but will most likely not be an expert in all of them. Who, then, should be the privacy program manager?

In the past, a legal expert (attorney) has often served as the chief privacy officer and the privacy program manager. Currently, I am seeing a division of duties among the chief privacy officer, the privacy program manager, and privacy engineers. The chief privacy officer may handle the legal and regulatory obligations for the organization while the privacy program manager oversees program compliance requirements, organizational functions, and execution of implementation, and the privacy engineer manages the technical functions. There may be overlap, and certainly each of the different domains may serve multiple functions, but we are seeing these areas of expertise evolve.

The privacy program manager is responsible for proving to the organization that it has the proper controls in place and for helping demonstrate to regulators that the organization is handling personal data responsibly. There must be a data map showing what data the organization has and how that data is protected and processed. By definition, this is the privacy engineer's duty. The number of privacy engineers in the privacy profession is rising; in fact, the IAPP launched the Privacy Engineering Section in 2018. The value of such individuals is becoming clear. Perhaps this is the future, where the chief privacy officer, the privacy engineer, and the privacy program manager work together to cover all three roles. Certainly, the organization will need experts in each of these fields to be successful.

There appears to be no one-size-fits-all approach, especially in large multinational and complex organizations. I believe one individual may still be able to cover all of these functions for a small organization; however, I believe privacy program management has matured into a team sport and requires several teammates to be successful.

I would like to thank everyone who assisted with this textbook, especially the individual authors who contributed in their areas of expertise. They were all dedicated and supportive, proving we could work together as a holistic team to achieve success. Finally, I would also like to thank Mr. Edward Yakabovicz once again for assisting me with the final review of this text. His friendship and professional assistance are appreciated deeply.

Russell Densmore, CIPP/E, CIPP/US, CIPM, CIPT, FIP
January 2019
Acknowledgments
The IAPP is pleased to present this second edition of Privacy Program Management: Tools for Managing Privacy Within Your Organization in support of our Certified Information Privacy Manager (CIPM) program.

We rely on the expertise and support of privacy and data protection professionals from around the globe to provide our members with quality resources. Thank you to the many individuals who contributed their time and shared their knowledge for the revision of this textbook.

Our Training Advisory Board provides ongoing support and guidance. Thank you, members past and present, for your willingness to share your expertise. Current members include:

Francesco Banterle, CIPP/E
Punit Bhatia, CIPP/E, CIPM
Machiel Bolhuis, CIPP/E, CIPM, FIP
Michaela Buck
James Park, CIPP/E, CIPT
Anna Pateraki
Cassandra Porter, CIPP/US, CIPM, FIP
Stephen Ramey
Brandon Schneider, CIPP/G, CIPT, FIP
Thea Sogenbits
Tiina Suomela, CIPP/E, CIPM, FIP
Liisa Thomas
Maaike van Kampen - Duchateau, CIPP/E, CIPT, FIP
Emily Wall, CIPP/US, CIPM
Ben Westwood, CIPP/E, CIPP/US, CIPM, FIP
Christin Williams, CIPP/E, CIPP/US
Brett Wise, CIPP/US, CIPT, FIP
Matthew Woldin, CIPP/US, CIPM, FIP
Laurel Yancey, CIPP/E, CIPP/US, CIPM
Philip Yang, CIPM
The first edition of Privacy Program Management was published in 2013. I had the pleasure of working with Russell Densmore, CIPP/E, CIPP/US, CIPM, CIPT, FIP, who served as the executive editor for the project and led a team of highly respected privacy professionals including James M. Byrne; Elisa Choi, CIPT; Ozzie Fonseca, CIPP/US; Edward Yakabovicz, CIPP/G, CIPM, CIPT; and Amy E. Yates, CIPP/US. Their contributions ensured we had a strong foundation upon which to build this second edition.

We are very grateful that Russell Densmore agreed to serve as executive editor for the second edition of Privacy Program Management. Not only was he a pleasure to work with, he was also a very effective project manager, leading a team of privacy and data protection professionals from around the world through all stages of development, from draft outline to final manuscript, in addition to writing his own contribution. He generously provided his time, guidance and support to the whole team. Without him, this revision would not have been possible.

Thank you to Susan Bandi, CIPP/US, CIPM, CIPT, FIP; João Torres Barreiro, CIPP/E, CIPP/US; Ron De Jesus, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, FIP; Jonathan Fox, CIPP/US, CIPM; Tracy Kosa; Jon Neiditz, CIPP/E, CIPP/US, CIPM; Chris Pahl, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP; Tajma Rahimic; Liisa Thomas; Amanda Witt, CIPP/E, CIPP/US; and Edward Yakabovicz, CIPP/G, CIPM, CIPT for your commitment and dedication to this project. We are grateful for your willingness to share your experience and knowledge in the pages of this book.

Many thanks to Pasha Steinburg and Shanna Pearce for their contributions to Chapter 9, and to Jyn Schultze-Melling for permission to include his chapter on the rights of data subjects from European Data Protection: Law and Practice as an excerpt in Chapter 6 of this book.

Grace Buckler, CIPP/E, CIPP/G, CIPP/US, CIPM, FIP; Anthony E. Stewart, CIPP/US, CIPM; Tiina Suomela, CIPP/E, CIPM, FIP; Matthew Woldin, CIPP/US, CIPM, FIP; David Wood, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP; and Laurel Yancey, CIPP/E, CIPP/US, CIPM reviewed the draft manuscript and provided insightful feedback that helped shape the final draft of the text.

We are grateful for the meticulous eye of Julia Homer, who both copyedited and proofread the manuscript. Thank you to Hyde Park Publishing Services for creating the book index.

We appreciate the hard work, expertise and dedication of the many professionals who contributed to the publication of this book. We hope you will find it to be both a useful tool for preparing for your CIPM certification and a practical resource for your professional career.

Marla Berry, CIPT
Training Director
International Association of Privacy Professionals
Introduction
Quickly, however, organizations with business models increasingly dependent on data came to realize that better management and customer trust were needed. Unless the privacy professional was involved at every step of product development, organizations faced too much risk. In public administrations, open data efforts and well-meaning attempts to unlock the value of public data were stymied. Work was wasted. Product leads were frustrated. Mistakes were made.

Further, with the passage of the EU’s General Data Protection Regulation (GDPR), the idea of operational privacy, or “privacy by design,” became law.

Now we see, through research conducted for our annual IAPP-EY Privacy Governance Report, that organizations with mature privacy operations not only have full teams of privacy professionals, they also have privacy pros embedded in various business operations and in administrative departments ranging from human resources to IT, marketing and sales. They provide privacy with multimillion-dollar budgets. They buy technology bespoke for privacy operations.

Nor is it any wonder. While the GDPR gets the headlines, there are any number of other privacy regulations around the world that require operational responses. These issues—from data subject access requests to requests for corrections or deletions and increasing requirements for data portability—require deliberate process, careful management and well-trained people.

In short, privacy program management is here to stay, and the need for sophisticated leaders who understand the complexities of the global digital marketplace will only increase. Thus, it’s not surprising that the CIPM has become the IAPP’s second-fastest-growing certification, behind only the CIPP/E, and that there is great demand for a new and improved textbook to support the certification program.

Yet again, Executive Editor Russell Densmore, CIPP/E, CIPP/US, CIPM, CIPT, FIP, has overseen a variety of valuable contributions in revamping Privacy Program Management: Tools for Managing Privacy Within Your Organization. There are more practical examples, more deep dives into the “how” of privacy management, and more information on the tools privacy professionals are using to create effective privacy programs.

For data protection officers, privacy program managers, global privacy leaders, and any number of other new titles emerging around the globe, the CIPM is the perfect tool for privacy professionals working in both the public and private sectors. This book helps unlock the benefits of CIPM and prepare those hoping to take the exam and get certified.

I am extremely pleased with the way the CIPM has been accepted around the globe as the new standard for how privacy is done on the ground and I hope you—and your organization—enjoy its benefits.

J. Trevor Hughes, CIPP
President and CEO
International Association of Privacy Professionals
CHAPTER 1
principles and considers privacy regulations from around the globe. It incorporates common privacy principles and implements concepts such as privacy by design and privacy by default.1

Businesses are motivated today, more than ever, to ensure they are compliant with regulations such as the General Data Protection Regulation (GDPR) and other laws and regulations implemented around the globe—in part, because they want to protect their brand name, reputation, and consumer trust. Large data breaches commonly make news headlines, and organizations have paid penalties and lost revenue or consumer trust. Millions of people have been affected by the sloppy data protection practices organizations have used in the past. These things must change.

It is time for the privacy profession to recognize the value of a holistic data privacy program and the ever-important privacy program manager. This chapter will delve into the requirements for becoming a privacy program manager. The Certified Information Privacy Manager (CIPM) certification indicates that a privacy program manager has the proper understanding of concepts, frameworks and regulations to hold the role of privacy program manager for their employer.2
• Create, revise and implement policies and procedures that effect positive practices and together comprise a privacy program

The goals of a privacy program (at a minimum) are to:
• Promote consumer trust and confidence
• Enhance the organization’s reputation
• Facilitate privacy program awareness, where relevant, of employees, customers, partners and service providers
• Respond effectively to privacy breaches
• Continually monitor, maintain and improve the privacy program

The specific responsibilities of the privacy program manager include:
• Policies, procedures and governance
• Privacy-related awareness and training
• Incident response
• Communications
• Privacy controls
• Privacy issues with existing products and services
• Privacy-related monitoring
• Privacy-related subscriptions
• Privacy-related travel
• Redress and consumer outreach
• Privacy-specific or -enhancing software
• Privacy-related web certification seals
• Cross-functional collaboration with legal, information technology (IT), information security (sometimes referred to as IS or InfoSec), cybersecurity and ethics teams, among others
• Reporting to chief privacy officer (CPO), data protection officer (DPO), and/or data protection authority (DPA)
However, before starting the journey toward becoming a certified privacy program manager, you need to understand a few concepts. The first is accountability.

1.2 Accountability

What is accountability? Accountable organizations have the proper policies and procedures to promote proper handling of personal information and, generally, can demonstrate they have the capacity to comply with applicable privacy laws. They promote trust and confidence and make all parties aware of the importance of proper handling of personal information.
Index
Actual audit phase, in audit lifecycle, 228
Adequacy, cross-border transfers and, 50
Administrative or policy controls, 158
AFL-CIO, 182
Age
  California “Online Eraser” law protections for, 115
  consent and, 110–111
AICPA/CICA Privacy Task Force, 20
Alignment, in information privacy and information security, 164–165
American Institute of Certified Public

  attestation, as self-assessment, 78
  data protection impact assessments (DPIA), 73–78
  International Organization for Standardization (ISO), 72–73
  PIAs in the United States, 71–72
  privacy assessment: measuring compliance, 69
  privacy impact assessment (PIA), 69–71
  See also entries for individual topics
Assurance, in information security, 157
Attestation/self-assessment, 78
  140–142
  external, 141–142
  importance of, 102
  in information security and information privacy, 165
  internal, 140–141
  operational actions, 142
  of organizational privacy policy and practices, 136–138
  successful, steps for, 143
  training versus, 137
  using metrics to prove, 144–146

  how they occur, 174–175
  recovering from, 211–214
  response evaluation and modifications, 211–212
  security incidents versus, 175
  tracking and monitoring, 225
  See also Data breaches; Data breach incident plans
Breach notification laws, 173
Breach-reporting obligations, 204–211. See also Notification, of breaches
Breaux, Ronald, 94
  expectation of transparency in, 51
  international guidelines/legislation and responsible authority, 44
  Office of the Privacy Commissioner of Canada, 51, 110
  oversight regulatory authority and enforcement powers, 56
  Personal Information Protection and Electronic Documents Act (PIPEDA), 20, 33, 43, 83, 128
  protection models and approach to privacy protection, 17

  consent and, 109
  opt-in/opt-out and, 109–110
Cloud computing acceptable use, 99
Colombia
  international guidelines/legislation and responsible authority, 45
  oversight regulatory authority and enforcement powers, 56
Commission nationale de l’informatique et des libertés (CNIL; France), 20, 77
Communication
  closing the loop, 102–103
  from children, 110–111
  electronic, 109
  parental, 110
  right to withdraw, 117
  withdrawals of, 125–126
Consumer Financial Protection Bureau (CFPB), 40, 41
Consumer protection laws, 106
Consumer trust, 4
Containment, during an investigation, 202
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-

Daily Dashboard (IAPP), 58
Data assessments
  inventories and records, 65–67
  mergers, acquisitions and divestitures: privacy checkpoints, 83
  overview, 65
  physical and environmental, 79–80
  records of processing activities under the GDPR, 67–69
  vendors, 80–82
  vendors under the GDPR, 82
  See also Assessments and impact
  legally required, 65
  overview, 65
  tips for building, 67
Data map, 65
Data mapping, 15
Data minimization, 168
Data portability, right to, 118, 123
Data Privacy Day, 102, 138–139
Data Protection Authority (Belgium), vision and mission, 14
Data protection authority (DPA), 68, 223
Data protection by design and default, 151–154

  See also Privacy notices
Data subject rights in Europe
  explanation of, 119–125
  modalities: to whom, how and when, 118–119
  summary of, 117–118
Data subject rights in the United States
  federal laws
    Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) of 2003, 113
    Federal Credit Reporting Act (FCRA),
    California “Shine the Light” law, 115
    Delaware Online Privacy Protection Act (DOPPA), 114–115
Data subjects, defined, 105
Decentralized governance model, 29, 30
De Jesus, Ron, 11–37, 232–233
Delaware Online Privacy Protection Act (DOPPA), 114–115
Densmore, Russell, 1–9, 231
Department of Health and Human Services (DHHS), 40, 207
Destruction of data/information, 80–81
Destruction policies, 100–102, 169
Detection, of incidents, 187
Detective controls, 158
Digital Advertising Alliance (DAA), 107
Disposal Rule (Fair and Accurate Credit Transaction Act [FACTA]) of 2003, 80–81
DMA Guidelines for Ethical Business Practices, 43
Do Not Track requests, 114–115
Driver’s Privacy Protection Act (DPPA) of 1994, 41

E
Education

Environmental and physical assessment, 79–80
Environmental monitoring, 224
Erasure, right of (“right-to-be-forgotten”), 117, 121–122
EU Data Protection Directive, 19
Europe, data protection legislation and, 16–17. See also Data subject rights in Europe
European Commission, 20, 149
European Data Protection Board (EDPS), 107
European Telecommunications Standards Institute (ETSI), 20
European Union (EU)
  information security group and, 6
  international guidelines/legislation and responsible authority, 44
  oversight regulatory authority and enforcement powers, 55
  protection models and approach to privacy protection, 17
  See also GDPR (General Data Protection Regulation)
European Union Agency for Network and Information Security (ENISA), 21
EU–U.S. Privacy Shield, 20
Executive privacy team, 26
External breach announcements, 207
Federal laws. See Data subject rights in the United States
Federal Privacy Act of 1974, 40
Federal Trade Commission (FTC), 139, 149
  Children’s Online Privacy Protection Rule (COPPA), 18
  DNC Registry and, 112
  privacy-related laws enforced by, 40, 41
  unfair and deceptive trade patterns and, 106
Federal Trade Commission Act, 106
Federal Trade Commission Act (Section 5) of 1914, 41
Final audit phase, in audit lifecycle, 228
Finance stakeholders
  planning role, for data breach, 182–183
  role of, during an incident, 196–197
Financial privacy-related concerns, 42
Fines, 73
First-party audits, 228
First responders, 31
Forensic firms, 199–200, 204
Fox, Jonathan, 149–171, 233
Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (NIST), 21
Frameworks, for building the privacy program
  awareness-raising and, 138
  defined, 19
GDPR (General Data Protection Regulation)
  appropriate technical and organizational measures, 152–153
  BCR requirements, 20
  breaches, responses to, 173
  compliance with, 1
  creation of, 46
  data protection by design and by default, 151–152
  data protection officers (DPOs) required under, 33–34
  DPIA features set out in, 76
  electronic consent, 109
  fines for violations, 52
  framework for data protection and organizational obligations, 20
  as general privacy law, 39
  as global standard for data protection, 46
  on handling personal information, 15
  material scope, 47
  metrics for demonstrating compliance and, 222–223
  noncompliance with DPIA requirements, 73
  overview, 46–49
  principles and standards, 19
  privacy as default, 149
  privacy notices and, 108
Governance models
  centralized, 29, 30
  creating, 28
  elements of, 28–29
  hybrid, 29, 30
  local or decentralized, 29, 30
Governance structure, 8
Government privacy-related concerns, 42
Gramm-Leach-Bliley Act (GLBA) of 1999, 16, 17–18, 40
Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, 65
IAPP. See International Association of Privacy Professionals (IAPP)
Iceland, oversight regulatory authority and enforcement powers, 56
Icons, for communicating privacy practices, 107
Identity access management, 166
Illinois Biometric Information Privacy Act (BIPA), 116
Incident detection, 187
Incident handling
  collaboration among stakeholders and, 189
  employee training for, 187
    information security and/or information technology, 180
    legal, 180–181
    marketing, 181
    president/CEO, 183
    sample departmental responsibilities, 180
    union leadership, 182
Incident response team, cost savings through, 135
India
  cost of data breaches in, 135
  international guidelines/legislation and responsible authority, 45
  planning role, for data breach, 180
  practices, 157
  risk defined in, 157
  role of
    during an incident, 194
    in incident response planning, 180
  vendor controls of, 80
Information security group, function of, in creating privacy policy, 6
Information security policies
  access and data classification, 97
  cloud computing acceptable use and, 99
  Management in Federal Systems, An (NIST), 21
Inventories. See Data inventory
Investigations. See Incident investigation
Irish Office of the Data Protection Commission (DPC), 78
Irregular component analysis, 220
ISMS (information security management system), 159–161
Israel, international guidelines/legislation and responsible authority, 45
Issue/objective statement, in employee policies, 94
IT group, function of, in creating privacy policy, 7
IT vendors, 24
J
Japan
  international guidelines/legislation and responsible authority, 45
  oversight regulatory authority and enforcement powers, 53
  protection models and approach to privacy protection, 17
Jo, Sam, 94
Jurisdiction
  cross-border transfers and, 50–51
  key terms in, 51
Latin America, data subject rights in, 128
Laws
  for breach notification, 173
  categories of, 39–40
  consumer protection, 106
  cross-border transfers, 50–51
  data protection, 16
  global, 43–46
  international privacy, 49
  inventory of, creating, 67
  monitoring of, 57–58
  monitoring of changes in, 224
  penalties for non-compliance with, 52–53
  as policy control, 168
  privacy frameworks and, 20
  See also Data subject rights in the United States; Regulations; U.S. federal government privacy laws
Learning and development group, function of, in creating privacy policy, 6
Legal stakeholders, role of
  during an incident, 193
  in incident response planning, 180–181
Letter drops, as breach notification, 208
Liability, in data breaches
  general commercial (GCL), 197
  insurance coverage and, 178–179
  legal exposure and, 174
  planning role, for data breach, 180, 181
  role of, during an incident, 197–198
Maturity levels, for metrics, 221–222
McAfee, 43
McDonald, Aleecia, 108
Mergers, 83
Metric audience, 230
Metric owner, 219, 230
Metrics
  defined, 230
  purpose of, 137
  for training and awareness measurement,
Morocco
  international guidelines/legislation and responsible authority, 45
  oversight regulatory authority and enforcement powers, 57
MySpace, 106
N
National Credit Union Administration, 41
National Do Not Call Registry (DNC), 41, 112
National Institute of Standards and
Notification, of breaches
  call center launches, 208–209
  deadline for, 206
  expenses for, 197
  external announcements, 207
  internal announcements, 206–207
  during an investigation, 203
  letter drops, 208
  mishandling of, 206
  obligation to notify recipients, 118
  progress reporting, 210–211
  regulator, 207
  remediation offers, 209–210
  requirements and guidelines, 205–206
  timeline for, 204–205
  in the United States, 18
  U.S. laws, 173
O
Obfuscation, as technical control, 168
Objection, right of, 118, 124
Obligation to notify recipients, 118
Office of Civil Rights, 40
Office of the Comptroller of the Currency, 41
Office of the Privacy Commissioner of Canada, 51, 110
P
Pahl, Chris, 135–147, 234
Parental consent, 110
Payment Card Industry Data Security Standard (PCI DSS), 18, 43, 83
PayPal, 43
Penalties
  GDPR fines, 73
  for HIPAA violations, 52
  for noncompliance, 91
Performance measurement, defined, 229. See also Metrics, for program performance measurement
Personal data collection, right to information about, 119–120
Personal information, collected and used by the organization, 14–15
Personal information, protecting
  data protection by design and by default, 151–154
  information privacy and, 161–167
  privacy policy and technical controls, 167–169
  See also Information security; Privacy by design (PbD)
Personal Information Protection and Electronic Documents Act (PIPEDA; Canada), 20, 33,
  diagramming, 154–156
  dictates of, 149
  facilitated by a PIA, 69
  foundational concepts, 149
  foundational principles, 149–150
  illustrated, 150
  paradigm of, 150–151
  privacy engineering and, 154
  purpose and approach of, 21
Privacy champion, 26
Privacy checkpoints, 83
Privacy committee, 8
  (DPIA)
Privacy incidents, leveraging, 138–139
Privacy leaders
  educational and professional backgrounds of, 32
  titles used for, 31–32
Privacy Maturity Model (PMM), 221–222
Privacy mission statement, 11
Privacy notices
  communication considerations and re-evaluation of the fair information practice principles, 108–109
    See also Vendors
  purpose of, 90
  risk and responsibilities of, 90–91
  scope of, 90
  technical controls and, 167–169
Privacy professional, defined, 11
Privacy program management
  defined, 1
  framework of, 1
  introduction to, 1–9
Privacy program manager
  accountability of, 3
Privacy Tracker (IAPP), 58
Privacy vision statement
  examples, 12–14
  importance of, 11
Privacy workshop, for shareholders, 27
Processing, right to restricting, 117, 122–123
Procurement
  engaging vendors, 97–100
  implementing policies, 99
  See also Vendors
Procurement group, function of, in creating privacy policy, 7
  monitoring of changes in, 224
  penalties for non-compliance with, 52–53
  privacy frameworks and, 20
  See also Laws
Regulator notifications, 207
Remediation offers, 209–210
Remediation providers, 200–201
Reporting phase, in audit lifecycle, 228
Reporting worksheets, for incident handling, 187–188
Reputational liability, in data breaches, 174
Return on investment (ROI), of privacy
Self-assessment, 78
Self-regulatory privacy programs, 43, 168
Seminars, 33
Siegel, Bob, 89
Singapore
  international guidelines/legislation and responsible authority, 46
  oversight regulatory authority and enforcement powers, 54
  protection models and approach to privacy protection, 17
Snapchat, 106
  employee policies, 95
StaySafe Online, 139
Supplier monitoring, 226
Surprise minimization, 51
Symbols, for communicating privacy practices, 107
T
Tabletop exercises, as readiness-testing activity, 184–185
Taiwan, international guidelines/legislation and responsible authority, 46
Teaming, in information privacy and information security, 165
Team roles, during an incident
  board of directors, 202
  business development, 199
  call center, 200
  computer emergency response team (CERT), 194
  customer care, 198–199
  finance, 196–197
  human resources, 195–196
  information security, 194
  legal, 193
  marketing/public relations, 197–198
  outside resources, 199–201
  overview, 191–193
Third parties, incident handling by, 190
Third-party audits, 229
Third-party external privacy resources, 58
Third-party forensic vendors, in complex breach, 204
Thomas, Liisa, 173–216, 235
Three Lines of Defence model, 65
Tools, for monitoring, 225
Training
  audience identification for, 142
  awareness versus, 137
  budgeting for, 185–186
  as closing the communication loop, 102
  of employees, for incident handling, 187
  in preparation for a breach, 175–176
  requirements for, 137
  using metrics to prove, 144–146
Training and awareness
  methods for, 143–144
  strategies for, 142–143
Transparency
  importance of, 105
  privacy by design and, 150
  WP29 guidance on, 107
Transparency principle, 51
Transparent communication, necessity of, 119
Transparent communication and information, right of, 117
U
UAE-Dubai (DIFC), international guidelines/legislation and responsible authority, 46
Uber Technologies data breach settlement, 136
UN Convention on the Rights of the Child in Child Friendly Language, 110
Union leadership
  planning role, for data breach, 180, 182
  role of, during an incident, 201
United States, 39
  contract language and, 81–82
  engaging, 97–100
  evaluating, 81
  GRC (governance, risk and compliance), 24
  held to privacy standards, 97–100
  monitoring of, 99
  privacy tech, 23–24
  reputations of, 80
  role of, during an incident, 200
  as source of an incident, management of, 179
  standards for selecting, 80–81
  vendor contract, 98
Yahoo! data breach (2014), 135–136
Yakabovicz, Edward, 89–104, 236