
Privacy Program Management
Tools for Managing Privacy Within Your Organization
Second Edition

Executive Editor and Contributor
Russell Densmore, CIPP/E, CIPP/US, CIPM, CIPT, FIP

Contributors
Susan Bandi, CIPP/US, CIPM, CIPT, FIP
João Torres Barreiro, CIPP/E, CIPP/US
Ron De Jesus, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, FIP
Jonathan Fox, CIPP/US, CIPM
Tracy Kosa
Jon Neiditz, CIPP/E, CIPP/US, CIPM
Chris Pahl, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP
Tajma Rahimic
Liisa Thomas
Amanda Witt, CIPP/E, CIPP/US
Edward Yakabovicz, CIPP/G, CIPM, CIPT

An IAPP Publication
©2019 by the International Association of Privacy Professionals (IAPP)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval
system or transmitted in any form or by any means, mechanical, photocopying,
recording or otherwise, without the prior written permission of the publisher,
International Association of Privacy Professionals, Pease International Tradeport,
75 Rochester Ave., Portsmouth, NH 03801, United States of America.

CIPP, CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPM and CIPT are registered
trademarks of the International Association of Privacy Professionals, Inc. registered in
the U.S. CIPP, CIPP/E, CIPM and CIPT are also registered in the EU as Community
Trademarks (CTM).

Copy editor and proofreader: Julia Homer

Indexer: Hyde Park Publishing Services

ISBN: 978-1-948771-23-8

Library of Congress Control Number: 2019931184


Contents

About the IAPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii


Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

CHAPTER 1
Introduction to Privacy Program Management

1.1 Responsibilities of a Privacy Program Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.3 Beyond Law and Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.4 Why Does an Organization Need a Privacy Program? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.5 Privacy Across the Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.6 Awareness, Alignment and Involvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

CHAPTER 2
Privacy Governance
2.1 Create an Organizational Privacy Vision and Mission Statement . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2 Define Privacy Program Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.3 Develop and Implement a Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.4 Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.5 Privacy Tech and Governance, Risk and Compliance Vendors and Tools . . . . . . . . . . . . . . . . . . 23
2.6 Develop a Privacy Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.7 Structure the Privacy Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.8 Governance Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.9 Establish the Organizational Model, Responsibilities and Reporting Structure . . . . . . . . . . . . 30
2.10 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

CHAPTER 3
Applicable Privacy Laws and Regulations
3.1 U.S. Federal Government Privacy Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.2 Global Privacy Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.3 General Data Protection Regulation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.4 Commonalities of International Privacy Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.5 Cross-Border Transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.6 Organizational Balance and Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.7 Understanding Penalties for Noncompliance with Laws and Regulations . . . . . . . . . . . . . . . . . 52
3.8 Understanding the Scope and Authority of Oversight Agencies . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.9 Other Privacy-Related Matters to Consider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

3.10 Monitoring Laws and Regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
3.11 Third-Party External Privacy Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.12 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

CHAPTER 4
Data Assessments
4.1 Inventories and Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
4.2 Records of Processing Activities Under the General Data Protection Regulation . . . . . . . . . . . 67
4.3 Assessments and Impact Assessments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
4.4 Physical and Environmental Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
4.5 Assessing Vendors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
4.6 Mergers, Acquisitions and Divestitures: Privacy Checkpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
4.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

CHAPTER 5
Policies
5.1 What is a Privacy Policy? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
5.2 Privacy Policy Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
5.3 Interfacing and Communicating with an Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
5.4 Communicating the Privacy Policy within the Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
5.5 Policy Cost Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
5.6 Design Effective Employee Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

5.7 Procurement: Engaging Vendors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
5.8 Data Retention and Destruction Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
5.9 Implementing and Closing the Loop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
5.10 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

CHAPTER 6
Data Subject Rights
6.1 Privacy Notices and Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
6.2 Choice, Consent and Opt-Outs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
6.3 Obtaining Consents from Children . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
6.4 Data Subject Rights in the United States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
6.5 Data Subject Rights in Europe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

6.6 Responding to Data Subject Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

6.7 Handling Complaints: Procedural Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
6.8 Data Subject Rights Outside the United States and Europe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
6.9 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

CHAPTER 7
Training and Awareness
7.1 Education and Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
7.2 Leveraging Privacy Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
7.3 Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
7.4 Creating Awareness of the Organization’s Privacy Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
7.5 Awareness: Operational Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
7.6 Identifying Audiences for Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
7.7 Training and Awareness Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
7.8 Training and Awareness Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
7.9 Using Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
7.10 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

CHAPTER 8
Protecting Personal Information 
8.1 Privacy by Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
8.2 Data Protection by Design and by Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

8.3 Diagramming Privacy by Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
8.4 Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
8.5 Information Privacy and Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
8.6 Privacy Policy and Technical Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
8.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

CHAPTER 9
Data Breach Incident Plans
9.1 Incident Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
9.2 How Breaches Occur . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
9.3 Terminology: Security Incident versus Breach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
9.4 Getting Prepared . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

9.5 Roles in Incident Response Planning, by Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

9.6 Integrating Incident Response into the Business Continuity Plan . . . . . . . . . . . . . . . . . . . . . . . . 184
9.7 Incident Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
9.8 Team Roles During an Incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
9.9 Investigating an Incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
9.10 Reporting Obligations and Execution Timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
9.11 Recovering from a Breach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
9.12 Benefiting from a Breach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

9.13 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

CHAPTER 10
Monitoring and Auditing Program Performance
10.1 Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
10.2 Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
10.3 Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
10.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
10.5 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

About the Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231


Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

About the IAPP

The International Association of Privacy Professionals (IAPP) is the largest and
most comprehensive global information privacy community and resource, helping
practitioners develop and advance their careers and organizations manage and protect
their data.

The IAPP is a not-for-profit association founded in 2000 with a mission to define,
support and improve the privacy profession globally. We are committed to providing
a forum for privacy professionals to share best practices, track trends, advance privacy
management issues, standardize the designations for privacy professionals and provide
education and guidance on opportunities in the field of information privacy.
The IAPP is responsible for developing and launching the only globally recognized
credentialing programs in information privacy: the Certified Information Privacy
Professional (CIPP®), the Certified Information Privacy Manager (CIPM®) and the
Certified Information Privacy Technologist (CIPT®). The CIPP, CIPM and CIPT are
the leading privacy certifications for thousands of professionals around the world who
serve the data protection, information auditing, information security, legal compliance
and/or risk management needs of their organizations.
In addition, the IAPP offers a full suite of educational and professional development
services and holds annual conferences that are recognized internationally as the leading
forums for the discussion and debate of issues related to privacy policy and practice.

Preface

I am privileged to have worked with so many great privacy professionals on both the
first edition of this textbook in 2013 and now on this second edition in 2019. The
privacy landscape has changed remarkably in this five-year period. We have seen the
first major, comprehensive privacy regulation implemented in the EU, with the General
Data Protection Regulation (GDPR) impacting organizations and individuals around
the globe. We have come to understand that individuals expect organizations to get it
right when it comes to the protection of personal information. Demands for improved
legislation to protect individuals and their rights have grown exponentially, giving
regulators the power they need to ensure organizations comply. Organizations fear
damage to their brand, loss of consumer confidence, and regulatory fines due to data
breaches. There has never been a better time for organizations to demand well-trained,
well-informed privacy professionals.
The privacy program manager is a critical component of every privacy program
at any organization. We have seen this field develop over the last few years from a
budding program management framework to an integrated and fully functioning
multidisciplinary effort. Privacy program management is definitely a team sport.
Subject matter expertise is needed in multiple areas ranging from regulatory
compliance, policy implementation, training and awareness, data mapping and records
of processing to third-party vendor management and contracting. It requires a holistic
approach, with multiple skill sets to accomplish all the required aspects of privacy
program management in every organization.
Over the last few years, I have come to believe that while a privacy program manager
is responsible for bringing all the needed components of the privacy program to
maturity, rarely does one person have expertise in all the different disciplines required.
An individual skilled in the training and awareness domain may not excel at writing
policies, and vice versa. A person who excels at managing data breaches may not
do well at vendor management or contracting. I hope you see the point I am trying
to make. Privacy is a complex topic with diverse skill sets, which are needed by the
privacy organization to be successful. The privacy program manager should be able
to understand all these areas but will most likely not be an expert in all of them. Who,
then, should be the privacy program manager?
In the past, a legal expert (attorney) has often served as the chief privacy officer and
the privacy program manager. Currently, I am seeing a division of duties among the
chief privacy officer, the privacy program manager, and privacy engineers. The chief
privacy officer may handle the legal and regulatory obligations for the organization
while the privacy program manager oversees program compliance requirements,
organizational functions, and execution of implementation and the privacy engineer
manages the technical functions. There may be overlap, and certainly each of the
different domains may serve multiple functions, but we are seeing these areas of
expertise evolve.
The privacy program manager is responsible for proving to the organization that
it has the proper controls in place and for helping demonstrate to regulators that the
organization is handling personal data responsibly. There must be a data map showing
what data the organization has and how that data is protected and processed. By
definition, this is the privacy engineer's duty. The number of privacy engineers in the
privacy profession is rising; in fact, the IAPP launched the Privacy Engineering Section
in 2018. The value of such individuals is becoming clear. Perhaps this is the future,
where the chief privacy officer, the privacy engineer, and the privacy program manager
work together to cover all three roles. Certainly, the organization will need experts in
each of these fields to be successful.
There appears to be no one-size-fits-all approach, especially in large multinational
and complex organizations. I believe one individual may still be able to cover all of these
functions for a small organization; however, I believe privacy program management has
matured into a team sport and requires several teammates to be successful.
I would like to thank everyone who assisted with this textbook, especially the
individual authors who contributed in their areas of expertise. They were all dedicated
and supportive, proving we could work together as a holistic team to achieve success.
Finally, I would also like to thank Mr. Edward Yakabovicz once again for assisting
me with the final review of this text. His friendship and professional assistance are
appreciated deeply.
Russell Densmore, CIPP/E, CIPP/US, CIPM, CIPT, FIP
January 2019

Acknowledgments

The IAPP is pleased to present this second edition of Privacy Program Management:
Tools for Managing Privacy Within Your Organization in support of our Certified
Information Privacy Manager (CIPM) program.
We rely on the expertise and support of privacy and data protection professionals
from around the globe to provide our members with quality resources. Thank you to
the many individuals who contributed their time and shared their knowledge for the
revision of this textbook.
Our Training Advisory Board provides ongoing support and guidance. Thank
you, members past and present, for your willingness to share your expertise. Current
members include:
Francesco Banterle, CIPP/E
Punit Bhatia, CIPP/E, CIPM
Machiel Bolhuis, CIPP/E, CIPM, FIP
Michaela Buck
Duncan Campbell, CIPP/US
Ionela Cuciureanu
Evan Davies, CIPP/E
Karen Duffy, CIPP/E
Marjory Gentry, CIPP/E, CIPP/US, CIPM
Promila Gonsalves, CIPP/C
Ryan Hammer, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP
Missi Hart-Kothari, CIPP/US
Richard Ingle
Laura Kiviharju, CIPM
Henri Kujala, CIPP/E, CIPM, FIP
Viviane Maldonado
Ana Monteiro, CIPP/E, CIPM, CIPT, FIP
Michelle Muthiani, CIPP/E, CIPP/US
James Park, CIPP/E, CIPT
Anna Pateraki
Cassandra Porter, CIPP/US, CIPM, FIP
Stephen Ramey
Brandon Schneider, CIPP/G, CIPT, FIP
Thea Sogenbits
Tiina Suomela, CIPP/E, CIPM, FIP
Liisa Thomas
Maaike van Kampen - Duchateau, CIPP/E, CIPT, FIP
Emily Wall, CIPP/US, CIPM
Ben Westwood, CIPP/E, CIPP/US, CIPM, FIP
Christin Williams, CIPP/E, CIPP/US
Brett Wise, CIPP/US, CIPT, FIP
Matthew Woldin, CIPP/US, CIPM, FIP
Laurel Yancey, CIPP/E, CIPP/US, CIPM
Philip Yang, CIPM

The first edition of Privacy Program Management was published in 2013. I had the
pleasure of working with Russell Densmore, CIPP/E, CIPP/US, CIPM, CIPT, FIP, who
served as the executive editor for the project and led a team of highly respected privacy
professionals including James M. Byrne; Elisa Choi, CIPT; Ozzie Fonseca, CIPP/US;
Edward Yakabovicz, CIPP/G, CIPM, CIPT; and Amy E. Yates, CIPP/US. Their
contributions ensured we had a strong foundation upon which to build this second
edition.

We are very grateful that Russell Densmore agreed to serve as executive editor for
the second edition of Privacy Program Management. Not only was he a pleasure to work
with, he was also a very effective project manager, leading a team of privacy and data
protection professionals from around the world through all stages of development,
from draft outline to final manuscript, in addition to writing his own contribution. He
generously provided his time, guidance and support to the whole team. Without him,
this revision would not have been possible.
Thank you to Susan Bandi, CIPP/US, CIPM, CIPT, FIP; João Torres Barreiro,
CIPP/E, CIPP/US; Ron De Jesus, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT,
FIP; Jonathan Fox, CIPP/US, CIPM; Tracy Kosa; Jon Neiditz, CIPP/E, CIPP/US, CIPM;
Chris Pahl, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP; Tajma Rahimic;
Liisa Thomas; Amanda Witt, CIPP/E, CIPP/US; and Edward Yakabovicz, CIPP/G,
CIPM, CIPT for your commitment and dedication to this project. We are grateful for your
willingness to share your experience and knowledge in the pages of this book.

Many thanks to Pasha Steinburg and Shanna Pearce for their contributions to
Chapter 9, and to Jyn Schultze-Melling for permission to include his chapter on the
rights of data subjects from European Data Protection: Law and Practice as an excerpt in
Chapter 6 of this book.
Grace Buckler, CIPP/E, CIPP/G, CIPP/US, CIPM, FIP; Anthony E. Stewart,
CIPP/US, CIPM; Tiina Suomela, CIPP/E, CIPM, FIP; Matthew Woldin, CIPP/US,
CIPM, FIP; David Wood, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP; and Laurel
Yancey, CIPP/E, CIPP/US, CIPM reviewed the draft manuscript and provided
insightful feedback that helped shape the final draft of the text.
We are grateful for the meticulous eye of Julia Homer, who both copyedited and
proofread the manuscript. Thank you to Hyde Park Publishing Services for creating the
book index.
We appreciate the hard work, expertise and dedication of the many professionals
who contributed to the publication of this book. We hope you will find it to be both a
useful tool for preparing for your CIPM certification and a practical resource for your
professional career.
Marla Berry, CIPT
Training Director
International Association of Privacy Professionals

Introduction

In 2013, when we launched the Certified Information Privacy Manager (CIPM)
program, the idea of operating a privacy program was still novel. Our profession largely
evolved from law and compliance, and privacy was, in many ways, binary: The privacy
pro gave the product or service a thumbs-up or thumbs-down.

Quickly, however, organizations with business models increasingly dependent
on data came to realize that better management and customer trust were needed.
Unless the privacy professional was involved at every step of product development,
organizations faced too much risk. In public administrations, open data efforts and well-
meaning attempts to unlock the value of public data were stymied. Work was wasted.
Product leads were frustrated. Mistakes were made.
Further, with the passage of the EU’s General Data Protection Regulation (GDPR),
the idea of operational privacy, or “privacy by design,” became law.
Now we see, through research conducted for our annual IAPP-EY Privacy Governance
Report, that organizations with mature privacy operations not only have full teams
of privacy professionals, they also have privacy pros embedded in various business
operations and in administrative departments ranging from human resources to IT,
marketing and sales. They provide privacy with multimillion-dollar budgets. They buy
technology bespoke for privacy operations.
Nor is it any wonder. While the GDPR gets the headlines, there are any number of
other privacy regulations around the world that require operational responses. These
issues—from data subject access requests to requests for corrections or deletions
and increasing requirements for data portability—require deliberate process, careful
management and well-trained people.
In short, privacy program management is here to stay, and the need for sophisticated
leaders who understand the complexities of the global digital marketplace will only
increase. Thus, it’s not surprising that the CIPM has become the IAPP’s second-fastest-
growing certification, behind only the CIPP/E, and that there is great demand for a new
and improved textbook to support the certification program.

Yet again, Executive Editor Russell Densmore, CIPP/E, CIPP/US, CIPM, CIPT,
FIP, has overseen a variety of valuable contributions in revamping Privacy Program
Management: Tools for Managing Privacy Within Your Organization. There are more
practical examples, more deep dives into the “how” of privacy management, and more
information on the tools privacy professionals are using to create effective privacy
programs.
For data protection officers, privacy program managers, global privacy leaders, and
any number of other new titles emerging around the globe, the CIPM is the perfect
tool for privacy professionals working in both the public and private sectors. This book
helps unlock the benefits of CIPM and prepare those hoping to take the exam and get
certified.
I am extremely pleased with the way the CIPM has been accepted around the globe
as the new standard for how privacy is done on the ground and I hope you—and your
organization—enjoy its benefits.
J. Trevor Hughes, CIPP
President and CEO
International Association of Privacy Professionals

CHAPTER 1

Introduction to Privacy Program Management

Russell Densmore, CIPP/E, CIPP/US, CIPM, CIPT, FIP

What is privacy program management? It is the structured approach of combining
several disciplines into a framework that allows an organization to meet legal
compliance requirements and the expectations of business clients or customers while
reducing the risk of a data breach. The framework follows program management
principles and considers privacy regulations from around the globe. It incorporates
common privacy principles and implements concepts such as privacy by design and
privacy by default.1
Businesses are motivated today, more than ever, to ensure they are compliant with
regulations such as the General Data Protection Regulation (GDPR) and other laws
and regulations implemented around the globe—in part, because they want to protect
their brand name, reputation, and consumer trust. Large data breaches commonly make
news headlines, and organizations have paid penalties and lost revenue or consumer
trust. Millions of people have been affected by the sloppy data protection practices
organizations have used in the past. These things must change.
It is time for the privacy profession to recognize the value of a holistic data privacy
program and the ever-important privacy program manager. This chapter will delve into
the requirements for becoming a privacy program manager. The Certified Information
Privacy Manager (CIPM) certification indicates that a privacy program manager has
the proper understanding of concepts, frameworks and regulations to hold the role of
privacy program manager for their employer.2

1.1 Responsibilities of a Privacy Program Manager

The goals of a privacy program manager are to:
• Identify privacy obligations for the organization
• Identify business, employee and customer privacy risks
• Identify existing documentation, policies and procedures

1
Privacy Program Management

• Create, revise and implement policies and procedures that effect positive
practices and together comprise a privacy program
The goals of a privacy program (at a minimum) are to:
• Promote consumer trust and confidence
• Enhance the organization’s reputation
• Facilitate privacy program awareness, where relevant, of employees, customers,
partners and service providers
• Respond effectively to privacy breaches
• Continually monitor, maintain and improve the privacy program
The specific responsibilities of the privacy program manager include:

E
• Policies, procedures and governance

PL
• Privacy-related awareness and training
• Incident response
• Communications
M
• Privacy controls
• Privacy issues with existing products and services
• Privacy-related monitoring
SA

• Privacy impact assessments


• Development of privacy staff
• Privacy-related investigations
• Privacy-related data committees
• Privacy by design in product development
• Privacy-related vendor management
• Privacy audits
• Privacy metrics
• Cross-border data transfers
• Preparation for legislative and regulatory change

2
Introduction to Privacy Program Management

• Privacy-related subscriptions
• Privacy-related travel
• Redress and consumer outreach
• Privacy-specific or -enhancing software
• Privacy-related web certification seals
• Cross-functional collaboration with legal, information technology (IT),
information security (sometimes referred to as IS or InfoSec), cybersecurity
and ethics teams, among others
• Reporting to chief privacy officer (CPO), data protection officer (DPO), and/or
data protection authority (DPA)

E
However, before starting the journey toward becoming a certified privacy program
manager, you need to understand a few concepts. The first is accountability.

1.2 Accountability

What is accountability? Accountable organizations have the proper policies and
procedures to promote proper handling of personal information and, generally, can
demonstrate they have the capacity to comply with applicable privacy laws. They
promote trust and confidence and make all parties aware of the importance of proper
handling of personal information.

The concept of accountability is one of the most important concepts introduced by
new data protection laws. It is about not only saying the organization is taking action,
but actually being able to prove that it is. In other words, the organization is accountable
for the actions it takes (or does not take) to protect personal data. The idea is that, when
organizations collect and process information about people, they must be responsible
for it. They need to take ownership and take care of it throughout the data lifecycle. By
doing so, the organization can be held accountable.

If the evidence says the organization has a policy in place, the organization should
follow that policy or document why it has deviated from policy.

Accountability as defined by laws can actually benefit organizations because, although
it may impose obligations to take ownership and to explain how the organization is
compliant, in exchange, it can give organizations a degree of flexibility about exactly how
they will comply with their obligations. Privacy program managers are accountable for
the safekeeping and responsible use of personal information—not just to investors and
regulators, but also to everyday consumers and their fellow employees.

Index

A
Acceptable use policies (AUPs), 96–97
Access
  in information security policies, 97
  right of, 117, 120–121
Access control, 165–166
Accountability
  in information security, 157
  of the organization, 3
Acquisitions, 83
Actual audit phase, in audit lifecycle, 228
Adequacy, cross-border transfers and, 50
Administrative or policy controls, 158
AFL-CIO, 182
Age
  California “Online Eraser” law protections for, 115
  consent and, 110–111
AICPA/CICA Privacy Task Force, 20
Alignment, in information privacy and information security, 164–165
American Institute of Certified Public Accountants (AICPA), 20
American National Standards Institute (ANSI), 33
Analysis, of metrics
  business resiliency, 221
  overview, 219
  program maturity, 221–222
  return on investment (ROI), 220
  trend analysis, 220
An Coimisiún um Chosaint Sonraí | Data Protection Commission mission statement, 13
Angola, international guidelines/legislation and responsible authority, 44
Anti-money laundering, 42
Anti-Spam Legislation (CASL; Canada), 128
Applicability, in employee policies, 95
“ARCO” rights (Mexico), 128
Argentina, 39
  international guidelines/legislation and responsible authority, 44
  oversight regulatory authority and enforcement powers, 56
Asia, data protection legislation and, 16–17
Asia-Pacific Economic Cooperation (APEC) Privacy Framework, 20, 44
Assessments and impact assessments
  attestation, as self-assessment, 78
  data protection impact assessments (DPIA), 73–78
  International Organization for Standardization (ISO), 72–73
  PIAs in the United States, 71–72
  privacy assessment: measuring compliance, 69
  privacy impact assessment (PIA), 69–71
  See also entries for individual topics
Assurance, in information security, 157
Attestation/self-assessment, 78
Attorney-client privilege, during an investigation, 203
Audience
  identifying, for training, 142
  metric, 218–219
Audit, of program performance
  definition, 226
  lifecycle, 227–228
  overview, 226
  phases, 227–228
  rationale, 227
  review, 229
  types of, 228–229
Audit lifecycle, 227–228
Audit planning phase, in audit lifecycle, 228
Audit rights, of organizations, 81
Audits, monitoring, 225
Australia, 39
  data protection legislation, 16–17
  international guidelines/legislation and responsible authority, 44
  oversight regulatory authority and enforcement powers, 55
  protection models and approach to privacy protection, 17
Automated decision-making, right not to be subject to, 118, 124
Availability, in information security, 157
Awareness
  in building a program, 8
  creating, of organization’s privacy program, 140–142
  external, 141–142
  importance of, 102
  in information security and information privacy, 165
  internal, 140–141
  operational actions, 142
  of organizational privacy policy and practices, 136–138
  successful, steps for, 143
  training versus, 137
  using metrics to prove, 144–146
  See also Training and awareness

B
Bandi, Susan, 39–64, 231–232
Barreiro, João Torres, 65–87, 232
Belarus, international guidelines/legislation and responsible authority, 44
Bermuda, international guidelines/legislation and responsible authority, 44
Binding corporate rules (BCRs), 20
Biometric privacy laws, 116
Board of directors
  planning role, for data breach, 183
  role of, during an incident, 202
Board of Governors Federal Reserve System, 41
Bosnia and Herzegovina, international guidelines/legislation and responsible authority, 44
Brands/branding, 4
Brazil
  cost of data breaches in, 135
  international guidelines/legislation and responsible authority, 44
  oversight regulatory authority and enforcement powers, 56
Breaches
  benefiting from, 214–215
  companies and settlements, 135–136
  costs of, calculating and quantifying, 212–214
  how they occur, 174–175
  recovering from, 211–214
  response evaluation and modifications, 211–212
  security incidents versus, 175
  tracking and monitoring, 225
  See also Data breaches; Data breach incident plans
Breach notification laws, 173
Breach-reporting obligations, 204–211. See also Notification, of breaches
Breaux, Ronald, 94
Brown University, Executive Master in Cybersecurity, 32
Budgeting, for training and response, 185–186
Bureau of Labor Statistics, 182
Business continuity plan (BCP)
  breach response best practices, 186
  budgeting for training and response, 185–186
  integrating incidence response into, 184–186
  overview, 184
  tabletop exercises, 184–185
  updating, 185
Business development stakeholders
  planning role, for data breach, 180, 181–182
  role of, during an incident, 199
Business resiliency, 221
C
California Consumer Privacy Act (CCPA) of 2018, 111, 115–116
California “Online Eraser” law, 115
California Online Privacy Protection Act (CalOPPA), 114–115
California “Shine the Light” law, 115
Call center
  for breach notification, 208–209, 210
  role of, during an incident, 200
Canada
  Anti-Spam Legislation (CASL), 128
  cost of data breaches in, 135
  data protection legislation, 16–17
  data subject rights in, 128
  expectation of transparency in, 51
  international guidelines/legislation and responsible authority, 44
  Office of the Privacy Commissioner of Canada, 51, 110
  oversight regulatory authority and enforcement powers, 56
  Personal Information Protection and Electronic Documents Act (PIPEDA), 20, 33, 43, 83, 128
  protection models and approach to privacy protection, 17
Canadian Institute of Chartered Accountants (CICA), 20
Canadian Standards Association (CSA) Privacy Code, 20
Cape Verde, international guidelines/legislation and responsible authority, 44
Cardholders, 18
Carnegie Mellon, 32, 108
Cavoukian, Ann, 149, 151
Centralized governance, 29, 30
Certifications, professional, 33
Champion, for privacy program, 26
Chief information officer (CIO), 26
Chief information security officer (CISO), 32
Chief operating officer (COO), 26
Chief privacy officer (CPO), 29
Children, consent from, 110–111
Children’s Advertising Review Unit (CARU) guidelines, 43
Children’s Online Privacy Protection Act (COPPA) of 1998, 16, 18, 41, 110
Chile, international guidelines/legislation and responsible authority, 44
China
  international guidelines/legislation and responsible authority, 45
  oversight regulatory authority and enforcement powers, 53
  privacy protections in, 128–129
Choice
  consent and, 109
  opt-in/opt-out and, 109–110
Cloud computing acceptable use, 99
Colombia
  international guidelines/legislation and responsible authority, 45
  oversight regulatory authority and enforcement powers, 56
Commission nationale de l’informatique et des libertés (CNIL; France), 20, 77
Communication
  closing the loop, 102–103
  to create awareness of privacy program, 139–140
  interfacing and, with an organization, 92
  of privacy policy, within the organization, 92–93
  successful, steps for, 143
  transparent, necessity of, 119
Communications group, function of, in creating privacy policy, 6
Communications stakeholders, planning role, for data breach, 182
Complaint-monitoring processes, 225
Compliance
  general organization compliance, 91
  in goals and objectives of privacy program, 51–52
  governance, risk and compliance (GRC) tools and, 24
  measuring, 69
  as privacy policy issue, 91
  stated in employee policies, 95
  using metrics to prove, 144–146
  See also Noncompliance
Compliance monitoring, 224
Computer emergency response team (CERT), 194
Conferences, 33
Confidentiality, integrity and availability (CIA), 157, 175
Consensus, 25
Consent
  age threshold for, 110–111
  from children, 110–111
  electronic, 109
  parental, 110
  right to withdraw, 117
  withdrawals of, 125–126
Consumer Financial Protection Bureau (CFPB), 40, 41
Consumer protection laws, 106
Consumer trust, 4
Containment, during an investigation, 202
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) of 2003, 40, 113
Controls
  on information, 19
  in information security, 158–159
  monitoring and, 225
  technical, 167–169
Corrective controls, 158
Costa Rica, international guidelines/legislation and responsible authority, 45
Cost of a Data Breach Study (Ponemon Institute; 2018), 135
Costs
  of a breach, calculating and quantifying, 212–214
  of data breaches, 135–136, 174
  of privacy policy, 93–94
Council of Europe, Convention 108, 19
Cranor, Lorrie Faith, 108
Credit card incidents/card schemes, 203
Credit cards, 18
Cross-border transfers, 50–51
Crosswalk, of organization’s privacy requirements, 39
Customer care
  planning role, for data breach, 183–184
  role of, during an incident, 198–199
Cyber-liability insurance, 178–179, 197
Cyclical component analysis, 220

D
Daily Dashboard (IAPP), 58
Data assessments
  inventories and records, 65–67
  mergers, acquisitions and divestitures: privacy checkpoints, 83
  overview, 65
  physical and environmental, 79–80
  records of processing activities under the GDPR, 67–69
  vendors, 80–82
  vendors under the GDPR, 82
  See also Assessments and impact assessments; Data protection impact assessments (DPIAs)
Data breaches. See Breaches; Data breach incident plans
Data breach incident plans
  benefiting from a breach, 214–215
  how breaches occur, 174–175
  incident handling, 186–191
  incident planning, 173–174
  integrating, into the business continuity plan, 184–186
  investigating an incident, 202–204
  preparing for
    creating a response plan, 176–177
    insurance coverage, 178–179
    know your roster of stakeholders, 177–178
    management of vendors when source of incident, 179
    training, 175–176
  recovering from a breach, 211–214
  reporting obligations and execution timeline, 204–211
  roles in, by function, 179–184
  team roles, during an incident, 191–202
  terminology, 175
  See also entries for individual topics
Data breach notification laws, 18
Data classification, 97, 166–167
Data destruction, 169
Data inventory
  elements of, 66
  legally required, 65
  overview, 65
  tips for building, 67
Data map, 65
Data mapping, 15
Data minimization, 168
Data portability, right to, 118, 123
Data Privacy Day, 102, 138–139
Data Protection Authority (Belgium), vision and mission, 14
Data protection authority (DPA), 68, 223
Data protection by design and default, 151–154
Data protection impact assessments (DPIAs)
  components of, 77–78
  generic iterative process for carrying out, 76
  noncompliance with, 73
  overview, 73
  what to include in, 76–77
  when required, 74–78
  when to contact supervisory authority, 77
Data protection laws and regulations, 16
Data protection officers (DPOs), 31
  as audience, 218
  maintaining records of processing activities, 67–69
  qualifications and responsibilities, 34
  reporting structure and independence, 34
  reporting to the board, 222–223
  required under the GDPR, 33
  when required, 33–34
Data retention, 225
Data retention policies, 100–102
Data subject access and rectification requests, 126
Data subject requests, responding to, 125–126
Data subject rights
  choice, consent and opt-outs and, 109–110
  handling complaints: procedural considerations, 126–128
  obtaining consents from children, 110–111
  outside the United States and Europe, 128–129
  restrictions of, 125
  See also Privacy notices
Data subject rights in Europe
  explanation of, 119–125
  modalities: to whom, how and when, 118–119
  summary of, 117–118
Data subject rights in the United States
  federal laws
    Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) of 2003, 113
    Federal Credit Reporting Act (FCRA), 111–112
    Freedom of Information Act (FOIA), 113–114
    Health Insurance Portability and Accountability Act (HIPAA) of 1996, 112
    National Do Not Call Registry (DNC), 112
    Privacy Act of 1974, 113
  state laws
    biometric privacy laws, 116
    California Consumer Privacy Act, 115–116
    California “Online Eraser” law, 115
    California Online Privacy Protection Act (CalOPPA), 114–115
    California “Shine the Light” law, 115
    Delaware Online Privacy Protection Act (DOPPA), 114–115
Data subjects, defined, 105
Decentralized governance model, 29, 30
De Jesus, Ron, 11–37, 232–233
Delaware Online Privacy Protection Act (DOPPA), 114–115
Densmore, Russell, 1–9, 231
Department of Health and Human Services (DHHS), 40, 207
Destruction of data/information, 80–81
Destruction policies, 100–102, 169
Detection, of incidents, 187
Detective controls, 158
Digital Advertising Alliance (DAA), 107
Disposal Rule (Fair and Accurate Credit Transaction Act [FACTA]) of 2003, 80–81
DMA Guidelines for Ethical Business Practices, 43
Do Not Track requests, 114–115
Driver’s Privacy Protection Act (DPPA) of 1994, 41

E
Education
  about organizational privacy policy and practices, 136–138, 143–144
  “lunch and learn” sessions, 138–139
  of privacy leaders, 32
Education privacy-related concerns, 42
E-Government Act of 2002, 71
Egypt, oversight regulatory authority and enforcement power, 57
E-learning, 144
Electronic Communications Privacy Act (ECPA) of 1986, 41
Electronic consent, 109
Emails, as breach notification, 208
Employee policies, design of, 94–97
Employee training, for incident handling, 187
Energy privacy-related concerns, 42
Environmental and physical assessment, 79–80
Environmental monitoring, 224
Erasure, right of (“right-to-be-forgotten”), 117, 121–122
EU Data Protection Directive, 19
Europe, data protection legislation and, 16–17. See also Data subject rights in Europe
European Commission, 20, 149
European Data Protection Board (EDPS), 107
European Telecommunications Standards Institute (ETSI), 20
European Union (EU)
  information security group and, 6
  international guidelines/legislation and responsible authority, 44
  oversight regulatory authority and enforcement powers, 55
  protection models and approach to privacy protection, 17
  See also GDPR (General Data Protection Regulation)
European Union Agency for Network and Information Security (ENISA), 21
EU–U.S. Privacy Shield, 20
Executive privacy team, 26
External breach announcements, 207

F
Fair and Accurate Credit Transactions Act (FACTA) of 2003, 41, 80–81
Fair Credit Reporting Act (FCRA) of 1970, 41
Fair Information Practices, 19
Family Educational Rights and Privacy Act (FERPA), 41
Federal Communications Commission (FCC), 41, 112
Federal Credit Reporting Act (FCRA), 111–112
Federal Deposit Insurance Corporation (FDIC), 41
Federal government privacy laws. See Data subject rights in the United States; U.S. federal government privacy laws
Federal laws. See Data subject rights in the United States
Federal Privacy Act of 1974, 40
Federal Trade Commission (FTC), 139, 149
  Children’s Online Privacy Protection Rule (COPPA), 18
  DNC Registry and, 112
  privacy-related laws enforced by, 40, 41
  unfair and deceptive trade patterns and, 106
Federal Trade Commission Act, 106
Federal Trade Commission Act (Section 5) of 1914, 41
Final audit phase, in audit lifecycle, 228
Finance stakeholders
  planning role, for data breach, 182–183
  role of, during an incident, 196–197
Financial privacy-related concerns, 42
Fines, 73
First-party audits, 228
First responders, 31
Forensic firms, 199–200, 204
Fox, Jonathan, 149–171, 233
Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (NIST), 21
Frameworks, for building the privacy program
  awareness-raising and, 138
  defined, 19
  emerging, 19
  importance and purpose of, 19
  laws, regulations and programs, 20
  management solutions, 21–22
  objectives, 21–22
  principles and standards, 19–20
  rationalizing requirements, 22–23
France
  guidance on legal frameworks, 20
  privacy impact assessment guidelines, 77
Freedom of Information Act (FOIA), 113–114
Functional groups, understanding needed by, 5

G
Gap analysis, 67
GDPR (General Data Protection Regulation)
  appropriate technical and organizational measures, 152–153
  BCR requirements, 20
  breaches, responses to, 173
  compliance with, 1
  creation of, 46
  data protection by design and by default, 151–152
  data protection officers (DPOs) required under, 33–34
  DPIA features set out in, 76
  electronic consent, 109
  fines for violations, 52
  framework for data protection and organizational obligations, 20
  as general privacy law, 39
  as global standard for data protection, 46
  on handling personal information, 15
  material scope, 47
  metrics for demonstrating compliance and, 222–223
  noncompliance with DPIA requirements, 73
  overview, 46–49
  principles and standards, 19
  privacy as default, 149
  privacy notices and, 108
  privacy notices to children, 110–111
  records of processing activities under, 67–69
  subject-matter and objectives, 47
  territorial scope, 48–49
  vendor assessment under, 82
  what consumers can do, 48
  what organizations must do, 49
  what regulators can do, 49
  See also Data subject rights in the United States
General commercial liability (GCL), 197
General Data Protection Regulation (GDPR). See GDPR (General Data Protection Regulation)
Generally Accepted Privacy Principles (GAPP), 20
General organization compliance, 91
General privacy laws, 39
Germany
  cost of data breaches in, 135
  EU Data Protection Directive (95/46/EC), 33
Ghana, international guidelines/legislation and responsible authority, 45
Global issues, sample approaches to privacy and data protection, 17. See also entries for specific countries
Global privacy laws, 43–46
Google, 106
Governance, risk and compliance (GRC) tools, 24, 225
Governance models
  centralized, 29, 30
  creating, 28
  elements of, 28–29
  hybrid, 29, 30
  local or decentralized, 29, 30
Governance structure, 8
Government privacy-related concerns, 42
Gramm-Leach-Bliley Act (GLBA) of 1999, 16, 17–18, 40
Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, 65

H
Healthcare providers, 18
Health Information Technology for Economic and Clinical Health (HITECH), 42, 52
Health Insurance Portability and Accountability Act (HIPAA) of 1996, 16, 18, 20, 40, 42, 52, 83, 112
Health plans, 18
Herath, Kirk M., 8, 12
HIPAA violation penalties, 52
Holistic data privacy program, 1
Hong Kong
  international guidelines/legislation and responsible authority, 45
  oversight regulatory authority and enforcement powers, 54
Human resources (HR)
  implementing policies, 99–100
  incident handling by, 190
  monitoring and, 226
  planning role, for data breach, 180, 181
  privacy-related concerns, 42
  role of, during an incident, 195–196
  types of policies, 100
Hybrid governance model, 29, 30
Hyperlinks, 107

I
IAPP. See International Association of Privacy Professionals (IAPP)
Iceland, oversight regulatory authority and enforcement powers, 56
Icons, for communicating privacy practices, 107
Identity access management, 166
Illinois Biometric Information Privacy Act (BIPA), 116
Incident detection, 187
Incident handling
  collaboration among stakeholders and, 189
  employee training for, 187
  human resources, 190
  incident detection, 187
  overview, 186
  physical security, 189
  reporting worksheets for, 187–188
  third parties, 190
  tools of prevention, 191
Incident investigation
  attorney-client privilege, 203
  containment, 202
  credit card incidents and card schemes, 203
  involving key stakeholders during, 204
  notification and cooperation with insurer, 203
  third-party forensics, 204
Incident planning
  costs when addressing an incident, 174
  legal exposure and liability, 174
  what’s at risk, 173
Incident response
  best practices for, 186
  of vendors, 81
Incident response plan
  creating, 176–177
  roles in, by function, 179–184
    board of directors, 183
    business development, 181–182
    communications and public relations, 182
    customer care, 183–184
    finance, 182–183
    human resources, 181
    information security and/or information technology, 180
    legal, 180–181
    marketing, 181
    president/CEO, 183
    sample departmental responsibilities, 180
    union leadership, 182
Incident response team, cost savings through, 135
India
  cost of data breaches in, 135
  international guidelines/legislation and responsible authority, 45
  oversight regulatory authority and enforcement powers, 55
Indonesia, oversight regulatory authority and enforcement powers, 54
Industry-specific privacy-related concerns, 42
Information, right to, about personal data collection and processing, 119–120
Information Commissioner’s Office (ICO; UK)
  guidelines on DPIAs, 77
  mission, vision, and goals, 13–14
Information lifecycle, 19
Information privacy. See Information security
Information security
  achievement of, 79
  aim of, 157
  availability and, 79
  confidentiality, integrity and availability (CIA) and, 157
  confidentiality and, 79
  controls in, 158–159
  defined, 79
  information privacy and, 161
    access control and, 165–166
    alignment of, 164–165
    data classification and, 166–167
    disconnects of, 163–164
    illustrated, 162
    overlap of, 162–163
  integrity and, 79
  ISO standards, 159–161
  overview, 156
  planning role, for data breach, 180
  practices, 157
  risk defined in, 157
  role of
    during an incident, 194
    in incident response planning, 180
  vendor controls of, 80
Information security group, function of, in creating privacy policy, 6
Information security policies
  access and data classification, 97
  cloud computing acceptable use and, 99
  implementing, 99
Information technology, role of, in incident response planning, 180
In-scope privacy, 16
Insurance coverage
  for data breaches, 178–179
  of vendors, 80
Insurer, cooperation with, during an investigation, 203
Interfacing and communicating with an organization, 92
Internal audit group, function of, in creating privacy policy, 7
Internal breach announcements, 206–207
Internal partnerships
  best practices when developing, 26–27
  building and gaining consensus, 25
  identifying, 25–27
International Association of Privacy Professionals (IAPP), 58, 164
International Conference of Data Protection and Privacy Commissioners, vision of, 13
International Organization for Standardization (ISO)
  on information security controls, 159–161
  privacy impact assessments (PIAs) and, 72–73
  professional certifications under, 33
  third-party audits and, 229
Internet-of-things (IoT), 107
Introduction to Privacy Engineering and Risk Management in Federal Systems, An (NIST), 21
Inventories. See Data inventory
Investigations. See Incident investigation
Irish Office of the Data Protection Commission (DPC), 78
Irregular component analysis, 220
ISMS (information security management system), 159–161
Israel, international guidelines/legislation and responsible authority, 45
Issue/objective statement, in employee policies, 94
IT group, function of, in creating privacy policy, 7
IT vendors, 24

J
Japan
  international guidelines/legislation and responsible authority, 45
  oversight regulatory authority and enforcement powers, 53
  protection models and approach to privacy protection, 17
Jo, Sam, 94
Jurisdiction
  cross-border transfers and, 50–51
  key terms in, 51
  privacy approaches by, 17
  similarities of international privacy laws, 49
Just-in-time notice, 107

K
Kenya, oversight regulatory authority and enforcement powers, 57
Key performance indicators (KPIs), 218
Korean Personal Information Protection Act, 129
Kosa, Tracy, 217–230, 233

L
Language, children and privacy notices and, 110
Latin America, data subject rights in, 128
Laws
  for breach notification, 173
  categories of, 39–40
  consumer protection, 106
  cross-border transfers, 50–51
  data protection, 16
  global, 43–46
  international privacy, 49
  inventory of, creating, 67
  monitoring of, 57–58
  monitoring of changes in, 224
  penalties for non-compliance with, 52–53
  as policy control, 168
  privacy frameworks and, 20
  See also Data subject rights in the United States; Regulations; U.S. federal government privacy laws
Learning and development group, function of, in creating privacy policy, 6
Legal stakeholders, role of
  during an incident, 193
  in incident response planning, 180–181
Letter drops, as breach notification, 208
Liability, in data breaches
  general commercial (GCL), 197
  insurance coverage and, 178–179
  legal exposure and, 174
  reputational, 174
Local data protection authorities, 20
Local governance model, 29
“Lunch and learn” training sessions, 138–139

M
Malaysia
  international guidelines/legislation and responsible authority, 45
  oversight regulatory authority and enforcement powers, 54
Marketing privacy managers, 5
Marketing privacy-related concerns, 42
Marketing stakeholders
  planning role, for data breach, 180, 181
  role of, during an incident, 197–198
Maturity levels, for metrics, 221–222
McAfee, 43
McDonald, Aleecia, 108
Mergers, 83
Metric audience, 230
Metric owner, 219, 230
Metrics
  defined, 230
  purpose of, 137
  for training and awareness measurement, 144–146
Metrics, for program performance measurement
  analysis
    business resiliency, 221
    overview, 219
    program maturity, 221–222
    return on investment (ROI), 220
    trend analysis, 220
  intended audience, 218–219
  metric owner, 219
  overview, 217–218
  reporting to the board, 222–223
Metrics lifecycle, 230
Mexico
  “ARCO” rights, 128
  data subject rights in, 128
  international guidelines/legislation and responsible authority, 45
  oversight regulatory authority and enforcement powers, 56
Microsoft, privacy mission statement, 12–13
Mission statement, 11–14
Monaco, international guidelines/legislation and responsible authority, 45
Monitoring
  of laws and regulations, 57–58
  of program performance
    forms of, 224–226
    overview, 223–224
    types of, 224
  of vendors, 99
Morocco
  international guidelines/legislation and responsible authority, 45
  oversight regulatory authority and enforcement powers, 57
MySpace, 106

N
National Credit Union Administration, 41
National Do Not Call Registry (DNC), 41, 112
National Institute of Standards and Technology (NIST), 21, 78, 229
National privacy laws, 39
Need-to-know access, 166
Negligence, data breaches and, 174–175
Neiditz, Jon, 105–134, 234
Network Advertising Initiative (NAI) Code of Conduct, 43
New Zealand, 39
  international guidelines/legislation and responsible authority, 45
  oversight regulatory authority and enforcement powers, 54
Noise (analysis), 220
Noncompliance
  with DPIA requirements, 73
  penalties for, 52–53, 91
Notification, of breaches
  call center launches, 208–209
  deadline for, 206
  expenses for, 197
  external announcements, 207
  internal announcements, 206–207
  during an investigation, 203
  letter drops, 208
  mishandling of, 206
  obligation to notify recipients, 118
  progress reporting, 210–211
  regulator, 207
  remediation offers, 209–210
  requirements and guidelines, 205–206
  timeline for, 204–205
  in the United States, 18
  U.S. laws, 173

O
Obfuscation, as technical control, 168
Objection, right of, 118, 124
Obligation to notify recipients, 118
Office of Civil Rights, 40
Office of the Comptroller of the Currency, 41
Office of the Privacy Commissioner of Canada, 51, 110
Office of Thrift Supervision, 41
Online privacy-related concerns, 42
Operational actions to ensure ongoing awareness, 142
Opt-in versus opt-out, 109–110
Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 19, 44
Organizational balance and support, 51–52
Organizational model, responsibilities and reporting structure, 30–34
Outliers, 22
Oversight agencies, worldwide, 53–57
Ownership, recording, 27

P
Pahl, Chris, 135–147, 234
Parental consent, 110
Payment Card Industry Data Security Standard (PCI DSS), 18, 43, 83
PayPal, 43
Penalties
  GDPR fines, 73
  for HIPAA violations, 52
  for noncompliance, 91
Performance measurement, defined, 229. See also Metrics, for program performance measurement
Personal data collection, right to information about, 119–120
Personal information, collected and used by the organization, 14–15
Personal information, protecting
  data protection by design and by default, 151–154
  information privacy and, 161–167
  privacy policy and technical controls, 167–169
  See also Information security; Privacy by design (PbD)
Personal Information Protection and Electronic Documents Act (PIPEDA; Canada), 20, 33, 83, 128
Personally identifiable information (PII), 71, 114, 140
Peru, international guidelines/legislation and responsible authority, 45
Philippines
  international guidelines/legislation and responsible authority, 45
  oversight regulatory authority and enforcement powers, 54
Phishing attack, 183–184
Physical and environmental assessment, 79–80
Physical controls, 158
Physical security, for incident handling, 189
Point of transfer, 80
Index

Points of contact, in employee policies, 95
Policies. See Privacy policies
Policy or administrative controls, 158, 167–168
Ponemon Institute, 174, 213
Preparation phase, in audit lifecycle, 228
President/CEO
    planning role, for data breach, 183
    role of, during an incident, 201
Preventive controls, 158
Print vendors, 200
Privacy
    across the organization, 5–8
Privacy Act of 1974, 113
Privacy assessment, measuring compliance and, 69
Privacy by design (PbD)
    diagramming, 154–156
    dictates of, 149
    facilitated by a PIA, 69
    foundational concepts, 149
    foundational principles, 149–150
    illustrated, 150
    paradigm of, 150–151
    privacy engineering and, 154
    purpose and approach of, 21
Privacy champion, 26
Privacy checkpoints, 83
Privacy committee, 8
Privacy dashboard, 108
Privacy-enabling technologies (PETs), 163
Privacy engineering, 154, 168
Privacy-first mindset, 187
Privacy governance
    components of, listed, 11
    framework development and implementation, 19
    frameworks, 19–23
    governance, risk and compliance (GRC) tools and, 24
    governance models, 28–30
    organizational model, responsibilities and reporting structure, 30–34
    privacy strategy development, 24–27
    privacy team, structure of, 28
    privacy vision and mission statement, creating, for organizations, 11–14
    program scope, 14–18
    See also entries for individual topics
Privacy impact assessment (PIA)
    accomplish early, 70
    defined, 69
    International Organization for Standardization (ISO) and, 72–73
    privacy professionals and, 71
    requirements regarding, 69
    triggering events, 70
    in the United States, 71–72
    uses of, 69, 70–71
    See also Data protection impact assessments (DPIA)
Privacy incidents, leveraging, 138–139
Privacy leaders
    educational and professional backgrounds of, 32
    titles used for, 31–32
Privacy Maturity Model (PMM), 221–222
Privacy mission statement, 11
Privacy notices
    communication considerations and re-evaluation of the fair information practice principles, 108–109
    defined, 92, 105–106
    design challenges and solutions, 106–108
    effectiveness of, 108
    elements of, 106
    goal of, 107
    illusion of control of, 108
    just-in-time, 107
    privacy policies versus, 91–92, 105–106
    providing, approaches to, 107
Privacy policies
    acceptable use policies (AUP), 96–97
    cloud computing acceptable use, 99
    communication of, within the organization, 92–93
    compliance issues of, 91
    components of, 90–91

249
Privacy Program Management

    cost considerations of, 93–94
    data retention and destruction policies, 100–102
    defined, 90, 91, 105–106
    employee, design of, 94–97
    examples of, 90
    explained, 89–90
    HR policies, 99–100
    implementing and closing the loop, 102–103
    information security policies, 97, 99
    interfacing and communicating with an organization and, 92
    overview, 89
    privacy notice versus, 91–92, 105–106
    procurement and vendors, 97–100. See also Vendors
    purpose of, 90
    risk and responsibilities of, 90–91
    scope of, 90
    technical controls and, 167–169
Privacy professional, defined, 11
Privacy program management
    defined, 1
    framework of, 1
    introduction to, 1–9
Privacy program manager
    accountability of, 3
    goals of, 1–2
    responsibilities of, 2–3
Privacy programs
    domestic and global approaches to, 16–18
    goals of, 2
    organizations’ need for, 4–5
    See also Privacy governance
Privacy program scope
    defining, 14–18
    in-scope privacy and data protection laws and regulations, 16
    personal information collected and processed, 14–15
    questions to help define, 15
    scope challenges, 16–18
    successful scoping approach, 18
Privacy Ref, Inc., 89
Privacy-related laws enforced by the U.S. federal government, 40–41
Privacy strategy
    benefits to implementing, 25
    building, 25, 135
    defined, 24–25
    developing, 24–27
    getting buy-in, 25
Privacy team
    positioning, 28
    steps for integration, 28
    structure of, 28
Privacy tech vendors, 23–24
Privacy threshold analysis (PTA), 71
Privacy Tracker (IAPP), 58
Privacy vision statement
    examples, 12–14
    importance of, 11
Privacy workshop, for shareholders, 27
Processing, right to restricting, 117, 122–123
Procurement
    engaging vendors, 97–100
    implementing policies, 99
    See also Vendors
Procurement group, function of, in creating privacy policy, 7
Professional certifications, 33
Professional forensic firms, 199–200
Profiling, right not to be subject to, 118
Program management solutions, 21–22
Program performance
    metrics for measurement of, 217–223
    monitoring of, 223–226
Program scope. See Privacy program scope
Progress reporting, during breach notification, 210–211
Proofpoint, 183
Protected health information (PHI), 112
Public relations stakeholders
    planning role, for data breach, 180, 182
    role of, during an incident, 197–198

250

Q
Qatar, international guidelines/legislation and responsible authority, 45

R
Rahimic, Tajma, 105–134, 235
Ramirez, Edith, 106
Records of processing, 15
Rectification, right of, 117, 121
Rectification requests, 126
Regulations
    data protection, 16
    inventory of, creating, 67
    monitoring of, 57–58
    monitoring of changes in, 224
    penalties for non-compliance with, 52–53
    privacy frameworks and, 20
    See also Laws
Regulator notifications, 207
Remediation offers, 209–210
Remediation providers, 200–201
Reporting phase, in audit lifecycle, 228
Reporting worksheets, for incident handling, 187–188
Reputational liability, in data breaches, 174
Return on investment (ROI), of privacy program, 218, 220
Rights. See Data subject rights entries
Rights of individuals, 19
“Right-to-be-forgotten,” 117, 121–122
Risk
    governance, risk and compliance (GRC) tools and, 24
    in information security, 157
    of privacy policy, 90–91
Roadmap, of organization’s privacy requirements, 39
Russia
    international guidelines/legislation and responsible authority, 46
    oversight regulatory authority and enforcement powers, 55
Ryerson University, Certificate in Privacy, Access and Information Management, 32

S
Schultze-Melling, Jyn, 116
Scope, of privacy policy, 90. See also Privacy program scope
Second-party audits, 228–229
Security controls
    defined, 79
    purpose of, 168
    types of, 79
Security incident versus breach, 175
Segregation of duties, 166
Self-assessment, 78
Self-regulatory privacy programs, 43, 168
Seminars, 33
Siegel, Bob, 89
Singapore
    international guidelines/legislation and responsible authority, 46
    oversight regulatory authority and enforcement powers, 54
    protection models and approach to privacy protection, 17
Snapchat, 106
Social engineering, as threat, 183
South Africa
    international guidelines/legislation and responsible authority, 46
    oversight regulatory authority and enforcement powers, 57
South Korea
    international guidelines/legislation and responsible authority, 46
    oversight regulatory authority and enforcement powers, 53
    privacy regime in, 129
South Korea, Data Protection Act, 33
Spear phishing data breach, 135–136
Stakeholders
    building and gaining consensus, 25

251

    collaboration among, for incident handling, 189
    functions and importance of, 8
    identifying, 25–27
    during an investigation, 204
    knowing, for incident responses, 177–178
    legal, 180–181
    privacy workshop for, 27
    responsibilities of, in a breach, 179–184
Stanford University Privacy Office, privacy vision/mission statement, 12
State attorneys general (AG), 106
State laws. See Data subject rights in the United States
Statements of organization’s position, in employee policies, 95
StaySafe Online, 139
Supplier monitoring, 226
Surprise minimization, 51
Symbols, for communicating privacy practices, 107

T
Tabletop exercises, as readiness-testing activity, 184–185
Taiwan, international guidelines/legislation and responsible authority, 46
Teaming, in information privacy and information security, 165
Team roles, during an incident
    board of directors, 202
    business development, 199
    call center, 200
    computer emergency response team (CERT), 194
    customer care, 198–199
    finance, 196–197
    human resources, 195–196
    information security, 194
    legal, 193
    marketing/public relations, 197–198
    outside resources, 199–201
    overview, 191–193
    president/CEO, 201
    print vendors, 200
    professional forensic firms, 199–200
    remediation providers, 200–201
    team leadership, 192–193
    union leadership, 201
Technical controls, 158, 167–169
Telecom privacy-related concerns, 42
Telemarketing Sales Rule (TSR), 112
Telephone Consumer Protection Act (TCPA) of 1991, 41
Terrorism, 42
Texas biometric privacy laws, 116
Thailand, oversight regulatory authority and enforcement powers, 54
Third parties, incident handling by, 190
Third-party audits, 229
Third-party external privacy resources, 58
Third-party forensic vendors, in complex breach, 204
Thomas, Liisa, 173–216, 235
Three Lines of Defence model, 65
Tools, for monitoring, 225
Training
    audience identification for, 142
    awareness versus, 137
    budgeting for, 185–186
    as closing the communication loop, 102
    of employees, for incident handling, 187
    in preparation for a breach, 175–176
    requirements for, 137
    using metrics to prove, 144–146
Training and awareness
    methods for, 143–144
    strategies for, 142–143
Transparency
    importance of, 105
    privacy by design and, 150
    WP29 guidance on, 107
Transparency principle, 51
Transparent communication, necessity of, 119
Transparent communication and information, right of, 117

252

Trend analysis, 220
Trending, 220
Trust, of consumers, 4
TrustArc, 43, 164
TRUSTe, 164
Turkey
    cost of data breaches in, 135
    international guidelines/legislation and responsible authority, 46
    oversight regulatory authority and enforcement powers, 55
2018 Cost of a Data Breach Study (Ponemon Institute), 174
2018 Data Breach Investigations Report (Verizon), 135

U
UAE-Dubai (DIFC), international guidelines/legislation and responsible authority, 46
Uber Technologies data breach settlement, 136
UN Convention on the Rights of the Child in Child Friendly Language, 110
Union leadership
    planning role, for data breach, 180, 182
    role of, during an incident, 201
United States, 39
    breach notification laws, 173
    cost of data breaches in, 135
    data protection legislation and, 16–17
    domestic privacy challenges, 17–18
    privacy impact assessments (PIAs) in, 71–72
    protection models and approach to privacy protection, 17
Uruguay, 39
    international guidelines/legislation and responsible authority, 46
    oversight regulatory authority and enforcement powers, 56
U.S. Department of Commerce (DOC), 78
U.S. Department of Health and Human Services, 20
User access management, 166
User testing, 107
U.S. federal government privacy laws
    industry-specific concerns, 42
    names, enforcement, and focused concern of, 40–41
    self-regulation: industry standards and codes of conduct, 43
    See also Data subject rights in the United States

V
Vendor incident response, 81
Vendors
    assessing, 80–82
    assessing, under the GDPR, 82
    contract language and, 81–82
    engaging, 97–100
    evaluating, 81
    GRC (governance, risk and compliance), 24
    held to privacy standards, 97–100
    monitoring of, 99
    privacy tech, 23–24
    reputations of, 80
    role of, during an incident, 200
    as source of an incident, management of, 179
    standards for selecting, 80–81
    vendor contract, 98
    vendor policy, 98
VeriSign, 43
Verizon: 2018 Data Breach Investigations Report, 135
Video Privacy Protection Act (VPPA) of 1988, 41
Video privacy-related concerns, 42
Video teleconferencing, 144
Vietnam, international guidelines/legislation and responsible authority, 46
Vision statement, 11–14
Voicemail broadcasts, 144

W
Washington biometric privacy laws, 116
Web pages, for communication, 144

253

Witt, Amanda, 105–134, 235–236
Wombat Security, 183
Worksheets, for incident handling, 187–188
WP29
    on consent, 109
    guidance on transparency, 107
    Guidelines on Data Protection Impact Assessment, 77–78
    on language and consent from children, 110
    on privacy dashboards, 108
    processing operations requiring a DPIA, 74–75

Y
Yahoo! data breach (2014), 135–136
Yakabovicz, Edward, 89–104, 236

254