©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.

PRIVACY PROGRAM MANAGEMENT ONLINE TRAINING TRANSCRIPT

MODULE 5: PRIVACY OPERATIONAL LIFE CYCLE—PROTECT: PROTECTING PERSONAL INFORMATION

Introduction

Module introduction

Keeping personal information secure requires both privacy and security measures. Information security practices can help identify and mitigate risk, but an organization must also consider, from a privacy standpoint, taking proactive steps to protect personal information. How can you employ processes and technology that build privacy into the organization’s systems and daily tasks? This module will provide an overview of privacy risk models and frameworks, cover various security and privacy practices and controls, and review the principles of privacy by design and data protection by design and default.

Scenario 3

AtlantiPulse causes a privacy problem (1)

AtlantiPulse is now an integral division of One Earth Medical. AtlantiPulse has well-established policies and procedures for its nurses who work from home, including scheduled periodic audits to be sure they are operating in accord with company standards. However, through her work, Mary has discovered several potential privacy weaknesses. Click the numbers to learn more.

1. Although printing functions were disabled on remote computers and an admin password is needed to enable them, it is possible to use the “print as PDF” function to create copies of patient data, so the printing restriction does not actually prevent local copies from being made.
2. AtlantiPulse’s database with patient and scheduling data does not restrict access to data beyond the initial login, regardless of the user’s location or role. Coupled with potential breaches due to the computer’s configuration, this situation could cause serious issues.
3. Some physical ports (for example, USB) on nurses’ laptops are not locked down, making it possible to transfer data from an AtlantiPulse machine to an external storage device or to a computer outside the network.
AtlantiPulse causes a privacy problem (2)

To resolve the potential security issues Mary has observed, what questions must she first ask? Consider the situation with privacy principles in mind. Type your ideas in the box, then click “Submit.”

Some important privacy-related questions that Mary must find answers to are shown here:

Data minimization
• Is the minimum necessary amount of data being collected from each patient?
• What is the minimum necessary amount of data each nurse should have access to?

Access
• What other functional roles within AtlantiPulse need access to data?
• How should access to the data be restricted?

Accountability
• How is accountability established for access to the data? For example, is there an audit trail or other tracking mechanism that records who accessed patient data, when, through which service, and from what location/IP address?

Processes
• How are appropriate work-from-home processes defined and implemented?
• How is compliance with these processes tracked?

Security
• How should information security and IT be involved to ensure that the correct technical controls are in place to implement the policies?
• What policies and procedures are in place to keep data in the remote, work-at-home environment as secure as it is in the onsite work environment?

Information security and privacy

Learning objectives
• Explore the intersection of privacy and information security
• Examine ways to better align the privacy and information security functions
• Outline drivers behind information security practices

How do privacy and security intersect? (1)

“Privacy v. security … isn’t it the same thing? Data privacy is focused on the use and governance of personal data—things like putting policies in place to ensure that consumers’ personal information is being collected, shared and used in appropriate ways. Security focuses more on protecting data from malicious attacks and the exploitation of stolen data for profit. While security is necessary for protecting data, it’s not sufficient for addressing privacy.”
Source: https://iapp.org/about/what-is-privacy/

How do privacy and security intersect? (2)

Privacy and security are related concepts, and both focus on information. However, security’s main focus is the control of information: ensuring its confidentiality, integrity and availability throughout the data life cycle. In contrast, privacy focuses on the information itself and the people represented by the information. With privacy, we need to examine not only what information is revealed, but also whether there is a risk to the person or their reputation.

See below for points to consider about security and privacy, from Virtru’s 2019 white paper, Succeeding at the Intersection of Security and Privacy. For the full white paper, click here.

• While there are areas where security and privacy remain distinct, they increasingly intersect. Organizations that focus on this intersection and on data-level protections are better equipped to navigate today’s modern data landscape.
• Modern data protection requires defending against unauthorized data access while simultaneously securely sharing and collaborating internally and externally to achieve mission objectives. From law enforcement to catching software vulnerabilities to maritime safety, information sharing is essential for business success.
• In addition to limiting unauthorized data access, a holistic focus on the intersection of security and privacy provides other benefits.
Compliance with data protection laws could spark revenue streams by encouraging greater efficiency and awareness across the entire life cycle of data, and can help protect intellectual property.

Information security and risk management

Information security provides administrative, technical and physical controls, or safeguards, to reduce potential damage, loss, modification or unauthorized access to data. Information security builds on risk management practices to:
• Identify risk
• Select and implement measures to mitigate risk
• Track and evaluate risk

Regardless of industry, government affiliation or geographic location, risk factors are the driving force behind all information security matters. Note that the existence of risk does not by itself mean that data is not secure: some residual risk always remains, and the real question is whether it has been identified, assessed and reduced to a level the organization has knowingly accepted.

Summary
• Privacy and security are related concepts and both focus on information. However, security’s main focus is the control of information, while privacy focuses on the information itself and the people represented by the information.
• Information security builds on risk management practices to identify risk, take measures to mitigate risk, and track and evaluate risk.
• The existence of risk does not mean that data is not secure.

Links:
https://iapp.org/about/what-is-privacy/
https://iapp.org/media/pdf/resource_center/virtru_whitepaper_intersection_security_privacy.pdf
Privacy and security controls

Learning objectives
• Analyze types and categories of controls
• Review examples of administrative controls
• Illustrate types of access controls
• Determine technical controls for protecting personal information

Control categories

Controls can be divided into several categories based on the control objective:
• Preventive controls, such as firewalls, passwords, procedures and training, are intended to prevent an incident from occurring.
• Detective controls, such as audits, antivirus software, and monitoring and logging, are intended to identify and characterize an incident that has occurred or is in progress.
• Corrective controls, such as business continuity plans, back-up data restoration and updated policies, are intended to limit the extent of any damage caused by an incident.

A single control can serve more than one objective: access logging is detective, but the knowledge that access is logged also deters misuse, and the same log is what a corrective investigation relies on.

Control types

Information security provides physical, technical and administrative controls to manage risk by reducing potential damage, loss, modification or unauthorized access to data.
• Physical controls, such as fences, doors and locks, restrict physical access to hard copies of data and to the systems that process and store electronic copies.
• Technical controls, such as user logins, antivirus software and firewalls, govern software processes and data.
• Administrative or policy controls, such as incident response processes, management oversight, security awareness and training, and data handling policies, govern an organization’s business practices.

ISO/IEC security control standards

The types of security controls discussed in this module align with the ISO/IEC 27001 and ISO/IEC 27002 standards. ISO/IEC 27001 and 27002 are internationally recognized information security standards published by the International Organization for Standardization, or ISO, and the International Electrotechnical Commission, or IEC. ISO/IEC 27001 Annex A contains a summary of security controls, and ISO/IEC 27002 examines those controls in more depth.
ISO/IEC 27701 is an extension of ISO/IEC 27001 and is considered the first mainstream global privacy management standard. It defines processes and provides guidance for protecting personal information on an ongoing, evolving basis and specifies the requirements for establishing, implementing, maintaining and continually improving a privacy-specific information security management system. Adding a privacy standard to a commonly adopted security standard gives privacy greater visibility and promotes greater collaboration between an organization’s security and privacy teams. Click here for the IAPP article about Microsoft’s open-source tool, the “Data Protection/Privacy Mapping Project,” which maps ISO/IEC 27701 to nine privacy laws around the world, including the GDPR, CCPA and LGPD.

Administrative controls

Administrative controls are the nontechnical, “softer” privacy control measures established by management (for example, policies and procedures). They may derive from laws and regulations, self-regulatory regimes, industry practices, and corporate ethics and policies. Policies dictate controls which, in turn, establish what mechanism or process must be implemented to ensure the control is enabled. How could you implement the administrative controls outlined here? Drag each implementation example to the correct control row.
Type | Source | Administrative control | Implementation
Laws and regulations | GDPR: right to erasure | Data must be deleted upon request | Ensure the deletion processes work properly and are tested
Self-regulatory regime | Payment Card Industry Data Security Standard (PCI DSS) | Cardholder data must be encrypted | Use AES-256 (Advanced Encryption Standard) in transit
Industry practices | Generally Accepted Privacy Principles (GAPP) | Explicit consent must be obtained for sensitive data | Require “opt-in” selection for specified users
Corporate ethics/policy | Google’s former motto: “Don’t be evil.” | Search results must not be deceptive | Always clearly identify advertising as a “sponsored link”

IAPP article on the Microsoft mapping tool: https://iapp.org/news/a/microsoft-launches-open-source-privacy-mapping-tool/

Access controls

A privacy team should work with information security and IT to ensure effective access controls, which govern who has the right to access specific information. Role-based controls and guidelines for managing user access can help ensure that only people who absolutely need access to certain information have it. The organization must also teach the importance of user responsibility. It should train and regularly remind employees of good security practices in selecting and protecting passwords, as well as practices that promote physical security, such as a clean desk policy. Click on the tabs to learn more about role-based controls and user access management.

Role-based controls
Basic security principles
• Segregation of duties: Splits a sensitive task across more than one person, so that no single person can exploit their position or gain access to information inappropriately without another person’s involvement.
• Least privilege: Access is granted at the lowest level required to perform the function.
• Need-to-know or need-to-access: Access is restricted to only the information that is critical to the performance of an authorized, assigned mission.

User access management (also known as identity and access management)
• Unique user IDs
• Credentials for the ID (smart card, password, two-factor authentication, machine certificate, etc.)
• Level of access based on business purpose
• Formal, logical process for granting and removing access
• Password management
• Review of user access rights (e.g., privileged accounts, job function changes, employment termination)

Security policies

A well-functioning internal security policy prevents unauthorized or unnecessary access to corporate data or resources, including intellectual property, financial data and personal information. Physical security measures such as locks, safes, cameras and fences offer a first layer of protection from both internal and external threats. Other ways to secure data include:
• Data classification policies that are established and enforced for both granting and revoking access to assets and information according to their classification;
• Database schemas that separate customer information into distinct, related tables, so that access can be granted only to those who need to see a given category of information;
• Data retention policies and procedures that are established early in a system’s development and clearly communicated to all individuals who handle data; and
• Data deletion policies that dictate the secure and complete removal of data from all systems when it is no longer needed for a legitimate business purpose.

Technical privacy controls

In addition to security and administrative controls, technical privacy controls offer ways to protect personal information.
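The following is an added worked example, written for this transcript rather than taken from the IAPP module or from any AtlantiPulse system, that puts the access-control material above into code for the scenario’s second weakness (a database that checks nothing beyond the initial login). A patient-record lookup applies least privilege per role, masks a field a role needs only in part, refuses work-from-home access from outside an assumed VPN range, and records every attempt (who, when, which record, from where, and the outcome) so that the periodic audits have something to review. The roles, fields, sample record and network range are assumptions.

```python
"""Role-based access to a patient record with least privilege, field masking and an
audit trail. Added example for the AtlantiPulse scenario; the roles, fields, sample
record and VPN range are assumptions, not from the IAPP material."""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

# Constructed sample record (fictitious). In the real system this sits in the
# patient and scheduling database.
PATIENTS = {
    "P001": {"name": "Ada Example", "dob": "1970-01-01", "ssn": "123-45-6789",
             "diagnosis": "hypertension", "next_visit": "2024-03-04"},
}

# Least privilege / need-to-know: each role lists only the fields its function needs.
ROLE_FIELDS = {
    "nurse":     {"name", "dob", "diagnosis", "next_visit"},
    "scheduler": {"name", "next_visit"},
    "billing":   {"name", "ssn"},
}

# Fields a role may see only in masked form.
ROLE_MASKED = {"billing": {"ssn"}}

# Work-from-home access is accepted only from the (assumed) VPN address range.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Audit trail: who, when, which record, from where, and the outcome, for every attempt.
AUDIT_LOG: list[dict] = []


@dataclass(frozen=True)
class Principal:
    user_id: str    # unique per person; shared accounts defeat accountability
    role: str
    source_ip: str


def mask(value: str, visible: int = 4) -> str:
    """Masking: keep the last `visible` characters, shield the rest ("***-**-6789")."""
    hidden = "".join("*" if c.isalnum() else c for c in value[:-visible])
    return hidden + value[-visible:]


def on_trusted_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def get_patient(principal: Principal, patient_id: str) -> dict:
    """Return only the fields the caller's role is entitled to, or raise.

    The audit entry is written in `finally`, so denied and failed attempts are
    logged as well as successful ones."""
    decision = "deny"
    try:
        allowed = ROLE_FIELDS.get(principal.role)
        if allowed is None:
            raise PermissionError(f"unknown role {principal.role!r}")
        if not on_trusted_network(principal.source_ip):
            raise PermissionError("remote access is only permitted over the VPN")
        record = PATIENTS.get(patient_id)
        if record is None:
            raise KeyError(patient_id)
        masked = ROLE_MASKED.get(principal.role, set())
        view = {f: (mask(record[f]) if f in masked else record[f]) for f in allowed}
        decision = "allow"
        return view
    finally:
        AUDIT_LOG.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": principal.user_id, "role": principal.role,
            "ip": principal.source_ip, "patient": patient_id, "decision": decision,
        })


def accesses_to(patient_id: str) -> list[dict]:
    """Periodic audit: every attempt against one record, for access-rights review."""
    return [e for e in AUDIT_LOG if e["patient"] == patient_id]


if __name__ == "__main__":
    print(get_patient(Principal("n.jones", "nurse", "10.20.5.7"), "P001"))
    print(get_patient(Principal("b.lee", "billing", "10.20.9.1"), "P001"))
    try:
        get_patient(Principal("n.jones", "nurse", "203.0.113.5"), "P001")
    except PermissionError as exc:
        print("denied:", exc)
    for entry in accesses_to("P001"):
        print(entry)
```

The two design points worth carrying into a real system are that the allow-list is per role and per field (the database never hands the application a whole row), and that the log entry is written on every code path, including denials, since a denied attempt from an unexpected address is exactly what an audit should surface.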
Click on the squares to view definitions of each example; then drag and drop each example to its technical privacy control type.

Obfuscation
• Masking: Masking permits parts of a sensitive value to be visible while leaving the remainder of the value shielded from view.
• Randomization: Randomization uses random information, or randomizes the data, to complicate linking personal information back to an individual.
• Noise: Noise adds false data to information to complicate identification of valid personal information.
• Hashing: Hashing converts user identifiers into fixed-length digests so that a user’s activities can be tracked by the digest rather than by the personal information itself. Because identifiers such as email addresses are easy to guess, an unkeyed hash can be reversed by hashing candidate values and comparing; a keyed hash (HMAC) with a secret held by the data custodian avoids this.

Data minimization
• Data segregation: Data segregation stores data in different areas to prevent aggregation of, access to, or linking of large amounts of data.
• Compression: Compressing data, such as an audio file, maintains its comprehensibility while removing characteristics that may distinguish an individual.
• Aggregation: Data aggregation combines data from multiple records so that the combined data reflects the attributes of a group rather than an individual.
• Deletion: Deleting unneeded or expired data is one of the best ways to remove the risk that comes from holding too much data.
• Deidentification: Deidentification removes identifying characteristics from data. Deidentified data is information that does not actually identify an individual. Some laws require specific identifiers to be removed.

Common security practices
• Data loss prevention (DLP): DLP helps to ensure that sensitive data is not inadvertently released to the wrong person or entity.
• Destruction: At the end of its life cycle, data should be destroyed.
• Encryption: Encryption transforms information with a cryptographic algorithm and a key so that it is unreadable to anyone who does not hold the corresponding key.
• Auditing and testing: Auditing and testing are essential to verify that privacy requirements are being met and to validate the appropriateness of those requirements.
• Access controls for physical and virtual systems: Access control is a mechanism by which access permission to a resource is managed.

Privacy-enhancing technologies
• Differential privacy: Differential privacy is a technique for analyzing a dataset, typically by adding calibrated noise to query results, so that the output reveals almost nothing about any single individual beyond what could be learned without that individual’s record in the dataset.
• Homomorphic encryption: Homomorphic encryption allows computation to be performed directly on encrypted data, so analysis can proceed without ever decrypting and exposing the raw values.

Evaluating security controls

When you are evaluating security controls, your goal should be to ensure they are implemented and operating effectively to support the organization’s privacy practices. In evaluating controls:
• Collaborate: Data privacy teams should work closely with information security and IT teams. Building partnerships between stakeholders in the privacy and information security functions is essential for consistency, visibility and alignment on key elements of the privacy program.
• Don’t reinvent: Leverage existing audits and reviews, such as SOC 1 and SOC 2 (System and Organization Controls for Service Organizations) audits and ISO certifications.
• Stay aware: Include relevant security risks in the privacy framework.
• Rank and prioritize: Keep a scorecard of risk factors for high, medium and low risk. Not all problems can be solved or mitigated at once, so having an agreed-upon ranking of risk factors is key to prioritizing resources and evaluating outcomes.
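As an added example (not from the IAPP material) covering the obfuscation and data-minimization controls defined above, the following Python runs hashing, keyed hashing, generalization with a k-anonymity check, aggregation and Laplace noise (the building block of differential privacy) over a constructed four-row patient extract. The rows, the custodian key and the epsilon value are assumptions. It also shows the failure mode noted under hashing: an unkeyed SHA-256 of an email address is reversed by a dictionary of candidate addresses, while the HMAC pseudonym is not.

```python
"""Obfuscation and data-minimization controls applied to a constructed patient extract.
Added example, not from the IAPP module; the rows, key and epsilon are assumptions."""
import hashlib
import hmac
import random
from collections import Counter
from typing import Optional

# Constructed, fictitious extract: one direct identifier (email), two quasi-identifiers
# (zip, age) and one sensitive attribute (diagnosis).
ROWS = [
    {"email": "ada@example.org", "zip": "02139", "age": 34, "diagnosis": "asthma"},
    {"email": "bob@example.org", "zip": "02138", "age": 37, "diagnosis": "asthma"},
    {"email": "cat@example.org", "zip": "02141", "age": 52, "diagnosis": "diabetes"},
    {"email": "dan@example.org", "zip": "02142", "age": 58, "diagnosis": "diabetes"},
]


def naive_hash(identifier: str) -> str:
    """Hashing as commonly done: SHA-256 of the identifier. Reversible for low-entropy
    inputs such as email addresses, because an attacker can hash candidates."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def reverse_by_dictionary(digest: str, candidates: list[str]) -> Optional[str]:
    """Dictionary attack on an unkeyed hash."""
    for c in candidates:
        if naive_hash(c) == digest:
            return c
    return None


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hashing (HMAC-SHA256). Without the custodian's key, candidates cannot be
    hashed and compared, so the dictionary attack above no longer applies."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()


def generalize(row: dict) -> dict:
    """Deidentification by generalization: drop the direct identifier and coarsen the
    quasi-identifiers (3-digit zip prefix, 10-year age band)."""
    return {
        "zip": row["zip"][:3] + "**",
        "age_band": f"{row['age'] // 10 * 10}s",
        "diagnosis": row["diagnosis"],
    }


def k_anonymity(rows: list[dict], quasi: tuple) -> int:
    """Smallest number of rows sharing one combination of quasi-identifier values.
    k = 1 means at least one person is unique on those values and thus re-identifiable."""
    groups = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(groups.values())


def aggregate(rows: list[dict], field: str) -> dict:
    """Aggregation: report counts per group instead of individual records."""
    return dict(Counter(r[field] for r in rows))


def dp_count(rows: list[dict], field: str, value: str, epsilon: float, seed: int = 0) -> float:
    """Noise: a counting query has sensitivity 1, so adding Laplace(0, 1/epsilon) noise
    gives epsilon-differential privacy. Laplace is sampled as the difference of two
    exponentials with rate epsilon; the seed only makes the example reproducible."""
    rng = random.Random(seed)
    true_count = sum(1 for r in rows if r[field] == value)
    noise = rng.expovariate(epsilon) - rng.expovariate(epsilon)
    return true_count + noise


if __name__ == "__main__":
    key = b"custodian-secret-kept-out-of-the-dataset"  # assumption: held by the custodian
    emails = [r["email"] for r in ROWS]
    print("unkeyed hash reversed to:", reverse_by_dictionary(naive_hash("ada@example.org"), emails))
    print("HMAC pseudonym:", pseudonym("ada@example.org", key)[:16])
    print("k-anonymity, raw quasi-identifiers:", k_anonymity(ROWS, ("zip", "age")))
    released = [generalize(r) for r in ROWS]
    print("k-anonymity, generalized:", k_anonymity(released, ("zip", "age_band")))
    print("aggregate:", aggregate(ROWS, "diagnosis"))
    print("noisy asthma count:", round(dp_count(ROWS, "diagnosis", "asthma", 1.0), 2))
```

Two caveats the numbers make visible: generalization lifts k from 1 to 2 on this extract, but every row in the "50s" group carries the same diagnosis, so knowing that someone is in that group still discloses the sensitive attribute (the homogeneity problem that l-diversity addresses); and the differential-privacy guarantee holds only if epsilon is budgeted across all queries, since repeating the same noisy count and averaging would wash the noise out.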
From an expert: Controls

Katrina Destrée, CIPP/E, Privacy Center of Excellence – Team Lead, Strategy and Consulting, Dell Technologies

When we look at gold standard of controls—well, we look at, first of all, the alliance with frameworks, legal and regulatory frameworks in which the companies are operating, but on a very day-to-day basis, the gold standard is what people understand, what they use, and what they can cite. So, for me, when I think about the definition of gold standard of controls, that really is the gold standard because that means that you’re connecting with these controls on a daily basis. We look at different departments and how they’re handling their controls, whether it’s their new technologies, their vendors, their products or services—then they know these products, they know these vendors and they know their systems so well that they know which controls apply to them. That’s an ideal situation, so they really do connect. Now on a privacy side, when you’re explaining these controls or going through a process of assessing different systems, what I’ve found to be really helpful is to think of them as operating procedures—they’re reference documents, to have them on your desktop. So that’s what I do, I have all of—looking at primarily eight different controls and having those on my desktop so that when I’m in a conversation with a system owner, with a person that’s going through a PIA for a new vendor, a new technology, a new product or service, or new features of an existing product, we talk about one of those controls, I can open up that document, share my screen, and say, “Here’s what we need.
Here are the policies that help us achieve these goals and here are the controls that are kind of operating procedures on exactly what to do.” So, that’s an example of a gold standard for the controls of either systems, products or services. And these controls definitely help companies achieve their overall policy objectives and goals. So, if we think about the reality of updating or initiating controls—updating is far more difficult, because it’s after the fact, and the reality is, if we look at systems, first of all, there can be a lot of them, a lot—hundreds of systems—and these systems could have been in place for a long time, and they’re working; they’re not broken. And you’ve got people that are not in privacy and security that are in other departments of the organization running these systems. Which means they’re busy with business as usual. So, to ask to stop, to assess these systems, to be in compliance with controls is to step away from their normal day-to-day work and to say, “Let’s talk about assessing your system for compliance with our privacy and security controls.” That’s number one. Just to acknowledge the players involved and the realities of assessing these systems. So, second of all, it has to be made a priority, and it can be very time-consuming because then you have to get on the same page—what exactly are we doing today. As we mentioned, “That’s right, we understand about privacy, it’s very important, it’s a business imperative, it’s very important for customer trust.” People really do understand that, and they increasingly connect with it—it’s a message that’s loud and clear and people resonate with it themselves because we’re all customers, consumers ourselves. You look at a system and you say, “Well, what about your system?
How well do you know it, your system or your vendor that you’re relying upon for processing that personal data of that system?” And when the person looks at the system they might say, “Yes, well, we recognize that personal data is name, address, et cetera.” But that list is oftentimes longer than the name and the address. So, the definition of personal data is very useful to start off with at the beginning of that life cycle. Let’s revisit—what do we mean by personal data? What do we mean by information classification? Is that personal data? It might be public, but it still could be personal. We still need to treat it that way. It can be restricted, it can be confidential, whichever class it is, but it doesn’t mean that the system owner can recite that back. So that is what I mean by, again, thinking of the gold standard, understanding, using, and being able to cite it/enforce the, the controls that are facilitating the company policy for protecting personal information. When assessing these systems, it’s important that the system owner can connect and understand why there might be a policy gap and then to establish a plan for a plan for remediation. Now it’s important for the system owner to plan for this plan. Why? Because it’s going to be the system owner that implements the plan. Again, making time for that, making it a priority, and it is away from business as usual, so it is a reality of that. The reality has to be that it’s part of a bigger priority—perhaps there’s an executive that has stated, “This is our organizational key results. We need to do this.” Then it jumps up the priority list: “Okay, this is worth stepping away from business as usual.” So, then you go through the process of identifying which controls apply to your system, your vendor, et cetera.
So, the controls—we have, obviously, information classification, we have retention, we have accuracy, we have system availability, we have—there’s an incident, we have role-based access. So, the system owner has to say, “Those apply to me. That applies to my system.” Now those are topics that people do understand, they do recognize, but what’s part of that life cycle is to take the next step and ask the secondary question. So, if the system owner says, “Yes, we recognize we can’t hold on to the data forever, that’s right, we understand about data retention.” The secondary question is to ask, what is the purge schedule? Role-based access: “Yes, we recognize role-based access.” Ok, which IAM tool—identity access management tool—do you use? Role-based access: What happens when someone leaves and you need to revoke their access? How long does that take? Is it three months? Or is it a year? Those types of secondary questions are what is very important in that life cycle. So, it’s getting to know those controls so well that they are understood, they’re used, and they can be cited. Looking at it from initiating the controls, well, that is the dream situation. Very beginning, and that’s like, let’s look at privacy by design from the very beginning, which, of course, is what we want to do. And that can be achieved through a privacy impact assessment which are great tools for that process, whether it’s a vendor, it’s a system, new product or service being launched into the marketplace. A PIA is only as intelligent as we design it to be. So, if that PIA has questions that say, “Not applicable; don’t know,” that’s introducing risk. And controls are all about mitigating that risk to the company or the organization that is, has created the policies that define the controls. We think of controls as before, during and after. Preventative, detective, and corrective: it’s an ongoing life cycle.

Summary
• Information security provides different kinds of controls to manage risk.
Controls can be administrative, physical or technical.
• Controls are also divided into different categories based on their objective: preventive controls to prevent an incident from occurring; detective controls to identify and characterize an incident that has occurred or is in progress; and corrective controls to limit the extent of any damage caused by an incident.
• ISO/IEC 27701 is considered the first mainstream global privacy management standard. It defines processes and provides guidance for protecting personal information on an ongoing, evolving basis and specifies the requirements for establishing, implementing, maintaining and continually improving a privacy-specific information security management system.
• Administrative controls are non-technical privacy control measures established by management (for example, policies and procedures). They may derive from laws and regulations, self-regulatory regimes, industry practices, and corporate ethics and policies. Policies dictate the controls, which, in turn, establish what mechanism or process must be implemented to ensure the control is enabled.
• Access controls govern who has the right to access specific information and may involve approaches from administrative, physical and technical control categories.
• Role-based controls and guidelines for managing user access can help ensure that only those who absolutely need access to certain information have it. These controls rely on basic security principles like need-to-know or need-to-access and segregation of duties. They also involve user access management, which uses strategies such as unique user IDs and password management.
• Technical privacy controls offer ways to protect personal information. Examples of technical controls are obfuscation, data minimization, common security practices and privacy-enhancing technologies.
Privacy by design

Learning objectives
• Define privacy by design and review its seven principles
• Define data protection by design and default in the GDPR
• Explore privacy risk models and frameworks
• Compare process-oriented and data-oriented privacy design strategies

Privacy by design (PbD)

Privacy by design, or PbD, is the philosophy and approach of embedding privacy into the design of technology, systems and practices. Privacy by design helps ensure the existence of privacy from the beginning of development. As originally conceived by the former Privacy Commissioner of Ontario, Ann Cavoukian, privacy by design is based on seven foundational principles:
1. Proactive, not reactive; preventative, not remedial
2. Privacy as the default
3. Privacy embedded into design
4. Full functionality—positive-sum, not zero-sum
5. End-to-end security—life cycle protection
6. Visibility and transparency
7. Respect for user privacy

Privacy by design includes ingraining privacy throughout the entire life cycle of technologies, from the early design stage to deployment, use and disposal. For example, PbD considers privacy principles and other privacy requirements throughout the design of a vehicle/driver tracking system that adjusts insurance premiums based on driver behavior, or the introduction of facial recognition in airports, casinos and other commonly visited places. Considerations throughout the project life cycle can include ensuring only the minimum data required is collected, defining data retention periods, ensuring data sharing is limited to what is necessary, and testing for discrimination and bias in the algorithms used.

From an expert: Privacy by design

Aaron Weller, CIPP/US, CIPM, CIPT, FIP, President and Co-founder, Sentinel (Ethos Privacy)

Before privacy by design was really required, the concept existed, but it wasn’t really something that a lot of organizations had a formal program around.
And there were numerous examples where companies, particularly technology companies, were found to have gone and done something with data that when it became public that that was what they had done, there was a pretty significant backlash. And in some cases, the regulators came in and imposed either fines or the FTC imposed a consent decree as well. Where a lot of this was, it wasn’t necessarily breaking the law. And I think that’s a really important consideration where, a lot these areas where we’re trying to drive competitive advantage, it may not specifically be breaking the law, but it may be something that falls under the FTC’s Section 5 authority for unfair or deceptive trade practices. Where you’re looking at something where it wasn’t very clear to the users whose data was in that dataset, what was actually going to happen with that information. Or things were being done in a way, that it was a new piece of technology, and nobody really knew how this was going to work, but then the company could see that if they did things in a certain way that potentially they could either gain more advertising revenue. Or they in other ways be able to outpace some of their competitors. So yeah, I have seen some of the examples of that. I think one of the reasons where, and I am glad to see that in the proposed state laws in many states, we’re looking at actually requiring privacy by design as well. Because I think that helps us as privacy professionals, to give a backstop to say, “We should really be thinking about these things.” And I always advise my clients to look beyond kind of that black-and-white legal interpretation and build in more thinking about, “Is this in line with our overall corporate culture? Is this what we want to be known as, as an organization?
And is that short-term gain really worth it for the potential long-term consequences?”

Data protection by design and default in the GDPR

Data protection by design and default is specifically called out in Article 25 of the GDPR, with corresponding requirements and consequences for noncompliance. In the GDPR, the ultimate goal of data protection by design and default is to build information privacy into the design process (not added on as an afterthought), and to protect individuals’ privacy by default in a product, application or service.

PbD and GDPR principles

Several of the data processing principles outlined in the GDPR may be implemented through privacy by design. Click on each image for information about the GDPR processing principles.
• Lawfulness, fairness and transparency of processing requires honest practices, such as communicating openly with data subjects about processing activities.
• Purpose limitation requires collecting and processing personal data for the specified purpose only. To determine whether personal data may be processed further, use a compatibility test that looks at the links between the original and new purposes, the nature of the data, the method of collection, the consequences of the secondary use for data subjects, and the safeguards applied.
• Data minimization and proportionality mean processing only personal data that is relevant and necessary for the purpose.
• Accuracy means ensuring data is accurate and, where necessary, kept up to date.
• Storage limitation means keeping personal data in a form that permits identification of individuals for no longer than is necessary for the purpose.
• Integrity and confidentiality require ensuring personal data is reasonably secure, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
• Accountability means ensuring that responsibility for privacy is spread throughout the organization and that compliance with the GDPR and other applicable laws can be demonstrated.

From an expert: Differences between U.S. and EU approaches to PbD

Antonis Patrikios, CIPP/E, CIPM, FIP, Partner, Dentons

It is useful, when you’re trying to assess what do you need to do in order to embed privacy by design to first understand what is the potential privacy invasion that we’re trying to address here. What is the potential risk to privacy? And that’s where the difference between EU and U.S. approaches lies. Because in the U.S., the prevailing thinking is that if you invade someone’s privacy, but as a result of that there is no harm that comes to them, nothing bad happens to them, then that’s okay. It’s not a problem because nothing bad happened. In Europe, we take a much different approach, which basically says, it’s irrelevant whether harm happens or not. What the law seeks to protect is precisely that bubble around that person that is their private sphere. And you’re not allowed to enter that private sphere. And it’s irrelevant whether harm is caused or not. The problem is that you invaded their privacy. That’s a problem. So please remember that, but that’s sort of … legal and philosophical points aside, in a practical sense, this is going to help you understand, right, what is going on here. And what do I need to do in order to embed privacy by design?

Real-world examples

To see the importance of data protection by design and default, consider these real-world examples. Click each image for details and consider: How might privacy by design or data protection by design and default have helped to avoid privacy issues?
• “My Friend Cayla” doll: The “My Friend Cayla” doll used smart technology to carry on conversations with children. Flaws in the security of the toy’s wireless (Bluetooth) connection allowed anyone in range to listen in on conversations as well as speak directly to the child playing with it.
  Source: https://www.theguardian.com/world/2017/feb/17/german-parents-told-to-destroy-my-friend-cayla-doll-spy-on-children
• Target: Target used data mining to deliver targeted advertising.
In one case, Target delivered a mailer for baby products to a teenager before her parents were aware she was pregnant. o (https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl- was-pregnant-before-her-father-did/#564b2a7f6668) • Predictim: The Predictim service scans potential babysitters’ social media postings to provide parents looking to hire them with risk ratings for things like drug use and bullying, as well as less objective measures, such as attitude or disrespectfulness. o (https://en.softonic.com/articles/predictim-babysitter-scanning) Privacy risk models and frameworks Risk management is an integral aspect of developing reliable software. When analyzing risk, one can choose from a number of privacy risk models and frameworks that may be employed individually or in combination. Click each title below to learn more. Models: • Compliance: Delineates risks as the failure to do what is required or avoid what is prohibited by law or regulation • FIPPs-based: Prescribes, and in some cases proscribes, specific qualities and behaviors of systems that handle personal information based on the Fair Information Practice Principles (FIPPs) • Factor Analysis of Information Risk (FAIR): Breaks down risk by its constituent parts, then breaks down those parts to find factors that estimate the overall risk Frameworks/Standards: https://www.theguardian.com/world/2017/feb/17/german-parents-told-to-destroy-my-friend-cayla-doll-spy-on-children https://www.theguardian.com/world/2017/feb/17/german-parents-told-to-destroy-my-friend-cayla-doll-spy-on-children https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/#564b2a7f6668 https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/#564b2a7f6668 https://en.softonic.com/articles/predictim-babysitter-scanning 13 ©2023, International Association of Privacy Professionals, 
Inc. (IAPP). Not for reproduction, distribution or republication. • The National Institute of Standards and Technology (NIST) Frameworks: Provide standards, guidelines and best practices for managing cybersecurity-related risks, including: • Risk Management Framework • Cybersecurity Framework • Privacy Framework • National Initiative for Cybersecurity Education (NICE) Framework • ISO/IEC 27701 Standard: Specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization • The CNIL’s (Commission Nationale de l'informatique et des Libertés/ French Data Protection Authority) Methodology for Privacy Risk Management: Uses risk maps to determine the severity of a breach and its likelihood of occurence Privacy design strategies Two major groups of privacy design strategies can play an important role in an organization’s application of privacy by design: process-oriented and data-oriented. Process-oriented strategies for data protection are based on an organization’s commitment to processing personal information in a privacy-friendly way and ensuring that these commitments are honored. Process-oriented strategies guide the processes that ensure the responsible handling of personal data by: • Enforcing established policies and processes • Demonstrating compliance with policies and processes • Informing the individual about how their data will be handled • Providing users with control over how their data will be handled Data-oriented strategies focus on the technical ways that data can be processed with the maximization of privacy in mind. 
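As an added example, not part of the IAPP module, the following Python applies the four data-oriented strategies (separate, minimize, abstract, hide) to a constructed patient record in the style of the AtlantiPulse scenario; the record, the pseudonymization key and the two-store layout are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample record (not real patient data), modelled on the
# AtlantiPulse patient/scheduling database from the module scenario.
RECORD = {
    "name": "Jane Example",
    "email": "jane@example.invalid",
    "phone": "+1-555-0100",
    "dob": "1986-04-12",
    "postcode": "02139",
    "diagnosis": "hypertension",
    "visit_date": "2023-05-01",
    "nurse_notes": "BP stable, continue medication",
}

# Hypothetical pseudonymization key; in a real deployment it would live in a
# separate, access-controlled service rather than beside the data.
PSEUDONYM_KEY = b"demo-key-replace-in-production"

# Fields that directly identify a person and must not reach the clinical store.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "dob", "postcode"}

def hide(record, key=PSEUDONYM_KEY):
    """HIDE: replace direct identifiers with a keyed pseudonym, so the
    clinical record cannot be linked back to the person without the key."""
    ident = (record["name"] + "|" + record["dob"]).encode()
    return hmac.new(key, ident, hashlib.sha256).hexdigest()[:16]

def abstract(record, ref_year=2023):
    """ABSTRACT: generalize quasi-identifiers (10-year age band instead of a
    birth date, postcode prefix instead of the full postcode)."""
    age = ref_year - int(record["dob"][:4])
    low = (age // 10) * 10
    return {"age_band": f"{low}-{low + 9}", "region": record["postcode"][:3]}

def separate(record, key=PSEUDONYM_KEY):
    """SEPARATE and MINIMIZE: split one record into two stores joined only by
    the pseudonym. Scheduling keeps just what contacting the patient needs;
    the clinical store carries no direct identifiers. Email is dropped."""
    pid = hide(record, key)
    scheduling = {"pid": pid, "name": record["name"],
                  "phone": record["phone"], "visit_date": record["visit_date"]}
    clinical = {"pid": pid, **abstract(record),
                "diagnosis": record["diagnosis"],
                "nurse_notes": record["nurse_notes"]}
    return scheduling, clinical

def leaks_identifiers(store):
    """Check a store for direct identifiers; empty list means none present."""
    return sorted(DIRECT_IDENTIFIERS & set(store))
```

The check in `leaks_identifiers` is the kind of control a periodic audit, like the ones AtlantiPulse runs on its remote nurses, can apply to each data store.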
Data-oriented strategies use technical measures to protect personal data by:
• Separating the processing of data, either logically or physically
• Minimizing how much data is collected and processed
• Abstracting data (by summarizing, grouping or approximating) to limit the amount of detail in the data
• Hiding data in ways that make it unconnectable or unobservable to others

Summary

• Privacy by design (PbD) embeds privacy into the design of technology, systems and practices to help ensure the existence of privacy from the outset.
• Privacy by design is based on seven foundational principles:
  1. Proactive, not reactive; preventative, not remedial
  2. Privacy as the default
  3. Privacy embedded into design
  4. Full functionality—positive-sum, not zero-sum
  5. End-to-end security—life cycle protection
  6. Visibility and transparency
  7. Respect for user privacy
• Data protection by design and default is called out in the GDPR, with requirements and consequences for noncompliance. Its goal is to build information privacy into the design process and protect privacy by default.
• Several privacy risk models and frameworks can be used individually or in combination to analyze risk. Models include compliance; Fair Information Practice Principles (FIPPs)-based; and Factor Analysis of Information Risk (FAIR). NIST frameworks include the Risk Management Framework; Cybersecurity Framework; Privacy Framework; and NICE Framework.
• Two major groups of privacy design strategies for applying PbD are process-oriented and data-oriented. Process-oriented strategies are based on an organization’s commitment to processing personal information in a privacy-friendly way; data-oriented strategies focus on technical ways to process data that maximize privacy.

Quiz

1. True or false? Security focuses on information and the people represented by that information.
   True
   False

2. True or false? The existence of information processing risks means that data is not secure.
   True
   False

3. Which of the following is an example of a process-oriented privacy design strategy?
   Demonstrating compliance with policies and processes
   Separating the processing of data, either logically or physically
   Abstracting data to limit the amount of detail in the data
   Hiding data in ways that make it unconnectable or unobservable to others

4. What type of security control may rely on segregation of duties?
   Cryptography
   Physical and environmental security
   Access control
   Systems acquisition, development and maintenance

5. A scorecard of risk factors may assist an organization in doing what?
   Evaluating security controls
   Writing information security policies
   Identifying risk
   Determining the business purpose for processing personal information

6. True or false? A key difference between the U.S. and EU concepts of invasion of privacy is based on whether the invasion caused actual harm to the individual.
   True
   False

7. Which of the following is an administrative control?
   Responding to data subject access requests within one week of reception
   Automatically aggregating personal information to render it anonymous
   Using a vendor to encrypt outgoing email messages
   Using a platform to mask sensitive information from users who do not need it

8. True or false? Data processing principles, such as those found in the GDPR, may be used to successfully implement privacy by design.
   True
   False

Closing slide

You have completed Module 5: Privacy operational life cycle—Protect: Protecting personal information

Quiz answers

1. False
2. False
3. Demonstrating compliance with policies and processes
4. Access control
5. Evaluating security controls
6. True
7. Responding to data subject access requests within one week of reception
8. True

*Quiz questions are intended to help reinforce key topics covered in the module. They are not meant to represent actual certification exam questions.