©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.

PRIVACY PROGRAM MANAGEMENT ONLINE TRAINING TRANSCRIPT

MODULE 2: PRIVACY PROGRAM FRAMEWORK: PRIVACY GOVERNANCE

Introduction

Module introduction

For most major organizational initiatives to be successful, there must be structure, consistency and buy-in at the highest levels. Privacy governance is no different. Successful privacy program management requires a structured team, thoughtful strategy and supporting stakeholders who remain committed throughout the program’s life cycle. This module will help you understand the key components of privacy governance within the organization, as well as how to position them for success.

Defining a privacy program and strategy

Learning objectives
• Define privacy governance and identify its components
• Analyze the components of a privacy vision/privacy mission statement
• Summarize considerations for defining the scope and charter of a privacy program
• Explain the purpose of a privacy strategy

Privacy governance

Building a strong privacy program starts with establishing the appropriate governance of the program. Privacy governance refers to the components guiding a privacy function toward compliance with privacy laws and regulations and enabling them to support the organization’s broader business goals. These components include:
• Creating the organizational privacy vision and mission statement
• Defining the scope of the privacy program
• Selecting an appropriate privacy framework
• Developing the organizational privacy strategy
• Structuring the privacy team

Where does the privacy program fit within your organization?

When positioning privacy within an organization, you may wish to consider:
• Which department has the most influence with the business?
• Which has global scope?
• Which is the best funded?
• Which executes enterprise projects the best?
• Which is the strongest supporter of privacy?

There is no standard organizational structure for privacy across organizations. As these survey results from the Annual Privacy Governance Report show, the privacy function may live within legal, regulatory compliance, privacy and data protection, information security, corporate ethics, information technology or elsewhere.

What is your organization’s privacy vision and mission?

The privacy vision or privacy mission statement of an organization concisely communicates its privacy stance to all stakeholders. A mission statement should define what you do to protect individuals’ privacy in a tangible way. It should be easy to understand and actionable by the organization. A vision statement is a values statement regarding what the organization hopes to achieve. This requires:
• Acquiring knowledge on privacy approaches
• Evaluating the intended objective
• Gaining executive sponsor approval

Do you know the privacy vision or privacy mission statement of your organization? Examples:
https://www.apple.com/privacy/
https://www.omeda.com/aboutus/privacy-mission-vision/

Common elements of a privacy vision and mission

Mission: what we do, who we do it for, and how we do it different or better
Vision: description of what we believe or want to achieve

Click on the highlighted phrases in the text below to see elements of a company privacy vision or privacy mission statement.

“The Australian Banking Association (‘ABA’) and its member banks believe that an individual's right to privacy of their personal information is very important, and are committed to protecting and maintaining the privacy, accuracy and security of an individual’s personal and financial information. Every ABA member bank has a Privacy Policy, which generally can be found on their website home pages.”
- Australian Banking Association (https://www.ausbanking.org.au/privacy-policy/)

Elements highlighted in this statement:
• Value of privacy to the organization
• Organizational objectives

“We respect your privacy and we promise:
• to implement computer, physical and procedural safeguards to protect the security and confidentiality of the personal data we collect
• to limit the personal data collected to the minimum required to provide services requested by you
• to permit only our properly trained, authorized employees to access personal data
• not to disclose your personal data to external parties unless you have agreed, we are required by law or we have previously informed you.”
- Hong Kong Trade Development Council (HKTDC) (https://home.hktdc.com/en/s/privacy-policy-statement)

Elements highlighted in this statement:
• Strategies to achieve intended outcomes
• Roles and responsibilities

Defining program scope and charter

Mary is in the process of defining her privacy program’s scope and charter. What are some of the high-level elements she should consider? Brainstorm your ideas, then click “Submit” to reveal the items on her list.

Mary’s list:
• Global and local laws, regulations and standards
• Cultural expectations and perspectives, including risk acceptance
• Business-sector requirements
• Types of personal information the organization collects/stores and how it is used
• Regulatory challenges

Basics of a privacy strategy

Once Mary knows what she will need to consider in defining her program’s scope and charter, she can start thinking about the basics of her organization’s privacy strategy. A privacy strategy should lay out the goals of an organization’s privacy program.
Development of this strategy may be complex and challenging, as the process may involve several stakeholders with potentially disparate objectives. Key considerations for developing a privacy strategy include business alignment, data governance of personal information and procedures for handling inquiries or complaints.

Read the task lists below and determine whether they relate to business alignment, data governance or inquiry- and complaint-handling procedures. (Note that these are not exhaustive lists.)

Business alignment
• Make an operational business case for privacy
• Obtain budget for privacy and the privacy team
• Identify stakeholders and internal partnerships
• Make connections and foster relationships
• Create a privacy committee for interfacing within the organization
• Align organizational culture and privacy objectives

Data governance of personal information
• List applicable privacy laws, regulations and standards
• Design an approach to handling and protecting personal information
• Consider the entire data life cycle: collection, use, access, sharing, transferring, security and destruction

Inquiry/complaint-handling procedures
• Consider processes for regulators, customers and employees
• Train individuals handling requests
• Explore the use of technology to increase efficiency of responses

From an expert: Creating a privacy strategy

Liisa Thomas, Partner and Lead, Privacy and Cybersecurity Practice, Sheppard Mullin

One of the things people often worry about is creating a privacy strategy, and how do we create a privacy strategy, and really what does that mean, and do we all have the same impression about privacy strategy.
So, if we think about Mary, who’s sitting in the privacy office trying to put together her company’s approach for privacy, one of the first things that I want Mary to think about, but may not be something that people think about, are: What is our company’s underlying strategy? What are the goals of the organization? Because Mary’s got to convince all these people within the organization—different stakeholders, different groups, people who may feel threatened by the things that Mary wants to do—she’s going to have to convince them to implement the compliance perspective, the policies, the procedures, that she wants them to do in order to address privacy laws.

So, I like to think about what is it that the company is trying to achieve? So, let’s take—I’m sitting here with furniture that some people may recognize from a store that you may recognize, and so my fictitious store, this is not really this store—might have as its underlying mission that it wants to provide affordable furniture to the masses. Style-y, design-y, affordable furniture. So, if that’s the company’s underlying goal and underlying mission, if we think about privacy from a value-add approach, and privacy from a strategic approach, our question is, how can privacy compliance help that goal? And we can sort of brainstorm about this in this virtual world where you’re hearing me, but I don’t see you, and you might come up with a bunch of different things that might make sense. But if you’re Mary and you’re sitting there in the privacy office, you’re probably going to want to go out and talk to people about, “How could we help you? What are you looking for? How would you like to use consumer information?” And kind of take off your compliance hat and just have conversations with people about what are they trying to achieve.

Maybe if they knew more about consumers and the way they use their furniture, the different things that furniture did during the day—it’s the dining table at one point, it’s the office at another table, some people work in really small spaces, some people need to spread out into larger spaces—understanding that information, understanding who’s in the house, all those kinds of things, those are, that’s personal information and it might be a lot of personal information. But, knowing that and collecting that information in a way that that information can be used and in a way that’s compliant with the law can really align your privacy office and align your privacy function in a way that you can support the mission of the organization. So, to me, that’s that missing piece and it’s the part that is really misunderstood about how we put together a strategy. We in the privacy office or privacy compliance lawyers, compliance function, we can’t do that without really thinking about who we are in our organization.

So, let’s say Mary used to be at a healthcare company and she had a really clear approach about how she wanted to deal with privacy strategy at that company. That’s not going to work at our affordable furniture company. ’Cause they’re very different organizations. There are things in her toolkit that she may be able to use in this new organization, but we want her to take a step back and think about what does this company need, and what is this company trying to accomplish?

So, we’re working on putting together a privacy compliance approach for our organization. We’re sitting down and we’ve got policies that maybe we’ve inherited, policies that need to be updated, procedures. We’ve got business teams that are, frankly, feeling a little bit threatened by the things that we’re trying to do and not sure what this change is going to mean for them. Does that mean that they can’t use the consumers’ information anymore?

You may not have experienced this yet, or you may be an old hat at sitting down with the business team asking a question and everybody getting really defensive. And, so, I will share with you my tip, which is, for those of you who have sat in a room with me before, you know I will say, “This is just a question. I’m just trying to get background. I don’t mean to imply that anything you’re doing is wrong. That is not where we’re going. I just want to understand what it is that you’re doing and what you’re trying to accomplish.” People feel really threatened by these things and so we have to remember that.

So, we’ve got all of those different pieces that are happening, and we want to think about ourselves in listen mode. And it is so hard, because our job is to solve things, is to fix things and is to get things done. But, when we’re trying to bring these pieces together, it’s so important to put ourselves into the mode of hearing and listening—not just what people are saying, but what they might actually need. Ask as many questions as you can. “How will this help?” In a positive way. Not in a negative way, like, “How will that help you?” But, “How will that help you? What would you be able to accomplish? Tell me more about that. That’s really interesting. I’m really interested in that.” Get all of that information and feel free to take a step, take a step back, whatever you need to do to take a breath. Think through, and maybe you don’t do it in that same meeting, but, “You know, these are really important things that you’re raising. I hear you and I hear your needs. Let me think about ways that we can achieve this.”

Once you get to that point, you want to work with your business team to ask questions about, “I’ve been thinking more about that need that you identified, and I would love to know, what do you think about this approach for collecting information? Do you think this would work? Do you think this mechanism for getting consent would work? Wow, it sounds like providing rights and responding to rights the way you have data structured right now could be really complicated. These are five different ways that I’ve seen other organizations approach this. Does that make sense for you? Do any of these make sense? Let’s iterate together.”

Another thing we like to use, and one of my favorite catch phrases, is design thinking. Pilots, testing, let’s just give it a try. It’s interesting in the legal world that we feel very uncomfortable launching anything—privacy compliance—unless it’s perfect. It’s got to be the best, and the best ever. I don’t know why! No other part of the organization does that. They say, “Oh, we’re launching this test, we’re going to do this trial…” Why don’t we do that? Now, I’m not saying that it should be something that doesn’t comply with the law. Yes. And that doesn’t match our current policies and procedures, but there’s lots of ways that we can accomplish things and trying things, trialing things, we should feel comfortable doing that. So, just give it a try and work collaboratively with your business team.

Summary
• Privacy governance refers to components guiding a privacy function toward compliance with privacy laws and regulations and enabling them to support the organization’s broader business goals, which are:
  o Creating a privacy vision and mission statement
  o Defining program scope
  o Selecting a privacy framework
  o Developing a privacy strategy
  o Structuring the privacy team
• There is no standard organizational structure for privacy across organizations. When determining where privacy will sit in the organization, you may wish to consider which department has the most influence; has global scope; is the best-funded; best executes enterprise projects; and/or is the strongest supporter of privacy.

Program and policy frameworks

Learning objectives
• Define privacy program frameworks
• Discuss common privacy program frameworks
• Outline the phases of the privacy policy life cycle

Privacy program framework: Definition

Once a privacy strategy is confirmed, an organization can move on to determine a privacy framework. What distinguishes a privacy strategy from a privacy framework? A privacy strategy can be thought of as the “why”: Why is privacy important to our organization? A privacy framework can be considered the “what”: What form or structure will our privacy program take?

Privacy program frameworks provide implementation roadmaps that guide the privacy team through privacy management and prompt them for the details to determine all privacy-relevant decisions for the organization. Privacy program frameworks:
• Provide a benchmark to measure your program.
• Generally include policies, procedures and processes to ensure the organization knows how to be compliant with the framework.
• Offer structure or checklists to guide the privacy team through privacy management, including controls or statements which need to be operationalized.
• Can be either a standard, a law/regulation, or an industry standard framework. There is no one-size-fits-all framework. Usually, an organization combines components from multiple sources (for example, ISO 27001, ISO 27701, GDPR and U.S. state privacy laws) to create their framework.

Connect the statements below to determine some of the benefits of privacy program frameworks.
• Reduce… risk
• Avoid/plan for… incidents of data loss
• Sustain… market value and reputation
• Provide… measurements in compliance with laws, regulations and standards

Develop and implement the privacy program/policy framework

Take the time to thoroughly develop your privacy program or policy framework so that it rests on a strong foundation. A program framework includes organizational policies, standards and guidelines, as well as clearly defined program activities. To implement the developed framework, you must communicate it to internal and external stakeholders and ensure continuous alignment to applicable laws and regulations.

Current privacy frameworks

The term framework is used broadly for the various processes, templates, tools, laws and standards that may guide the privacy professional in privacy program management. Privacy frameworks began emerging in the 1970s. They can be broadly grouped into three categories: principles and standards; laws, regulations and programs; and privacy program management solutions. Click on the tabs to learn more about example frameworks listed within each category.

Principles and standards

Fair Information Practices (FIPs), sometimes referred to as Fair Information Practice Principles (FIPPS), provide basic privacy principles central to several modern frameworks, laws and regulations. Practices and definitions vary: rights of individuals (notice, choice and consent, data subject access); controls on information (information security, information quality); information life cycle (collection, use and retention, disclosure); and management (management and administration, monitoring and enforcement).
The Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data are the most widely accepted privacy principles; together with the Council of Europe’s Convention 108, they are the basis for the EU’s General Data Protection Regulation (GDPR).

The American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA), which have formed the AICPA/CICA Privacy Task Force, developed the Generally Accepted Privacy Principles (GAPP) to guide organizations in developing, implementing and managing privacy programs in line with significant privacy laws and best practices.

The Canadian Standards Association (CSA) Privacy Code became a national standard in 1996 and formed the basis for PIPEDA.

The APEC Privacy Framework enables Asia-Pacific data transfers to benefit consumers, businesses and governments.

ETSI is a nonprofit organization that provides standards related to information and communication technology, especially in Europe.

ISO is an international standard-setting body. Standards 27701, the 8000 series, 15489, the 2700 series and 22301 are particularly relevant to the privacy professional.

Laws, regulations and programs

The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and Australian Privacy Principles (APPs) provide well-developed and current examples of generic privacy principles implemented through national laws.

EU data protection legislation includes the General Data Protection Regulation (GDPR), which offers a framework for data protection with increased obligations for organizations and far-reaching effects.

Brazil’s Lei Geral de Proteção de Dados (LGPD), inspired by the GDPR, creates a new legal framework for the use of online and offline personal data in Brazil in the private and public sectors.

China’s new law, the Personal Information Protection Law (PIPL), forms an overarching framework along with the Cybersecurity Law and the Data Security Law to govern data protection, cybersecurity and data security in China.

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients must opt in before their information can be shared with other organizations—although there are important exceptions, such as for treatment, payment and healthcare operations.

Local data protection authorities, such as France’s Commission nationale de l’informatique et des libertés (CNIL), provide guidance on legal frameworks.

Binding corporate rules (BCRs) are legally binding internal corporate privacy rules for transferring personal information within a corporate group. Article 47 of the GDPR lists minimum requirements of BCRs (e.g., application of GDPR principles). Under the GDPR, BCRs must be approved by the appropriate regulators.

Privacy program management solutions

Privacy-by-design (PbD) solutions are built by organizations to ensure consumers’ privacy protections at every stage in developing their products. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy.
The National Institute of Standards and Technology (NIST) has published “An Introduction to Privacy Engineering and Risk Management in Federal Systems,” introducing concepts of privacy engineering and risk management for federal systems: a common vocabulary to facilitate better understanding and communication of privacy risk within federal systems and effective implementation of privacy principles. Two key components support the application of privacy engineering and risk management: privacy engineering objectives and a privacy risk model.

NIST also published the “Framework for Improving Critical Infrastructure Cybersecurity” (April 2018), which enables all types of organizations to apply the principles and best practices of risk management to improving security and resilience. The framework provides a common organizing structure for multiple approaches to cybersecurity by assembling effective standards, guidelines and practices.

The American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA) created WebTrust, now managed by the Chartered Professional Accountants of Canada (CPA Canada), through which accountants can become certified to conduct privacy evaluations.

Vendors may provide tools and frameworks for privacy compliance and management.

The policy life cycle

Within an organization, the people involved in privacy governance must understand the privacy policy life cycle. Doing so will help them keep their policies active, effective and known throughout the organization. Privacy policies are discussed in more depth in module 6. Click on each phase of the policy life cycle to learn what is involved.
• Draft inward-facing policies that are practical, simple and easy to understand. Work with legal to ensure compliance with legal requirements. Make sure policies are aligned and consistent.
• Get approval from decision-makers and stakeholders.
• Disseminate and socialize policies to all employees. Look for formal and informal opportunities to spread the word.
• Train employees and enforce policies. Consequences of noncompliance should be clear and consistent.
• Review and revise policies regularly: at least annually, after a breach or another major incident, or when business circumstances change, such as via an acquisition or merger.

Summary
• Privacy program frameworks provide implementation roadmaps that guide the privacy team through privacy management and prompt for the details to determine privacy-relevant decisions for the organization. While strategies provide the why (why privacy is important), frameworks provide the what (what form the program will take).
• Common privacy program frameworks include principles and standards such as FIPs, OECD guidelines, GAPP, CSA, the APEC Privacy Framework, ETSI, and ISO; laws, regulations and programs such as PIPEDA and APPs, the GDPR, HIPAA, CNIL, and BCRs; and privacy program management solutions such as PbD, NIST, and WebTrust.
• The privacy policy life cycle phases involve:
  o Drafting inward-facing policies that are practical, simple and easy to understand
  o Getting approval from decision-makers and stakeholders
  o Disseminating and socializing policies to all employees
  o Training employees and enforcing policies
  o Reviewing and revising policies regularly

Governance: Team structure and roles

Learning objectives
• Compare and contrast privacy governance models
• Describe a data protection officer’s (DPO) required skill set and typical responsibilities
• Discover ways to receive buy-in for a privacy program

Privacy governance models (1)

Within an organization, privacy governance may be centralized, localized or a combination of both.
When creating your privacy office governance model, consider the existing organizational structure, any existing governance models, the position and authority of the privacy team, the maturity of the program, the involvement level of senior leadership and internal stakeholders and the development of internal partnerships. The governance model utilized may change over time. Click on each governance model to learn more.

Centralized

In a centralized approach, one team or person is responsible for privacy-related affairs. This model works best in organizations that use single-channel functions with planning and decision-making completed by one group.

Localized/decentralized

In a local or decentralized approach, decision-making is delegated to lower levels of the organization. This model widens the span of control and allows decisions and information to flow from bottom to top.

Hybrid

The hybrid model combines centralized and local or decentralized governance. It is most common when a large organization assigns an individual or team responsibility for privacy-related affairs for the rest of the organization. Local entities support the central governing body.

Privacy governance models (2)

There is no perfect privacy governance model. Review the lists of advantages and disadvantages below, then match them to the relevant model.

Centralized
• Advantages: Streamlined processes and procedures
• Disadvantages: Individual employees cannot make decisions

Local
• Advantages: Bottom-to-top flow of information
• Disadvantages: Lack of centralized process can create duplication of efforts

Hybrid
• Advantages: Offers the resources of a larger, centralized organization
• Disadvantages: Decentralized decision-making provides less big-picture vision

Structure the privacy team

The structure of the privacy team will also vary by organization size. In a large organization, the team may include a chief privacy officer, global privacy officer, privacy manager and analysts, business line privacy leaders and designated “first responders” to a privacy incident. Small organizations may designate a single privacy officer who manages privacy in addition to his or her other duties. Regardless of size, it is important that an organization has a point of contact for privacy issues.

The organization should consider using project or program management resources to orchestrate the program, especially during program initiation. Some legislation requires organizations to appoint a data protection officer under certain circumstances. Even if an organization does not need to appoint a DPO, it is good practice to review this requirement periodically. Privacy champions, executives who serve as privacy program sponsors and act as advocates to further foster privacy as a core organizational concept, are also crucial to an organization’s privacy team.

The DPO role

The European Union’s General Data Protection Regulation, or GDPR, requires all public authorities in the EU, and many private organizations within and outside the EU, to appoint a data protection officer. Organizations that fall under the scope of the GDPR, whose core activities involve processing personal data on a large scale, or who consistently process highly sensitive data, must appoint a DPO. Further, the Article 29 Working Party recommended that most organizations err on the side of caution by appointing a DPO, whether or not strictly obligated to by law. Voluntarily appointed DPOs will also be subject to GDPR compliance. The DPO position is a professional role with many responsibilities.
According to Article 37(5) of the GDPR, it must be filled with someone “designated on the basis of professional qualities” with “expert knowledge of data protection law and practices.” Click on the “Continue” buttons to reveal the tasks and skills required of a DPO.

DPO Job Description

Tasks
• Work closely with regulators and advise stakeholders to work toward compliance
• Ensure organizations are aware of their training and awareness obligations
• Keep up with changes in law and technology
• Build, implement and manage privacy programs

Skills
• Risk/IT: Experience assessing risk and best practice mitigation
• Legal expertise/independence: Knowledge of relevant laws and regulations (including outsourcing activities)
• Communication: Interpersonal flexibility and ability to effectively communicate with business functions (legal, IT, etc.)
• Leadership/broad exposure: Project management and ability to manage own professional development
• Self-starter/board level: Able to fulfill the role autonomously
• Common touch/teaching: Able to speak to citizens, handle requests/complaints and train others to assist data subjects
• Credible/no conflicts of interest

Operationalizing the DPO role (1)

One Earth Medical has placed Mary in charge of hiring its first DPO. She must review the following responsibilities of the DPO, and those of the organization as well, which are set out by the GDPR and further explained by the Article 29 Working Party’s* “Guidelines on Data Protection Officers.” Click “Continue” to review these responsibilities.

*Upon enactment of the GDPR, May 25, 2018, the Article 29 Working Party was replaced by the European Data Protection Board. However, the opinions from the Working Party are still valid.

DPO Job Description

DPO’s responsibilities
• Working with regulators: The DPO should be acquainted with relevant regulators (in jurisdictions where the organization does business) and have a positive working relationship with them
• Accessibility to data subjects: The Article 29 Working Party stressed the importance of DPOs being available to answer data subjects’ questions
• Assessing privacy risk: Privacy impact assessments or data protection impact assessments should be conducted to understand and mitigate privacy and data protection risks to individuals whose personal data is being collected. It is also a requirement under GDPR and other privacy regulations. The DPO should provide advice regarding when and how these are conducted.

Organization’s responsibilities
• DPO independence: The DPO may hold another position within the organization as long as that position’s functions do not conflict with those of the DPO and it is not a position, such as the CEO, that makes decisions about the means of processing personal data
• DPO involvement: The organization must ensure open communication with the DPO and involvement of the DPO in all issues related to personal data protection
• DPO resources: The DPO must be provided with all necessary resources to carry out the tasks required of the role, including:
  o Access to personal data and processing operations
  o Sufficient time to fulfill duties
  o Financial resources
  o Continuous training
• DPO reporting structure: The DPO should report to the highest levels of management
• DPO dismissal and penalties: A DPO may not be dismissed or penalized for performing DPO-related duties

Operationalizing the DPO role (2)

Mary’s supervisor approaches her with some concerns about the DPO role. Click on the speech bubbles to follow Mary’s conversation with her supervisor.
Before reading Mary’s answers, consider each question using your own existing knowledge.

Does the individual in this position need to be located in Europe?
The Article 29 Working Party’s “Guidelines on DPOs” recommended that the DPO be located in Europe. Logistics, such as the ability to communicate with data subjects and regulators, should be of top importance. In addition, keep in mind that this individual should be involved in all issues related to the protection of personal data and be in a position to communicate important issues to the highest level of management.

How can we ensure the DPO is not in a position that poses a conflict of interest?
While the DPO may hold another position within the company, the Article 29 Working Party recommended against appointing someone whose role requires determining “the means of the processing of personal data.” This includes most senior management roles, as well as others.

Would it be possible for us to contract with an external service provider to fulfill this role?
Yes. According to the Article 29 Working Party, a DPO may be an internal staff member or an external provider. If external, a lead contact should be designated and the tasks of the DPO’s team clearly allocated.

Can we appoint the same DPO to serve all divisions of One Earth Medical?
The Article 29 Working Party stated, “A group of undertakings may designate a single DPO.” Yet we need to ensure the DPO is accessible to data subjects, supervisory authorities and One Earth Medical employees, which includes the ability to communicate in the appropriate languages. A team may be required to help the DPO with these responsibilities.

Could the DPO be held personally responsible for noncompliance with the GDPR?
No. The Article 29 Working Party clearly stated that it is the organization, acting as the data controller or processor, that is held responsible for noncompliance with the GDPR.

Receiving buy-in for a privacy program

Building a privacy strategy may mean changing the mindset and perspective of an entire organization. Get buy-in by building relationships and finding a champion outside the privacy office. Pitch privacy both formally and informally; for example, demonstrate where and how privacy can both generate revenue and cut costs. Mobilize stakeholders across functions by creating steering groups, designating responsibilities and following up on discussions and decisions. View the IAPP series “The Privacy Imperative” for more on developing a culture of privacy in your organization and on the need to elevate privacy as a business asset: https://iapp.org/train/imperative/.

Communication and awareness

Once your privacy program has been established, you must create awareness of the program both internally and externally. Building privacy awareness and generating support for the organization’s privacy program involves communicating that privacy success can only happen through organization-wide effort. Each department needs to know that its activities have actual, lasting impacts on data protection. In an era of increasing regulation, advanced privacy programs can help protect consumer data and create the trusting and intimate customer relationships that marketers want. Communicating your privacy program externally can help build customer confidence in your organization and deliver measurable returns.

From an expert: Collaborating across the organization
Kulwinder Johal, Group Data Protection Officer, Severn Trent PLC

The “ivory tower.” I think a lot of DPOs are lawyers. Not all, but a lot are.
And I think that feels a lot trickier to navigate to a lot of individuals and companies because they don’t always feel like they’re able to approach someone in the legal team. I think the other aspect is that the ivory tower syndrome comes from, as a DPO or as a privacy manager, you don’t have that proper engagement, don’t take time out to listen to other individuals, you don’t go and sit face-to-face with people, I think. If you just send emails, if you don’t pick up the phone when people call you, I think they’re the symptoms of being “ivory tower/unapproachable,” always saying no.

I have people who joke with me about, “Well, I’m going to ask you something and I’m pretty sure you’re going to say no.” And that’s how they start the conversation. And halfway through when they realize—actually, either I’ve given them a more practical solution or actually agreed that in this instance they actually needed all of that data for that purpose and it’s absolutely fine. But we need to put in some actions to make sure that we remove the risk as far as possible. I think once people have gone through that, they feel that, actually, it is ok. There isn’t always going to be a no. It’s always about helping them to think more clearly about what they really need and why. And then asking for the support on the data protection elements; of actions and approach and practicality, really.

So, I think, that’s what I like to think I’ve been able to provide, is that, sort of. I’ve been the conscience of the organization. And people have actually said that to me now. Because I have challenged. I haven’t always said no. And I do always make sure that people can approach me, whether it’s walking down the corridor, or whether it’s calling or messaging. And actually, I tend not to use email a lot because I find it quite formal.

And I think other people find it formal. And they have a different perception of you. I think you just have to be a real person who is contactable. Certainly, from the perspective of working in a company with 7,000 employees, it’s difficult sometimes when people call you, but it’s also making time to answer those calls. And a lot of people tend to be quite shocked when you answer, because they don’t think you’re going to. And even when it’s 8 o’clock on a Friday night, which is generally when most breaches happen. So, I’m not saying that it’s a 24-hour hotline but, I think on the odd occasions when people call at those sort of times, I think if you don’t answer, they stop trying to reach out to you. And the minute they stop trying to reach out to you there’s a real chance that they’re either not doing the right thing, or they found an easier way to do it, which is probably not compliant.

So, building that rapport, having those relationships makes it far easier for you, either as DPO or even as privacy manager, to make sure that things continue to run compliantly. And that when something is wrong, that you are told about it sooner rather than later. And I think by not being approachable the real issue that you’ll have is that you don’t find out about a breach until it’s too late. And with only 72 hours to report the breach, it makes it very, very difficult when you’ve just found out about it in the 71st hour. So, I think certainly my experience has been I tend to find out about any sort of incident usually within half an hour of it happening, rather than at the end of the time frame. And it gives you a lot more options about what you need to do. It gives you time to do assessments. It gives you a good feeling really about people trusting the process and reporting as soon as possible to help mitigate any risks that may make either for them individually, for you as a DPO, or even for the organization.

And I think that shows the seriousness with which people take data protection. Having been in the role of running a privacy program as privacy manager, it’s absolutely essential to work with the DPO. And I think I’ve been really lucky to have that experience where I have worked together. I think the key aspects of being able to work together have been around building that rapport. But also having the transparency and making sure there’s clear governance around the deliverables, around the program, and in terms of the transparency, to make it really clear what has been done, what hasn’t been done, the time frames, but also the obstacles and what support is required.

I think the difficulty with some elements of the privacy program is that it can be quite tricky to get everything delivered on time because there are lots of parallels; work streams and timeframes are pretty much the same probably for all of them. And you’re probably relying on very similar people to get things delivered. So, there will always be some tension, there’ll always be some issues on timeframe or resources. And I think by making it really clear what the priorities are, getting that stakeholder engagement, above and below actually, and getting the DPO to help with that, I think that’s been a real key to delivering the priorities. But I think you also have to look at what are the essential deliverables and focus on those. And sometimes as a privacy manager there is so much to do that you try and juggle all those plates at once and try and deliver it, but then you actually end up not doing any of those successfully. So, by carving out the top three, working through those and then adding more in as you can. Because otherwise, as a privacy manager, you’re also quite stretched and you won’t have the time to assess things properly, monitor, intervene when you need to.
And more importantly, the stakeholder engagement and communications, which to me was one of the key pieces, it made it not only the biggest part of the role in terms of deliverables. Because if you can get that bit right, the other bits come easy. But also, just making sure that, again, that approachable nature sort of comes out and makes it easier for people to come up to you when there is a problem; to tell you when they aren’t able to do something; to ask the “stupid questions” and say, “I really don’t understand this,” or, “I need more help,” or, “I need you to define this more clearly for me.” Whatever it is. I think if you don’t have that sort of engagement and communication skill, it makes delivering any program far more difficult.

Summary
• The privacy governance models are centralized, localized/decentralized, or hybrid (a combination of both).
• In the centralized model, one team or person is responsible for privacy-related affairs.
• In the local/decentralized model, decision-making is delegated to lower levels of the organization, allowing decisions and information to flow from the bottom up.
• The hybrid model combines the centralized and local models and is most common when a large organization makes an individual or team responsible for privacy-related affairs for the rest of the organization.
• The DPO position is a professional role with many responsibilities.
  Examples of the skills a DPO needs include:
  o Experience assessing risk and best-practice mitigation
  o Knowledge of relevant laws and regulations
  o Interpersonal flexibility; effective communication with business functions
  o Project management and the ability to manage one’s own professional development
  o Ability to fulfill the role autonomously
  o Ability to handle requests/complaints and train others to help data subjects
  o Credibility/no conflicts of interest
• Getting buy-in for a privacy strategy may mean changing an organization’s mindset. Recommendations include building relationships and finding a champion outside the privacy office; pitching privacy; and creating steering groups of stakeholders.
• Once your privacy program has been established, you must create awareness of the program both internally and externally.

Other program contributors and vendors

Learning objectives
• Review considerations for keeping a record of ownership
• Explore ways key functional areas are involved in creating and enforcing privacy policies
• Analyze considerations for choosing a privacy technology product

Keeping a record of ownership

Once the importance of the program has been established, key internal stakeholders may form a steering committee to ensure clear ownership of assets and responsibilities. Keep a record of these discussions as a tool for communication and so that stakeholders can refer back to what was decided. A RACI matrix is a useful tool for embedding responsibilities and identifying:
• Who is responsible
• Who is accountable
• Who needs to be consulted, and
• Who needs to be informed

A spreadsheet, such as the one shown here, can help document stakeholder ownership. With your own organization in mind, check off which party is responsible for each task. There are no right or wrong answers.

Task                                    Legal   DPO   CPO   Information Technology   Information Security
Manage the data privacy program         [ ]     [ ]   [ ]   [ ]                      [ ]
Classify data                           [ ]     [ ]   [ ]   [ ]                      [ ]
Develop and maintain privacy policies   [ ]     [ ]   [ ]   [ ]                      [ ]
Monitor and audit policy compliance     [ ]     [ ]   [ ]   [ ]                      [ ]
Investigate data breaches               [ ]     [ ]   [ ]   [ ]                      [ ]

Ongoing involvement of key functional areas

Key functional areas help create and enforce the privacy program on an ongoing basis. For example, a marketing privacy manager should advise on and sign off, from a privacy perspective, on new marketing initiatives and email campaigns. The following groups within an organization play these roles in creating and enforcing a privacy program:
• Learning and development: Translates policies and procedures into teachable content that helps turn privacy principles into tangible operations and processes
• Communications: Publishes periodic intranet content, email, posters and other collateral that reinforce good privacy practices
• IT: Enhances the effectiveness of the privacy program by adding processes and controls that support privacy principles
• Procurement: Helps ensure contracts are in place with third-party service providers who process personal information on behalf of the organization

Internal audit and risk management functions

Auditing and analyzing the performance of a governance structure is essential to its success. The internal audit (IA) and risk management functions review and analyze operations across all departments within an organization and are responsible for communicating their results. IA typically reports to an audit committee, and its independence from management helps ensure unbiased reporting. Its tasks include evaluating the organization’s risk management culture and identifying risk factors within all systems, processes and procedures; evaluating control design and implementation; and testing controls to ensure they operate properly.
Risk management ensures business and regulatory requirements are met through detailed market, credit, trade and counterparty analysis. It then communicates risks and issues throughout the organization.

Considerations for choosing the right privacy tech vendor

Some organizations choose to use privacy tech vendors to help them achieve compliance. A privacy tech vendor may offer a range of solutions, from assessment management to data mapping to deidentification and incident response. Note that a product by itself cannot be compliant, but when it is used as part of a properly thought-out privacy program, it may help the organization achieve compliance. When selecting a privacy tech vendor, an organization may want to consider:
• “Privacy pain points”: The need for architectural, policy and technical controls
• Organizational needs
• Costs vs. savings, risks vs. benefits
• The need to “vet” vendors (stability, reputation)
• Usability and the ability to customize
• Contract negotiations
• Implementation and training needs

Categories of privacy tech vendors

Privacy tech vendors in the category of privacy program management typically work directly with the privacy office. Their solutions include:
• Privacy assessment management
• Consent management
• Data mapping
• Data subject request management
• Incident response
• Privacy information management
• Website scanning and cookie compliance tools

Enterprise program management services provide solutions designed to support the needs of the privacy office alongside the overall business needs of an organization. They include:
• Data discovery
• Activity monitoring
• Deidentification or pseudonymization
• Enterprise communications

Why is privacy technology experiencing rapid growth?
Countries are increasingly enacting comprehensive data protection laws and privacy regulations that include strict requirements and significant fines for noncompliance. In addition to the GDPR, other laws, such as the CCPA, CPRA and HIPAA in the U.S., the EU’s ePrivacy Regulation, Canada’s PIPEDA and China’s PIPL, will continue to drive the market for privacy technologies. Growing consumer awareness of data breaches and increasing demands that organizations protect their information are also, in part, driving development, as is a rise in capital investment in privacy tech vendors.

GRC tools

Governance, risk management and compliance, or GRC, is an umbrella term whose scope touches the privacy office as well as other departments, including HR, IT, compliance and the C-suite. GRC tools aim to synchronize various internal functions toward “principled performance,” that is, integrating the governance, management and assurance of performance, risk and compliance activities.

Summary
• It is important to document the ownership of internal stakeholders’ assets and responsibilities. Some organizations use a RACI matrix, a tool for embedding responsibilities and identifying:
  o Who is responsible
  o Who is accountable
  o Who needs to be consulted
  o Who needs to be informed
• Key functional areas help create and enforce the privacy program on an ongoing basis. Examples of these areas include marketing, learning and development, communications, IT and procurement.
• Auditing and analyzing a governance structure’s performance is essential to its success. The internal audit (IA) and risk management functions review and analyze operations across all departments and communicate their results. IA typically reports to an audit committee, which helps it remain unbiased. Risk management ensures business and regulatory requirements are met through detailed analysis.
• Some organizations use privacy tech vendors to help achieve compliance.
  Solutions may relate to areas such as assessment management, data mapping, deidentification and incident response.
• Privacy technology is experiencing rapid growth. Reasons for this include the emergence of comprehensive data protection laws and privacy regulations, along with the strict requirements and significant fines for noncompliance under many privacy laws, such as the GDPR. Another factor is growing consumer awareness of data breaches and increasing demands that organizations protect their information.

Quiz

1. The chief privacy officer for a telecommunications company wants to revise its privacy mission statement. What steps would be involved in this process? Select all that apply.
  o Evaluating the intended objective
  o Acquiring knowledge on privacy approaches
  o Gaining executive sponsor approval
  o Communicating the organization’s privacy stance to all stakeholders
  o Monitoring compliance with the company’s privacy policies

2. In differentiating between a privacy strategy and a privacy framework, how can strategy be defined?
  o As the why
  o As the what

3. True or false? A law or regulation may constitute a privacy framework.
  o True
  o False

4. What type of privacy governance model is defined by a one-team or one-person approach?
  o Localized/decentralized
  o Centralized
  o Hybrid

5. True or false? The privacy team should always comprise more than one person.
  o True
  o False

6. Which business function ensures business and regulatory requirements are met through detailed market, credit, trade and counterparty analysis?
  o Internal audit
  o Procurement
  o Learning and development
  o Risk management

Closing slide

You have completed Module 2: Privacy program framework: Privacy governance.

Quiz answers
1. All responses are correct EXCEPT “Monitoring compliance with the company’s privacy policies.”
2. As the “why.” Privacy strategies answer the question of why privacy is important to an organization.
3. True
4. Centralized
5. False
6. Risk management

*Quiz questions are intended to help reinforce key topics covered in the module. They are not meant to represent actual certification exam questions.