©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.

PRIVACY PROGRAM MANAGEMENT ONLINE TRAINING TRANSCRIPT

MODULE 1: INTRODUCTION TO PRIVACY PROGRAM MANAGEMENT

Introduction

Course introduction

Module introduction

Welcome to the IAPP’s Privacy Program Management online training. This first module introduces the role of the privacy program manager, including responsibilities and accountability for privacy within an organization. Key motivators, such as compliance requirements, reputation and consumer trust, drive an organization to develop and maintain a privacy program. We’ll review these, as well as the holistic approach to a privacy program that is required for its successful implementation.

Navigating this course

To begin learning, click on the first chapter within this module. In addition, you may access the transcript to follow along with a text version of the module by clicking the “Transcript” button. After you have viewed each module, quiz yourself to check your knowledge and comprehension. You may use the navigation bar in the left-hand column of your player to revisit specific topics. You may access a list of additional reading to supplement the information in this course, as well as a map showing the alignment between this training and the Privacy Program Management certification body of knowledge, by clicking the “Resources” button. For a more detailed breakdown of how each module aligns to the CIPM certification body of knowledge and exam blueprint, click the “Module breakdown” button. This training now includes a supplemental module titled "How to Prepare for Certification," which highlights how to get the most out of your training and build a successful exam study plan.
Responsibilities and accountability

Learning objectives

• Define privacy program management and the phases of the privacy operational life cycle
• Summarize privacy program manager responsibilities
• Explore the relationship between accountability and privacy program management
• Identify privacy program stakeholders

Privacy program management

“We now live in an interconnected world where data is as valuable as gold.” - Russell Densmore, Privacy Program Management, Third Edition

The interaction and sharing of data between individuals and service providers is growing at an exponential pace, and there are increasing demands on organizations to handle data properly. Privacy program management is the structured approach to combining several projects into a framework and life cycle to protect personal information and individuals’ rights. The privacy operational life cycle provides the means to assess, protect, sustain and respond to positive and negative effects of influencing factors on the program. Click on each number for more about the privacy operational life cycle phases.
Phase 1: Assess
• Provides steps, checklists and processes for assessing a privacy program
• Involves comparing the program to industry best practices, corporate privacy policies, applicable laws and regulations and the organization’s privacy framework

Phase 2: Protect
• Provides information security practices and principles to protect personal information
• Embeds privacy principles and information security management practices within the organization to address, define and establish privacy practices

Phase 3: Sustain
• Provides monitoring, auditing and communication aspects of the management framework
• Ensures “business as usual” by monitoring throughout multiple functions in the organization for identifying, mitigating and reporting risk

Phase 4: Respond
• Seeks to reduce organizational risk and bolster compliance
• Involves the respond principles of information requests, legal compliance, incident response planning and incident handling
• Requires organizations to be accountable for data they collect and how they use it

What are privacy program managers' responsibilities?

Privacy program managers and teams are responsible for compliance, accountability and alignment with organizational strategy. While their core duties are typically consistent across different organizations, the individual responsibilities of a privacy officer may vary. Read the list and check off each privacy responsibility that applies to you or your department.

Responsibilities that apply to you
• Policies, procedures and governance
• Privacy-related awareness and training
• Incident response
• Communications
• Design and implementation of privacy controls
• Privacy issues with existing products and services
• Privacy-related monitoring
• Performing privacy impact assessments
• Development of privacy staff
• Privacy-related investigations
• Privacy-related data committees
• Privacy by design in product development
• Privacy-related vendor management
• Privacy audits
• Proper international data transfers
• Preparation for legislative and regulatory change
• Privacy-related subscriptions
• Privacy-related travel
• Redress and consumer outreach
• Privacy-specific or -enhancing software
• Privacy-related web certification seals

While there are no right or wrong answers, it is useful to see the scope of the tasks for which a privacy program manager may be responsible.

Accountability

Accountability is, debatably, the most important aspect of privacy program management. Privacy program managers are accountable for the safekeeping and responsible use of personal information—not just to investors and regulators, but to the everyday consumer, as well as their fellow employees. Click on the images to reveal the diverse stakeholders that hold organizations accountable for privacy.

• Customers, clients, patients
• The public
• Regulators/DPAs
• Professional organizations and associations
• Employees and business partners
• Investors
• Industry watchdogs
• The media

From an expert: Accountability
Antonis Patrikios, CIPP/E, CIPM, FIP, Partner, Privacy & Cybersecurity, Dentons

To me, accountability is one of the most interesting concepts that we now are starting to see into the law. Could you tell me what accountability is about?

It’s about evidence. It’s no longer enough to be compliant. You need to be able to show how you comply.

So that’s spot on. At a higher level, what does this idea of accountability tell us?

It’s this idea that when we collect and process information about people, we must be responsible for it. We need to own it. We need to take ownership and take care of it throughout the data life cycle, as we said earlier. And in doing so, we can be held accountable, and we need to account for our actions and decisions.
If our evidence says, this is a policy I have in place, for instance, in response … you know, just conveniently, cybersecurity incident response team within 70 hours, as opposed to straight away, we have to explain to people our decision.

The other thing that I’d like to mention about accountability is that, in some respects, it’s a great thing. And the reason why it’s a great thing is because, yes, it imposes this obligation to take ownership and be able to explain how you are compliant, but, in exchange, what it gives organizations that process personal information is a degree of flexibility as to how exactly you’re going to comply with your obligations.

Summary

• Privacy program management is the structured approach of combining several projects into a framework and life cycle to protect personal information and individuals’ rights.
• The privacy operational life cycle involves four phases: assess, protect, sustain and respond.
• The assess phase involves comparing the program to industry best practices, corporate privacy policies, applicable laws and regulations and the organization’s privacy framework.
• The protect phase embeds privacy principles and information security management practices to address, define and establish privacy practices.
• The sustain phase provides monitoring, auditing and communication aspects of the management framework.
• The respond phase involves the principles of information requests, legal compliance, incident response planning and incident handling, as well as accountability for data collected.
• Privacy program managers and teams are responsible for compliance, accountability and alignment with organizational strategy.
• Accountability is the most important aspect of privacy program management. Privacy program managers are accountable for safekeeping and responsible use of personal information.
Scenario 1

One Earth Medical hires a privacy officer

Mary Johnson has been hired as the global privacy officer for One Earth Medical. Her broad charge is to create a consistent global privacy program for all divisions of the company and define how the elements of that program will be implemented company wide. Read along as the company’s CEO briefs Mary on the events that led to her hire.

One Earth Medical deals with a lot of personal information, including sensitive information, both internally and through its network of third-party vendors. This includes patient records, financial information and experimental trial results. Recently, a central One Earth Medical database that contains patient information was hacked. Until this attack, all privacy issues were addressed at local functional levels in each division, rather than at the corporate level. The company had no global privacy policy in place, and different functional levels of responsibility in the company had developed policies and procedures for their discrete areas of operation without considering how their functions might interact with other organizations or divisions. Many local functional solutions had no applicability outside the business unit’s particular operations. The attack turned out to be amateurish and low-risk; however, the lack of a plan for company-wide response was clear. Mary, you will need to coordinate many variables to successfully create and implement a company-wide global privacy program. Where do you think you will start?

Help Mary get started by brainstorming a list of a privacy program manager’s tasks. Review the general responsibilities of a privacy program manager listed here. How many overlapped with your list?
• Identify privacy obligations
• Identify business, employee and customer privacy risks
• Identify existing documentation, policies and procedures
• Create, revise and implement policies and procedures that effect positive practices and together comprise a privacy program
• Demonstrate compliance with applicable laws and regulations (at a minimum)
• Promote consumer trust and confidence
• Enhance organization’s reputation
• Facilitate privacy program awareness, where relevant, of employees, customers, partners and service providers
• Respond effectively to privacy breaches
• Continuously maintain and improve the privacy program

Beyond law and compliance

Learning objective

• Explain motivations for creating an effective privacy program

It is not just about law and compliance

Why does an organization need a privacy program? While compliance with applicable laws and regulations is a key motivator, it is not the only purpose a privacy program serves. The Annual Privacy Governance Report shows trending privacy team responsibilities in order of priority to those surveyed. Can you identify the top three privacy team responsibilities in order of priority?

Why does an organization need a privacy program?
• Enhance marketplace reputation and brand
• Meet regulatory compliance obligations, including the GDPR
• Enable global operations and entry into new markets
• Safeguard data against attacks and threats
• Increase revenues from cross-selling and direct marketing
• Reduce scrutiny from privacy watchdog groups
• Provide a competitive differentiator
• Maintain or enhance the value of information assets
• Reduce risk of employee and consumer lawsuits
• Be a good corporate citizen
• Meet expectations of business clients and partners
• Meet consumer expectations/enhance trust

See below for the correct answers

• Meet regulatory compliance obligations, including the GDPR
• Meet expectations of business clients and partners
• Safeguard data against attacks and threats

Answers based on 370 responses to a 2019 online survey sent to IAPP Daily Dashboard subscribers.

From an expert: Engaging with stakeholders and thinking beyond compliance
Julie McEwen, Principal Cybersecurity & Privacy Engineer, Privacy Capability Area Lead, MITRE

If I was starting out in privacy right now, the two things that I think for people starting out that are important to know are, first off, you really do need to engage with all the stakeholders. That’s critical. I mean, I know that sounds so easy; like, everybody knows that. But it’s not easy, and I have a project management background as a PMP, Project Management Professional, and so I’ve worked to develop communications matrices and stakeholder engagement plans and things like that. You really need to do that in privacy. It’s very important. So, I think that’s really key.

The other thing that’s important about privacy is to think beyond compliance. And I know so much of privacy is about compliance. We look at laws and guidance and regulations and we say, “How do we meet that?
Are we okay?” And there are a lot of attorneys who work in privacy for that reason, but it’s time to move beyond that, because it needs to be more risk based. That’s something that we’re seeing in the federal government side of privacy. Both NIST, the National Institute of Standards and Technology, and also the Office of Management and Budget have come out with guidance that says you need to— government agencies, you need to move to risk-based management of privacy. And that means that you think ahead of time about privacy and the implications of it and designing it into your systems from the beginning. And you have this broader view that moves beyond compliance. It’s not just about meeting the laws. It’s also about, what’s the right thing to do? What’s the most effective practice? So, I think that’s also very important to remember. And compliance is important, no argument about that, but moving beyond it is also important to do.

Summary

• While compliance with applicable laws and regulations is a key motivator for having a privacy program, it is not the only purpose of a program.
• Other important reasons to institute a privacy program are meeting expectations of business clients and partners, and safeguarding data against attacks and threats.

Privacy across the organization

Learning objective

• Recognize privacy concerns of diverse functions within an organization

Awareness, alignment and involvement

A successful privacy program will integrate privacy requirements and representation into functional areas across the organization. Click on each organizational area to learn about the related functions or tasks impacted by privacy concerns. Note that these are just examples and do not include all possible privacy-related concerns.

The HR department looks at the personal information life cycle of specific HR data to ensure the handling of all information by HR personnel is compliant with the organization’s privacy policies and procedures.
Multinational organizations are required to meet local regulations and privacy expectations of their employees in all countries in which they operate. Employee privacy issues relate to how employees are treated in the workplace, including how the organization manages and responds to complaints, whistleblowing and investigations.

While not all companies have a separate ethics office, an ethics function must exist. It serves as a trusted place where employees can take their concerns or whistleblowing. Ethics will often function outside the normal chain of command, properly empowered and staffed to perform necessary tasks.

Marketing and business development must be concerned with any activities where personal information is processed—collected, used and shared—as a function of marketing and media purposes. These activities may include digital advertising or providing a privacy notice to website visitors.

Consumer rights and choices play a major part in how telemarketers contact them. To safeguard these rights, several laws exist that advertisers must understand and abide by. One important regulatory example is the Do Not Call Registry, which affords consumers the choice about whether they want to receive telemarketing calls in some countries. In addition, internet marketing has tremendous potential for businesses and consumers but may also cause privacy violations, such as improper monitoring or unwanted solicitation. Balancing beneficial uses of these data sources with privacy rights of individuals is one of the most challenging public policy issues of the information age.

Financial functions should align with the privacy framework, HR, legal, security, risk and other governance factors of the organization.
The financial team should ensure they collaborate with the privacy team regarding financial regulations, such as the Payment Card Industry Data Security Standard (PCI DSS).

At the highest level, information security provides standards and guidelines for applying management, technical and operational controls to reduce the probable damage, loss, modification or unauthorized access to systems, facilities or data. To help this process, many organizations use the National Institute of Standards and Technology (NIST) Privacy Framework, a risk-based approach to identifying and managing privacy risk. Three common information security principles are known as the C-I-A triad, or information security triad:

• Confidentiality means preventing the unauthorized disclosure of information
• Integrity means protecting information from unauthorized or unintentional alteration, modification or deletion
• Availability means making information accessible to authorized users

IT works closely with privacy and security to ensure alignment. For example, security may designate who has access to information, while IT would enable access to those with the proper permissions. The IT team should implement privacy principles into technology development, for instance, building in functions to allow data to be easily deleted according to a retention schedule.

Legal and compliance functions will be discussed in more depth in module 3, but it is important to know that an organization must conduct factual and legal due diligence to align privacy practices and minimize legal liability. Legal should have controls, documentation management practices and tracking mechanisms in place. Compliance can exist within any of the core business functions. There are advantages and disadvantages to separating or combining the legal, compliance, internal audit and security functions.
Learning and development teams manage activities related to employee training, which may include privacy-related training and awareness. They can help translate policies and procedures into teachable content and can help operationalize privacy principles.

Internal audit assesses whether controls are in place to protect personal information and whether people and processes in the organization comply with the controls. It is good practice to align with internal audit in developing a framework to monitor privacy policies, controls and procedures already implemented to ensure they are working as they should.

Procurement typically helps ensure contracts are in place with third-party providers that process personal information on behalf of the organization, and that appropriate privacy language is in the contracts with providers.

Communications teams assist with producing intranet content, emails, posters and other collateral that reinforce good privacy practices in line with the organization’s branding, objectives and tone of voice. This function can also advise on the best methods of communication to boost higher employee engagement.

From an expert: Working with IT
Nick Merker, Partner, Baker McKenzie

OK, I’d like to talk about the role of IT in a privacy program, and in particular how privacy professionals or privacy managers can work with IT successfully. And I think the way I’d like to phrase this is an example that we learned in the information security world. So, I’m a former information security professional and I would create policies and procedures for my clients, and my company at the time, that I would try to get people to actually follow. And as you can imagine, in the information security world, one of the hardest things is to get people to actually adhere to your policies.
And we’ve learned in the information security context that there’s two traditional ways to think about a policy. One, that you have the carrot approach, where you reward someone for following a policy, like if I have a clean desk policy and I’m walking around, I see that you have a clean desk, I might give you a $5 gift card for some coffee. Or, if I can use the stick approach, where I walk by your desk and I see you don’t have a clean desk, then I’m going to write you up or give you some penalty. We’ve actually learned that both of those don’t work.

The way that works for information security policies is to explain to the individual the purpose behind the policy. Because if we don’t explain why we’re doing what we’re doing, the individual on the other hand does not have any agency or any skin in the game for that policy. So, if you explain, “Hey, we have this clean desk policy because what we don’t want to have happen is someone comes by and you’ve written down some company information, or personal information, on a piece of paper and that is taken, and now we have a data breach on our hands because of information you wrote on a piece of paper.” Or similarly, “We require encryption of all removable media because if you take this USB drive home and you accidentally leave it in a taxicab, we have a potential data breach or loss of proprietary information on the company.” So, if you explain the purpose of what you’re doing to the individual, you give them skin in the game, you make them understand the importance of what’s going on. Then they have buy-in into what you’re doing.

I think that’s from a privacy professional’s … what we need to do with IT folks. If we’re coming down with mandates or red tape, or we’re just trying to tell IT, “This is the way it is, this is what you’re going to do,” and we don’t tell them why, or we don’t make them part of the process, then they’re going to resist our activities.
And I’ve actually found with clients where a privacy professional will be in a room during the business requirements stage, or maybe they’re communicating with IT about some new privacy program thing that is being implemented, and what they’ll do is they’ll say, “Here’s what we’re doing.” Or they’ll start putting up what IT would perceive as red tape, and what that privacy professional finds is they’re no longer invited to those meetings, and they’re just cut out of the process. And that’s not what we want to have happen. What we want to do is, in my opinion, never say no in a meeting, always say, “Yes, we can do this, but here’s how we’re going to do it together.” So, if the IT folks are resisting some change, you listen to their feedback and you say, “Well, here’s why we’re doing this and here’s how we’re going to get there together.” And you make it more of a team process instead of mandates coming down on high from the privacy office.

Privacy concerns of specific business functions

Match the privacy concern example with the relevant business function.

• HR: Whistleblowing
• Marketing: Providing privacy notices
• Finance: Bonus calculations
• Information security: Information access policy
• IT: Enabling systems access
• Legal: Vendor contracts

While tasks and roles will vary from one organization to the next, the business functions and privacy concerns matched here will typically align.

Summary

• A successful privacy program integrates privacy requirements and representation into functional areas across the organization.
• Examples of organizational areas that typically have specific privacy concerns include: HR, marketing and business development, finance, information security, IT, and legal and compliance functions.

Quiz

1. What is the most important aspect of privacy program management?
Vendor management
Audits
Data mapping
Accountability

2. True or false? Regulatory compliance is often the primary motivation for organizations to develop a privacy program.
True
False

3. A privacy program should integrate privacy requirements and representation into which of the following functional areas? Select all that apply.
Human resources
Marketing and business development
Finance
Information security
IT
Legal and compliance

4. Customer service employees for a health insurance company are granted access to subscribers’ sensitive personal information to help with questions about coverage and billing. What business function is most likely responsible for determining which employees may access subscribers’ sensitive personal information?
Human resources
IT
Information security
Legal

5. Which of the following is NOT a phase of the privacy operational life cycle?
Sustain
Respond
Consider
Assess

Closing slide

You have completed Module 1: Introduction to Privacy Program Management.

Quiz answers

1. Accountability
2. True
3. All responses are correct
4. Information security
5. Consider

*Quiz questions are intended to help reinforce key topics covered in the module. They are not meant to represent actual certification exam questions.