IAPP CIPM Certified Information Privacy Manager Study Guide - Mike Chapple - E-Book

Description

An essential resource for anyone preparing for the CIPM certification exam and a career in information privacy.

As cybersecurity and privacy become ever more important to the long-term viability and sustainability of enterprises in all sectors, employers and professionals are increasingly turning to IAPP's trusted and recognized Certified Information Privacy Manager qualification as a tried-and-tested indicator of information privacy management expertise. In IAPP CIPM Certified Information Privacy Manager Study Guide, a team of dedicated IT and privacy management professionals delivers an intuitive roadmap to preparing for the CIPM certification exam and for a new career in the field of information privacy.

Make use of pre-assessments, the Exam Essentials feature, and chapter review questions with detailed explanations to gauge your progress and determine where you're proficient and where you need more practice. In the book, you'll find coverage of every domain tested on the CIPM exam and those required to succeed in your first, or your next, role in a privacy-related position. You'll learn to develop a privacy program and framework, as well as manage the full privacy program operational lifecycle, from assessing your organization's needs to responding to threats and queries.

The book also includes:

* A head-start to obtaining an in-demand certification used across the information privacy industry
* Access to essential information required to qualify for exciting new career opportunities for those with a CIPM credential
* Access to the online Sybex learning environment, complete with two additional practice tests, chapter review questions, an online glossary, and hundreds of electronic flashcards for efficient studying

An essential blueprint for success on the CIPM certification exam, IAPP CIPM Certified Information Privacy Manager Study Guide will also ensure you hit the ground running on your first day at a new information privacy-related job.


Page count: 495

Year of publication: 2023




Table of Contents

Cover

Title Page

Copyright

Acknowledgments

About the Authors

Introduction

The CIPM Exam

What Does This Book Cover?

CIPM Exam Objectives

CIPM Certification Exam Objective Map

Assessment Test

Answers to Assessment Test

Chapter 1: Developing a Privacy Program

Introduction to Privacy

What Is Privacy?

What Is Personal Information?

What Isn't Personal Information?

Why Should We Care about Privacy?

Generally Accepted Privacy Principles

Developing a Privacy Program

Data Governance

Managing the Privacy Budget

Communicating about Privacy

Privacy Program Operational Life Cycle

Summary

Exam Essentials

Review Questions

Chapter 2: Privacy Program Framework

Develop the Privacy Program Framework

Implement the Privacy Program Framework

Develop Appropriate Metrics

Summary

Exam Essentials

Review Questions

Chapter 3: Privacy Operational Life Cycle: Assess

Document Your Privacy Program Baseline

Processors and Third-Party Vendor Assessment

Physical Assessments

Mergers, Acquisitions, and Divestitures

Privacy Assessments and Documentation

Summary

Exam Essentials

Review Questions

Chapter 4: Privacy Operational Life Cycle: Protect

Privacy and Cybersecurity

Cybersecurity Controls

Data Protection

Policy Framework

Identity and Access Management

Privacy by Design

Privacy and the SDLC

Vulnerability Management

Data Policies

Summary

Exam Essentials

Review Questions

Chapter 5: Privacy Operational Life Cycle: Sustain

Monitor

Audit

Summary

Exam Essentials

Review Questions

Chapter 6: Privacy Operational Life Cycle: Respond

Data Subject Rights

Handling Information Requests

Incident Response Planning

Incident Detection

Coordination and Information Sharing

Incident Handling

Post-Incident Activity

Planning for Business Continuity

Summary

Exam Essentials

Review Questions

Appendix: Answers to Review Questions

Chapter 1: Developing a Privacy Program

Chapter 2: Privacy Program Framework

Chapter 3: Privacy Operational Life Cycle: Assess

Chapter 4: Privacy Operational Life Cycle: Protect

Chapter 5: Privacy Operational Life Cycle: Sustain

Chapter 6: Privacy Operational Life Cycle: Respond

Index

End User License Agreement

List of Tables

Chapter 1

TABLE 1.1 Height and weight information

TABLE 1.2 Deidentified height and weight information

TABLE 1.3 Aggregated height and weight information

TABLE 1.4 Sample data classification matrix

Chapter 2

TABLE 2.1 Metric examples

Chapter 4

TABLE 4.1 Secure data destruction options

List of Illustrations

Chapter 1

FIGURE 1.1 Excerpt from ISO 27701

FIGURE 1.2 Organizational example

Chapter 4

FIGURE 4.1 The three key objectives of cybersecurity programs are confidenti...

FIGURE 4.2 The relationship between privacy and cybersecurity

FIGURE 4.3 Excerpt from CMS roles and responsibilities chart

FIGURE 4.4 Excerpt from UC Berkeley Minimum Security Standards for Electroni...

FIGURE 4.5 Biometric authentication with a (a) retinal scanner (b) fingerpri...

FIGURE 4.6 Authentication token

FIGURE 4.7 High-level SDLC view

FIGURE 4.8 The Waterfall SDLC model

FIGURE 4.9 The Spiral SDLC model

FIGURE 4.10 Agile sprints

FIGURE 4.11 Vulnerability management life cycle

Chapter 6

FIGURE 6.1 Incident response checklist

Guide

Cover

Title Page

Copyright

Acknowledgments

About the Authors

Introduction

Table of Contents

Begin Reading

Appendix: Answers to Review Questions

Index

End User License Agreement


IAPP® CIPM Certified Information Privacy Manager Study Guide

Mike Chapple, PHD, CIPP/US, CIPM

Joe Shelley, CIPP/US, CIPM


Copyright © 2023 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada and the United Kingdom.

ISBN: 978-1-394-15380-0
ISBN: 978-1-394-16006-8 (ebk.)
ISBN: 978-1-394-15381-7 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.

Trademarks: WILEY, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. IAPP and CIPM are registered trademarks or service marks of the International Association of Privacy Professionals, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2022951786

Cover image: © Jeremy Woodhouse/Getty Images
Cover design: Wiley

Acknowledgments

Even though only the authors' names appear on the front cover, the production of a book is a collaborative effort involving a huge team. Wiley always brings a top-notch collection of professionals to the table, and that makes the work of authors so much easier.

In particular, we'd like to thank Jim Minatel, our acquisitions editor. Jim is a consummate professional, and it is an honor and a privilege to continue to work with him on yet another project. Here's to many more!

We also greatly appreciated the editing and production team for the book, including Kristi Bennett, our project editor, who brought great talent to the project. Our technical editors, Joanna Grama and John Bruggeman, provided indispensable insight and expertise. This book would not have been the same without their valuable contributions. Magesh Elangovan, our production editor, guided us through layouts, formatting, and final cleanup to produce a great book. We would also like to thank the many behind-the-scenes contributors, including the graphics, production, and technical teams who made the book and companion materials into a finished product.

Our agent, Carole Jelen of Waterside Productions, continues to provide us with wonderful opportunities, advice, and assistance throughout our writing careers.

Finally, we would like to thank our families, who supported us through the late evenings, busy weekends, and long hours that a book like this requires to write, edit, and get to press.

About the Authors

Mike Chapple, Ph.D., CIPM, CIPP/US, CISSP, is the author of the best-selling CISSP (ISC)² Certified Information Systems Security Professional Official Study Guide (Sybex, 9th edition, 2021) and the CISSP (ISC)² Official Practice Tests (Sybex, 3rd edition, 2021). He is an information security professional with two decades of experience in higher education, the private sector, and government.

Mike currently serves as a teaching professor in the IT, Analytics, and Operations Department at the University of Notre Dame's Mendoza College of Business, where he teaches undergraduate and graduate courses on cybersecurity, data management, and business analytics.

Before returning to Notre Dame, Mike served as executive vice president and chief information officer of the Brand Institute, a Miami-based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active duty intelligence officer in the U.S. Air Force.

Mike is technical editor for Information Security Magazine and has written more than 35 books. He earned both his B.S. and Ph.D. degrees from Notre Dame in computer science and engineering. Mike also holds an M.S. in computer science from the University of Idaho and an MBA from Auburn University. Mike holds the Certified Information Privacy Manager (CIPM), Certified Information Privacy Professional/US (CIPP/US), Cybersecurity Analyst+ (CySA+), Security+, Certified Information Security Manager (CISM), Certified Cloud Security Professional (CCSP), and Certified Information Systems Security Professional (CISSP) certifications.

Learn more about Mike and his other security and privacy certification materials at his website, CertMike.com.

Joe Shelley, M.A., CIPM, CIPP/US, is a leader in higher education information technologies. He is currently the vice president for Libraries and Information Technology at Hamilton College in New York. In his role, Joe oversees central IT infrastructure, enterprise systems, information security and privacy programs, IT risk management, business intelligence and analytics, institutional research and assessment, data governance, and overall technology strategy. Joe also directs the Library and Institutional Research. In addition to supporting the teaching and research mission of the college, the library provides education in information sciences, digital and information literacy, and information management.

Before joining Hamilton College, Joe served as the chief information officer at the University of Washington Bothell in the Seattle area. During his 12 years at UW Bothell, Joe was responsible for learning technologies, data centers, web development, enterprise applications, help desk services, administrative and academic computing, and multimedia production. He implemented the UW Bothell information security program, cloud computing strategy, and IT governance, and he developed new initiatives for supporting teaching and learning, faculty research, and e-learning.

Joe earned his bachelor's degree in interdisciplinary arts and sciences from the University of Washington and his master's degree in educational technology from Michigan State University. Joe has held certifications and certificates for CIPM, CIPP/US, ITIL, project management, and Scrum.

Introduction

If you're preparing to take the Certified Information Privacy Manager (CIPM) exam, you'll undoubtedly want to find as much information as you can about privacy. The more information you have at your disposal and the more hands-on experience you gain, the better off you'll be when attempting the exam. We wrote this study guide with that in mind. The goal was to provide enough information to prepare you for the test—but not so much that you'll be overloaded with information that's outside the scope of the exam.

We've included review questions at the end of each chapter to give you a taste of what it's like to take the exam. If you're already working in the privacy field, we recommend that you check out these questions first to gauge your level of expertise. You can then use the book mainly to fill in the gaps in your current knowledge. This study guide will help you round out your knowledge base before tackling the exam.

If you can answer 90 percent or more of the review questions correctly for a given chapter, you can feel safe moving on to the next chapter. If you're unable to answer that many correctly, reread the chapter and try the questions again. Your score should improve.

Don't just study the questions and answers! The questions on the actual exam will be different from the practice questions included in this book. The exam is designed to test your knowledge of a concept or objective, so use this book to learn the objectives behind the questions.

The CIPM Exam

The CIPM certification is designed to be the gold standard credential for privacy professionals who are either currently working in management roles or aspire to become leaders in the field. It is offered by the International Association of Privacy Professionals (IAPP) and complements its suite of geographic-based privacy professional certifications.

The exam covers six major domains of privacy knowledge:

Developing a Privacy Program

Privacy Program Framework

Privacy Operational Life Cycle: Assess

Privacy Operational Life Cycle: Protect

Privacy Operational Life Cycle: Sustain

Privacy Operational Life Cycle: Respond

These six areas include a range of topics, from building a privacy program to understanding the full privacy operational life cycle. You'll find that the exam focuses heavily on scenario-based learning. For this reason, you may find the exam easier if you have some real-world privacy experience, although many individuals pass the exam before moving into their first privacy role.

The CIPM exam consists of 90 multiple-choice questions administered during a 150-minute exam period. Each of the exam questions has four possible answer options. Exams are scored on a scale ranging from 100 to 500, with a minimum passing score of 300. Every exam item is weighted equally, but the passing score is determined using a secret formula, so you won't know exactly what percentage of questions you need to answer correctly in order to pass.

Exam Tip

There is no penalty for answering questions incorrectly. A blank answer and an incorrect answer have equal weight. Therefore, you should fill in an answer for every question, even if it is a complete guess!

IAPP charges $550 for your first attempt at the CIPM exam and then $375 for retake attempts if you do not pass on the first try. More details about the CIPM exam and how to take it can be found in the IAPP Candidate Certification Handbook at http://iapp.org/certify/candidate-handbook.

You should also know that certification exams are notorious for including vague questions. You might see a question for which two of the possible four answers are correct—but you can choose only one. Use your knowledge, logic, and intuition to choose the best answer and then move on. Sometimes, the questions are worded in ways that would make English majors cringe—a typo here, an incorrect verb there. Don't let this frustrate you; answer the question and move on to the next one.

Certification providers often use a process called item seeding, which is the practice of including unscored questions on exams. They do this as part of the process of developing new versions of the exam. So, if you come across a question that does not appear to map to any of the exam objectives—or for that matter, does not appear to belong in the exam—it is likely a seeded question. You never really know whether or not a question is seeded, however, so always make your best effort to answer every question.

Taking the Exam

Once you are fully prepared to take the exam, you can visit the IAPP website to purchase your exam voucher:

http://iapp.org/store/certifications

IAPP partners with Pearson VUE's testing centers, so your next step will be to locate a testing center near you. In the United States, you can do this based on your address or your ZIP code, while non-U.S. test takers may find it easier to enter their city and country. You can search for a test center near you at the Pearson VUE website, where you will need to navigate to “Find a test center.”

http://home.pearsonvue.com/iapp

In addition to the live testing centers, you may also choose to take the exam at your home or office through Pearson VUE's OnVUE service. More information about this program is available here:

http://home.pearsonvue.com/iapp/onvue

Now that you know where you'd like to take the exam, simply set up a Pearson VUE testing account and schedule an exam. One important note: Once you purchase your exam on the IAPP website, you have one year to register for and take the exam before your registration will expire. Be sure not to miss that deadline!

On the day of the test, take two forms of identification, and make sure to show up with plenty of time before the exam starts. Remember that you will not be able to take your notes, electronic devices (including smartphones and watches), or other materials into the exam with you.

Exam policies can change from time to time. We highly recommend that you check both the IAPP and Pearson VUE sites for the most up-to-date information when you begin your preparation, when you register, and again a few days before your scheduled exam date.

After the CIPM Exam

Once you have taken the exam, you will be notified of your score immediately, so you'll know if you passed the test right away. You should keep track of your score report with your exam registration records and the email address you used to register for the exam.

Maintaining Your Certification

IAPP certifications must be renewed periodically. To renew your certification, you must either maintain a paid IAPP membership or pay a $250 non-member renewal fee. You must also demonstrate that you have successfully completed 20 hours of continuing professional education (CPE).

IAPP provides information on the CPE process via its website at

http://iapp.org/certify/cpe

What Does This Book Cover?

This book covers everything you need to know to pass the CIPM exam.

Chapter 1: Developing a Privacy Program

Chapter 2: Privacy Program Framework

Chapter 3: Privacy Operational Life Cycle: Assess

Chapter 4: Privacy Operational Life Cycle: Protect

Chapter 5: Privacy Operational Life Cycle: Sustain

Chapter 6: Privacy Operational Life Cycle: Respond

Appendix: Answers to Review Questions

Study Guide Elements

This study guide uses a number of common elements to help you prepare. These include the following:

Summaries

The summary section of each chapter briefly explains the chapter, allowing you to easily understand what it covers.

Exam Essentials

The Exam Essentials focus on major exam topics and critical knowledge that you should take into the test. The Exam Essentials focus on the exam objectives provided by IAPP.

Chapter Review Questions

A set of questions at the end of each chapter will help you assess your knowledge and whether you are ready to take the exam based on your knowledge of that chapter's topics.

Additional Study Tools

This book comes with a number of additional study tools to help you prepare for the exam. They include the following.

Go to www.wiley.com/go/Sybextestprep to register your book to receive your unique PIN, and then once you receive the PIN by email, return to www.wiley.com/go/Sybextestprep and register a new account or add this book to an existing account. After adding the book, if you do not see it in your account, please refresh the page or log out and log back in.

Sybex Online Learning Environment

Sybex's online learning environment software lets you prepare with electronic test versions of the review questions from each chapter and the practice exams that are included in this book. You can build and take tests on specific domains, by chapter, or cover the entire set of CIPM exam objectives using randomized tests.

Electronic Flashcards

Our electronic flashcards are designed to help you prepare for the exam. Over 100 flashcards will ensure that you know critical terms and concepts.

Glossary of Terms

Sybex provides a full glossary of terms in PDF format, allowing quick searches and easy reference to materials in this book.

Practice Exams

In addition to the practice questions for each chapter, this book includes two full 90-question practice exams. We recommend that you use them both to test your preparedness for the certification exam.

Like all exams, the CIPM certification from IAPP is updated periodically and may eventually be retired or replaced. At some point after IAPP is no longer offering this exam, the old editions of our books and online tools will be retired. If you have purchased this book after the exam was retired, or are attempting to register in the Sybex online learning environment after the exam was retired, please know that we make no guarantees that this exam's online Sybex tools will be available once the exam is no longer available.

CIPM Exam Objectives

IAPP goes to great lengths to ensure that its certification programs accurately reflect the privacy profession's best practices. IAPP also publishes ranges for the number of questions on the exam that will come from each domain. The following table lists the six CIPM domains and the extent to which they are represented on the exam.

Domain                                     Questions
Developing a Privacy Program               13–17
Privacy Program Framework                  9–11
Privacy Operational Lifecycle: Assess      13–17
Privacy Operational Lifecycle: Protect     12–16
Privacy Operational Lifecycle: Sustain     5–7
Privacy Operational Lifecycle: Respond     9–11

CIPM Certification Exam Objective Map

The objective mapping below takes each of the learning objectives found in the IAPP body of knowledge v3.0 and identifies where in the book you will find coverage of each objective.

Objectives, grouped by domain, with the chapter that covers each domain in parentheses:

I. Developing a Privacy Program (Chapter 1)
    I.A. Create an organizational vision
        I.A.a. Evaluate the intended objective
        I.A.b. Gain executive sponsor approval for this vision
    I.B. Establish a Data Governance model
        I.B.a. Centralized
        I.B.b. Distributed
        I.B.c. Hybrid
    I.C. Define a privacy program
        I.C.a. Define program scope and charter
        I.C.b. Identify the source, types, and uses of personal information (PI) within the organization and applicable laws
        I.C.c. Develop a privacy strategy
    I.D. Structure the privacy team
        I.D.a. Establish the organizational model, responsibilities, and reporting structure appropriate to the size of the organization (e.g., Chief Privacy Officer, DPO, Privacy manager, Privacy analysts, Privacy champions, “First responders”)
        I.D.b. Designate a point of contact for privacy issues
        I.D.c. Establish/endorse the measurement of professional competency
    I.E. Communicate
        I.E.a. Create awareness of the organization's privacy program internally and externally (e.g., PR, Corporate Communication, HR)
        I.E.b. Develop internal and external communication plans to ingrain organizational accountability
        I.E.c. Ensure employees have access to policies and procedures and updates relative to their role

II. Privacy Program Framework (Chapter 2)
    II.A. Develop the Privacy Program Framework
        II.A.a. Develop organizational privacy policies, procedures, standards, and/or guidelines
        II.A.b. Define privacy program activities
    II.B. Implement the Privacy Program Framework
        II.B.a. Communicate the framework to internal and external stakeholders
        II.B.b. Ensure continuous alignment with applicable laws and regulations to support the development of an organizational privacy program framework
        II.B.c. Understanding data-sharing agreements
    II.C. Develop Appropriate Metrics
        II.C.a. Identify the intended audience for metrics
        II.C.b. Define reporting resources
        II.C.c. Define privacy metrics for oversight and governance per audience
        II.C.d. Identify systems/application collection points

III. Privacy Operational Lifecycle: Assess (Chapter 3)
    III.A. Document the current baseline of your privacy program
        III.A.a. Education and awareness
        III.A.b. Monitoring and responding to the regulatory environment
        III.A.c. Assess policy compliance against internal and external requirements
        III.A.d. Data, systems, and process assessment
        III.A.e. Risk assessment methods
        III.A.f. Incident management, response, and remediation
        III.A.g. Determine desired state and perform gap analysis against an accepted standard or law (including GDPR)
        III.A.h. Program assurance, including audits
    III.B. Processors and third-party vendor assessment
        III.B.a. Evaluate processors and third-party vendors, insourcing and outsourcing privacy risks, including rules of international data transfer
        III.B.b. Understand and leverage the different types of relationships
        III.B.c. Risk assessment
        III.B.d. Contractual requirements and review process
        III.B.e. Ongoing monitoring and auditing
    III.C. Physical assessments
        III.C.a. Identify operational risk
    III.D. Mergers, acquisitions, and divestitures
        III.D.a. Due diligence procedures
        III.D.b. Review contractual and data-sharing obligations
        III.D.c. Risk assessment
        III.D.d. Risk and control alignment
        III.D.e. Post-integration planning and risk mitigation
    III.E. Privacy Assessments and Documentation
        III.E.a. Privacy Threshold Analysis (PTAs) on systems, applications, and processes
        III.E.b. Define a process for conducting privacy assessments (e.g., PIA, DPIA, TIA, LIA)

IV. Privacy Operational Life Cycle: Protect (Chapter 4)
    IV.A. Information security practices
        IV.A.a. Access controls for physical and virtual systems
        IV.A.b. Technical security controls (including relevant policies and procedures)
        IV.A.c. Incident response plans
    IV.B. Privacy by Design (PbD)
        IV.B.a. Integrate privacy throughout the system development life cycle (SDLC)
        IV.B.b. Establish privacy gates as part of the system development framework
        IV.B.c. Integrate privacy through business processes
        IV.B.d. Communicate with stakeholders the importance of PIAs and PbD
    IV.C. Integrate privacy requirements and representation into functional areas across the organization (e.g., Information Security, Human Resources, Marketing, Legal and Contracts, and Mergers, Acquisitions & Divestitures)
    IV.D. Technical and organizational measures
        IV.D.a. Quantify the costs of technical and organizational controls
        IV.D.b. Manage data retention with respect to the organization's policies
        IV.D.c. Define the methods for physical and electronic data destruction
        IV.D.d. Define roles and responsibilities for managing the sharing and disclosure of data for internal and external use
        IV.D.e. Determine and implement guidelines for secondary uses (e.g.: research, etc.)
        IV.D.f. Define policies related to the processing (including collection, use, retention, disclosure, and disposal) of the organization's data holdings, taking into account both legal and ethical requirements
        IV.D.g. Implement appropriate administrative safeguards, such as policies, procedures, and contracts

V. Privacy Operational Life Cycle: Sustain (Chapter 5)
    V.A. Monitor
        V.A.a. Environment (e.g., systems, applications) monitoring
        V.A.b. Monitor compliance with established privacy policies
        V.A.c. Monitor regulatory and legislative changes
        V.A.d. Compliance monitoring (e.g., collection, use, and retention)
    V.B. Audit
        V.B.a. Align privacy operations to an internal and external compliance audit program
        V.B.b. Audit compliance with privacy policies and standards
        V.B.c. Audit data integrity and quality and communicate audit findings with stakeholders
        V.B.d. Audit information access, modification, and disclosure accounting
        V.B.e. Targeted employee, management, and contractor training

VI. Privacy Operational Life Cycle: Respond (Chapter 6)
    VI.A. Data-subject information requests and privacy rights
        VI.A.a. Access
        VI.A.b. Redress
        VI.A.c. Correction
        VI.A.d. Managing data integrity
        VI.A.e. Right of Erasure
        VI.A.f. Right to be informed
        VI.A.g. Control over the use of data, including objection to processing
        VI.A.h. Complaints including file reviews
    VI.B. Privacy incident response
        VI.B.a. Legal compliance
        VI.B.b. Incident response planning
        VI.B.c. Incident detection
        VI.B.d. Incident handling
        VI.B.e. Follow incident response process to ensure meeting jurisdictional, global, and business requirements
        VI.B.f. Identify incident reduction techniques
        VI.B.g. Incident metrics—quantify the cost of a privacy incident

IAPP occasionally makes minor adjustments to the exam objectives. Please be certain to check their website for any recent changes that might affect your exam experience.

How to Contact the Publisher

If you believe you have found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur. In order to submit your possible errata, please email it to our Customer Service Team at wileysupport@wiley.com with the subject line “Possible Book Errata Submission.”

Assessment Test

Max is a freelance database specialist operating in Spain. He helps companies organize their data and clean up legacy databases. From a legal perspective, what role is Max playing when it comes to handling personal information?

Data processor

Business associate

Data controller

Data manager

Adrian is reviewing a new application that will be used by his organization to gather health information from customers. The application is now in testing and about to be released into production. After his review, Adrian realizes that the way the software is implemented is not compliant with the organization's HIPAA obligations. What is the root cause of this issue?

Failure to use strong encryption

Failure to integrate privacy into the SDLC

Failure to incorporate customer requirements

Failure to minimize data collection

NIST provides an example of which of the following?

Industry self-regulatory framework

Privacy regulation

Privacy program framework

Core privacy principles

Which of the following factors is not a primary consideration when developing a privacy program framework?

Compliance with applicable regulations

Scope and scale of the organization's data processing

Technological infrastructure for data storage and protection

Alignment with business objectives

Lena runs a mid-sized data analytics company in Paris. She is considering moving her databases to a cloud computing solution. What is she required to do first?

Consult her DPA.

Conduct a vendor assessment.

Conduct a PIA.

Conduct a DPIA.

A graph that shows a decrease in privacy incidents over time is an example of which of the following?

Statistical analysis

Compliance metric

Performance target

Trend analysis

David is an IT professional responsible for applying, monitoring, and maintaining access controls to a filesystem containing sensitive information used by the human resources department. He works closely with the management of that department to identify appropriate permissions. What term best describes David's role in relation to this data?

Data custodian

Data steward

Data owner

Data subject

Harold recently completed leading the postmortem review of a privacy incident. What documentation should he prepare next?

Remediation list

Risk assessment

Lessons-learned document

Mitigation checklist

Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara's first priority?

Identification of the source of the attack

Containment

Remediation

Recovery

Brianna is reviewing the dataflows for one of her organization's information systems and discovers that records are not destroyed when they are no longer needed. What privacy by design principle is most directly violated?

Full functionality

End-to-end security

Privacy embedded into design

Visibility and transparency

Sally is a new privacy manager at an accounting firm. She decides to get started by evaluating the privacy program currently in place. She notes that processes are well documented and there is a written privacy policy. When she asks for records of the last privacy program review, she learns that the privacy program performance is managed “on the go” and “in real time.” If employees find problems with the program, they fix them, so formal reviews and feedback processes just haven't seemed necessary. Since there doesn't seem to be much of a program assessment process in place, where should Sally start?

Initiate tabletop drills.

Request a program audit to measure performance.

Ensure that the training and awareness programs include the need to periodically review procedures.

Establish the program's baseline performance.

Xavier is a data custodian responsible for maintaining databases with sensitive information, including Social Security numbers. He would like to protect those SSNs from prying eyes but will need to be able to retrieve the original value on occasion. What data protection technique would be most appropriate for his use?

Redaction

Tokenization

Masking

Hashing

Conducting audits is most closely associated with which part of the privacy operational life cycle?

Respond

Sustain

Assess

Protect

Paula is a privacy manager at a data management company. She has well documented procedures for executing PIAs when required, but she keeps hearing about planned changes to IT systems when it's almost too late for a PIA. What part of the privacy operational life cycle might help Paula fix this problem?

Compliance monitoring

Monitoring regulatory changes

IT audit

Monitoring the environment

Marco owns an electronics store in Barcelona, and he's interested in hiring a contractor to help build and manage a new customer database and help him dive into the world of online sales. Marco would prefer an individual contractor to a larger agency so that he can develop a strong relationship with someone who really learns about his business. Thanks to modern cloud technology, Marco thinks that a single individual will be able to do the job just as well as a large company anyway. Why should Marco be concerned about cloud computing technology when selecting a contractor?

The cloud computing vendor may profit by selling Marco's customer data to third parties.

Cloud computing is less secure.

Cloud computing vendors usually comingle the data of multiple customers.

Cloud providers may store data outside of the EU.

Jasmine is responsible for responding to data subject requests to exercise their rights under GDPR. Jasmine keeps a record of each request and the resolution, even after the requests are fulfilled. What is the primary reason for this recordkeeping?

To establish ROI for her position

For records retention

To create an audit trail

To establish ROI for her position

Which of the following best defines the Monitor phase of the privacy operational life cycle?

Sustain and improve a program over time.

Measure program effectiveness.

Establish outcomes and objectives for the program.

Effectively manage incidents when they occur.

Norm is reviewing his organization's privacy practices and observes that the privacy notice is not posted on their website in a location that is accessible to customers. What GAPP principle is most directly violated by this action?

Notice

Choice and Consent

Communication

Collection

Which one of the following ISO standards is not commonly used in the design and implementation of cybersecurity and privacy programs?

ISO 9001

ISO 27001

ISO 27002

ISO 27701

Marcia runs a boulangerie in Lyon, France. She has a new computer system that allows her to capture data on regular customers. She can record what they ordered, the date and time of their visits, and additional data on their transactions. Marcia is contracting with another company to compile the data and give her insights into customer habits, preferences, and patterns so that she can understand which products she should offer at different times of the day. In this case, Marcia is acting as which of the following?

Data processor

Data collector

Data controller

Data owner

Answers to Assessment Test

A. Since Max is operating in the European Union, his role is defined by the General Data Protection Regulation (GDPR). A data processor manages and manipulates personal information on a data controller's behalf. For more information, see Chapter 1.

B. While any of these options may be true, we are looking for the root cause of the HIPAA compliance failure in this question. The root issue is that Adrian did not identify the failure to meet HIPAA requirements until the testing phase of the process. These privacy requirements should have been identified during the requirements phase of the SDLC before any software was written. There is no indication that the software fails to meet customer requirements, only that it fails to meet privacy requirements that come from a regulatory (not customer) source. While the system may (or may not) fail to use strong encryption or minimize data collection, those would be symptoms of the same root cause—a failure to integrate privacy into the SDLC. For more information, see Chapter 4.

C. The National Institute of Standards and Technology (NIST) has published a broadly applicable privacy program framework called the NIST Privacy Framework. The NIST Privacy Framework may be required by some regulations or industry self-regulatory frameworks and used to uphold core privacy principles. For more information, see Chapter 2.

C. Privacy program frameworks help ensure that a privacy framework achieves all intended outcomes and manages all private information without neglecting any part of an organization's operations. The scope and scale of an organization's data processing, regulatory compliance, and alignment with the organization's business objectives all help to design a comprehensive program. A good program framework should be able to manage privacy regardless of the technology infrastructure in place and should be flexible enough to account for changes in technology. For more information, see Chapter 2.

D. Since Lena is in France, she is subject to GDPR. GDPR requires her to complete data protection impact assessments (DPIAs) before implementing any change to data processing that might impact privacy protections. For more information, see Chapter 3.

D. Tracking changes to a given measurement over time gives the audience a sense of whether a given measurement is increasing or decreasing over time. This is known as trend analysis and helps to track metrics that are pegged to a rate of change rather than to an absolute value. For more information, see Chapter 2.

A. Data custodians, or data processors, are the individuals who actually store and process sensitive information. As an IT professional implementing the directions of the data owners and stewards in the HR department, David is a data custodian. Data subjects are the individuals referred to in these records. Technically, David may also be a data subject because he is likely an employee of the organization and would be in the HR database. However, the question is asking for the role that best describes David, which is his primary role as the data custodian for the entire dataset rather than the incidental fact that he is one of many data subjects described in the records. For more information, see Chapter 1.

C. A lessons-learned document is often created and distributed to involved parties after a postmortem review to ensure that those who were involved in the incident and others who may benefit from the knowledge are aware of what they can do to prevent future issues and to improve response if an incident occurs. For more information, see Chapter 6.

B. Tamara's first priority should be containing the attack. This will prevent it from spreading to other systems and also potentially stop the exfiltration of sensitive information. Only after containing the attack should Tamara move on to eradication and recovery activities. Identifying the source of the attack should be a low priority. For more information, see Chapter 6.

B. The principle of end-to-end security calls for full data life cycle protection. This means that information must be protected from the time it is collected until it is securely destroyed at the end of its useful life. Brianna's organization is failing to complete the end of the life cycle process by securely destroying information. For more information, see Chapter 4.

D. Sally must first establish a baseline of performance to find out how well the program is currently doing before she can start to use assessments to measure program improvement. For more information, see Chapter 3.

B. Tokenization replaces sensitive values in a table with a nonsensitive token value. Employees with access to the lookup table may use these tokens to retrieve the original value when necessary. Masking, redaction, and hashing are all techniques that destroy the original value, making it impractical to retrieve it. For more information, see Chapter 4.

B. Audits are a key tool for sustaining a program through formal monitoring over time. Audits provide accountability to ensure ongoing compliance with the privacy program and ensure that the privacy program itself remains compliant with regulations. For more information, see Chapter 5.

D. The process of monitoring the environment includes policies and procedures for planning changes to IT systems in a timely manner so that other processes, such as completing PIAs, can take place as required. For more information, see Chapter 5.

D. When evaluating vendors, it is critical to know where private information will be physically located. Marco's business is subject to GDPR and if he unknowingly exports his customer data to another country, it may trigger compliance risks with GDPR. For more information, see Chapter 3.

C. Audits look for evidence of compliance. By keeping records of activities related to complying with requests under GDPR, Jasmine can streamline her response to any GDPR audit by having evidence at the ready. This is known as creating an audit trail. For more information, see Chapter 5.

A. The Monitor phase is about sustaining a program through ongoing management and alignment activities. Measuring program effectiveness is part of the Assess phase, setting objectives is part of developing the program, and incident management is part of the Respond phase. For more information, see Chapter 5.

A. The second GAPP principle, notice, requires that organizations inform individuals about their privacy practices. One of the criteria for this principle includes writing privacy notices in plain and simple language and posting them conspicuously. Norm's organization is not doing this. This does not directly impact the principles of Choice and Consent or Collection. Communication seems like an obvious answer here, but it is not one of the 10 GAPP principles. For more information, see Chapter 1.

A. ISO 27001 and 27002 are used in the design of cybersecurity programs. ISO 27701 is used in the design of privacy programs. ISO 9001 is a standard used for quality management programs. For more information, see Chapter 1.

C. Marcia's company is subject to GDPR because she is in France. She is acting as a data controller because she collects and determines how customer data are to be used. For more information, see Chapter 2.
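To make the difference between tokenization and the one-way techniques concrete, here is an added example (not code from the book) of a small token vault in Python. The class and function names (TokenVault, mask_ssn, hash_ssn, tokenize_records) are hypothetical, and the Social Security numbers in SAMPLE_RECORDS are constructed values. The vault is the "lookup table" the answer refers to: tokens are random, carry nothing about the value they replace, and can be reversed only by whoever holds the vault, while masking and hashing leave no path back to the original.

```python
import hashlib
import secrets


class TokenVault:
    """Reversible tokenization for a data custodian (hypothetical helper).

    Each sensitive value is replaced by a random token; the mapping lives in
    this vault (the lookup table), which must be access-controlled because it
    is the only path back to the original value.
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so the same SSN always maps to the same token;
        # joins and duplicate checks keep working on the tokenized data.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            # A random token carries no information about the value it replaces.
            token = "TOK-" + secrets.token_hex(8)
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Authorized retrieval of the original value; unknown tokens raise KeyError."""
        return self._token_to_value[token]


def mask_ssn(ssn: str) -> str:
    """Masking keeps only the last four digits; the rest is gone for good."""
    return "***-**-" + ssn[-4:]


def hash_ssn(ssn: str) -> str:
    """Hashing is one-way; there is no vault to look the value back up."""
    return hashlib.sha256(ssn.encode("utf-8")).hexdigest()


def tokenize_records(records: list[dict], vault: TokenVault, field: str = "ssn") -> list[dict]:
    """Return copies of the records with the sensitive field replaced by a token."""
    return [{**r, field: vault.tokenize(r[field])} for r in records]


# Constructed sample records; these SSNs are made up for the example.
SAMPLE_RECORDS = [
    {"employee_id": 1001, "ssn": "123-45-6789"},
    {"employee_id": 1002, "ssn": "987-65-4321"},
    {"employee_id": 1003, "ssn": "123-45-6789"},  # duplicate on purpose
]


def demo() -> None:
    vault = TokenVault()
    tokenized = tokenize_records(SAMPLE_RECORDS, vault)
    for row in tokenized:
        print(row)  # the stored table shows tokens, never the SSN
    # Records 1001 and 1003 share a token, so the duplicate is still detectable.
    assert tokenized[0]["ssn"] == tokenized[2]["ssn"]
    # Only a vault holder can get the SSN back.
    print(vault.detokenize(tokenized[0]["ssn"]))
    print(mask_ssn("123-45-6789"), hash_ssn("123-45-6789")[:16] + "...")


if __name__ == "__main__":
    demo()
```

In a real deployment the vault would be a separate, tightly permissioned service rather than an in-memory dictionary, and detokenize calls would be logged, since the vault's access list is exactly the set of people who can see the original values.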

Chapter 1: Developing a Privacy Program

THE CIPM EXAM OBJECTIVES COVERED IN THIS CHAPTER INCLUDE:

Domain I. Developing a Privacy Program

I.A. Create an organizational vision

I.A.a. Evaluate the intended objective

I.A.b. Gain executive sponsor approval for this vision

I.B. Establish a data governance model

I.B.a. Centralized

I.B.b. Distributed

I.B.c. Hybrid

I.C. Define a privacy program

I.C.a. Define program scope and charter

I.C.b. Identify the source, types, and uses of personal information (PI) within the organization and the applicable laws.

I.C.c. Develop a privacy strategy

I.D. Structure the privacy team

I.D.a. Establish the organizational model, responsibilities, and reporting structure appropriate to the size of the organization (e.g., Chief Privacy Officer, DPO, Privacy manager, Privacy analysts, Privacy champions, “First responders”)

I.D.b. Designate a point of contact for privacy issues

I.D.c. Establish/endorse the measurement of professional competency

I.E. Communicate

I.E.a. Create awareness of the organization's privacy program internally and externally (e.g., PR, Corporate Communication, HR)

I.E.b. Develop internal and external communication plans to ingrain organizational accountability

I.E.c. Ensure employees have access to policies and procedures and updates relative to their role.

Organizations around the world find themselves under increasing scrutiny for their privacy practices. Legal and regulatory requirements, consumer pressure, and ethical obligations drive them to identify the personal information that they use and to implement controls to protect the privacy of that information.

As privacy functions flourish within organizations, they need qualified managers and leaders to ensure their success. From top-level chief privacy officers to mid-level managers, demand continues to increase for privacy experts.

Introduction to Privacy

Privacy is one of the core rights inherent to every human being. The term is defined in many historic works, but they all share the basic tenet of individuals having the right to protect themselves and their information from unwanted intrusions by others or the government. Let's take a brief look at the historical underpinnings of privacy in the United States.

In 1890, lawyers Samuel D. Warren and Louis D. Brandeis wrote an article for the Harvard Law Review titled “The Right to Privacy.” In that article, they wrote:

Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual … the right “to be let alone.” Instantaneous photographs and newspaper enterprises have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that “what is whispered in the closet shall be proclaimed from the house-tops.” For years there has been a feeling that the law must afford some remedy for the unauthorized circulation of portraits of private persons; and the evil of the invasion of privacy by the newspapers, long keenly felt, has been but recently discussed by an able writer.

Reading that excerpt over a century later, we can easily see echoes of Warren and Brandeis's concerns about technology in today's world. We could just as easily talk about the impact of social media, data brokerages, and electronic surveillance as having the potential to cause “what is whispered in the closet” to be “proclaimed from the house-tops.”

The words written by Warren and Brandeis might have slipped into obscurity were it not for the fact that 25 years later one author would ascend to the Supreme Court where, as Justice Brandeis, he would take the concepts from this law review article and use them to argue for a constitutional right to privacy. In a dissenting opinion in the case Olmstead v. United States, Justice Brandeis wrote:

The makers of our Constitution undertook to secure conditions favorable to the pursuit of happiness …. They conferred, as against the Government, the right to be let alone—the most comprehensive of rights and the right most valued by civilized men. To protect that right, every unjustifiable intrusion by the Government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment.

This text, appearing in a dissenting opinion, was not binding upon the courts, but it has surfaced many times over the years in arguments establishing a right to privacy as that right “to be let alone.” Recently, the 2018 majority opinion of the court in Carpenter v. United States cited Olmstead in an opinion declaring warrantless searches of cell phone location records unconstitutional, saying:

As Justice Brandeis explained in his famous dissent, the Court is obligated as “[s]ubtler and more far-reaching means of invading privacy have become available to the Government”—to ensure that the “progress of science” does not erode Fourth Amendment protections. Here the progress of science has afforded law enforcement a powerful new tool to carry out its important responsibilities. At the same time, this tool risks Government encroachment of the sort the Framers, “after consulting the lessons of history,” drafted the Fourth Amendment to prevent.

This is just one example of many historical precedents that firmly establish a right to privacy in U.S. law and allow the continued reinterpretation of that right in the context of technologies and tools that the authors of the Constitution could not possibly have imagined.

What Is Privacy?

It would certainly be difficult to start a book on privacy without first defining the word privacy, but this is a term that eludes a common definition in today's environment. Legal and privacy professionals asking this question often harken back to the words of Justice Brandeis, describing privacy simply as the right “to be let alone.”

In their Generally Accepted Privacy Principles (GAPP), the American Institute of Certified Public Accountants (AICPA) offers a more hands-on definition, describing privacy as “the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and destruction of personal information.”

The GAPP definition may not be quite as pithy and elegant as Justice Brandeis's right “to be let alone,” but it does provide privacy professionals with a better working definition that they can use to guide their privacy programs, so it is the definition that we will adopt in this book.

What Is Personal Information?

Now that we have privacy defined, we're led to another question. If privacy is about the protection of personal information, what information fits into this category? Here, we turn our attention once again to GAPP, which defines personal information as “information that is or can be about or related to an identifiable individual.”

More simply, if information is about a person, that information is personal information as long as you can identify the person that it is about. For example, the fairly innocuous statement “Mike Chapple and Joe Shelley wrote this book” fits the definition of personal information. That personal information might fall into the public domain (after all, it's on the cover of this book!), but it remains personal information.

You'll often hear the term personally identifiable information (PII) used to describe personal information. The acronym PII is commonly used in privacy programs as a shorthand notation for all personal information.

Of course, not all personal information is in the public domain. Many other types of information fit into this category that most people would consider private. Our bank balances, medical records, college admissions test scores, and email communications are all personal information that we might hold sensitive. This information fits into the narrower category of sensitive personal information (SPI). SPI tends to designate the type of information that a person might want to keep confidential. SPI can have differing levels of sensitivity and may also be protected by law. For example, General Data Protection Regulation (GDPR) in the European Union (EU) has a listing of “special categories of personal data,” which includes:

Racial or ethnic origin

Political opinions

Religious or philosophical beliefs

Trade union membership

Genetic data

Biometric data used for the purpose of uniquely identifying a natural person

Health data

Data concerning a natural person's sex life or sexual orientation

GDPR uses this list to create special boundaries and controls around the categories of information that EU lawmakers found to be the most sensitive.

What Isn't Personal Information?

With a working knowledge of personal information under our belts, it's also important to make sure that we have a clear understanding of what types of information do not fit the definition of personal information and, therefore, fall outside the scope of privacy programs.

First, clearly, if information is not about a person, it is not personal information. Information can be sensitive, but not personal. For example, a business's product development plans or a military unit's equipment list might both be very sensitive but they aren't about people, so they don't fit the definition of personal information.

Second, information is not personal information if it does not provide a way to identify the person that the information is about. For example, consider the height and weight information in Table 1.1.

TABLE 1.1 Height and weight information

Name            Age  Gender  Height   Weight
Mary Smith      43   F       5′ 9″    143 lbs
Matt Jones      45   M       5′ 11″   224 lbs
Kevin Reynolds  32   M       5′ 10″   176 lbs

This information clearly fits the definition of personal information. But what if we remove the names from this table, as shown in Table 1.2?

TABLE 1.2 Deidentified height and weight information

Age  Gender  Height   Weight
43   F       5′ 9″    143 lbs
45   M       5′ 11″   224 lbs
32   M       5′ 10″   176 lbs

Here, we have a set of information (or attributes) that is about an individual, but it doesn't seem to be about an identifiable individual, so the information is deidentified and falls outside the definition of personal information. However, we must be careful here. What if this table was known to contain the information about individuals in a certain department? If Mary Smith is the only 43-year-old female in that department, it would be trivial to determine that the first row contains her personal information, making the height and weight information once again identifiable information.

This leads us to the concept of anonymization, the process of taking personal information and making it impossible to identify the individual to whom the information relates. As illustrated in our height and weight example, simply removing names from a table of data does not necessarily anonymize that data. Anonymized data should never be relatable back to a specific individual, and the anonymization process is actually quite a challenging problem that requires the expertise of privacy professionals.

Exam Tip

It's important to understand that deidentification and anonymization are similar, but not identical, concepts. Deidentification is the removal of identifying characteristics from data, as was done in Table 1.2. Anonymization is the process of altering information to a point that makes it impossible to tie it back to a specific individual person.

The U.S. Department of Health and Human Services (HHS) publishes a deidentification standard that may be used to render information unidentifiable using two different techniques:

Expert determination requires the involvement of a trained statistician who analyzes a deidentified data set and determines that very little risk exists that the information could be used to identify an individual, even if that information is combined with other publicly available information.

Safe harbor requires the removal of 18 different types of information and indirect links to an individual. These include:

Names

Geographic divisions and ZIP codes containing fewer than 20,000 people

The month and day of a person's birth, death, and hospital admission or discharge or the age in years of a person over 89

Telephone numbers

Vehicle identifiers and serial numbers, including license plate numbers

Fax numbers

Device identifiers and serial numbers

Email addresses

Web URLs

Social Security numbers

IP addresses

Medical record numbers

Biometric identifiers, including finger and voice prints

Health plan beneficiary numbers

Full-face photographs and any comparable images

Account numbers

Any other uniquely identifying number, characteristic, or code

Certificate/license numbers

The HHS deidentification standards cover medical records, so they include fields specific to medical records. You may use them as general guidance for the deidentification of other types of record, but you must also supplement them with industry-specific fields that might identify an individual. You can read the full HHS deidentification standard at www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#standard.

We will cover how this standard fits into the broader requirements of the Health Insurance Portability and Accountability Act (HIPAA) in Chapter 2, “Privacy Program Framework.” We only discuss it here as an example of the difficulty of deidentifying personal information.

Closely related to issues of anonymization and deidentification is the process of aggregation, summarizing data about a group of individuals in a manner that makes it impossible to draw conclusions about a single person. For example, we might survey all the students at a university and ask them their height and weight. If the students included any identifying information on their survey responses, those individual responses are clearly personal information. However, if we provide the summary table shown in Table 1.3, the information has been aggregated to an extent that renders it nonpersonal information. There is no way to determine the height or weight of an individual student from this data.

TABLE 1.3 Aggregated height and weight information

Gender  Average Height  Average Weight
F       5′ 5″           133 lbs
M       5′ 10″          152 lbs
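The three steps this section walks through (stripping direct identifiers as in Table 1.2, noticing that the remaining attributes can still single out Mary Smith, and summarizing as in Table 1.3) can be checked mechanically. The following is an added example in Python, not code from the book: RECORDS is a constructed copy of Table 1.1 with heights in inches, DIRECT_IDENTIFIERS is a hypothetical subset of the safe harbor field types expressed as column names, and the helpers deidentify, k_anonymity, unique_combinations, and aggregate are names chosen for this example. It generalizes the text's one-department scenario slightly: the k-anonymity check counts how many records share each combination of age and gender, and a k of 1 is exactly the "only 43-year-old female" situation.

```python
from collections import Counter, defaultdict
from statistics import mean

# Constructed records modelled on Table 1.1 (heights converted to inches).
RECORDS = [
    {"name": "Mary Smith", "age": 43, "gender": "F", "height_in": 69, "weight_lb": 143},
    {"name": "Matt Jones", "age": 45, "gender": "M", "height_in": 71, "weight_lb": 224},
    {"name": "Kevin Reynolds", "age": 32, "gender": "M", "height_in": 70, "weight_lb": 176},
]

# A subset of the safe harbor identifier types, as hypothetical column names.
DIRECT_IDENTIFIERS = {"name", "ssn", "email", "phone", "medical_record_number"}
# Attributes that are not identifiers alone but can single someone out in combination.
QUASI_IDENTIFIERS = ("age", "gender")


def deidentify(records):
    """Table 1.2 step: drop direct identifiers and cap ages over 89, as the safe harbor rule requires."""
    out = []
    for r in records:
        d = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        if isinstance(d.get("age"), int) and d["age"] > 89:
            d["age"] = "90+"
        out.append(d)
    return out


def equivalence_classes(records, quasi=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi) for r in records)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Smallest class size; k == 1 means at least one person is unique and can be re-linked."""
    return min(equivalence_classes(records, quasi).values())


def unique_combinations(records, quasi=QUASI_IDENTIFIERS):
    """The quasi-identifier combinations that point at exactly one person (the Mary Smith case)."""
    return [combo for combo, n in equivalence_classes(records, quasi).items() if n == 1]


def aggregate(records, group_by="gender", min_group=2):
    """Table 1.3 style summary. Groups smaller than min_group are suppressed,
    because an average over one person is that person's exact value."""
    groups = defaultdict(list)
    for r in records:
        groups[r[group_by]].append(r)
    summary = {}
    for g, rows in sorted(groups.items()):
        if len(rows) < min_group:
            continue
        summary[g] = {
            "n": len(rows),
            "avg_height_in": round(mean([r["height_in"] for r in rows]), 1),
            "avg_weight_lb": round(mean([r["weight_lb"] for r in rows]), 1),
        }
    return summary


if __name__ == "__main__":
    deid = deidentify(RECORDS)
    print("k-anonymity over", QUASI_IDENTIFIERS, "=", k_anonymity(deid))
    print("unique (age, gender) combinations:", unique_combinations(deid))
    print("aggregate, no suppression:", aggregate(deid, min_group=1))
    print("aggregate, min group of 2:", aggregate(deid))
```

On the three sample rows every (age, gender) pair is unique, so k is 1 and the deidentified table is not anonymized in the sense the Exam Tip describes. The suppression threshold in aggregate makes the same point for Table 1.3: with only one female respondent, the "average" female height and weight would be Mary Smith's own, so a real aggregation must require a minimum group size before releasing a summary.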

Why Should We Care about Privacy?

Protecting privacy is hard work. Privacy programs require that organizations invest time and money in an effort that does not necessarily provide a direct financial return on that investment. This creates an opportunity cost, as those resources could easily be deployed in other areas of the organization to have a direct financial impact on the mission. Why, then, should organizations care about privacy?

Privacy is an ethical obligation. Organizations who are the custodians of personal information have a moral and ethical obligation to protect that information against unauthorized disclosure or use.

Laws and regulations require privacy protections.


