IAPP Privacy Program Management 3E-SAMPLE

Privacy Program Management
Tools for Managing Privacy Within Your Organization
Third Edition

Executive Editor and Contributor
Russell Densmore, CIPP/E, CIPP/US, CIPM, CIPT, FIP
Contributors
Susan Bandi, CIPP/E, CIPP/US, CIPM, CIPT, FIP
João Torres Barreiro, CIPP/E, CIPP/US
John Brigagliano
Ron De Jesus, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, FIP
Jonathan Fox, CIPP/US, CIPM
Jon Neiditz, CIPP/E, CIPP/US, CIPM
Chris Pahl, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP
Liisa Thomas
Amanda Witt, CIPP/E, CIPP/US
Edward Yakabovicz, CIPP/G, CIPM, CIPT

An IAPP Publication
©2022 by the International Association of Privacy Professionals (IAPP)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher, International Association of Privacy Professionals, Pease International Tradeport, 75 Rochester Ave., Portsmouth, NH 03801, United States of America.

CIPP, CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPM, and CIPT are registered
trademarks of the International Association of Privacy Professionals, Inc. registered in
the United States. CIPP, CIPP/E, CIPM, and CIPT are also registered in the European
Union as Community Trademarks (CTM).

Indexer: Hyde Park Publishing Services

ISBN: 978-1-948771-55-9

Library of Congress Control Number: 2021949927


Contents

About the IAPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii


Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

CHAPTER 1
Introduction to Privacy Program Management
1.1 Responsibilities of a Privacy Program Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 Beyond Law and Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.4 Why Does an Organization Need a Privacy Program? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.5 Privacy Across the Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.6 Championing Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

CHAPTER 2
Privacy Program Framework: Privacy Governance
2.1 Create an Organizational Privacy Vision and Mission Statement . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2 Define Privacy Program Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.3 Develop a Privacy Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.4 Develop and Implement a Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.5 Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.6 Privacy Technology and Governance, Risk, and Compliance Vendors and Tools . . . . . . . . . . . 33
2.7 Structure the Privacy Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.8 Establishing the Organizational Model, Responsibilities, and Reporting Structure . . . . . . . . . 38
2.9 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

CHAPTER 3
Privacy Program Framework: Applicable Privacy Laws and Regulations
3.1 Global Privacy Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.2 Self-Regulation: Industry Standards and Codes of Conduct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
3.3 Cross-Border Data Transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
3.4 Organizational Balance and Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.5 Understanding Penalties for Noncompliance with Laws and Regulations . . . . . . . . . . . . . . . . . 63
3.6 Understanding the Scope and Authority of Oversight Agencies . . . . . . . . . . . . . . . . . . . . . . . . . . 65
3.7 Other Privacy-Related Matters to Consider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.8 Monitoring Laws and Regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.9 Third-Party External Privacy Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
3.10 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

CHAPTER 4
Privacy Operational Life Cycle: Assess: Data Assessments
4.1 Data Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
4.2 Inventories and Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
4.3 Records of Processing Activities Under the EU General Data Protection Regulation . . . . . . . . 80
4.4 Assessments and Impact Assessments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
4.5 Physical and Environmental Assessments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
4.6 Assessing Vendors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
4.7 Mergers, Acquisitions, and Divestitures: Privacy Checkpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
4.8 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

CHAPTER 5
Privacy Operational Life Cycle: Protect: Protecting Personal Information 
5.1 Privacy by Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
5.2 Data Protection by Design and Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
5.3 Diagramming Privacy by Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
5.4 Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
5.5 Data Privacy and Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
5.6 Privacy Policy and Technical Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
5.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

CHAPTER 6
Privacy Operational Life Cycle: Protect: Policies
6.1 What Is a Privacy Policy? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
6.2 Privacy Policy Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
6.3 Interfacing and Communicating with an Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
6.4 Communicating the Privacy Policy within the Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
6.5 Policy Cost Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
6.6 Design Effective Employee Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
6.7 Procurement: Engaging Vendors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
6.8 Data Retention and Destruction Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
6.9 Implementing and Closing the Loop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
6.10 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

CHAPTER 7
Privacy Operational Life Cycle: Sustain: Monitoring and Auditing Program Performance
7.1 Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
7.2 Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
7.3 Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
7.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
7.5 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

CHAPTER 8
Privacy Operational Life Cycle: Sustain: Training and Awareness
8.1 Training and Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
8.2 Leveraging Privacy Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
8.3 Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
8.4 Creating Awareness of the Organization’s Privacy Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
8.5 Awareness: Operational Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
8.6 Identifying Audiences for Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
8.7 Training and Awareness Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
8.8 Training and Awareness Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
8.9 Using Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
8.10 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

CHAPTER 9
Privacy Operational Life Cycle: Respond: Data Subject Rights
9.1 Privacy Notices and Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
9.2 Choice, Consent, and Opt-Outs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
9.3 Obtaining Consents from Children . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
9.4 Data Subject Rights in the United States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
9.5 Data Subject Rights in Europe and the United Kingdom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
9.6 Responding to Data Subject Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
9.7 Handling Complaints: Procedural Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
9.8 Data Subject Rights Outside the United States and Europe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
9.9 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
CHAPTER 10
Privacy Operational Life Cycle: Respond: Data Breach Incident Plans
10.1 Incident Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
10.2 How Incidents Occur . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
10.3 Terminology: Security Incident versus Breach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
10.4 Getting Prepared . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
10.5 Roles in Incident Response Planning by Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
10.6 Integrating Incident Response into the Business Continuity Plan . . . . . . . . . . . . . . . . . . . . . . . 261
10.7 Incident Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
10.8 Roles Different Individuals Play During an Incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
10.9 Investigating an Incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
10.10 Reporting Obligations and Execution Timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
10.11 Recovering from a Breach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
10.12 Benefiting from a Breach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
10.13 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293

About the Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

About the IAPP

The International Association of Privacy Professionals (IAPP) is the largest and most comprehensive global information privacy community and resource, helping practitioners develop and advance their careers and organizations manage and protect their data.

The IAPP is a not-for-profit association founded in 2000 with a mission to define, support, and improve the privacy profession globally. We are committed to providing a forum for privacy professionals to share best practices, track trends, advance privacy management issues, standardize the designations for privacy professionals, and provide education and guidance on opportunities in the field of information privacy.

The IAPP is responsible for developing and launching the only globally recognized credentialing programs in information privacy: the Certified Information Privacy Professional (CIPP®), the Certified Information Privacy Manager (CIPM®), and the Certified Information Privacy Technologist (CIPT®). The CIPP, CIPM, and CIPT are the leading privacy certifications for thousands of professionals around the world who serve the data protection, information auditing, information security, legal compliance, and/or risk management needs of their organizations.

In addition, the IAPP offers a full suite of educational and professional development services and holds annual conferences that are recognized internationally as the leading forums for the discussion and debate of issues related to privacy policy and practice.

Preface

We now live in an interconnected world where data is as valuable as gold. These interconnected products and services are oftentimes engineered to “your” liking. It makes tasks easier, such as mobile banking, ordering online, or watching television. It can help people monitor their own health and wellness with devices like a Fitbit or Apple watch. It allows for streaming of music services or other online content. These are all designed to make your life better and improve services. However, there is a trade-off to all these items. It requires you to allow others to use your data in ways that you choose.

This interaction and sharing of data between individuals and service providers is growing at an exponential pace. If we as privacy professionals do not stand up for the rights and freedoms of individuals to ensure proper protection of their personal information, then who?

Over the last decade, we have seen privacy ingrained into everyday operations of organizations. The proper handling of data by organizations is demanded by society. Probably one of the greatest changes we have seen in privacy program management is in training and awareness. Similar to how information security has been “baked” into an organization’s training strategy, so has privacy. It is not uncommon to see an organization emphasize that protecting data is the responsibility of each employee. Now we see organizations adding that protecting personal information is also the employee’s responsibility. This has been incorporated into many organizations’ standard operating procedures. This is a good thing.

The roles of the chief privacy officer, privacy program manager, privacy analyst, and privacy engineer are to ensure organizations are adhering to the privacy principles outlined in various privacy laws around the globe. The laws may have specific requirements; however, most of the regulations are based on the same principles. The principles may be named differently but in essence are quite similar. These privacy principles must be adhered to if an organization wishes to be compliant with the varying regulations. This is where the privacy program manager comes into play. The privacy program manager leads the effort to ensure privacy principles are being carried out through information security practices. This activity will look different for every organization. The privacy program manager works with other privacy professionals, if available, to establish the proper policies, procedures, and processes that will protect a data subject’s personal information.

The success of the privacy compliance program for different organizations relies heavily on how the organization has established its data governance program. Some organizations do not have a structured data governance program. The importance of good data governance is being highlighted as organizations race to comply with not only privacy regulations, but also sectoral regulations, such as finance and medical. This is a new area in which the privacy professional may play an increased role.

I would like to humbly thank the International Association of Privacy Professionals (IAPP) for allowing me this opportunity for a third edition and everyone who assisted with this textbook, especially the individual authors who contributed in their areas of expertise. They are all dedicated and supportive professionals, proving we can all work together as a holistic team to achieve success. This work would not be possible without all of them. My deepest thanks to the team.
Russell Densmore, CIPP/E, CIPP/US, CIPM, CIPT, FIP
October 2021

Acknowledgments

This third edition of Privacy Program Management: Tools for Managing Privacy Within Your Organization would not have been possible without contributions and support from the IAPP’s global community of privacy and data protection professionals.

Thank you to our Training Advisory Board. We are ever grateful for your guidance and generosity in sharing your expertise. Current members include:

Shay Babb, CIPP/C, CIPM
Robin Anise Benns, CIPP/US
Jonathan Cantor, CIPP/G, CIPP/US
Justin Castillo, CIPP/E, CIPP/US, CIPM
Alfredo Della Monica, CIPP/E
Katrina Destrée, CIPP/E
Marta Dunphy-Moriel, CIPP/E
Thays Castaldi Gentil, CIPP/E
Ian Goodwin, CIPP/E, CIPM, CIPT, FIP
Wei Gu, CIPM
Adam Higgins, CIPP/E, CIPM, CIPT, FIP
Kulwinder Johal, CIPP/E
Mazen Kassis, CIPM
Sakshi Katyal
Julie McEwen, CIPP/G, CIPP/US, CIPM, CIPT, FIP
Sarah Morrow, CIPP/US, CIPM, FIP
Theresa Niland
Viviane Nobrega Maldonado, CIPP/E
Cristina Onosé, CIPP/C, CIPM
Chris Pahl, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP
Julia Palmer, CIPP/E, CIPM
Leonard Rivera, CIPP/US
Jennifer Schack, CIPP/E, CIPP/US, CIPM, FIP
Timothy Smit, CIPP/E, CIPP/US, CIPM, FIP
James Snell

Garry Tyler Spence, CIPP/E, CIPP/US, CIPM, FIP
Becky Tarrant, CIPP/E, CIPM
Liisa Thomas
Michael Tibodeau, CIPP/E, CIPP/US, CIPM, CIPT, FIP
Jessica Vaianisi, CIPP/C
Judith van de Vorle, CIPP/E, CIPM
Victoria van Roosmalen, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, FIP
Rajesh Kumar Viswanathan, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP
Victoria Watts, CIPP/E, CIPT
Zhaofeng Zhou, CIPP/E
It has been my true pleasure to work with Russell Densmore, CIPP/E, CIPP/US, CIPM, CIPT, FIP, who serves as executive editor for this book. He led our contributing team of privacy and data protection pros from around the globe through all stages of development and has supported our CIPM program from its inception. Thank you for your guidance, advice, and continued commitment to this project.

To our stellar contributors—Susan Bandi, CIPP/US, CIPM, CIPT, FIP, João Torres Barreiro, CIPP/E, CIPP/US, John Brigagliano, Ron De Jesus, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, FIP, Jonathan Fox, CIPP/US, CIPM, Jon Neiditz, CIPP/E, CIPP/US, CIPM, Chris Pahl, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, Liisa Thomas, Amanda Witt, CIPP/E, CIPP/US, and Edward Yakabovicz, CIPP/G, CIPM, CIPT—we are so grateful you have shared your expertise and diverse perspectives in the pages of this book.

Many thanks to Jyn Schultze-Melling for permission to include his chapter on the rights of data subjects from European Data Protection: Law and Practice, Second Edition as an excerpt in Chapter 9 of this book.

Wei Gu, CIPM, Adam Higgins, CIPP/E, CIPM, CIPT, FIP, Sarah Morrow, CIPP/US, CIPM, FIP, Julia Palmer, CIPP/E, CIPM, Jennifer Schack, CIPP/E, CIPP/US, CIPM, FIP, Timothy Smit, CIPP/E, CIPP/US, CIPM, FIP, Becky Tarrant, CIPP/E, CIPM, and Michael Tibodeau, CIPP/E, CIPP/US, CIPM, CIPT, FIP, thank you for providing thoughtful, constructive feedback on the draft manuscript.

Thank you to Hyde Park Publishing Services for creating the book index.

We appreciate the hard work, expertise, and dedication of the many professionals who contributed to the publication of this book. We hope you will find it to be both a useful tool for preparing for your CIPM certification and a practical resource for your professional career.
Marla Berry, CIPT
Training Director
International Association of Privacy Professionals

Introduction

In 2013, when we launched the Certified Information Privacy Manager program, the idea of operating a privacy program was still novel. Our profession largely evolved from law and compliance, and privacy was, in many ways, binary: the privacy professional gave the product or service a thumbs-up or thumbs-down.

Quickly, however, organizations with business models increasingly dependent on data came to realize that better management and customer trust were needed. Unless the privacy professional was involved at every step of product development, organizations faced too much risk.

Further, with the passage of the EU General Data Protection Regulation (GDPR), the idea of operational privacy, or “privacy by design” (PbD), became law. In the years since our last edition, the GDPR’s effects have become further cemented into business operations, while other laws around the world continually borrow concepts from the GDPR.

Moreover, the privacy world has gone through a panoply of changes. Brazil and China now have national data protection laws. India is pondering its own law, and several other nations around the world have passed or will pass their own legislation. In the United States, California passed not one, but two, comprehensive privacy laws. Other states followed suit, including Colorado and Virginia. And more may be on the horizon.

Keeping up with these developments complicates the efforts of the privacy office. Finding areas of convergence and identifying gaps is a must for risk management and compliance. Operationally, many of these laws now require organizations to facilitate data subject access requests, as well as rights to deletion, correction, and portability. An entire marketplace of privacy technology vendors equipped with products and services designed to scale the internal privacy function has grown in response.

To add on, in the wake of the Court of Justice of the European Union’s (CJEU) decision in “Schrems II,” international data flows have become exponentially complicated. Companies must conduct transfer impact assessments, deploy new standard contractual clauses, and rely on alternative transfer mechanisms, such as binding corporate rules and derogations. Data localization is taxing cloud vendors and creating its own sources of risk.

Plus, artificial intelligence and machine learning systems, which often require massive amounts of data collection, are proliferating across industry sectors.

As we’ve consistently observed in our annual IAPP-EY Privacy Governance Report, organizations with mature privacy operations not only have full teams of privacy professionals, but they also have them embedded in various business operations and administrative departments, ranging from human resources to information technology, marketing, and sales. They provide privacy with multimillion-dollar budgets. They buy tech bespoke for privacy operations.

In short, privacy program management is a foundational component in modern business, and the need for sophisticated leaders who understand the complexities of the global digital marketplace will only increase.

Yet again, Executive Editor Russell Densmore, CIPP/E, CIPP/US, CIPM, CIPT, FIP, has overseen a variety of valuable contributions in revamping Privacy Program Management: Tools for Managing Privacy Within Your Organization. There are more practical examples, more deep dives into the “how” of privacy management, and more information on the tools privacy professionals are using to create effective privacy programs.

For data protection officers, privacy program managers, global privacy leaders, and any number of other titles emerging around the globe, the CIPM is the perfect tool for privacy professionals working in both the public and private sectors. This book helps unlock the benefits of CIPM and prepare those hoping to take the exam and get certified.

I am extremely pleased with the way the CIPM continues to be accepted around the globe as the standard for how privacy is done on the ground. I hope you—and your organization—enjoy its benefits.
J. Trevor Hughes, CIPP
President and CEO
International Association of Privacy Professionals

CHAPTER 1

Introduction to Privacy Program Management

Russell Densmore, CIPP/E, CIPP/US, CIPM, CIPT, FIP

What is privacy program management? It is the structured approach of combining several projects into a framework and life cycle to protect personal information and the rights of individuals. An organization that implements and maintains a properly structured privacy program will be able to comply with its legal and regulatory requirements and meet the expectations of clients or customers, while at the same time preventing and mitigating privacy risks.

What is program management? It is the process of managing multiple projects across an organization to improve performance. Program management is used widely in the aerospace and defense industries. It allows for oversight and status tracking of projects to ensure the goals of the program are met. It allows for a holistic view of multiple projects and change management. It also allows for valued metrics to be viewed across the program.

What is a framework? A framework is the skeletal structure needed to support program management. Each organization’s privacy program framework will be created by analyzing the applicable laws, regulations, and best practices, tailored specifically to the goals of that organization.


What is a life cycle? It is the series of stages that something passes through during its
existence. In privacy program management, we refer to the privacy governance life cycle
of assess, protect, sustain, and respond.
The privacy framework and life cycle follow well-known program management
principles and consider privacy laws and regulations from around the globe. They
incorporate common privacy principles and implement concepts such as privacy by
design (PbD) and privacy by default.1
The term “privacy” has varying definitions among multiple nations, states, regions,
and industries of the world. Most people agree privacy is not the same as secrecy and
thus should not be confused with data classification models used by governments of
the world, which may label information as sensitive, secret, top secret, etc. Privacy is a
dynamic object with a discrete set of attributes and actions that is difficult to observe
and measure. Therefore, the use of a privacy framework and life cycle provides the
guidance and structure necessary to ensure a successful program implementation and

1
Privacy Program Management

ongoing adherence. The world is demanding that organizations are accountable for the
data they collect, how they manage the data, and how they use personal information to
protect and respect the rights of individuals. A structured privacy program exhibits an
organization’s thoughtful and intentional plan to protect personal information and the
rights of individuals.
Since privacy is a subject of global importance, organizations can no longer ignore the
requirements necessary to protect personal information imposed by laws, regulations,
and industry best practices. As governments continue to impose tighter laws and
regulations, consumers continue to demand more protection from organizations they
choose to entrust with their information. Consequently, organizations must meet
these demands through placement of greater controls, processes, and procedures on
information under their custodial control. With so many spheres of influence and
pressure, global privacy teams must now seek to track, manage, and monitor the dynamic changes that appear to occur continuously.
As with all business management tasks, a privacy governance life cycle provides the methods to assess, protect, sustain, and respond to the positive and negative effects of all influencing factors. This framework and life cycle thereby provides reusable procedures and processes that outline the courses of action. Like maps, frameworks provide inquiry topics and direction (e.g., problem definition, purpose, literature review, methodology, data collection, and analysis) to ensure quality through repeatable programmatic steps, thereby reducing errors or gaps in knowledge or experience. For the purpose of this book, this framework and life cycle is called the “privacy program framework.” Although a dedicated privacy team or privacy professional (e.g., a data protection officer) owns this framework, it shares ownership and management aspects with other stakeholders throughout the organization, including employees, executive leadership, managers, and external entities, such as partners, vendors, and customers.

“Privacy professional” is a general term used to describe any member of the privacy team who may be responsible for privacy program framework development, management, and reporting within an organization.

“Assess” is the first of four phases of the privacy operational life cycle that
will provide the steps, checklists, and processes necessary to assess any gaps in a
privacy program as compared to industry best practices, corporate privacy policies,
applicable privacy laws and regulations, and the privacy framework developed for

2
Introduction to Privacy Program Management

your organization. The privacy professional should note that although the assessing of a privacy program is explained sequentially, in actual practice, the elements may be performed simultaneously, in separate components, or tailored to organizational requirements. For example, you may be assessing a program by measuring its alignment with organizational standards and guidelines, with regulatory and legislative mandates, with industry best practices, or with a hybrid of these approaches.
There are currently many models and frameworks that allow measurement and
alignment of these activities to include privacy maturity models, such as the AICPA/
CICA Privacy Maturity Model, Generally Accepted Privacy Principles (GAPP)
framework, and privacy by design (PbD).
“Protect” is the second of four phases of the privacy operational life cycle. It provides the data life cycle, information security practices, and PbD principles to protect personal information. Although the subject is technical, encompassing information security, information assurance, or cybersecurity practices, this chapter provides a generic, high-level overview for the privacy professional. The protect phase of the privacy operational life cycle embeds privacy principles and information security management practices within the organization to address, define, and establish privacy practices.
For any organization, domestic and global privacy management is further complemented through each of the operational life cycle phases related to jurisdiction, compliance, and laws. Understanding and analyzing each of these phases as they relate to an organization provides the privacy professional a greater understanding of how to protect personal information.
Privacy spans the entire organization, from HR, legal, and other supporting functions to businesses and procurement. Therefore, do not forget to take into account laws and regulations applying to other areas, such as labor or telecommunications law, as these may well interact with privacy laws.
“Sustain” is the third of four phases of the privacy operational life cycle that provides
privacy management through the monitoring, auditing, and communication aspects
of the management framework. Monitoring throughout several functions in the
organization, to include audit, risk, and security practices, ensures “business as usual”
for identification, mitigation, and reporting of risk in variation or gaps in operations to
meet regulatory, industry, and business objectives.2 Monitoring should be continuous
and based on the organization’s risk appetite through defined roles and responsibilities
that may include privacy, audit, risk, and security roles.
“Respond” is the fourth of four phases of the privacy operational life cycle. It includes the respond principles of information requests, legal compliance, incident-response planning, and incident handling. The “respond” phase of the privacy operational life cycle aims to reduce organizational risk and bolster compliance with regulations. Every corporation needs to be prepared to respond to its customers, partners, vendors, employees, regulators, shareholders, or other legal entities. The requests can take a broad form, from simple questions and requests for data corrections to more in-depth legal disclosures about individuals. No matter the type of request, you need to be prepared to properly receive, assess, and respond to them.
Businesses are motivated today, more than ever, to ensure they are compliant with privacy laws and regulations around the globe—in part, because they want to protect their brand name, reputation, and consumer trust. Large data breaches frequently make news headlines, and organizations have paid significant penalties, particularly through class-action lawsuits to affected individuals, lost revenue, or lost consumer trust. Millions of people have been affected by sloppy data protection practices of the past. This must change, and organizations must take seriously how they handle personal information entrusted to them.
It is time for the privacy profession to recognize the value of a holistic data privacy program and the ever-important privacy program manager. This textbook delves into the requirements for becoming a privacy program manager. The Certified Information Privacy Manager (CIPM) certification indicates that a privacy program manager has the proper understanding of concepts, frameworks, life cycles, and regulations to hold the role of privacy program manager for their employer.3

1.1 Responsibilities of a Privacy Program Manager
The role and responsibilities of a privacy program manager may vary widely depending on the type, size, and complexity of the organization and its business objectives, and may be performed by one or more privacy professionals who form part of the central privacy team. This role also may not always carry such a job title; e.g., a data protection officer and a data privacy analyst could undertake specific responsibilities of a privacy program manager in some organizations. It is important to remember to align the various parts of a privacy program to business objectives so as not to be in contention. The privacy program and operations should align with and support the business as a valued partner, not be seen as a “blocker.” The person who ultimately leads the endeavor is usually referred to as the privacy program manager.
The goals of a privacy program manager are to:
• Define privacy obligations for the organization
• Identify and mitigate business, employee, vendor, and customer privacy risks
• Identify existing documentation, policies, and procedures around the management of personal information
• Create, revise, and implement policies and procedures that effect positive practices and together comprise a privacy program
• Raise the data IQ of the organization to drive and embed a privacy-oriented culture
The goals of a privacy program (at a minimum) are to:
• Demonstrate an effective and auditable framework to enable compliance with applicable data protection laws and regulations
• Promote trust and confidence in the data entrusted by individuals, including consumers and employees
• Highlight that an organization takes its data privacy obligations seriously
• Respond effectively to privacy breaches and data subject requests
• Continually monitor, maintain, and improve the maturity of the privacy program
The specific responsibilities of the privacy program manager include:
• Policies, privacy notices, procedures, and governance
• Privacy-related awareness and training
• Incident response and privacy investigations
• Regulator complaints
• Data subject requests
• Communications
• Privacy controls
• Privacy issues with existing products and services
• Privacy-related monitoring
• Privacy impact assessments
• Development of privacy staff
• Privacy-related data committees
• PbD in product development
• Privacy-related vendor management
• Privacy audits
• Privacy metrics
• Cross-border data transfers
• Preparation for legislative and regulatory change
• Privacy-related subscriptions
• Privacy-related travel
• Redress and consumer outreach
• Privacy-specific or -enhancing software
• Privacy-related certification seals
• Cross-functional collaboration with legal, information technology (IT), information security (sometimes referred to as IS or infosec), cybersecurity, and ethics teams, among others
• Internal and external reporting
As you can see from the preceding list, which is not exhaustive, the roles and responsibilities of the privacy program manager can be far-reaching. This text is not meant to clarify every obligation of the privacy program manager but instead to give a holistic view so you may tailor a specific privacy program for your organization.

1.2 Accountability
What is accountability? Accountable organizations have the proper policies and
procedures to promote best practices in handling personal information and, generally,
can demonstrate they have the capacity to comply with applicable privacy laws. They
promote trust and transparency to provide individuals with confidence in their abilities
to protect their personal information and respect their data rights.
The concept of accountability is one of the most important concepts introduced by new data protection laws. It is about not only saying the organization is taking action, but also being able to prove that it is. In other words, the organization is accountable for the actions it takes or does not take to protect personal data. The idea is that, when organizations collect and process information about people, they must be responsible for it. They need to take ownership and take care of it throughout the data life cycle.
If an organization has a data protection policy in place, the organization should comply with that policy and document any deviations and actions taken for any failures in complying with the policy.
Accountability, as defined by laws, can benefit organizations, although it may impose obligations to take ownership and demonstrate how the organization is compliant. In exchange, it can give organizations a degree of flexibility about exactly how they will comply with their obligations. Privacy program managers, as well as chief information security officers (CISOs) and data protection officers (DPOs), may be accountable for the safekeeping and responsible use of personal information—not just to investors and regulators, but also to everyday consumers and their fellow employees.

1.3 Beyond Law and Compliance
Numerous laws and requirements affect businesses today, and the topic of privacy is receiving extra attention from legislators and non-privacy regulators. However, it is not just about laws and compliance. There are various motivators driving businesses to be more responsible with an individual’s personal data.
One such motivator is consumer trust. Fines and fees from regulators are usually clearly defined and have a finite value to them. However, consumer trust can be broad, unbounded, and have much more severe repercussions. Loss of consumer trust can be ruinous to organizations. It is hard to obtain and harder to get back once lost. Therefore, many organizations are motivated to have a mature privacy program to ensure they do not lose consumer trust.
Obviously, organizations that are business-to-consumer (B2C) will be more interested in consumer trust than business-to-business (B2B) companies. However, all organizations have an interest in keeping trust with their partners, employees, contractors, and customers. Proper handling of personal data is in every organization’s best interest.

1.4 Why Does an Organization Need a Privacy Program?
There are many reasons why an organization should have a privacy program. Foremost of all is simple accountability. Showing proper respect for individuals’ personal information shows that the organization is reputable.
The reasons for having a privacy program may include but are not limited to:
• Enhancing an organization’s brand and public trust
• Meeting regulatory obligations
• Encouraging ethical data-processing practices
• Enabling global operations, such as mergers and acquisitions (M&A)
• Preventing and mitigating the effects of data breaches
• Providing a competitive differentiator
• Increasing the value and quality of data (business asset)
• Reducing the risk of employee and consumer class-action lawsuits
• Being a good corporate citizen
• Meeting expectations of consumers and business clients
• Integrating data ethics into organizations’ decision-making
Good accountability through a robust privacy program may lead to trust in an organization. Trust, especially when it is consumer trust, may have great benefit to the organization. Being transparent, accountable, and good data stewards of personal information shows an organization is worthy of the information entrusted to it.

1.5 Privacy Across the Organization
Managing privacy within an organization requires the contribution and participation of many members of that organization, particularly functions that process high volumes of data, such as HR (employee data) and customer services (consumer data) teams.
Privacy should continue to develop and mature over time within an organization
so it is important that functional groups understand how they contribute and support
the overall privacy program, as well as the privacy principles themselves. Importantly,
individual groups must have a fundamental understanding of data privacy because,
in addition to supporting the vision and plan of the privacy officer and privacy team,
these groups may need to support independent initiatives and projects from other
stakeholders.
In some larger organizations, members of the privacy team may sit within other functional groups and have a dedicated privacy role—for example, marketing privacy managers may advise and sign off on new marketing initiatives and email campaigns from a privacy perspective. They may report to both the senior marketing manager and head of privacy. Buy-in and a sense of ownership from key functions also assist with better acceptance of privacy and sharing of the responsibility across the organization rather than in one office. Based on the individual culture, politics, and protocols of the organization, privacy professionals will need to determine the best methods, style, and practices to work within the organization or individual functions. Initially, this effort may be onerous, but building and maintaining good relationships with other key stakeholders ensures privacy is built into the DNA of business process and design rather than just an afterthought.
Many functions directly support the various activities required by the privacy program. Among these activities are the adoption of privacy policies and procedures, development of privacy training and communications, deployment of privacy- and security-enhancing controls, contract development with and management of third parties that process the personal information of the organization, and the assessment of compliance with regulations and established control mechanisms.
Privacy policies and procedures should be created and enforced at a functional level, i.e., by the central privacy team. Policies imposing general obligations on employees may also reside with other functions, such as ethics, legal, and compliance; therefore, it is important to align with other policy owners and reference other policies as applicable. Information technology (IT) may be responsible for policies and procedures related to employee use of technical infrastructure. Policies that govern privacy requirements for providers of third-party services that have implications for personal data typically sit with procurement, while those concerning the use and disclosure of employee health information typically reside with HR.
Since activities that contribute to the protection of employee, customer, and other data subjects’ personal information span the entire organization, most groups within the organization should have some policies to address the appropriate use and protection of personal information specific to their own functional areas; all such policies will need to be produced in close consultation with the privacy office. There needs to be an awareness of the difference between having appropriate policies in place and using appropriate controls. Examples of the different functions involved in creating procedures related to privacy include:
• The learning and development team manages activities related to employee training. (Training and awareness—with the intention of changing bad behaviors and reinforcing good ones—are integral to the success of the privacy program.) This function enables policies and procedures to be translated into teachable content and can help contextualize privacy principles into tangible operations and processes. In smaller companies, these responsibilities may fall on the privacy function. Whatever the size of the organization, the privacy team will always need to approve the privacy training output that has been produced and closely monitor completion rates.
• The communications team assists with publishing periodic intranet content, email communications, posters, and other collateral that reinforce good privacy practices in line with the company’s branding, objectives, and tone of voice. This function can also advise on the best methods of communication to boost engagement. For example, an animated video might work better for certain employees, rather than a physical poster or intranet blog post.
• The information security team aligns more closely to the privacy team than any other function in the organization. Every security-enhancing technology that information security deploys—from encryption to perimeter security controls and data loss prevention (DLP) tools—helps the privacy program meet its requirements for implementing security controls to protect personal information. As an example, EU data protection law incorporates security provisions into the law as one of its key principles. The information security team ensures that appropriate technological controls are employed (e.g., complex passwords, encryption, role-based access) and determines whether the various groups within an organization are aware of and comply with the organizational and technical controls that govern their activities and behaviors.
• The IT team can enhance the effectiveness of the privacy program by adding processes and controls that support privacy principles. For example, creating processes to develop and test software and applications in a manner that does not require the use of production data may decrease the chances that the data will be compromised. This may also keep individuals who have no business need to view personal data from accessing it. Creating systems that support role-based access also supports the larger purposes of the privacy program by specifically identifying and limiting who can access the personal information in a particular system. The IT team should carry the mantle of PbD by implementing privacy principles into the realm of technology development, for instance, by limiting the data fields built into a tool or application to only those actually required to perform a process or action, or by building in functions that
enable the user to easily delete data according to a retention schedule.
• An internal audit team assesses whether controls are in place to protect personal information and whether people and processes within the organization are abiding by these controls. This group can be considered an ally of the privacy program and, in a sense, a member of the privacy program, although it traditionally functions independently. It is good practice to align with the internal audit team, particularly as the privacy program matures, for help and assistance in developing a framework to monitor privacy policies, controls, and procedures already implemented to ensure they are being adhered to and working as they should. This can also make it a much smoother process when it comes to the internal audit team themselves carrying out their own review of the privacy program.
• Procurement plays an important role in ensuring that contracts are in place with third-party service providers that process personal information on behalf of the organization and that the appropriate data privacy contractual language is imposed on these service providers. Most privacy laws require data controllers or other entities directly subject to data protection laws to ensure their privacy requirements are fulfilled. Procurement teams usually support the privacy and/or legal teams in facilitating or, in some cases, performing due diligence, taking action based on the results, and making sure contractual language reduces the organization’s exposure. In smaller organizations, a legal department may create contract requirements if there is no procurement function.
• Human resources (HR) ensures employee information is handled in accordance with privacy policies and procedures. This function is most likely to handle sensitive employee information, such as health information and, in some organizations, information collected for vetting staff.
• Ethics and compliance manages whistleblowing and complaints relating to how an individual’s personal data may have been handled.
• Marketing and advertising creates awareness on how to handle customer personal data for marketing and media purposes.
• Business development and strategy helps understand how “good data protection” can drive more business.
• Finance ensures that work on Payment Card Industry (PCI), Sarbanes-Oxley (SOX), and other financial regulations is coordinated with the privacy office.
• Legal keeps current on privacy regulations and requirements that affect your
organization.
• Risk ensures data protection risks are included in the organization’s Enterprise
Risk Management framework.
• Data governance develops a data governance framework that supports data
privacy requirements.
• Product research and development performs privacy impact assessments
(PIAs), as well as privacy by design and default (PbDD) consulting in new
product development.

1.6 Championing Privacy
Protecting personal data and building a program that drives privacy principles into the organization cannot be the exclusive job of the privacy officer or privacy team, any more than playing a symphony is the exclusive responsibility of the conductor. As with an orchestra, many people, functions, and talents will merge to execute on a vision.
Many organizations create a privacy committee or council composed of the stakeholders, or representatives of functions, often referred to as “privacy champions,” that were identified at the start of the privacy program implementation process. These individuals and functions will launch the privacy program, and their expertise and involvement will continue to be tapped as remediation needs—some of which may sit within their areas of responsibility—are identified. They will be instrumental in making strategic decisions and driving them through their own departments.
Organizations with a global footprint often create a governance structure consisting of representatives from each geographic region and business function to ensure that proposed privacy policies, processes, and solutions align with local laws and to modify them where necessary.
Discuss ways these teams can work together to champion privacy, creating an even
greater awareness of your privacy program. Another benefit of this approach to building
an organization’s awareness program could be that, through the process of looking
at the various awareness programs in place throughout the organization, you have an
opportunity to assess existing programs. Collating feedback through questionnaires
can help to reveal both strengths and weaknesses in individual programs, which itself
is a positive result, contributing to an overall strengthening of all internal awareness
programs.

1.7 Summary
Privacy program managers are responsible for the safekeeping and responsible use
of personal information—not just to investors and regulators, but also to everyday
consumers and their fellow employees. Privacy program managers should be ready to
demonstrate compliance with applicable data privacy laws, reduce risk, build trust and
confidence in the brand, and enhance competitive and reputational advantages for the
organization.

Endnotes
1 Ann Cavoukian, Privacy by Design: The 7 Foundational Principles, accessed November 2018, https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf.
2 “Business As Usual,” Mr. Simon McDougall, interview, November 15, 2012.
3 “CIPM Certification,” IAPP, accessed November 2018, https://iapp.org/certify/cipm/.

About the Contributors

Executive Editor and Contributor

Russell Densmore, CIPP/E, CIPP/US, CIPM, CIPT, FIP

Russell Densmore is the global data protection leader for Raytheon Technologies. With more than 30 years of experience, he brings a multidisciplinary understanding to data protection, data governance, data compliance, digital forensics, and enterprise risk management. He has been recognized by the U.S. attorney general and Federal Bureau of Investigation for support against cybercriminals.
Densmore is renowned for information security, cyber forensic investigations, privacy program management, and physical security. He is a proven cybersecurity professional with a record of establishing and managing multiple cross-functional data protection teams.
Densmore co-chairs the National Defense Industrial Association (NDIA) cybersecurity, privacy subcommittee with longtime colleague and contributing author Edward Yakabovicz. He is actively involved with the Privacy Engineering Section of the IAPP and, as a privacy pioneer, often speaks at IAPP and other privacy events to promote the profession. He chairs the OneTrust Privacy Connect chapter for Los Angeles, as well as mentoring others on how to obtain the most benefit from privacy program management platforms.
Densmore holds a master’s of engineering degree in cybersecurity policy and compliance from The George Washington University and a bachelor’s of science degree in computer information systems/networking from Regis University.

Contributors

Susan Bandi, CIPP/E, CIPP/US, CIPM, CIPT, FIP

Susan Bandi currently serves as a compliance professional at Oracle. With more than 25 years of information technology experience, she has served in multiple leadership and executive roles responsible for application development, infrastructure, and information security. For the past 17 years, her focus has been on IT security, privacy, business continuity/disaster recovery, and data governance. She has served as global chief privacy officer for Monsanto/Bayer and was the assistant vice president and chief information security officer (CISO)/chief privacy officer (CPO) for Enterprise Holdings, Inc.
She is experienced in providing thought leadership and implementing effective, comprehensive global solutions in the areas of enterprise risk management, data governance, data privacy, IT security, and business continuity. She also serves as an adjunct professor in the Cybersecurity Master’s Program at Washington University in St. Louis.
She is an active member of the IAPP, Executive Women in Privacy, Chief Privacy Council Board, Future of Privacy Forum (FPF), ISACA, CISO Coalition, and FBI Citizen Academy.

João Torres Barreiro, CIPP/E, CIPP/US

João Torres Barreiro is a privacy leader with long experience in designing and implementing privacy programs in multinationals operating in the pharmaceutical, IT, and financial sectors.
He is currently the chief privacy officer (CPO) of BeiGene, a global commercial-stage biopharmaceutical company, focused on developing and commercializing innovative molecularly targeted and immuno-oncology drugs for the treatment of cancer. He also serves as a member of the Research Advisory Board of the IAPP.
Before joining BeiGene, he was the CPO of Willis Towers Watson and previously HCL Technologies. He also practiced as an attorney in law firms and as a legal counsel at Celgene, IBM, the European Medicines Agency, and the Portuguese Ministry of Health.
In 2020, he was listed as a “Global Top 100 Data Visionaries: Leaders who are vividly innovating with analytics without compromising on trust and privacy,” mostly because of his work as a consultative expert member on digital ethics/artificial intelligence (AI) at the European Insurance and Occupational Pensions Authority (EIOPA), where he helped to develop a framework for a sustainable use of AI by the insurance industry in compliance with data ethics and privacy principles.

John Brigagliano
John Brigagliano focuses his practice on data privacy and technology licensing with
a particular emphasis on guiding clients through California Consumer Privacy Act
(CCPA)/California Privacy Right Act (CPRA) and EU General Data Protection
Regulation (GDPR) compliance issues. With respect to California privacy, for
example, Brigagliano currently co-leads CCPA and CPRA compliance for a marketing
automation platform and regularly advises a cloud-based security and interactive home
services provider on CCPA compliance matters. He also regularly advises U.S. retailers
on CCPA-related digital advertising issues.
Prior to launching his legal career, Brigagliano was a special education teacher at
Seaford Senior High School in Seaford, Delaware, where he was placed as part of Teach
for America and, along with teaching students with disabilities, he coached varsity golf.
He earned an undergraduate degree from Wake Forest University and graduated from
Vanderbilt Law School.

Ron De Jesus, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, FIP
Ron De Jesus is the head of global privacy at Grindr, the world’s largest social
networking application for the LGBTQ+ community, and founder and CEO of De Jesus
Consulting, a boutique privacy consulting firm specializing in privacy program and
privacy strategy development, controls implementation, and privacy assessments and
reviews.
Previously, De Jesus led the privacy function at Tinder, where he was responsible
for developing and operationalizing the company’s EU General Data Protection
Regulation (GDPR) strategy. De Jesus later served as privacy program manager for all
North American brands owned and operated by Match Group, Inc., including Tinder,
PlentyOfFish, OKCupid, Match.com, and Hinge.
Prior to Tinder, De Jesus served as the global privacy director for Tapestry, Inc.,
based in New York, where he developed its global privacy program and managed privacy
compliance efforts for all its brands, including Coach, Stuart Weitzman, and Kate Spade.
In 2013, De Jesus helped establish PwC’s Data Protection & Privacy Practice in
New York, where he led privacy engagements globally. Prior to PwC, he consulted
with Deloitte, where he designed functional privacy controls and managed company
registrations with EU authorities. In his early career, De Jesus consulted for Anzen, Inc.,
a boutique data privacy firm based in Toronto, Ontario, where he led numerous privacy
impact assessments (PIAs) for large health IT system implementations across Canada.
De Jesus has also served as privacy director for American Express’s Global Network
Services (GNS), where he developed the business unit’s privacy policy, developed its
privacy-by-design (PbD) program, led its strategy to comply with the EU ePrivacy
Directive, and served on the Amex Privacy Board.
De Jesus sits on the IAPP Diversity in Privacy Advisory Board and was a former
member of the IAPP Publications Board and CIPT Exam Development Board. He
previously co-chaired the Los Angeles IAPP KnowledgeNet and New York IAPP
KnowledgeNet chapters and is a regular contributor to the Privacy Advisor. De Jesus is
also an IAPP Training Partner and Faculty Member and delivers both IAPP-approved
and IAPP-sponsored trainings.

Jonathan Fox, CIPP/US, CIPM


Jonathan Fox, director of privacy by design, is a member of Cisco’s chief privacy office
and coauthor of The Privacy Engineer’s Manifesto: Getting from Policy to Code to QA to
Value.
With more than 20 years of privacy experience, Fox’s principal areas of focus have
been product development, government relations, mergers and acquisitions (M&A),
and training. In addition to being a CIPP/US and CIPM, he was a Certified Information
Security Manager (CISM).
Prior to Cisco, Fox was senior privacy engineer at Intel. His previous roles include
director of data privacy at McAfee, director of privacy at eBay, deputy chief privacy
officer at Sun Microsystems, and editor-in-chief at Sun.com.
Fox frequently speaks at industry events and is a member of the IEEE P7002 Personal
Data Privacy Working Group and chair of the U.S. Technical Advisory Group for ISO/
PC 317 Consumer protection: privacy by design for consumer goods and services.

Jon Neiditz, CIPP/E, CIPP/US, CIPM


Jon Neiditz co-leads the Cybersecurity, Privacy and Data Governance Practice at
Kilpatrick Townsend. One of the first lawyers to focus broadly on data governance and
knowledge asset protection, he remains the only person recognized by Best Lawyers in
America both for Information Management Law and for Privacy and Data Security Law.
Most recently, he has been recognized for Technology Law, as well.
For decades, Neiditz has helped clients anticipate, obviate, and manage information
privacy and security risks; appropriately monetize information; comply with privacy,
data protection, and cybersecurity laws around the world in pragmatic ways; and
contain and prevent harm from incidents while maximizing resilience and minimizing
regulatory issues.
Neiditz has always collaborated with clients and peers on pragmatic innovation;
for example, in the 1990s, he helped to define what accountable health care and health
care reform might look like; in the 2000s, he helped to invent multidisciplinary
incident response and the role of the “breach coach,” as well as define proportionate
search in e-discovery; and in the 2010s, he helped pioneer governance of “big
data” and protection of “crown jewels.”
Neiditz has been selected as a “Cybersecurity Trailblazer” by the National Law
Journal, as a Ponemon Fellow, and by Who’s Who Legal for Data Law. Neiditz’s JD is from
Yale Law School and his bachelor of arts from Dartmouth College.

Chris Pahl, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP


Chris Pahl is the manager of cybersecurity governance for a West Coast utility
company, overseeing cyber standards, policies, and technical controls and requirements,
as well as supply chain risk management. He is responsible for managing the strategic
plan to ensure cybersecurity governance functions align with different company
stakeholders’ priorities.

During the prior 12 years at the same company, as a privacy professional, Pahl
helped develop overarching enterprise privacy programs while providing ongoing
advisory services to business units, including customer service, information technology
(IT), human resources (HR), sales, marketing, legal, and procurement, determining
compliance with ethical and regulatory requirements pertaining to the collection,
protection, use, and transfer of personally identifiable information (PII). He was
responsible for privacy-related activities on matters such as privacy impact assessments
(PIAs), regulatory audits, and company due diligence encompassing 14 million
customers and 50,000 employees and retirees.
Pahl chaired the multidisciplinary Privacy Incident Response Teams investigating
potential privacy incidents and managing remediation actions. He has built and
operationalized privacy compliance programs, completing multiple privacy assessments
in the areas of enterprise data transfers and customer and employee support systems.
Pahl worked on engagements supporting system inventories and audits, data
encryption, and the implementation of data loss prevention (DLP) applications in live
operating environments. He excels in developing ground-up privacy programs for
large companies.
Pahl holds a doctorate degree in Strategic Leadership, certifications in privacy
and project management, and Six Sigma green and black belts. He actively writes for
industry publications.

Liisa Thomas
Liisa Thomas is a partner in Sheppard Mullin’s Chicago and London offices and lead of
its privacy and cybersecurity team, providing thoughtful legal analysis combined with
real-world practical advice. She also serves as an adjunct professor at Northwestern
Law School teaching privacy and data security courses, where she is the recipient of the
Edward Avery Harriman Law School Lectureship award.
Thomas is the author of the definitive treatise on data breach, Thomas on Data Breach:
A Practical Guide to Handling Worldwide Data Breach Notification, described as “a no-
nonsense roadmap for in-house and external practitioners alike.” She is also the author
of the new treatise on data privacy, Thomas on Big Data: A Practical Guide to Global
Privacy Laws, described as a “key text” and “perfect for the busy practitioner.”
As an industry leader in the privacy and data security space, she has been recognized
by Leading Lawyers Network, Chambers, and the Legal 500 for her depth of privacy
knowledge. Thomas was named to Cybersecurity Docket’s “Incident Response 30,”
recognized as 2017 Data Protection Lawyer of the Year–USA by Global 100, 2017
“U.S. Data Protection Lawyer of the Year” by Finance Monthly, and a “Leading Woman
Lawyer” by Crain’s in 2018.

Thomas received her JD from the University of Chicago and is admitted to the bar in
Illinois and the District of Columbia.

Amanda Witt, CIPP/E, CIPP/US

Amanda Witt is a partner at Kilpatrick Townsend & Stockton LLP and co-leader of the
firm’s Technology, Privacy & Cybersecurity team.
Witt advises clients on U.S., EU, and global privacy; cybersecurity; technology
transactions; e-commerce; outsourcing; licensing and procurement; intellectual
property protection; strategic alliances; software and mobile application development,
licensing and global manufacturing; and distribution agreements relating to internet-
connected devices.
She is a frequent presenter on topics related to U.S., EU, and global privacy, as well
as technology-related topics, such as artificial intelligence (AI), and has published
articles on cybersecurity, privacy, cloud computing, electronic signatures, security laws,
outsourcing, and media.
Witt earned her LLM in international intellectual property, magna cum laude, from
Catholic University at Leuven, Belgium, and her JD, cum laude, from Emory University
School of Law. She earned a bachelor of arts, magna cum laude, from the University of
Florida, where she was inducted into Phi Beta Kappa.

Edward Yakabovicz, CIPP/G, CIPM, CIPT


Edward Yakabovicz is a Northrop Grumman fellow with specialization in cybersecurity,
information security management, engineering, and privacy management. With more
than 32 years of experience, Yakabovicz is an experienced speaker who is published
by the SANS Institute, International Council on Systems Engineering (INCOSE),
National Defense Industrial Association (NDIA), Information Systems Security
Association (ISSA), and International Association of Privacy Professionals (IAPP).
Yakabovicz currently chairs the NDIA Privacy Subcommittee and has held board
positions with several colleges and universities and with the Information Systems
Security Association and the IAPP.
He coauthored the first and second editions of the textbook Privacy Program Management:
Tools for Managing Privacy Within Your Organization and contributed to many
cybersecurity and privacy publications, both in print and online. In addition to his
Certified Information Systems Security Professional (CISSP) accreditation, Yakabovicz
holds numerous certifications across security and privacy industries and has received
numerous awards for leadership, excellence, and innovation.

Index

A
AAPI (Agency of Access to Public Information, Argentina), 66
Acceptable use policies (AUP)
  for cloud computing, 155–156
  for employee information protection, 150–151
Access
  acceptable use policies and, 150
  in data subject rights, 223–225
  to employee information, 156–158
  withdrawals of, 234–235
Access, rectification, cancellation, and opposition rights (ARCO rights [Mexico]), 238
Access control, 122, 132–133
Accountability, 6–7
Acquisitions, divestitures, and mergers, data assessments in, 103–105
Active scanning tools for monitoring, 176
Activity monitoring, 34
Act on the Protection of Personal Information (APPI, Japan), 239
AdChoices, 208
Administrative controls, 122
Advertising, unsolicited, 151
AFL-CIO, 259–260
Age Appropriate Design code (UK Information Commissioner’s Office), 211–212
Agency of Access to Public Information (AAPI, Argentina), 66
AICPA/CICA Privacy Maturity Model, 3
AI (artificial intelligence) systems, 47, 91–93
American Institute of Certified Public Accountants (AICPA), 29
American National Standards Institute (ANSI), 41
ANPD (Autoridade Nacional de Proteção de Dados, Brazil), 66
APEC (Asia-Pacific Economic Cooperation) Privacy Framework, 29, 49
APPI (Act on the Protection of Personal Information, Japan), 239
Apple Corp., 17
ARCO rights (access, rectification, cancellation, and opposition [Mexico]), 238
Argentina Agency of Access to Public Information (AAPI), 66
Article 29 Working Party (WP29), 87–89, 91
Artificial intelligence (AI) systems, 47, 91–93
Asia-Pacific Economic Cooperation (APEC) Privacy Framework, 29, 49
Assess, 2–3. See also Data assessments
Asset management, 122
Attestation, 93–94
Audience, 168, 197
Auditing, 177–181. See also Sustain phase: monitoring and auditing performance
Audit log wiping, 152
AUP (acceptable use policies). See Acceptable use policies (AUP)
Australia, data subject rights in, 240–241
Australia Office of the Australian Information Commissioner (OAIC), 66
Automated decision-making, 233–234
Autoridade Nacional de Proteção de Dados (ANPD, Brazil), 66
Awareness. See Sustain phase: training and awareness

B
Bandi, Susan, 47, 296
Barreiro, João Torres, 75, 296
BCRs (binding corporate rules), 32, 61
Benchmarking, 165. See also Sustain phase: monitoring and auditing performance
Benefiting from data breaches, 292
Best practices
  data breaches, 263–264
  in information security, 119–121
  for internal partnership development, 26–27
Binding corporate rules (BCRs), 32, 61
Biometric Information Privacy Act (BIPA, Illinois), 219–220
Board of directors role
  in data breaches, 280
  in incident planning, 260–261
Brazil Autoridade Nacional de Proteção de Dados (ANPD), 66
Brazil’s Lei Geral de Proteção de Dados (LGPD), 54–55, 83–84, 238
Breaches. See Data breaches
Brigagliano, John, 205, 297
Brown University’s Executive Master in Cybersecurity, 41
B2B (business-to-business) organizations, 7
B2C (business-to-consumer) organizations, 7
Business continuity management, 123
Business continuity plan, incident response in, 261–264
Business development team
  in data breaches, 277
  in incident planning, 257, 259
  privacy procedures and, 11
Business line privacy leaders, 38
Business resiliency, metrics for, 171
Business-to-business (B2B) organizations, 7
Business-to-consumer (B2C) organizations, 7

C
CAC (Cyberspace Administration of China), 67
California Consumer Privacy Act (CCPA)
  approach of, 22
  awareness guide for, 53–54
  penalties for noncompliance with, 64
  privacy notices delivery requirements of, 208
  privacy right extended by, 217–218
  vendor assessment under, 102–103
California Online Eraser law, 217
California Online Privacy Protection Act (CalOPPA), 216–217
California Privacy Rights Act (CPRA) of 2020 (Proposition 24), 54, 218
California Shine the Light law, 217
Call center launches to report data breaches, 278, 286–287
CAM4 website, 187
Canada Office of the Privacy Commissioner of Canada (OPC), 66
Canadian anti-spam legislation (CASL), 238
Canadian Institute of Chartered Accountants (CICA), 29
Canadian Standards Association (CSA) Privacy Code, 29
CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act of 2003, 59, 214
Carnegie Mellon’s Master of Science in Information Technology—Privacy Engineering (MSIT-PE), 41
Carnegie Mellon University, 209
CARU (Children’s Advertising Review Unit) Advertising Guidelines, 60
CASL (Canadian anti-spam legislation), 238
Cavoukian, Ann, 31, 111–113, 115
CCPA (California Consumer Privacy Act). See California Consumer Privacy Act (CCPA)
CDPA (Consumer Data Protection Act, Virginia), 22, 85, 218–219
Centralized governance, 36
CEO role
  in data breaches, 279–280
  in incident planning, 257, 260
Certified Information Privacy Manager (CIPM) certification, 4, 30
Change management, 1
Chief information security officers (CISO), 7
Chief privacy officer (CPO), 38
Children, consents of, 211–213
Children’s Advertising Review Unit (CARU) Advertising Guidelines, 60
Children’s Online Privacy Protection Act (COPPA), 22–23, 58, 211–213
China Cyberspace Administration of China (CAC), 67
China-People’s Republic of China Personal Information Protection Law (PIPL), 55, 84
Chinese National Information Security Standardization Technical Committee (TC260), 239
Choice and consent, in data subject rights, 210–211
CIA (confidentiality, integrity, and availability) of personal data, 222
CICA (Canadian Institute of Chartered Accountants), 29
CIPM (Certified Information Privacy Manager) certification, 4, 30
Cisco Privacy Maturity Benchmarking Study (2021), 131
CISO (chief information security officers), 7
CJEU (Court of Justice of the European Union), 32
Class-action lawsuits, 250
Cloud-based threats, 119
Cloud computing
  acceptable use of, 155–156
  assessing vendors of, 98–101
  breach activity increases, 186
Cloud Industry Forum, 99
CNIL (Commission Nationale de l’Informatique et des Libertés, France), 32, 90
Colorado Privacy Act, 219
Commission Nationale de l’Informatique et des Libertés (CNIL, France), 32, 90
Communication
  of information protection policies, 144–146
  in privacy notices and policies, 209–210
  of privacy procedures, 10
  for training and awareness, 193
Communications security, 123
Complaint handling, 236–237
Complaint-monitoring processes, 177
Compliance
  audits for monitoring, 175
  demonstrating, 33–34
  governance, risk, and compliance (GRC) tools, 34–35, 79
  in incident planning, 257–258
  in information security, 123
  measurement of, 82
  penalties for noncompliance, 63–64
  in privacy policies, 143, 149
Comprehensive approach, 22–23
Conference of European Data Protection Authorities, 18
Conferences and seminars, 41–42
Confidential category, in data classification, 133
Confidentiality, integrity, and availability (CIA) of personal data, 222
Consent
  of children, 211–213
  in data subject rights, 210–211
  management of, 34
  withdrawals of, 234–235
Consultative Expert Group on Digital Ethics in insurance, 93
Consumer Privacy Protection Act of 2021 (Canada), 238
Consumers, trust of, 7
Containment, in data breaches, 280–281
Contract language for privacy protection, 98
Contracts for vendor engagement, 154–155
Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003, 59, 214
Controls
  in information security, 121–123
  monitoring, 177
  technical controls for privacy, 134–136
Cookie compliance, 34
“Cookie consents,” 210
COPPA (Children’s Online Privacy Protection Act), 22–23, 58, 211–213
Co-regulatory model, 23
Corrective controls, 121
Cost considerations
  calculating, 290–292
  in data breaches, 250–251
  in information protection, 147
Cost of a Data Breach Report 2020 (Ponemon Institute), 185, 250
Court of Justice of the European Union (CJEU), 32
COVID-19 pandemic
  health records privacy in, 157
  personal data handling and, 48
  privacy policies changed by, 144
  working from home during, 57
CPO (chief privacy officer), 38
CPRA (California Privacy Rights Act) of 2020 (Proposition 24), 54, 218
Cranor, Lorrie Faith, 209
Credential theft, 186
Credit card incidents, 282
Cronk, R. Jason, 115
Cross-border data transfers, 60–62
Cryptography, 122
CSA (Canadian Standards Association) Privacy Code, 29
Currency metrics, 165
Customer care role
  in data breaches, 276–277
  in incident planning, 257, 261
Cyber insurance coverage, 275
Cyberspace Administration of China (CAC), 67
Cyclical component analysis, 170

D
DAA (Digital Advertising Alliance), 208
Daily Dashboard (IAPP), 69
DAMA (Data Management Association) International, 75–76
“Dark patterns,” prohibitions against, 210
Data access
  acceptable use policies and, 150
  in data subject rights, 223–225
  to employee information, 151–153
  withdrawals of, 234–235
Data assessments, 75–105
  artificial intelligence system assessments, 91–93
  attestation in, 93–94
  compliance measurement, 82
  data governance and, 75–77
  data protection impact assessments, 86–91
  GDPR requirements for, 80–81
  inventories and records, 77–79
  in mergers, acquisitions, and divestitures, 103–105
  overview, 75
  physical and environmental assessments, 94–96
  privacy impact assessment: ISO, 86
  privacy impact assessment: overview, 82–84
  privacy impact assessment: U.S., 84–85
  vendor assessments: overview, 96–101
  vendor assessments under CCPA, 102–103
  vendor assessments under GDPR, 101–102
Data breaches, 249–293
  benefiting from, 292
  board of directors role in, 280
  business development role in, 277
  CEO role in, 279–280
  of company privacy notices, 206
  customer care role in, 276–277
  finance role in, 274–275
  functional roles in planning for, 256–261
  human resources role in, 273–274
  impact of, 4
  incident handling, 264–269
  incident planning, 249–251
  incident response in business continuity plan, 261–264
  individual roles: overview, 269–271
  information security role in, 272–273
  investigating, 280–282
  legal role in, 271
  marketing and public relations role in, 275–276
  monitoring, 177
  new tools, methods, and practices leading to, 156–157
  occurrences of, 251
  outside resources role in, 277–279
  overview, 249
  of personally identifiable information (PII), 185
  Ponemon Institute study of, 185–186
  preparing for, 252–256
  recovering from, 289–292
  reporting obligations, 282–289
  terminology related to, 251–252
  union leadership role in, 279
Data Breach Investigations Report 2020 (Verizon), 186
Data classification, 133–134, 151–153
Data destruction, 136, 158–160
Data discovery, 34
Data governance, 12, 75–77
Data inventory, 207
Data loss prevention (DLP) tools, 10
Data management, 75–76
Data Management Association (DAMA) International, 75–76
Data mapping, 34, 207
Data minimization, technical controls for, 135
Data portability, in data subject rights, 230–232
Data privacy dashboards, 169
Data protection authorities (DPAs), 32
Data Protection by Design and by Default, 113–115
Data Protection Commission v. Facebook Ireland, Schrems, 32
Data protection impact assessments (DPIA)
  conditions requiring, 87–89
  contents of, 89–90
  methodology of, 91
  overview, 86–87
  privacy workshops on, 27
  supervisory authorities and, 90–91
Data protection officers (DPOs)
  accountability of, 7
  need for, 42–43
  overview, 42
  qualifications and responsibilities of, 38–39, 43
  records of processing activities and, 80–81
  reporting structure of, 43
  at vendors, 98
Data retention and destruction, 136, 158–160, 177
Data subject access requests (DSARs), 34, 234–237
Data subject rights
  in Australia and New Zealand, 240–241
  children’s consents, 211–213
  choice and consent, 210–211
  complaint handling, 236–237
  East Asian, 239–240
  European and UK: automated decision-making, 233–234
  European and UK: data portability, 230–232
  European and UK: erasure, 227–229
  European and UK: overview, 220–221
  European and UK: personal data protection, 220–221
  European and UK: processing restrictions, 229–230
  European and UK: rectification, 226–227
  European and UK: restrictions of rights, 234
  European and UK: right to access, 223–225
  European and UK: right to information, 222
  European and UK: right to object, 232–233
  European and UK: transparency, 222–223
  Latin American, 238
  opt-in versus opt-out, 211
  overview, 205
  privacy notices and policies, 205–210
  U.S. federal laws on, 213–216
  U.S. state laws on, 216–220
  withdrawals of consent and data access, 234–235
“Data transfer impact assessment” (DTIA or TIA), 60–61
Data transfers, cross-border, 60–62
Decentralized governance, 36–37
Deepfakes, 120
Deidentification, 34
De Jesus, Ron, 15, 297–298
Delaware Online Privacy Protection Act (DOPPA), 216–217
Densmore, Russell, 1, 165, 295
Destruction of data, 158–160
Detective controls, 121
Digital Advertising Alliance (DAA), 208
Disposal Rule, in Fair and Accurate Credit Transactions Act (FACTA) of 2003, 97
Divestitures, acquisitions, and mergers, data assessments in, 103–105
DLP (data loss prevention) tools, 10
DMA Guidelines for Ethical Business Practice, 59
DNC (National Do Not Call) Registry, 59, 214
DOC (U.S. Department of Commerce), 94
DOPPA (Delaware Online Privacy Protection Act), 216–217
DPAs (data protection authorities), 32
DPIA (data protection impact assessments). See Data protection impact assessments (DPIA)
DPOs (data protection officers). See Data protection officers (DPOs)
Driver’s Privacy Protection Act (DPPA) of 1994, 58
DSARs (data subject access requests), 34, 234–237
DTIA (data transfer impact assessment), 60–61
Dublin City University’s Master of Arts in Data Protection and Privacy Law, 41
Due diligence, 34
Dutch Data Protection Authority, 31

E
East Asia, data subject rights in, 239–240
ECPA (Electronic Communications Privacy Act) of 1986, 58
EDPB (European Data Protection Board), 18, 207
Education data, privacy protections for, 56
E-Government Act of 2002, 84
EIOPA (European Insurance and Occupational Pensions Authority), 93
Electronic Communications Privacy Act (ECPA) of 1986, 58
Email policies, 152
Emerging laws and regulations, 55–56
Employee information protection
  acceptable use policies, 150–151
  access and data classification, 151–153
  components of, 148–149
  overview, 147–148
Employment data, privacy protections for, 57
Energy data, privacy protections for, 57
Enterprise communications, 34
Environment
  assessments of, 94–96
  monitoring for vulnerabilities in, 176
  security of, 122
Erasure, in data subject rights, 227–229
Ethics, 11, 150
ETSI (European Telecommunications Standards Institute), 30
EU Code of Conduct, 60
EU Data Protection Directive, 29
EU General Data Protection Regulation (GDPR). See General Data Protection Regulation (GDPR)
European Data Protection Board (EDPB), 18, 207
European Data Protection Law and Practice: Data Subjects’ Rights (Schultze-Melling), 220
Europe and UK data subject rights
  automated decision-making, 233–234
  data portability, 230–232
  erasure, 227–229
  overview, 220–221
  personal data protection, 220–221
  processing restrictions, 229–230
  rectification, 226–227
  restrictions of rights, 234
  right to access, 223–225
  right to information, 222
  right to object, 232–233
  transparency, 222–223
European Insurance and Occupational Pensions Authority (EIOPA), 93
European Telecommunications Standards Institute (ETSI), 30
European Union’s Article 29 Working Party (WP29), 207
EU-U.S. Privacy Shield, 31–32
External announcements of data breaches, 285

F
Facebook.com, 206
Fair and Accurate Credit Transactions Act (FACTA) of 2003, 59, 97
Fair Credit Reporting Act (FCRA) of 1970, 57, 213–214
Fair information practices, 29
Family Educational Rights and Privacy Act (FERPA) of 1974, 57
FCRA (Fair Credit Reporting Act) of 1970, 57, 213–214
Federal Bureau of Investigation (FBI), 216
Federal Privacy Act of 1974, 58f
Federal Trade Commission (FTC)
  on advertising to children, 23
  data breaches and, 271, 284–285
  Data Privacy Day resources from, 192
  Do Not Call Registry of, 214
  enforcement actions of, 206
  on privacy by design, 111
  privacy notice requirements of, 207
Federal Trade Commission Act of 1914, 57, 206
Fileless attacks, 120
Finance team
  in data breaches, 274–275
  in incident planning, 257, 260
  privacy procedures and, 11
Financial data, privacy protections for, 56
Firewall rules, 152
First-party (internal) audits, 181
First responders, 38
FOIA (Freedom of Information Act), 215–216
Forensics, third-party, 282
Fox, Jonathan, 111, 298
Frameworks
  definition of, 1–2
  laws, regulations, and programs in, 31–32
  principles and standards in, 29–31
  questions answered by, 28–29
  rationalizing requirements by, 32–33
France’s Commission Nationale de l’Informatique et des Libertés (CNIL), 90
Freedom of Information Act (FOIA), 215–216
FTC (Federal Trade Commission). See Federal Trade Commission (FTC)

G
Gap analysis, 79
GAPP (Generally Accepted Privacy Principles), 3, 29
General Data Protection Regulation (GDPR)
  access rights under, 223–225
  Article 30 of, 20, 77–78, 80
  automated decision-making, right to not be subject to, in, 233–234
  Awareness Guide of, 52
  children, privacy notices to, 211
  in cross-border data transfer, 60
  data assessment requirements of, 80–81
  data portability rights under, 230–232
  data protection by design and by default, 113–115
  data subject rights under, 220–234
  DPIA under, 86–91
  DPO role established by, 42–43
  electronic consent as affirmative act under, 210
  erasure rights under, 227–229
  material scope, 50–51
  monitoring privacy performance under, 175
  OECD Guidelines as basis for, 29
  overview, 31–32
  penalties for noncompliance with, 63–64
  privacy by design in, 111, 113
  Records of processing activities in Article 30 of, 207
  rectification rights under, 226–227
  reporting privacy performance under, 172–174
  restriction of processing rights under, 229–230
  restrictions of data subjects’ rights under, 234
  right to object under, 232–233
  subject matter and objectives, 50
  territorial scope, 51
  vendor assessments under, 101–102
Generally Accepted Privacy Principles (GAPP), 3, 29
General organization compliance, 143
George Washington University’s Master of Engineering—Cybersecurity Policy and Compliance, 41
GLBA (Gramm-Leach-Bliley Act), 22–23, 58
Global privacy and data protection laws, 48–49
Global Privacy Enforcement Network, 18
Global privacy teams, 2
Governance, data assessments and, 75–77. See also Privacy governance
Governance, risk, and compliance (GRC) tools, 34–35, 79, 177
Government data, privacy protections for, 56
Gramm-Leach-Bliley Act (GLBA), 22–23, 58

H
Health data, privacy protections for, 56
Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, 59, 63
Health Insurance Portability and Accountability Act (HIPAA) of 1996, 22–23, 32, 58, 63, 214
Highly confidential category, in data classification, 133
Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD), 67
Human resources
  in data breaches, 273–274
  data privacy protections for, 57
  in incident handling, 267–268
  in incident planning, 257–258
  monitoring processes of, 177–178
  privacy procedures and, 11
  vendors policies of, 156–158
Hybrid governance, 37

I
IaaS (infrastructure as a service), 99
IAPP-EY Privacy Governance Report 2018, 172
IAPP-EY Privacy Governance Report 2019, 173
IAPP-FTI Consulting Privacy Governance Report 2020, 167
IAPP’s Westin Research Center, 30
ICO (Information Commissioner’s Office, UK), 19, 49, 68, 90, 210–211
Implementing policies for information protection, 161
Incident management, 123
Incident response
  budgeting for, 263
  plan for, 253–254
  teams for, 185–186
  tools for, 34
Incidents of data breaches
  business continuity plan integration, 261–264
  detection of, 264
  handling, 264–269
  planning for, 249–251
  See also Data breaches
Industry standards, 59–60
Information and Privacy Commissioner of Ontario (Canada), 31
Information Commissioner’s Office (ICO, UK), 19, 49, 68, 90, 210–211
Information security
  best practices in, 119–121
  confidentiality, integrity, and availability in, 118–119
  controls in, 121–123
  in data breaches, 272–273
  data privacy and, 128–134
  in incident planning, 257
  privacy procedures and, 10
  standards and guidelines in, 123–127
  See also Policies for information protection; Protecting personal information
Information Security Technology—Personal Information Security Specification (PI Security Specification, Chinese National Information Security Standardization Technical Committee), 239
Information Systems Audit and Control Association (ISACA), 121
Information technology (IT) team, privacy procedures and, 10
Infrastructure as a service (IaaS), 99
Insider threats, 119
Insurance coverage for data breaches, 255–256, 275, 281
Intangible costs of data breaches, 291
Integrity of computer systems, 150
Internal announcements of data breaches, 284–285
Internal costs of data breaches, 290–291
Internal-error-related breaches, 187
Internal audit team, privacy procedures and, 11
Internal partnerships in privacy strategy, 25–27
International Assembly of Privacy Commissioners and Data Protection Authorities, 31
International Conference of Data Protection and Privacy Commissioners, 18
International Organization for Standardization (ISO), 41, 86, 123–127, 181
Internet of Things (IoT), 120, 208
Internet policies, 152
Intrusion detection, 152
Inventories and records, in data assessments, 77–79
Investigating data breaches, 280–282
IoT (Internet of Things), 120, 208, 292
Irish Data Protection Commission, 17–18
Irregular component analysis, 170
ISACA (Information Systems Audit and Control Association), 121
ISO (International Organization for Standardization), 41, 86, 123–127, 181
Israel Privacy Protection Authority (PPA), 67

J
Japan Personal Information Protection Commission (PPC), 67

K
Kaseya hacks, 187
Kişisel Verileri Koruma Kurumu (KVKK, Turkey), 68

L
Language of privacy notices, 212
Latin America, data subject rights in, 238
Laws and regulations, 47–70
  acceptable use policies and, 150–151
  Brazil’s Lei Geral de Proteção de Dados (LGPD), 54–55, 238
  California Consumer Privacy Act (CCPA), 53–54
  cross-border data transfers, 60–62
  emerging, 55–56
  EU General Data Protection Regulation (GDPR), 50–52
  monitoring, 68, 176
  on new technologies, 47–48
  organizational balance and support, 62
  oversight agency authority, 65–68
  overview, 47–50
  penalties for noncompliance, 63–65
  People’s Republic of China Personal Information Protection Law, 55
  in privacy governance, 33–35
  privacy program management beyond, 7
  sectoral, 56–59
  self-regulation by industry standards, 59–60
  third-party external privacy resources, 69
  U.S. federal laws on data subject rights, 213–216
  U.S. state laws on data subject rights, 216–220
  See also Data subject rights
Learning and development team, privacy procedures and, 9–10
Least privilege concept, for access control, 132
Legal costs of data breaches, 290
Legal privilege, 281
Legal protections, 150
Legal team
  in data breach response, 271
  in incident planning, 257–258
  in litigation, liabilities, and regulatory scrutiny, 250
  privacy procedures and, 12
Lessons learned, leveraging, 191–192
Letter drops to report data breaches, 286
LGPD (Brazil’s Lei Geral de Proteção de Dados), 54–55, 83–84, 238
Life cycle, privacy, 1–4. See also Data assessments
Limited sectoral approach, 22
Litigation exposure, 250
Living off the land (LotL) attacks, 120
Local data protection authorities (DPAs), 32
Local governance, 36–37

M
Machine learning (ML), 47
Malicious threats, 151, 251
Malvertising, 120
Malware protection, 151–152
Marketing and public relations team
  in data breaches, 275–276
  in incident planning, 257, 259
  privacy procedures and, 11
Marketing data, privacy protections for, 57
McAfee trust marks, 60
McDonald, Aleecia, 209
Mergers, acquisitions, and divestitures, data assessments in, 103–105
Metrics
  audience impact on, 168
  metric owner’s role, 168–169
  overview, 165–167
  for privacy measurement, 169–172
  reporting findings based on, 172–174
  for training and awareness, 201–203
  view of, 1
Microsoft Corp., 16–17
Mission statement for privacy governance, 15–19
ML (machine learning), 47
Models
  organizational, 38–39
  privacy team, 35–37
Monitoring
  laws and regulations, 68
  performance, 175–178
  technology use, 152
  vendors, 155
  See also Sustain phase: monitoring and auditing performance
MSIR-PE (Carnegie Mellon’s Master of Science in Information Technology—Privacy Engineering), 41

N
NAI (Network Advertising Initiative), 60, 208
National Do Not Call (DNC) Registry, 59, 214
National Institute of Standards and Technology (NIST)
  NIST 800-60 classification system, 94
  NIST SP 800-88 Guidelines for Media Sanitization, 95–96
  Privacy Framework of, 30
  standards and guidelines of, 123, 127
  third-party audits aligned with, 181
  training guidelines of, 188
National People’s Congress Standing Committee Decision on Strengthening Network Information Protection (NPCSC Decision, China), 239
Nebrija University’s Master’s in Data Protection and Security, 41
Need-to-know access, for access control, 132
Neiditz, Jon, 205, 298–299
Netherlands Organisation for Applied Scientific Research, 31
Network access, 150
Network Advertising Initiative (NAI), 208

Network Advertising Initiative (NAI) Code of Conduct, 60
New Zealand, data subject rights in, 240–241
New Zealand Office of the Privacy Commissioner (OPC), 67
NIST (National Institute of Standards and Technology). See National Institute of Standards and Technology (NIST)
Northam, Ralph, 218–219
NPCSC Decision (National People’s Congress Standing Committee Decision on Strengthening Network Information Protection, China), 239

O
Obfuscation, technical controls for, 135
OECD (Organisation for Economic Co-operation and Development) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 29, 49
Office of the Australian Information Commissioner (OAIC), 66, 212
Office of the Privacy Commissioner (OPC, New Zealand), 67
Office of the Privacy Commissioner for Personal Data (PCPD, Hong Kong), 67
Office of the Privacy Commissioner of Canada (OPC), 66, 212
Online data, privacy protections for, 56
Online Privacy Alliance (OPA), 23
Online tracking via “cookie consents,” 210
OPC (Office of the Privacy Commissioner of Canada), 66, 212
OPC (Office of the Privacy Commissioner, New Zealand), 67
Open Knowledge Foundation, 231
Operational actions for awareness, 196
Operational security, 122
Opt-in versus opt-out, in data subject rights, 211
Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 29, 49
Organizational balance and support, 62
Organization-wide privacy program management, 8–12
Outside resources
  in data breaches, 277–279
  in incident handling, 268
  monitoring, 178
Oversight agencies, 65–68

P
PaaS (Platform as a service), 99
Pahl, Chris, 185, 299
Password policies, 152
Payment Card Industry Data Security Standard (PCI DSS), 23, 59
PayPal trust marks, 60
PbD (privacy by design). See Privacy by design (PbD)
PCPD (Office of the Privacy Commissioner for Personal Data, Hong Kong), 67
PDPA (Personal Data Protection Act, Malaysia) of 2010, 239–240
PDPA (Personal Data Protection Act, Thailand) of 2021, 240
PDPC (Personal Data Protection Commission, Singapore), 67
Penalties for noncompliance with laws and regulations, 63–65, 143
People’s Republic of China Personal Information Protection Law (PIPL), 55, 84
Performance. See Sustain phase: monitoring and auditing performance
Personal data protection, in data subject rights, 220–221
Personal Data Protection Act of 2010 (PDPA, Malaysia), 239–240
Personal Data Protection Act of 2021 (PDPA, Thailand), 240
Personal Data Protection Commission (PDPC, Singapore), 67
Personal Information Protection Act (South Korea), 239

Personal Information Protection and Electronic Documents Act (PIPEDA), 29, 31, 238
Personal Information Protection Commission (PIPC, South Korea), 68
Personal Information Protection Commission (PPC, Japan), 67
Personally identifiable information (PII)
  breach losses of, 185
  collection and processing of, 19–21
  in privacy impact assessment, 84–85
  protection of, 3
  See also Protecting personal information
PETs (privacy-enhancing technologies), 129, 135
PHI (protected health information), 56
Phishing attacks, 120, 186
Physical assessments, 94–96
Physical controls, 121
Physical security, 122, 267
PII (personally identifiable information). See Personally identifiable information (PII)
PIPC (Personal Information Protection Commission, South Korea), 68
PIPEDA (Personal Information Protection and Electronic Documents Act), 29, 31, 238
PIPL (People’s Republic of China Personal Information Protection Law), 55, 84
Platform as a service (PaaS), 99
PMM (Privacy Maturity Model), 171–172
Policies for information protection, 141–163
  components of, 142–144
  cost considerations, 147
  data retention and destruction, 158–160
  of employees, 147–153
  implementing, 161
  interfacing and communicating with organization about, 144–146
  overview, 141–142
  vendor engagement, 153–158
  See also Information security; Protecting personal information
Policy controls, 122
Polis, Jared, 219
Ponemon Institute, 185–186, 250–251, 291
PowerBI data privacy dashboards, 169
PPA (Privacy Protection Authority, Israel), 67
PRC General Provisions of the Civil Law (China), 239
Preventative controls, 121
Principles and standards, in privacy governance, 29–31
Privacy Act of 1974, 215
Privacy Act of 2020 (New Zealand), 241
Privacy analysts, 38
Privacy by design (PbD)
  diagramming, 116–118
  foundational principles of, 31
  overview, 1, 3
  privacy impact assessment to facilitate, 82
  protecting personal information by, 113–115
  in research and development, 12
Privacy dashboard, 209
Privacy director/manager, 38
Privacy engineering, 39, 115
Privacy-enhancing technologies (PETs), 129, 135
Privacy governance, 15–44
  framework development, 28–33
  model, responsibilities, and reporting, 38–43
  overview, 15
  scope of, 19–24
  strategy development, 24–27
  team structure, 35–37
  technology and tools for, 33–35
  vision and mission statement, 15–19
Privacy impact assessments (PIAs)
  ISO on, 86
  overview, 82–84
  product research and development performance of, 12
  in United States, 84–85
Privacy incidents, leveraging, 191–192
Privacy leaders
  conferences and seminars attended by, 41–42
  data protection officer (DPO) role, 42–43
  education and backgrounds of, 40–41
  professional certifications of, 41
  titles of, 40
Privacy/legal counsels, 38
Privacy Maturity Model (PMM), 171–172
Privacy measurement, 169–172
Privacy notices
  communication considerations, 209–210
  design challenges and solutions, 207–209
  elements of, 206–207
  overview, 205–206
  privacy policy versus, 144
Privacy program management, introduction to, 1–13
  accountability in, 6–7
  championing, 12
  law and compliance versus, 7
  manager responsibilities, 4–6
  need for, 7–8
  organization-wide, 8–12
  overview, 1–2
  terminology, 2–4
Privacy Protection Authority (PPA, Israel), 67
Privacy technologists, 39
Privacy threshold analysis (PTA), 84
Privacy Tracker, 69
Procurement team, privacy procedures and, 11
Product research and development team, privacy procedures and, 12
Professional certifications, 41
Program management, 1
Progress reporting, on data breaches, 288–289
Proofpoint, Inc., 261
Proposition 24 (California Privacy Rights Act) of 2020, 54, 218
Proprietary information, 151
Protected health information (PHI), 56
Protecting personal information, 111–136
  confidentiality, integrity, and availability in information security, 118–119
  controls in information security, 121–123
  data privacy and information security, 128–134
  by design and default, 113–115
  diagramming privacy by design, 116–118
  practices in information security, 119–121
  privacy by design, 111–113
  in privacy program life cycle, 3
  standards and guidelines in information security, 123–127
  technical controls for privacy, 134–136
  See also Information security; Policies for information protection
Pseudonymization, 34
PTA (privacy threshold analysis), 84
Public category, in data classification, 133

Q
QR codes, 208

R
Ramirez, Edith, 206
Ransomware attacks, 120, 186, 251
Records of Processing Activities (GDPR), 207
Recovering from data breaches, 289–292
Rectification, in data subject rights, 226–227, 235
Regulations. See Laws and regulations
Regulators, reporting data breaches to, 285
Regulatory scrutiny, 250
Remediation
  costs of, 291
  offers of, 279, 287–288
Remote work, 157, 186
Remote worker endpoint security, 120
Reporting data breaches, 282–289
  call center launches, 286–287
  external announcements, 285
  internal announcements, 284–285
  letter drops, 286
  overview, 282–283
  progress reporting, 288–289
  to regulators, 285
  remediation offers, 287–288
  requirements and guidelines, 283–284
  worksheets for, 265–266
Reputational liability, 250

Resources, third-party external, 69
Respond, in privacy program life cycle, 3–4
Respond phase: data subject rights. See Data subject rights
Restricted category, in data classification, 133
Restrictions of data subject rights, 234
Retention of data, 158–160
Return on investment (ROI) analysis, 170–171
“Right to be forgotten” (RTBF), 227–229
Right to information, in data subject rights, 222
Right to object, in data subject rights, 232–233
Risk assessments, 34, 152
Risk management team, privacy procedures and, 12
ROI (return on investment) analysis, 170–171
Routing patterns, 151
RTBF (“right to be forgotten”), 227–229
Ryerson University’s Certificate in Privacy, Access and Information Management, 41

S
SaaS (Software as a service), 99
Safeguards against security breaches, 151
Safe Harbor Framework, 32
SafetyDetectives, 187
SCCs (standard contractual clauses), 60–61
Schultze-Melling, Jyn, 220
Scope of privacy program
  challenges in, 21–24
  laws and regulations, 21
  personal information collected and processed, 19–21
Scoping audits, 179–180
Second-party (supplier) audits, 181
Sectoral regulations, 56–59
Security, technical controls for, 135
Security automation technologies, 186
Security breaches, 151. See also Data breaches
Security tools, 152
Segregation of duties, for access control, 132
Self-assessment, attestation as, 93–94
Self-regulated model, 23
Self-regulation by industry standards, 59–60
Shapiro, Stuart, 115
Singapore Personal Data Protection Commission (PDPC), 67
Snapchat.com, 206
Social attacks, 186
Social media-based attacks, 121
Software as a service (SaaS), 99
Software-defined privacy settings, 157
Software loading, 152
SolarWinds breach, 187
South Korea Personal Information Protection Commission (PIPC), 68
Stakeholders
  collaboration among, 267
  in data breaches, 254–255
  in investigations, 282
  in privacy strategy, 25–27
  progress reporting to, 288–289
Standard contractual clauses (SCCs), 60–61
Standards
  industry, 59–60
  in information security, 123–127
  for vendor selection, 96–98
Stanford University, 16
Stay Safe Online, 192
Strategy, privacy governance, 24–27
Supplier monitoring, 178. See also Vendors
Sustain, in privacy program life cycle, 3
Sustain phase: monitoring and auditing performance, 165–182
  auditing, 178–181
  metrics for: audience and, 168
  metrics for: overview, 165–167
  metrics for: owner’s role, 168–169
  metrics for: privacy measurement, 169–172
  metrics for: reporting, 172–174
  monitoring forms, 176–178
  monitoring types, 175–176
Sustain phase: training and awareness, 185–203
  audiences for, 197
  communication, 193
  creating awareness, 194–196
  difference between, 188–190
  leveraging privacy incidents, 191–192
  methods for, 199–201
  metrics for, 201–203
  operational actions, 196
  overview, 185–187
  strategies for, 198–199
Systems acquisition, development, maintenance, and disposal, 123

T
Tableau software, data privacy dashboards in, 169
Tabletop exercises, in incident training, 262
TC260 (Chinese National Information Security Standardization Technical Committee), 239
TCPA (Telephone Consumer Protection Act) of 1991, 58
Team structure, privacy governance, 35–37
TeamViewer software, 187
Technical controls, 122
Technology and tools
  laws and regulations on new, 47–48
  for privacy governance, 33–35
Telecom data, privacy protections for, 56
Telephone Consumer Protection Act (TCPA) of 1991, 58
Third parties
  as external privacy resources, 69
  forensics by, 282
  in incident handling, 268
  in independent audits, 181
Thomas, Liisa, 249, 299–300
Three Lines Model, 75
TIA (data transfer impact assessment), 60–61
Training
  budgeting for, 263
  for data breach preparedness, 252–253
  of employees on data breaches, 264–265
  monitoring, 176
  See also Sustain phase: training and awareness
Transparency, in data subject rights, 222–223
Trend analysis, 169–170
TrustArc trust marks, 23, 33, 60, 130
Turkey Kişisel Verileri Koruma Kurumu (KVKK), 68

U
UK data subject rights. See Europe and UK data subject rights
UK Information Commissioner’s Office (ICO), 19, 49, 68, 90, 210–211
UN Convention on the Rights of the Child in Child Friendly Language, 212
Union leadership role
  in data breaches, 279
  in incident planning, 257, 259–260
University of Auckland’s Postgraduate Diploma in Information Governance, 41
U.S. Department of Commerce (DOC), 94
U.S. Department of Health and Human Services, 285
U.S. Federal Trade Commission (FTC). See Federal Trade Commission (FTC)

V
Value metrics, 165
Vendor management program (VMP), 155
Vendors
  CCPA assessments of, 102–103
  for cloud computing, 98–101, 155–156
  contract for engaging, 154–155
  contract language for privacy protection, 98
  as data breach incident sources, 256
  GDPR assessments of, 101–102
  human resources policies and, 156–158
  monitoring, 155
  policies for engaging, 153–154
  print, 278
  selection standards for, 96–98
Verisign trust marks, 60
Verizon, Inc., 186
Video data, privacy protections for, 57
Video Privacy Protection Act (VPPA) of 1988, 58
Virginia’s Consumer Data Protection Act (CDPA), 22, 85, 218–219
Virtual technology, 157
Virus protection, 151–152
Vision, privacy governance, 15–19
VMP (vendor management program), 155
VPPA (Video Privacy Protection Act) of 1988, 58

W
Website scanning, 34
WebTrust, 23
Wireless management, 152
Withdrawals of consent and data access, 234–235
Witt, Amanda, 205, 300
Wombat Security, 261
Workarounds, 157
WP29 (Article 29 Working Party), 87–89, 91

Y
Yakabovicz, Edward, 141, 165, 300–301
YouTube.com, 206