About three years ago, and after practicing in privacy law for a few years, I became a Certified Information Privacy Professional. Since then, I left private practice to become in-house counsel. As an in-house lawyer, one of my challenges is helping my internal clients operationalize the legal advice I provide at the point where "the rubber meets the road." As a result, I became interested in privacy management--the practical implementation of privacy law and policies. I studied the comprehensive guidebook, Privacy Program Management, published by the International Association of Privacy Professionals, and then decided to become a Certified Information Privacy Manager (CIPM).
This summary of the CIPM is for others who may be interested in pursuing the certification.
Studying Privacy Program Management involves learning about the processes that organizations use to implement privacy, as well as the benefits and detriments of each approach, at a very specific level. The materials cover, and applicants for the CIPM are given a comprehensive exam that covers, the following areas:
I. Privacy Program Governance
A.
Organization Level
a. Create a company vision
i. Acquire
knowledge on privacy approaches
ii. Evaluate
the intended objective
iii. Gain executive sponsor approval for this vision
b. Establish a privacy program
i. Define program scope and
charter
ii. Identify
the source, types, and uses of personal information (PI) within the
organization and the applicable laws
iii. Develop a privacy strategy
1. Business alignment
a. Finalize
the operational business case for privacy
b. Identify
stakeholders
c. Leverage
key functions
d. Create a
process for interfacing within organization
e. Align
organizational culture and privacy/data protection objectives
f.
Obtain funding/budget for privacy and the privacy team
2.
Develop a data governance strategy for personal information (collection,
authorized use, access, destruction)
3. Plan inquiry/complaint handling procedures (customers,
regulators, etc.)
c. Structure the privacy team
i. Governance models
1.
Centralized
2.
Distributed
3. Hybrid
ii. Establish the organizational
model, responsibilities and reporting structure appropriate to the size of the
organization
1. Large organizations
a.
Chief privacy officer
b.
Privacy manager
c. Privacy
analysts
d.
Business line privacy leaders
e. “First responders”
2. Small organizations/sole data
protection officer (DPO) including when not only job
iii.
Designate a point of contact for privacy issues
iv. Establish/endorse the measurement
of professional competency
B. Develop the Privacy Program Framework
a.
Develop organizational privacy policies, standards and/or guidelines
b. Define privacy program activities
i.
Education and awareness
ii.
Monitoring and responding to the regulatory environment
iii.
Internal policy compliance
iv.
Data inventories, data flows, and classification
v.
Risk assessment (Privacy Impact Assessments [PIAs], etc.)
vi.
Incident response and process, including jurisdictional regulations
vii.
Remediation
viii. Program assurance, including
audits
C. Implement the Privacy Policy Framework
a.
Communicate the framework to internal and external stakeholders
b. Ensure continuous alignment to
applicable laws and regulations to support the development of an organizational
privacy program framework
i.
Understand applicable national laws and regulations (e.g., GDPR)
ii. Understand
applicable local laws and regulations
iii.
Understand penalties for noncompliance with laws and regulations
iv.
Understand the scope and authority of oversight agencies (e.g., Data Protection
Authorities, Privacy Commissioners, Federal Trade Commission, etc.)
v.
Understand privacy implications of doing business in or with countries with
inadequate, or without, privacy laws
vi.
Maintain the ability to manage a global privacy function
vii.
Maintain the ability to track multiple jurisdictions for changes in privacy law
viii. Understand international data
sharing arrangements agreements
D. Metrics
a.
Identify intended audience for metrics
b.
Define reporting resources
c. Define privacy metrics for
oversight and governance per audience
i. Compliance metrics (examples, will vary by organization)
1.
Collection (notice)
2.
Responses to data subject inquiries
3.
Use
4.
Retention
5.
Disclosure to third parties
6.
Incidents (breaches, complaints, inquiries)
7.
Employees trained
8.
PIA metrics
9.
Privacy risk indicators
10. Percent of company functions
represented by governance mechanisms
ii.
Trending
iii.
Privacy program return on investment (ROI)
iv.
Business resiliency metrics
v.
Privacy program maturity level
vi. Resource utilization
d. Identify systems/application
collection points
II. Privacy Operational Life Cycle
A. Assess Your Organization
a. Document current baseline of your privacy program
i.
Education and awareness
ii.
Monitoring and responding to the regulatory environment
iii.
Internal policy compliance
iv. Data, systems and process
assessment
1.
Map data inventories, flows and classification
2.
Create “record of authority” of systems processing personal information within
the organization
3.
Map and document data flow in systems and applications
4. Analyze and classify types and uses
of data
v.
Risk assessment (PIAs, etc.)
vi.
Incident response
vii.
Remediation
viii. Determine
desired state and perform gap analysis against an accepted standard or law
ix. Program assurance, including
audits
b. Processors and third-party vendor
assessment
i. Evaluate processors and third-party
vendors, insourcing and outsourcing privacy risks
1.
Privacy and information security policies
2. Access
controls
3.
Where personal information is being held
4. Who has access to personal
information
ii. Understand and leverage the
different types of relationships
1. Internal audit
2.
Information security
3.
Physical security
4. Data protection authority
iii. Risk assessment
1.
Type of data being outsourced
2.
Location of data
3.
Implications of cloud computing strategies
4.
Legal compliance
5. Records
retention
6.
Contractual requirements (incident response, etc.)
7. Establish minimum standards for
safeguarding information
iv.
Contractual requirements
v. Ongoing monitoring and auditing
c. Physical assessments
i. Identify operational risk
1.
Data centers
2.
Physical access controls
3.
Document destruction
4.
Media sanitization (e.g., hard drives, USB/thumb drives, etc.)
5.
Device forensics
6.
Fax machine security
7. Imaging/copier hard drive security
controls
d. Mergers, acquisitions and
divestitures
i.
Due diligence
ii. Risk assessment
e. Conduct analysis and assessments,
as needed or appropriate
i.
Privacy Threshold Analysis (PTAs) on systems, applications and processes
ii. Privacy Impact Assessments (PIAs)
1. Define a process for conducting Privacy
Impact Assessments
a.
Understand the life cycle of a PIA
b. Incorporate PIA into system,
process, product life cycles
B. Protect
a.
Data life cycle (creation to deletion)
b. Information security practices
i. Access controls for physical and
virtual systems
1.
Access control on need to know
2.
Account management (e.g., provision process)
3. Privilege management
ii.
Technical security controls
iii. Implement appropriate
administrative safeguards
c. Privacy by Design
i.
Integrate privacy throughout the system development life cycle (SDLC)
ii. Establish privacy gates/PIAs-Data Protection Impact
Assessments (DPIAs) as part of the standard process, system development
framework
C. Sustain
a. Measure
i. Quantify the costs of technical
controls
ii.
Manage data retention with respect to the organization’s policies
iii.
Define the methods for physical and electronic data destruction
iv. Define roles and responsibilities
for managing the sharing and disclosure of data for internal and external use
b. Align
i. Integrate privacy requirements and
representation into functional areas across the organization
1.
Information security
2.
IT operations and development
3.
Business continuity and disaster recovery planning
4.
Mergers, acquisitions and divestitures
5.
Human resources
6.
Compliance and ethics
7.
Audit
8.
Marketing/business development
9.
Public relations
10.
Procurement/sourcing
11.
Legal and contracts
12.
Security/emergency services
13.
Finance
14. Others
c. Audit
i. Align privacy operations to an
internal and external compliance audit program
1.
Knowledge of audit processes
2. Align to industry standards
ii.
Audit compliance with privacy policies and standards
iii. Audit
data integrity and quality
iv.
Audit information access, modification and disclosure accounting
v. Communicate audit findings with
stakeholders
d. Communicate
i. Awareness
1.
Create awareness of the organization’s privacy program internally and
externally
2.
Ensure policy flexibility in order to incorporate legislative/regulatory/market
requirements
3.
Develop internal and external communication plans to ingrain organizational
accountability
4. Identify, catalog and maintain
documents requiring updates as privacy requirements change
ii. Targeted employee, management and
contractor training
1.
Privacy policies
2. Operational privacy practices
(e.g., standard operating instructions), such as
a.
Data creation/usage/retention/disposal
b.
Access control
c.
Reporting incidents
d. Key contacts
e. Monitor
i.
Environment (e.g., systems, applications) monitoring
ii.
Monitor compliance with established privacy policies
iii.
Monitor regulatory and legislative changes
iv. Compliance monitoring (e.g.
collection, use and retention)
1.
Internal audit
2.
Self-regulation
3.
Retention strategy
4. Exit strategy
D. Respond
a. Information requests
i.
Access
ii.
Redress
iii.
Correction
iv. Managing data integrity
b. Privacy incidents
i. Legal compliance
1.
Preventing harm
2.
Collection limitations
3.
Accountability
4. Monitoring and enforcement
ii. Incident response planning
1. Understand key roles and
responsibilities
a. Identify key business stakeholders
1.
Information security
2.
Legal
3.
Audit
4.
Human resources
5.
Marketing
6.
Business development
7.
Communications and public relations
8. Other
b. Establish incident oversight teams
2.
Develop a privacy incident response plan
3.
Identify elements of the privacy incident response plan
4. Integrate privacy incident response
into business continuity planning
iii. Incident detection
1.
Define what constitutes a privacy incident
2.
Identify reporting process
3. Coordinate detection capabilities
a.
Organization IT
b.
Physical security
c.
Human resources
d.
Investigation teams
e. Vendors
iv. Incident handling
1.
Understand key roles and responsibilities
2. Develop a communications plan to
notify executive management
v. Follow incident response process to
ensure meeting jurisdictional, global and business requirements
1.
Engage privacy team
2. Review the
facts
3.
Conduct analysis
4. Determine
actions (contain, communicate, etc.)
5. Execute
6.
Monitor
7. Review and apply lessons learned
vi.
Identify incident reduction techniques
vii. Incident metrics—quantify the
cost of a privacy incident
The examination lasts two hours, and can be taken at one of the approved testing centers around the world. Examinees who pass are notified instantly, and certificates are delivered within a matter of weeks. Once certified, CIPMs must complete a significant amount of continuing privacy education each year in order to maintain the certification, which you can read about here.
If you would like to learn more about the CIPM credential, check out the Resource List, Body of Knowledge, Candidate Handbook, Exam Blueprint, preparation guide. Good luck!
No comments:
Post a Comment