CIPM Onl Resources and BoK Mapping

This document provides resources and references for a privacy program management training. It lists supplemental materials from the International Association of Privacy Professionals (IAPP) that provide additional details beyond what is required to complete the course. The document also lists numerous references organized under different module headings that relate to developing, implementing, and managing an effective privacy program.


PRIVACY PROGRAM MANAGEMENT

RESOURCES AND BODY OF KNOWLEDGE

Many resources linked from this training are available to IAPP members only. Reviewing the
supplemental, linked content provides the user with additional depth and detail but is not
required for completing the course. To learn more about IAPP membership, click here.

GENERAL

CIPM Exam Resources: https://iapp.org/certify/get-certified/cipm.

Densmore, Russell, ed. Privacy Program Management: Tools for Managing Privacy Within
Your Organization. 3rd ed. Portsmouth: IAPP, 2022.

MODULE 1

European Data Protection Supervisor. “Accountability on the ground Part I: Records, Registers and when to do Data Protection Impact Assessments.” July 2019, pg. 4. https://edps.europa.eu/sites/edp/files/publication/19-07-17_accountability_on_the_ground_part_i_en.pdf.

IAPP and EY. IAPP-EY Annual Privacy Governance Report 2019. https://iapp.org/resources/article/iapp-ey-annual-governance-report-2019/.

OPC and OIPCs of Alberta and British Columbia. Getting Accountability Right with a Privacy Management Program. Accessed April 25, 2017. https://iapp.org/media/pdf/knowledge_center/Canada-Getting_Accountability_Right(Apr2012).pdf.

MODULE 2

Article 29 Data Protection Working Party. Guidelines on Data Protection Officers (‘DPOs’). Revised April 5, 2017. http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612048.

Australian Banking Association. “Privacy Policy.” Accessed July 12, 2021. https://www.ausbanking.org.au/privacy-policy/.

Dietrich, Eric and Ana Rodgers. “Building a Privacy Program from Ground Zero.” Recorded June 22, 2015 at the IAPP Canada Privacy Symposium, Toronto, ON. IAPP: Portsmouth, NH. Reprise web conference. https://iapp.org/resources/article/building-a-privacy-program-from-ground-zero.

European Data Protection Supervisor. “Accountability on the ground Part 1: Records, Registers and when to do Data Protection Impact Assessments.” July 2019. https://edps.europa.eu/sites/edp/files/publication/19-07-17_accountability_on_the_ground_part_i_en.pdf.

Hong Kong Trade Development Council. “HKTDC Privacy Policy Statement.” Accessed July 12, 2021. https://home.hktdc.com/en/s/privacy-policy-statement.

IAPP Westin Research Center. “From Here to DPO: Building a Data Protection Officer.” January 25, 2017. https://iapp.org/resources/article/from-here-to-dpo-building-a-data-protection-officer.

IAPP. 2018 Privacy Tech Vendor Report. https://iapp.org/media/pdf/resource_center/2018TechVendorReport.pdf.

IAPP. 2019 Privacy Tech Vendor Report. https://iapp.org/media/pdf/resource_center/2019TechVendorReport.pdf.

IAPP. 2020 Privacy Tech Vendor Report. https://iapp.org/media/pdf/resource_center/2020TechVendorReport.pdf.

IAPP. “Global Comprehensive Privacy Law Mapping Chart.” April 2022. https://iapp.org/media/pdf/resource_center/global_comprehensive_privacy_law_mapping.pdf.

IAPP. Privacy Tech Vendor Report. https://iapp.org/resources/article/privacy-tech-vendor-report/.

IAPP. “The Privacy Imperative.” Accessed July 12, 2021. https://iapp.org/train/imperative/.

IAPP. “Top-5 Operational Impacts of China’s PIPL.” March 2022. https://iapp.org/resources/article/top-5-operational-impacts-of-chinas-pipl/.

IAPP and EY. IAPP-EY Annual Privacy Governance Report 2019. https://iapp.org/resources/article/iapp-ey-annual-governance-report-2019/.

IAPP and FTI. IAPP-FTI Consulting Annual Privacy Governance Report 2020. https://iapp.org/media/pdf/resource_center/IAPP_FTIConsulting_2020PrivacyGovernanceReport.pdf.

Ke, Xu, Vicky Liu, Yan Luo, and Zhijing Yu. “Analyzing China’s PIPL and how it compares to the EU’s GDPR.” IAPP. August 24, 2021. https://iapp.org/news/a/analyzing-chinas-pipl-and-how-it-compares-to-the-eus-gdpr/.

“Mission Statement.” An Coimisiún um Chosaint Sonraí | Data Protection Commission. www.dataprotection.ie/en/who-we-are/mission-statement.

Monteiro, Renato. “The new Brazilian General Data Protection Law—A detailed analysis.” IAPP. August 15, 2018. https://iapp.org/news/a/the-new-brazilian-general-data-protection-law-a-detailed-analysis/.

OCEG. “GRC Defined.” Accessed March 8, 2017. http://www.oceg.org/about/what-is-grc.

Shaw, Thomas. “What Skills Should Your DPO Absolutely Have?” The Privacy Advisor (IAPP), January 24, 2017. https://iapp.org/news/a/what-skills-should-your-dpo-absolutely-have.

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or
republication.
“What is the difference between a mission and a vision statement?” Mission Statements. Accessed January 19, 2022. https://www.missionstatements.com/guide-to-mission-and-vision-statements/what-is-the-difference-between-vision-and-mission.html.

MODULE 3
“California Consumer Privacy Act (CCPA).” Office of the Attorney General, State of California Department of Justice. Updated January 20, 2023. https://oag.ca.gov/privacy/ccpa.

Comparing Privacy Laws: GDPR v. LGPD. DataGuidance by OneTrust. https://www.dataguidance.com/sites/default/files/gdpr_v_lgpd_revised_edition.pdf.

Cosgrove, Cathy. “Top-10 Operational Impacts of the CPRA: Part 2—Defining ‘business’ under the law.” Privacy Advisor, IAPP, December 22, 2020. https://iapp.org/news/a/cpras-top-operational-impacts-part-2-defining-business/.

EDPB. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. June 18, 2021. https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en.

European Commission. “Standard contractual clauses for international transfers.” June 4, 2021. https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.

“Global Comprehensive Privacy Law Mapping Chart.” IAPP. https://iapp.org/resources/article/global-comprehensive-privacy-law-mapping-chart/.

IAPP. California Consumer Privacy Act. https://iapp.org/resources/topics/california-consumer-privacy-act/.

IAPP. California Privacy Rights Act infographic. https://iapp.org/media/pdf/resource_center/iapp_top_10_impactful_provsions_cpra_ballot_initiative.pdf.

IAPP. CCPA Online Training. “Module 6: GDPR Compliance and the CCPA.”

IAPP. “Data Protection Authorities.” Accessed July 12, 2021. https://iapp.org/resources/dpa.

IAPP. GDPR Awareness Guide. September 27, 2017. https://iapp.org/resources/article/gdpr-awareness-guide.

Office of the Privacy Commissioner of Canada. “Guidelines for Processing Personal Data Across Borders.” January 2009. https://www.priv.gc.ca/en/privacy-topics/personal-information-transferred-across-borders/gl_dab_090127.

Renato Leite Monteiro. “GDPR Matchup: Brazil’s General Data Protection Law.” Privacy Tracker, IAPP, October 4, 2018. https://iapp.org/news/a/gdpr-matchup-brazils-general-data-protection-law/.

Rodriguez, Deidre. “10 Steps to a Quality Privacy Program: Part One.” 10 vols. The Privacy Advisor (IAPP), June 24, 2013. https://iapp.org/news/a/10-steps-to-a-quality-privacy-program-part-one/.

Siegel, Bob. “For a Successful Privacy Program, Use These Three A’s.” The Privacy Advisor (IAPP), February 22, 2016. https://iapp.org/news/a/for-a-successful-privacy-program-use-these-three-as.

MODULE 4

“8 Criteria to Ensure You Select the Right Cloud Service Provider.” Cloud Industry Forum. Accessed April 2021. https://cloudindustryforum.org/8-criteria-to-ensure-you-select-the-right-cloud-service-provider/.

Article 29 Working Party. Guidelines on Data Protection Impact Assessment (DPIA). Revised October 4, 2017. http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236.

Campello, Tatiana, Eduardo Magrani, and Kelvin Williamson. “Brazilian SGD publishes guidelines for compliance with LGPD.” IAPP. February 19, 2021. https://iapp.org/news/a/brazilian-sgd-publishes-guidelines-for-compliance-with-the-lgpd/.

Dietrich, Eric and Ana Rodgers. “Building a Privacy Program from Ground Zero.” IAPP. Reprise Web Conference. Recorded June 22, 2015 at the IAPP Canada Privacy Symposium, Toronto, ON. https://iapp.org/resources/article/building-a-privacy-program-from-ground-zero.

European Commission. “Data Protection Impact Assessment Template for Smart Grid and Smart Metering systems.” March 18, 2014. https://ec.europa.eu/energy/sites/ener/files/documents/2014_dpia_smart_grids_forces.pdf.

“How to Conduct a Legitimate Interests Assessment (LIA)?” Data Privacy Manager. https://dataprivacymanager.net/what-is-lia-legitimate-interests-assessment-and-how-to-conduct-it/.

IAPP. 2020 Privacy Tech Vendor Report. https://iapp.org/media/pdf/resource_center/2020TechVendorReport.pdf.

IAPP and OneTrust. “PIAs and Data Mapping – Operationalizing GDPR and Privacy by Design.” Recorded August 24, 2016. Web Conference. https://iapp.org/resources/article/pias-and-data-mapping-operationalizing-gdpr-and-privacy-by-design.

IAPP and TRUSTe. “Preparing for the GDPR: DPOs, PIAs, and Data Mapping.” 2016. https://iapp.org/resources/article/preparing-for-the-gdpr-dpos-pias-and-data-mapping/.

“Legitimate interests.” ICO. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/.

“Sample LIA Template.” ICO. https://ico.org.uk/media/for-organisations/forms/2258435/gdpr-guidance-legitimate-interests-sample-lia-template.docx.

Siegel, Bob. “Accountability and Adaptability: Two of the Three ‘A’s of a Successful Privacy Program.” The Privacy Advisor (IAPP), May 23, 2016. https://iapp.org/news/a/accountability-and-adaptability-two-of-the-three-as-of-a-successful-privacy-program/.

Swire, Peter P., and Kenesa Ahmad. Foundations of Information Privacy and Data Protection. Edited by Terry McQuay. Portsmouth: IAPP, 2012.

“Transfer Impact Assessment Templates.” IAPP. https://iapp.org/resources/article/transfer-impact-assessment-templates/.

MODULE 5

Bracy, Jedidiah. “World’s first global privacy management standard hits the mainstream.” IAPP. August 20, 2019. https://iapp.org/news/a/worlds-first-global-privacy-management-standard-hits-the-mainstream/.

Dietrich, Eric and Ana Rodgers. “Building a Privacy Program from Ground Zero.” IAPP. Reprise Web Conference. Recorded June 22, 2015 at the IAPP Canada Privacy Symposium, Toronto, ON. https://iapp.org/resources/article/building-a-privacy-program-from-ground-zero.

European Union. General Data Protection Regulation. Adopted 2016. http://eur-lex.europa.eu/eli/reg/2016/679/oj.

Fennessy, Caitlin. “Microsoft launches open-source privacy mapping tool.” IAPP. February 21, 2020. https://iapp.org/news/a/microsoft-launches-open-source-privacy-mapping-tool/.

“Guest Wireless Access Acceptable Use Policy Template.” IAPP Resource Center. Accessed February 8, 2023. https://iapp.org/resources/article/guest-wireless-access-acceptable-use-policy-template/.

Hill, Kashmir. “How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did.” Forbes. February 16, 2012. https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/#564b2a7f6668.

IAPP. https://iapp.org/resources/article/privacy-by-design-the-7-foundational-principles/.

IAPP and OneTrust Research. “Bridging ISO 27001 to GDPR.” March 2018. https://iapp.org/resources/article/iapp-onetrust-research-bridging-iso-27001-to-gdpr/.

IAPP and TRUSTe. “How IT and Infosec Value Privacy.” March 2016. https://iapp.org/resources/article/how-it-and-infosec-value-privacy/.

“ISO/IEC 27701:2019; Security techniques—Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management—Requirements and guidelines.” ISO. Accessed January 11, 2023. https://www.iso.org/standard/71670.html.

King, Hope. “Airbnb Sued for Discrimination.” CNN Business. May 18, 2016. https://money.cnn.com/2016/05/18/technology/airbnb-lawsuit-discrimination/index.html.

Oltermann, Philip. “German Parents Told to Destroy Doll That Can Spy on Children.” Guardian. February 17, 2017. https://www.theguardian.com/world/2017/feb/17/german-parents-told-to-destroy-my-friend-cayla-doll-spy-on-children.

Sweeney, Grace. “Privacy-invading Software Scans Your Babysitter’s Social History.” Softonic. January 22, 2019. https://en.softonic.com/articles/predictim-babysitter-scanning.

Tang, Andrea. “Privacy Risk Management.” ISACA Journal 4 (June 30, 2020). https://www.isaca.org/resources/isaca-journal/issues/2020/volume-4/privacy-risk-management#f14.

Thierer, Adam. “CES 2015 Dispatch: Challenges Multiply for Privacy Professionals, Part One.” Privacy Perspectives (IAPP). January 13, 2015. https://iapp.org/news/a/ces-2015-dispatch-challenges-multiply-for-privacy-professionals-part-one/.

MODULE 6

Association of Washington Public Hospital Districts. Information Systems Access Policy. https://iapp.org/resources/article/information-systems-access-policy/.

Bustin, Kim. “Practical Strategies for Creating a Privacy Culture in Your Organization.” The Privacy Advisor (IAPP), September 1, 2010. Accessed May 22, 2017. https://iapp.org/news/a/2010-08-24-strategies-for-creating-a-privacy-culture-in-your-organization/.

Dietrich, Eric and Ana Rodgers. “Building a Privacy Program from Ground Zero.” IAPP. Reprise Web Conference. Recorded June 22, 2015 at the IAPP Canada Privacy Symposium, Toronto, ON. https://iapp.org/resources/article/building-a-privacy-program-from-ground-zero.

IAPP. “Organizational Privacy Policies.” https://iapp.org/resources/topics/organizational-privacy-policies/.

Michigan House of Representatives. “Guest Wireless Access Acceptable Use Policy.” Accessed May 19, 2017. http://house.michigan.gov/wifi_policy.asp.

Northwestern University. “Data Access Policy.” http://www.it.northwestern.edu/policies/dataaccess.html.

Pahl, Chris. “Building a Program that Provides Value: Making Your Communication Matter.” 4 vols. The Privacy Advisor (IAPP), November 29, 2016. https://iapp.org/news/a/building-a-program-that-provides-value-making-your-communication-matter/.

Royal, K, and Pedro Pavon. “Third-Party Vendor Management Means Managing Your Own Risk.” 9 vols. The Privacy Advisor (IAPP), 2015. https://iapp.org/resources/article/third-party-vendor-management-means-managing-your-own-risk-3/.

Tech Donut. Sample Data Protection Policy Template. Accessed May 3, 2017. https://iapp.org/resources/article/sample-data-protection-policy-template-2/.

MODULE 7

AICPA/CICA. Privacy Maturity Model. March 2011. https://iapp.org/media/pdf/resource_center/aicpa_cica_privacy_maturity_model_final-2011.pdf.

Carson, Angelique. “How to Measure Your Privacy Program, Step-by-Step.” The Privacy Advisor (IAPP), May 16, 2014. https://iapp.org/news/a/how-to-measure-your-privacy-program-step-by-step/.

IAPP. Template: DPO Report to Management. https://iapp.org/resources/article/dpo-report-template/.

IBM. “Business Resilience: The Best Defense Is a Good Offense.” January 2009. https://docplayer.net/18554573-Business-resilience-the-best-defense-is-a-good-offense.html.

OPC and OIPCs of Alberta and British Columbia. Getting Accountability Right with a Privacy Management Program. Accessed April 25, 2017. https://iapp.org/media/pdf/knowledge_center/Canada-Getting_Accountability_Right(Apr2012).pdf.

Pahl, Chris. “Building a Program that Provides Value: Using Meaningful Metrics.” 3 vols. The Privacy Advisor (IAPP), September 26, 2016. https://iapp.org/news/a/building-a-program-that-provides-value-using-meaningful-metrics/.

MODULE 8

Siegel, Bob. “6 Ways Privacy Awareness Training Will Transform Your Staff.” IAPP. February 2018. https://iapp.org/resources/article/6-ways-privacy-awareness-training-will-transform-your-staff/.

MODULE 9

Article 29 Working Party. Guidelines on Consent under Regulation 2016/679. Revised April 10, 2018. http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051.

Article 29 Working Party. Guidelines on Transparency under Regulation 2016/679. Revised April 11, 2018. http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227.

Bowen, Nerushka. “After 7-year wait, South Africa’s Data Protection Act enters into force.” IAPP. July 1, 2020. https://iapp.org/news/a/after-a-7-year-wait-south-africas-data-protection-act-enters-into-force/.

Bryant, Jennifer. “China’s PIPL takes effect, compliance ‘a challenge.’” IAPP. November 1, 2021. https://iapp.org/news/a/chinas-pipl-takes-effect-compliance-a-challenge/.

European Union. General Data Protection Regulation. Adopted 2016. http://eur-lex.europa.eu/eli/reg/2016/679/oj.

IAPP. “Crafting a Privacy Notice.” https://iapp.org/resources/topics/crafting-a-privacy-notice/.

IAPP. “Understanding China’s New Personal Information Protection Law.” September 2, 2021. https://iapp.org/news/a/understanding-chinas-new-personal-information-protection-law/.

Information Commissioner’s Office (UK). “Individual rights.” https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.

Information Commissioner’s Office (UK). “Lawfulness, fairness and transparency.” https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/lawfulness-fairness-and-transparency.

Ke, Xu, Vicky Liu, Yan Luo, and Zhijing Yu. “Analyzing China’s PIPL and how it compares to the EU’s GDPR.” IAPP. August 24, 2021. https://iapp.org/news/a/analyzing-chinas-pipl-and-how-it-compares-to-the-eus-gdpr/.

National Cybersecurity Alliance. https://staysafeonline.org/.

Office of the Privacy Commissioner of Canada. “Guidelines for Obtaining Meaningful Consent.” May 2018. https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/.

“POPIA: Protection of Personal Information Act.” https://popia.co.za/section-5-rights-of-data-subjects/.

MODULE 10

Hayward, Rachel. “From Devastation to Salvation: How to Benefit from a Breach.” The Privacy Advisor (IAPP), June 20, 2016. https://iapp.org/news/a/from-devastation-to-salvation-how-to-benefit-from-a-breach/.

IAPP. Breach Incident Reporting Form. https://iapp.org/resources/article/breach-incident-reporting-form/.

IBM/Ponemon Institute LLC. Cost of Data Breach Report 2020. https://www.ibm.com/security/data-breach.

IBM/Ponemon Institute LLC. Cost of a Data Breach Report 2022. https://www.ibm.com/downloads/cas/3R8N1DZJ.

Verizon. 2020 Data Breach Investigations Report. https://enterprise.verizon.com/resources/reports/dbir/.

BODY OF KNOWLEDGE TOPIC [MODULE #]

I. Developing a Privacy Program

A. Create an organizational vision
   a. Evaluate the intended objective [Module 2]
   b. Gain executive sponsor approval for this vision [Module 2]

B. Establish a Data Governance model
   a. Centralized [Module 2]
   b. Distributed [Module 2]
   c. Hybrid [Module 2]

C. Define a privacy program
   a. Define program scope and charter [Module 2]
   b. Identify the source, types, and uses of personal information (PI) within the organization and the applicable laws [Module 2]
   c. Develop a privacy strategy [Module 2]
      i. Business alignment [Module 2]
         1. Finalize the business case for privacy [Module 2]
         2. Identify stakeholders [Module 2]
         3. Leverage key functions [Module 2]
         4. Create a process for interfacing within organization [Module 2]
         5. Align organizational culture and privacy/data protection objectives [Module 2]
      ii. Obtain funding/budget for privacy and the privacy team [Module 2]
      iii. Develop a data governance strategy for processing personal information (e.g., collect, use, access, share, transfer, destroy) [Module 2]
      iv. Ensure program flexibility in order to incorporate legislative/regulatory/market/business requirements [Module 2]

D. Structure the privacy team
   a. Establish the organizational model, responsibilities and reporting structure appropriate to the size of the organization (e.g., Chief Privacy Officer, DPO, Privacy manager, Privacy analysts, Privacy champions, “First responders”) [Module 2]

II. Privacy Program Framework

A. Develop the Privacy Program Framework
   a. Develop organizational privacy policies, procedures, standards, and/or guidelines [Module 6]
   b. Define privacy program activities [Module 6]
      i. Education and awareness [Module 6]
      ii. Monitoring and responding to the regulatory environment [Module 7]
      iii. Monitoring internal privacy policy compliance [Module 6]
      iv. Data inventories, data flows, and classifications designed to identify what personal data your organization processes [Module 4]
      v. Risk assessment (Privacy Impact Assessments [PIAs]) (e.g., DPIAs etc.) [Module 4]
      vi. Incident response and process, including jurisdictional requirements [Module 10]
      vii. Remediation oversight [Module 10]
      viii. Program assurance, including audits [Modules 6, 7]
      ix. Plan inquiry/complaint handling procedures (customers, regulators, etc.) [Module 9]

B. Implement the Privacy Program Framework
   a. Communicate the framework to internal and external stakeholders [Modules 2, 6]
   b. Ensure continuous alignment to applicable laws and regulations to support the development of an organizational privacy program framework [Modules 3, 9]
      i. Understand territorial regulations and/or laws (e.g., GDPR, CCPA, LGPD) [Modules 3, 9]
      ii. Understand sectoral and industry regulations and/or laws (e.g., HIPAA, GLBA) [Modules 3, 9]
      iii. Understand penalties for noncompliance with laws and regulations [Modules 3, 9]
      iv. Understand the scope and authority of oversight agencies (e.g., Data Protection Authorities, Privacy Commissioners, Federal Trade Commission, etc.) [Module 3]
      v. Understand privacy implications of doing business with or basing operations in countries with inadequate, or without, privacy laws [Module 3]
      vi. Maintain the ability to manage a global privacy function [Module 3]
      vii. Maintain the ability to track multiple jurisdictions for changes in privacy law [Module 3]
   c. Understand data sharing agreements [Module 3]
      a. International data sharing agreements [Module 3]
      b. Vendor agreement [Modules 3, 4]
      c. Affiliate and subsidiary agreements [Module 3]

C. Develop Appropriate Metrics
   a. Identify intended audience for metrics [Module 7]
   b. Define reporting resources [Module 7]
   c. Define privacy metrics for oversight and governance per audience [Module 7]
      i. Compliance metrics (examples, will vary by organization) [Module 7]
         1. Collection (notice) [Module 7]
         2. Responses to data subject inquiries [Module 7]
         3. Retention [Module 7]
         4. Disclosure to third parties [Module 7]
         5. Incidents (breaches, complaints, inquiries) [Module 7]
         6. Employees trained [Module 7]
         7. PIA/DPIA metrics [Module 7]
         8. Privacy risk indicators [Module 7]
         9. Percent of company functions represented by governance mechanisms [Module 7]
      ii. Trend analysis [Module 7]
      iii. Privacy program return on investment (ROI) [Module 7]
      iv. Business resiliency metrics [Module 7]
      v. Privacy program maturity level [Module 7]
      vi. Resource utilization [Module 7]
   d. Identify systems/application collection points [Module 7]

III. Privacy Operational Life Cycle: Assess

A. Document current baseline of your privacy program
   a. Education and awareness [Module 8]
   b. Monitoring and responding to the regulatory environment [Module 8]
   c. Assess policy compliance against internal and external requirements [Module 6]
   d. Data, systems and process assessment [Module 4]
      i. Map data inventories, flows, life cycle and system integrations [Module 4]
   e. Risk assessment methods [Module 4]
   f. Incident management, response, and remediation [Modules 4, 10]
   g. Determine desired state and perform gap analysis against an accepted standard or law (including GDPR) [Module 4]
   h. Program assurance, including audits [Module 4]

B. Processors and third-party vendor assessment
   a. Evaluate processors and third-party vendors, insourcing and outsourcing privacy risks, including rules of international data transfer [Modules 2, 4]
      i. Privacy and information security policies [Modules 4, 5, 6]
      ii. Access controls [Modules 4, 5, 6]
      iii. Where personal information is being held [Modules 4, 5]
      iv. Review and set limits on vendor internal use of personal information [Modules 4, 5]
   b. Understand and leverage the different types of relationships [Module 5]
      i. Internal audit [Module 5]
      ii. Information security [Module 5]
      iii. Physical security [Module 5]
      iv. Data protection authority [Module 5]
   c. Risk assessment [Module 4]
      i. Type of data being outsourced [Module 4]
      ii. Location of data [Module 4]
      iii. Technologies and processing methods deployed (e.g., cloud computing) [Module 4]
      iv. Legal compliance [Module 4]
      v. Records retention [Module 4]
      vi. Contractual requirements (incident response, etc.) [Module 4]
      vii. Determine minimum standards for safeguarding information [Module 4]
      viii. Cross-border transfers [Module 4]
   d. Contractual requirements and review process [Module 4]
   e. Ongoing monitoring and auditing [Module 4]

C. Physical assessments
   a. Identify operational risk [Module 4]
      i. Data centers and offices [Module 4]
      ii. Physical access controls [Modules 4, 5]
      iii. Document retention and destruction [Module 4]
      iv. Media sanitization and disposal (e.g., hard drives, USB/thumb drives, etc.) [Module 4]
      v. Device forensics [Module 4]
      vi. Device security (e.g., mobile devices, Internet of Things [IoT], geo-tracking, imaging/copier hard drive security controls) [Module 4]

D. Mergers, acquisitions and divestitures
   a. Due diligence procedures [Module 4]
   b. Review contractual and data sharing obligations [Module 4]
   c. Risk assessment [Module 4]
   d. Risk and control alignment [Module 4]
   e. Post integration planning and risk mitigation [Module 4]

E. Privacy Assessments and Documentation
   a. Privacy Threshold Analysis (PTAs) on systems, applications and processes [Module 4]
   b. Define a process for conducting privacy assessments (e.g., PIA, DPIA, TIA, LIA) [Module 4]
      i. Understand the life cycle of each assessment type [Module 4]
      ii. Incorporate privacy assessments into system, process, data life cycles [Module 4]

IV. Privacy Operational Life Cycle: Protect

A. Information security practices
   a. Access controls for physical and virtual systems [Module 5]
      i. Least privileged access (e.g., need to know) [Module 5]
      ii. Account management (e.g., provision process) [Module 5]
      iii. Privilege management [Module 5]
   b. Technical security controls (including relevant policies and procedures) [Module 5]
   c. Incident response plans [Modules 5, 10]

B. Privacy by Design (PbD)
   a. Integrate privacy throughout the system development life cycle (SDLC) [Module 5]
   b. Establish privacy gates as part of the system development framework [--]
   c. Integrate privacy through business processes [Module 5]
   d. Communicate with stakeholders the importance of PIAs and PbD [Module 4]

C. Integrate privacy requirements and representation into functional areas across the organization (e.g., Information Security, Human Resources, Marketing, Legal and Contracts, Mergers, Acquisitions & Divestitures)

D. Technical and organizational measures
   a. Quantify the costs of technical and organizational controls [Module 7]
   b. Manage data retention with respect to the organization’s policies [Module 6]
   c. Define the methods for physical and electronic data destruction [Module 6]
   d. Define roles and responsibilities for managing the sharing and disclosure of data for internal and external use [Module 6]
   e. Determine and implement guidelines for secondary uses (e.g., research, etc.) [Modules 6, 9]
   f. Define policies related to the processing (including collection, use, retention, disclosure and disposal) of organization’s data holdings, taking into account both legal and ethical requirements [Module 6]
   g. Implement appropriate administrative safeguards, such as policies, procedures, and contracts [Module 5]

V. Privacy Operational Life Cycle: Sustain

A. Monitor
   a. Environment (e.g., systems, applications) monitoring [Module 7]
   b. Monitor compliance with established privacy policies [Module 7]
   c. Monitor regulatory and legislative changes [Module 7]
   d. Compliance monitoring (e.g., collection, use and retention) [Module 7]
      i. Internal audit [Module 7]
      ii. Self-regulation [Module 7]
      iii. Retention strategy [Module 7]
      iv. Exit strategy [Module 7]

B. Audit
   a. Align privacy operations to an internal and external compliance audit program [Module 7]
      i. Knowledge of audit processes and maintenance of an “audit trail” [Module 7]
      ii. Assess against industry standards [Module 7]
      iii. Utilize and report on regulator compliance assessment tools [Modules 2, 7]
   b. Audit compliance with privacy policies and standards [Module 7]
   c. Audit data integrity and quality and communicate audit findings with stakeholders [Module 7]
   d. Audit information access, modification and disclosure accounting [Module 7]
   e. Targeted employee, management and contractor training [Modules 4, 8]
      i. Privacy policies [Module 8]
      ii. Operational privacy practices (e.g., standard operating instructions), such as [Module 8]
         1. Data creation/usage/retention/disposal [Module 8]
         2. Access control [Module 8]
         3. Reporting incidents [Module 8]
         4. Key contacts [Module 8]

VI. Privacy Operational Life Cycle: Respond

A. Data-subject information requests and privacy rights
   a. Access [Module 9]
   b. Redress [Module 9]
   c. Correction [Module 9]
   d. Managing data integrity [Module 9]
   e. Right of Erasure [Module 9]
   f. Right to be informed [Module 9]
   g. Control over use of data, including objection to processing [Module 9]
   h. Complaints including file reviews [Module 9]

B. Privacy incident response
   a. Legal compliance [Module 10]
      i. Preventing harm [Module 10]
      ii. Collection limitations [Module 10]
      iii. Accountability [Module 10]
      iv. Monitoring and enforcement [Module 10]
      v. Mandatory reporting [Module 10]
   b. Incident response planning [Module 10]
      i. Understand key roles and responsibilities [Module 10]
         1. Identify key business stakeholders [Module 10]
            a) Information security [Module 10]
            b) Legal [Module 10]
            c) Head of compliance [Module 10]
            d) Audit [Module 10]
            e) Human resources [Module 10]
            f) Marketing [Module 10]
            g) Business development [Module 10]
            h) Communications and public relations [Module 10]
            i) External parties [Module 10]
         2. Establish incident oversight teams [Module 10]
         3. Develop a privacy incident response plan [Module 10]
         4. Identify elements of the privacy incident response plan [Module 10]
         5. Integrate privacy incident response into business continuity planning [Module 10]
   c. Incident detection [Module 10]
      i. Define what constitutes a privacy incident [Module 10]
      ii. Identify reporting process [Module 10]
      iii. Coordinate detection capabilities [Module 10]
         1. Organization IT [Module 10]
         2. Physical security [Module 10]
         3. Human resources [Module 10]
         4. Investigation teams [Module 10]
         5. Vendors [Module 10]
   d. Incident handling [Module 10]
      i. Understand key roles and responsibilities [Module 10]
      ii. Conduct risk assessment [Module 10]
      iii. Perform containment activities [Module 10]
      iv. Identify and implement remediation measures [Module 10]
      v. Develop a communications plan to notify executive management [Module 10]
      vi. Notify regulator, impacted individuals and/or the responsible data controller [Module 10]
   e. Follow incident response process to ensure meeting jurisdictional, global and business requirements [Module 10]
      i. Engage privacy team [Module 10]
      ii. Review the facts [Module 10]
      iii. Conduct analysis [Module 10]
      iv. Determine actions (contain, communicate, etc.) [Module 10]
      v. Execute [Module 10]
      vi. Maintain an incident register and associated records of the incident management [Module 10]
      vii. Monitor [Module 10]
      viii. Review and apply lessons learned [Module 10]
   f. Identify incident reduction techniques [Module 10]
   g. Incident metrics—quantify the cost of a privacy incident [Module 10]

