Domain 3: Assessing Data Flashcards

Explore how to map data flows, assess risks, and manage the full data lifecycle. (123 cards)

1
Q

What is data governance?

A

A comprehensive approach to collecting, managing, securing, and storing data.

2
Q

What does the DIKW pyramid represent?

A
  • Data
  • Information
  • Knowledge
  • Wisdom
3
Q

How is data a strategic asset?

A

Used for:

  • Decision-making
  • Performance tracking
  • Compliance
  • Risk mitigation
4
Q

What is DAMA International?

A

Data Management Association

Created DAMA-DMBOK with 10 data management areas.

5
Q

What are the 3 levels of data governance roles?

A
  • Strategic
  • Managerial
  • Operational
6
Q

Who holds managerial data governance roles and what do they do?

A
  • Data owners and business leads
  • Fulfill data consumer requirements
7
Q

Who holds operational data governance roles and what do they do?

A
  • Data stewards and subject matter experts
  • Manage data daily
  • Understand and communicate data value and use
8
Q

What is a data inventory?

A

A catalog that identifies data, categories, risks, mitigations, flow, location, sharing, and quality.

9
Q

What are key benefits of a data inventory?

A
  • Maps data flow
  • Identifies risk
  • Assesses data quality
  • Shows sharing and storage
10
Q

What is needed to build a data inventory?

A
  • Context
  • Purpose
  • Owner
  • Legal oversight
  • Controller/processor roles
  • Data types
  • Volume
11
Q

What details must be included in a RoPA?

A
  • Point of Contact
  • Processing purpose
  • Personal data categories
  • Data subjects
  • Processing types
12
Q

What recipient details are part of RoPA?

A
  • Categories of recipients
  • Third-country transfers
  • International organizations
13
Q

What safeguards must be noted in RoPA?

A
  • Administrative
  • Technical
  • Physical
14
Q

Who is exempt from maintaining a RoPA?

A
  • Orgs with <250 employees
  • Occasional processing
  • No sensitive data
  • Low risk to rights
15
Q

What are the 4 types of privacy risk?

A
  • Legal
  • Operational
  • Reputational
  • Strategic
16
Q

What does legal risk include?

A
  • Laws (federal, state, local, international)
  • Contracts
  • Industry standards
17
Q

What does operational risk include?

A
  • Administrative efficiency
  • Data collection
  • Cybersecurity practices
18
Q

What does reputational risk refer to?

A

Impact on public trust and company image after a breach.

19
Q

What does strategic risk focus on?

A

Return on investment and cost-benefit analysis of tools/services.

20
Q

What is the Three Lines Model?

A

Framework defining roles in risk management.

21
Q

Who is in the first line of the Three Lines Model?

A

Operational management and staff

(day-to-day risk management)

22
Q

Who is in the second line of the Three Lines Model?

A

Compliance/privacy function

(support and oversight)

23
Q

Who is in the third line of the Three Lines Model?

A

Internal audit function

(independent review)

24
Q

What is a privacy assessment?

A

An evaluation to:

  • Measure compliance
  • Monitor systems
  • Assess risks
  • Support privacy functions
25
**Who** conducts privacy assessments?
  • Auditors
  • Data Protection Officers (DPOs)
  • Business leads
  • Regulators
26
**When** should privacy assessments be conducted?
  • During system development
  • Pre-deployment
  • On a schedule
  • After security events/incidents
27
What is the **difference** between a privacy assessment, PIA, and DPIA?
  • Privacy assessment is broad
  • PIA focuses on compliance and impacts
  • DPIA is GDPR-required for high-risk processing
28
What **standard** provides guidance on PIAs?
ISO 29134
29
Why conduct privacy assessments for **AI systems**?
To ensure **ethical data use** and **mitigate privacy risks** specific to automated processing.
30
What is a **Privacy Impact Assessment** (PIA)?
A **tool** to **identify, assess, and mitigate privacy risk** associated with a project, product, or service.
31
**Why** conduct a PIA?
  • Identify risks
  • Comply with laws/standards
  • Implement Privacy by Design
  • Take a proactive approach
32
**When** should a PIA be conducted?
  • During planning
  • When laws change
  • When new privacy risks are created
33
What are **example triggers** for conducting a PIA?
  • Personal data collection
  • Digitizing records
  • Data aggregation
  • Authentication tech
  • Third-party tools
34
What factors influence **PIA specifics**?
  • Jurisdiction
  • Industry
  • Type of data
35
What is a **Transfer Impact Assessment**?
A GDPR-recommended **evaluation of cross-border data transfer risk** post-Schrems II.
36
What is **Brazil's version of a PIA** called?
**Relatorio de Impacto** under LGPD
37
What is **China's equivalent to a PIA**?
Personal Information Security Impact Assessment System
38
What does **Virginia's CDPA** call its PIA equivalent?
Data Protection Assessment
39
What are other **PIA-related tools**?
  • Express PIA
  • Privacy Threshold Analysis
40
What **law** requires PIAs for **U.S. federal agencies**?
E-Government Act of 2002
41
**When** must U.S. federal agencies conduct PIAs?
When **developing/procuring** IT systems with PII or collecting PII electronically.
42
What is a **Privacy Threshold Analysis** (PTA)?
**Preliminary assessment** to determine if a full PIA is needed.
43
What does a **PTA assess**?
  • Data subject
  • PII types
  • Data sharing
  • Aggregation
  • Safeguards
44
What **U.S. law** governs access to and amendment of personal records in **U.S. Federal Government** systems of records?
The Privacy Act of 1974
45
What is a **System of Records Notice** (SORN)?
**Notice** required under the **Privacy Act** detailing purpose, uses, storage, controls, and policies.
46
What does **OMB M-03-22** provide?
**Guidance** for when and how to conduct PIAs.
47
**When** should PIAs be conducted according to **OMB M-03-22**?
  • New collection
  • Digitization
  • When data becomes reidentified
  • System changes
  • Data is aggregated
  • Third-party use
48
What is **ISO**?
  • International Organization for Standardization
  • Non-governmental body setting international standards
49
What is **ISO 29134**?
Guidelines on the structure and process of **Privacy Impact Assessments** (PIAs).
50
**When** should a PIA be initiated **per ISO 29134**?
At the **earliest** design stage.
51
Which **ISO standards** support privacy risk treatment in ISO 29134?
  • ISO/IEC 27002
  • ISO/IEC 29151
52
What does **ISO/IEC 27002** cover?
  • Information security
  • Cybersecurity
  • Privacy protection controls
53
What does **ISO/IEC 29151** cover?
Code of practice for protection of PII.
54
What are **follow-up steps** after a PIA per ISO 29134?
  • Prepare and publish PIA
  • Implement treatment plan
  • Review and revise
55
What are **components of a PIA report** under ISO 29134?
  • Assessment scope
  • Risks
  • Threats
  • Probability
  • Impact
  • Requirements
  • Evaluations
  • Conclusions
  • Decisions
56
What are **consequences** of not conducting a required DPIA?
Fines **up to 10 million Euro or 2% of global annual turnover**, whichever is higher.
57
List **examples of high-risk processing** under the GDPR.
  • Systematic evaluation
  • Large-scale processing of special data
  • Monitoring public areas
58
What was the **Article 29 Working Party**?
  • EU advisory body under 95/46/EC
  • Provided DPIA guidelines
  • GDPR replaced it with the EDPB
59
What are WP29's **high-risk processing indicators**?
  • Use of automated decision-making
  • Sensitive data
  • Large-scale
  • Vulnerable subjects
  • Innovative tech
  • Rights interference
60
What are the **minimum features** of a DPIA according to WP29 Annex 2?
  • Description of processing
  • Purpose
  • Legitimate interest
  • Necessity
  • Proportionality
  • Data subject risks
  • Mitigations
61
What does **proportionality** mean in a DPIA context?
Processing must be **appropriate** and **not excessive** for its purpose.
Footnote: Proportionate: opt-out for direct marketing. Disproportionate: retaining air passenger data for 5 years.
62
What is the role of **supervisory authorities**?
  • Monitor GDPR
  • Investigate
  • Advise
  • Enforce
Footnote: Examples: CNIL, Garante
63
**When** is supervisory consultation required?
  • If risks remain high
  • Life, rights, freedoms, security at stake
  • Unpatched vulnerability
  • Loss of control
64
What is **artificial intelligence**?
Algorithm-based tech that **acts autonomously** to perform tasks **typically requiring** human intelligence.
65
What are key **AI privacy challenges**?
  • Lawfulness
  • Fairness
  • Bias
  • Discrimination
  • Transparency
  • Black-box models
  • Proprietary issues
66
Why is **data minimization** a challenge in AI?
  • AI needs massive datasets
  • Defining purpose is hard
  • May violate purpose limitation
67
What are AI-related **security risks**?
  • Weak data pipeline
  • Model inversion
  • Membership inference attacks
68
What should AI systems satisfy regarding personal data **processing purpose**?
  • Specific
  • Legitimate purpose
  • Assess and mitigate risk
69
What are key **privacy-enhancing technologies** for AI?
  • Differential privacy
  • Synthetic data
  • Federated learning
70
What **human-centered** considerations are vital in AI?
  • Alternative options
  • Fallback plans
  • DEIA-focused project teams
71
Name **4** major **AI governance frameworks**.
  • EIOPA Digital Ethics Group
  • NIST AI RMF
  • ISO/IEC 42001
  • ISO/IEC 23894
72
What is **attestation** in a privacy context?
Assures **stakeholder accountability** for privacy-related responsibilities.
73
Give examples of **attestation evidence** for Human Resources.
  • Data protection policies
  • Access authorization
  • Consent forms
  • PIAs
  • Training records
74
What is **information security**?
Protection of information's:
  • Confidentiality
  • Integrity
  • Availability
75
How does information security **differ** from cybersecurity?
  • Infosec protects all formats
  • Cybersecurity focuses on digital systems and networks
76
What does the **CIA triad** stand for?
  • Confidentiality
  • Integrity
  • Availability
77
What is **confidentiality** in the CIA triad?
Ensuring data is accessed **only by authorized** personnel.
78
What is **integrity** in the CIA triad?
Ensuring data is **accurate**, **complete**, and **tamperproof**.
79
What is **availability** in the CIA triad?
Ensuring data is **accessible** when needed.
80
What does the **DAD triad** represent?
  • Disclosure (unauthorized access)
  • Alteration (tampering)
  • Destruction (loss)
81
What is the **goal** of **physical and environmental** security?
To **protect physical assets** from natural or manmade threats.
Footnote: E.g., personnel, equipment, data assets
82
What are common **physical security controls**?
  • Doors
  • Locks
  • Fences
  • Alarms
  • Lighting
  • CCTV
83
What are critical **business continuity concerns**?
  • Natural disasters
  • Power/internet outages
  • Backup redundancy
  • Time to repair
84
What are the **3 methods** of **data disposition** under NIST SP 800-88?
  • Clear
  • Purge
  • Destroy
85
What is '**clear**' in media sanitization?
  • Overwrites data or replaces with random data
  • Offers intermediate protection
86
What is '**purge**' in media sanitization?
  • Advanced protection like block/cryptographic erasure
  • Prevents recovery
87
What is '**destroy**' in media sanitization?
  • Melt, burn, shred media
  • Renders it unusable
88
Why are **vendor assessments** important in privacy programs?
  • Organizations are responsible for vendor data handling
  • Must ensure compliance and risk mitigation
89
What should general **vendor assessment considerations** include?
  • Stakeholder input
  • Ensuring vendors are reliable in data handling practices
90
What are **key components** of **vendor due diligence**?
  • Financials
  • Cyber insurance
  • Incident response plan
  • Reputation
  • Controls
  • Data transfer
  • Disposition
91
Which **standard** relates to **post-contract data disposition**?
FACTA (2003), Disposal Rule
92
What is a **Service-Level Agreement** (SLA)?
A **contract** outlining service expectations, responsibilities, and metrics **between vendor and customer**.
93
What should **SLAs** include?
  • Privacy
  • Cybersecurity
  • Regulatory requirements
Footnote: Example regulatory requirements: breach protocols and liability
94
What is **cloud computing**?
Using **on-demand computing resources** hosted on another computer.
Footnote: E.g., AWS, Azure
95
What are the **key advantages** of cloud computing?
  • Cost savings
  • Scalability
  • Easier management
96
What are the **3 models** of **cloud computing**?
  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)
97
What is **Infrastructure as a Service** (IaaS)?
  • Third-party provides infrastructure
  • Company controls OS, apps, security
98
What is **Platform as a Service** (PaaS)?
  • Developers use tools/platforms to build applications
  • Less control over environment
99
What is **Software as a Service** (SaaS)?
  • Apps accessed via web
  • Fully managed by third-party
  • No downloads needed
100
What are the **3 types** of **cloud environments**?
  • Public
  • Private
  • Hybrid
101
What is a **public cloud**?
  • Third-party owned
  • Shared infrastructure
102
What is a **private cloud**?
  • Dedicated to one organization
  • Single-tenant
  • On-prem or hosted
103
What is a **hybrid cloud**?
  • Mix of public and private
  • Supports workload movement
  • Needs integration
104
What is the **Cloud Industry Forum** (CIF)?
A non-profit promoting cloud adoption through transparency, certification, education, and market analysis.
105
What is the **CIF Code of Practice**?
A certification promoting transparency and best practices in cloud services.
106
What are CIF **vendor considerations**?
  • Certifications/standards
  • Interoperability
  • Data management
  • Cybersecurity
  • Subcontractors
107
What **certifications** might CIF vendors hold?
  • ISO 27001
  • UK Cyber Essentials Scheme
108
Why are **subcontractors** and **service dependencies** critical in cloud vendor assessments?
They **impact** reliability, accountability, and risk in service delivery.
109
What must **controllers ensure** when selecting **processors** under GDPR?
Processors must provide '**sufficient guarantees**' for appropriate technical and organizational safeguards.
110
What constitutes '**sufficient guarantees**' under GDPR?
  • Contracts
  • Evidence of competence
  • Assurance mechanisms
  • Third-party assessments
  • Certifications
111
What is the **CCPA**?
  • California Consumer Privacy Act (2018)
  • Amended by CPRA (2020)
  • Enforced by CA attorney general and CPPA
112
What qualifies as a '**sale**' under the **CCPA**?
Selling, sharing, transferring PII for **monetary or other valuable consideration**.
113
What **rights** do consumers have under the **CCPA**?
  • Right to know
  • Right to opt-out
  • Right to delete
114
What **business obligations** are required by the CCPA?
  • Notice/disclosure
  • Opt-out mechanisms
  • Contract requirements
115
What are CCPA requirements for **service provider contracts**?
**Limit** processing to the business purpose.
116
What is **aggregate consumer information**?
  • Group data with identities removed
  • Not linked to individuals/households
117
What is **de-identified data** under CCPA?
  • Data that cannot reasonably identify or relate to a consumer
  • Reidentification must be prevented
118
What is a **merger**?
Two or more organizations become one.
119
What is an **acquisition**?
One organization acquires another.
120
What is a **divestiture**?
An organization sells one or more divisions.
121
Why is **gap analysis** important during M&A?
To **identify risks** in adapting to new processes, data, and compliance requirements.
122
What **factors** should **gap analysis** evaluate?
  • Compliance requirements
  • Contracts
  • Client obligations
  • Networks
  • Data assets
123
What should be considered in **data transfers** during M&A?
  • Due diligence
  • Data origin/purpose
  • Processing principles
  • Transparency
  • Rights
  • Safeguards