SCENARIO
Please use the following to answer the next QUESTION:
Penny has recently joined Ace Space, a company that sells homeware accessories online, as its new privacy officer. The company is based in California but thanks to some great publicity from a social media influencer last year, the company has received an influx of sales from the EU and has set up a regional office in Ireland to support this expansion. To become familiar with Ace Space’s practices and assess what her privacy priorities will be, Penny has set up meetings with a number of colleagues to hear about the work that they have been doing and their compliance efforts.
Penny’s colleague in Marketing is excited by the new sales and the company’s plans, but is also concerned that Penny may curtail some of the growth opportunities he has planned. He tells her “I heard someone in the breakroom talking about some new privacy laws but I really don’t think it affects us. We’re just a small company. I mean we just sell accessories online, so what’s the real risk?” He has also told her that he works with a number of small companies that help him get projects completed in a hurry. “We’ve got to meet our deadlines otherwise we lose money. I just sign the contracts and get Jim in finance to push through the payment. Reviewing the contracts takes time that we just don’t have.”
In her meeting with a member of the IT team, Penny has learned that although Ace Space has taken a number of precautions to protect its website from malicious activity, it has not taken the same level of care of its physical files or internal infrastructure. Penny’s colleague in IT has told her that a former employee lost an encrypted USB key with financial data on it when he left. The company nearly lost access to their customer database last year after they fell victim to a phishing attack. Penny is told by her IT colleague that the IT team “didn’t know what to do or who should do what. We hadn’t been trained on it but we’re a small team though, so it worked out OK in the end.” Penny is concerned that these issues will compromise Ace Space’s privacy and data protection.
Penny is aware that the company has solid plans to grow its international sales and will be working closely with the CEO to give the organization a data “shake up”. Her mission is to cultivate a strong privacy culture within the company.
Penny has a meeting with Ace Space’s CEO today and has been asked to give her first impressions and an overview of her next steps.
What information will be LEAST crucial from a privacy perspective in Penny’s review of vendor contracts?
(From a privacy perspective, what is the first concern organizations must tackle when considering using a third-party AI tool to screen job applications?)
How do privacy audits differ from privacy assessments?
(The best way for an organization to stay aware of changes made by vendors that may then impact the organization’s privacy practices is to?)
“Respond” in the privacy operational lifecycle includes which of the following?
Which of the following helps build trust with customers and stakeholders?
SCENARIO
Please use the following to answer the next QUESTION:
Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the development of the company's flagship product, the Handy Helper. The Handy Helper is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. After having had a successful launch in the United States, the Handy Helper is about to be made available for purchase worldwide.
The packaging and user guide for the Handy Helper indicate that it is a "privacy friendly" product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the
other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Omnipresent Omnimedia and selected marketing partners in order to be able to use the application.
Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreement with a European distributor of Handy Helper when he fielded many Questions about the product from the distributor. Sanjay needed to look more closely at the product in order to be able to answer the Questions as he was not involved in the product development process.
In speaking with the product team, he learned that the Handy Helper collected and stored all of a user's sensitive medical information for the medical appointment scheduler. In fact, all of the user's information is stored by Handy Helper for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO's philosophy that great new product ideas can come from anyone, all Omnipresent Omnimedia employees have access to user data under a program called Eureka. Omnipresent Omnimedia is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-term goal.
What element of the Privacy by Design (PbD) framework might the Handy Helper violate?
(All of the following are components of a data collection notice EXCEPT?)
In a mobile app for purchasing and selling concert tickets, users are prompted to create a personalized profile prior to engaging in transactions. Once registered, users can securely access their profiles within the app, empowering them to manage and modify personal data as needed.
Which foundational Privacy by Design (PbD) principle does this feature follow?
SCENARIO
Please use the following to answer the next QUESTION:
Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to Question the company's privacy program at today's meeting.
Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging
Nationwide Grill's market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced.
Spencer – a former CEO and currently a senior advisor – said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.
One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason. "Breaches can happen, despite organizations' best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton's had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton's's corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company's incident response.
Spencer replied that acting with reason means allowing security to be handled by the security functions within the company – not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company's privacy program. Both the volume and the duplication of information means that it is often ignored altogether.
Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month."
Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules. Silently, Natalia agreed.
What is the most realistic step the organization can take to help diminish liability in the event of another incident?
