Domain 1 - Information Privacy Governance
Establish and/or maintain an information privacy strategy in alignment with organizational goals and objectives to guide the establishment and/or ongoing management of the information privacy programme.
Establish and/or maintain an information privacy compliance framework to guide activities that support the information privacy strategy.
Integrate information privacy governance into corporate governance to ensure that organizational goals and objectives are supported by the information privacy programme.
Establish and maintain information privacy policies to guide the development of standards, procedures and guidelines in alignment with enterprise goals and objectives.
Develop business cases to support investments in information privacy.
Identify internal and external influences to the organization (e.g., emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third-party considerations, threat landscape) to ensure that these factors are continually addressed by the information privacy strategy.
Gain ongoing commitment from senior leadership and other stakeholders to support the successful implementation of the information privacy strategy.
Define, communicate and monitor information privacy responsibilities throughout the organization (e.g., data owners, data custodians, end users, privileged or high-risk users) and lines of authority.
Establish, monitor, evaluate and report key information privacy metrics to provide management with accurate and meaningful information regarding the effectiveness of the information privacy strategy.
Domain 2 - Information Risk Management
Establish and/or maintain a process for information asset classification to ensure that measures taken to protect assets are proportional to their business value.
Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels.
Ensure that privacy impact analyses, information risk assessments, vulnerability assessments and threat analyses are conducted consistently and at appropriate times in order to identify and assess risk to the organization's information.
Identify, recommend or implement appropriate risk treatment/response options to manage risk to acceptable levels based on organizational risk appetite.
Determine whether information privacy controls are appropriate and effectively manage risk to an acceptable level.
Facilitate the integration of information risk management into business and IT processes (e.g., systems development, procurement, project management) to enable a consistent and comprehensive information risk management programme across the organization.
Monitor for internal and external factors (e.g., key risk indicators [KRIs], threat landscape, geopolitical, regulatory change) that may require reassessment of risk to ensure that changes to existing, or new, risk scenarios are identified and managed appropriately.
Report noncompliance and other changes in information risk to facilitate the risk management decision-making process.
Ensure that information privacy risk is reported to senior management to support an understanding of potential impact on the organizational goals and objectives.
Domain 3 - Information Privacy Programme Development and Management
Establish and/or maintain the information privacy programme in alignment with the information privacy strategy.
Align the information privacy programme with the operational objectives of other business functions (e.g., human resources [HR], accounting, procurement and IT) to ensure that the information privacy programme adds value to and protects the business.
Identify, acquire and manage requirements for internal and external resources to execute the information privacy programme.
Establish and maintain information privacy processes and resources (including people and technologies) to execute the information privacy programme in alignment with the organization’s business goals.
Establish, communicate and maintain organizational information privacy standards, guidelines, procedures and other documentation to guide and enforce compliance with information privacy policies.
Establish, promote and maintain a programme for information privacy awareness and training to foster an effective privacy culture.
Integrate information privacy requirements into organizational processes (e.g., change control, mergers and acquisitions, system development, business continuity, disaster recovery) to maintain the organization’s privacy strategy.
Integrate information privacy requirements into contracts and activities of third parties (e.g., joint ventures, outsourced providers, business partners, customers) and monitor adherence to established requirements in order to maintain the organization’s privacy strategy.
Establish, monitor and analyse programme management and operational metrics to evaluate the effectiveness and efficiency of the information privacy programme.
Compile and present reports to key stakeholders on the activities, trends and overall effectiveness of the Privacy programme and the underlying business processes in order to communicate privacy performance.
Domain 4 - Information Privacy Incident Management
Establish and maintain an organizational definition of, and severity hierarchy for, information privacy incidents to allow accurate classification and categorization of and response to incidents.
Establish and maintain an incident response plan to ensure an effective and timely response to information privacy incidents.
Develop and implement processes to ensure the timely identification of information privacy incidents that could impact the business.
Establish and maintain processes to investigate and document information privacy incidents in order to determine the appropriate response and cause while adhering to legal, regulatory and organizational requirements.
Establish and maintain incident notification and escalation processes to ensure that the appropriate stakeholders are involved in incident response management.
Organize, train and equip incident response teams to respond to information privacy incidents in an effective and timely manner.
Test, review and revise (as applicable) the incident response plan periodically to ensure an effective response to information privacy incidents and to improve response capabilities.
Establish and maintain communication plans and processes to manage communication with internal and external entities.
Conduct post-incident reviews to determine the root cause of information privacy incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.
Establish and maintain integration among the incident response plan, business continuity plan and disaster recovery plan.
Exams & Certification
All delegates attending an official training course will be offered the opportunity to sit the associated examination. The examination consists of 125 multiple choice questions covering the scope of the exam, and a score of 70% is required to pass. Questions cover the 4 key areas of the training course, namely People, Process, Technology and Environment. Successful examination candidates will be issued with a certificate confirming a passing grade, along with the relevant CPD certificate. For a more detailed description of the exam, see the CIPI Certification Job Practice at www.privacy-pro.co.uk
Additional Information
Start date: Apr 9, 2018
End date: Jun 20, 2019
City: Manchester