Identify how PII is Used and Applicable Laws
Module 26: Identify how PII is used and applicable laws
In this module, we'll understand how PII is used in an organization, and we'll understand applicable laws.
So let's talk about how to identify how PII is used in the organization.
And we've noted in previous modules that consumer and employee PII is something we must include within our privacy program. All individuals that we work with should be considered. Preliminary workflows, or workflows of how information is captured, processed and transferred internally or externally throughout our organization, should be understood.
We can find a lot of this information by surveying or interviewing the stakeholders we identified in our charter document, and potentially in more depth within our scope document.
Lastly, data maps. Data maps may consist of logical diagrams of systems, applications and repositories of where PII may live.
Now, data maps are easier said than done. They're challenging. There's a software tool that's out there, or I should say many software tools that are out there, that can help you with that. But it's also important to work with your colleagues in the information technology or information security departments to understand what types of systems they have in place, to help you map out the organization's applications and repositories and to help you understand how data flows throughout the organization. It doesn't make sense to recreate the wheel, but there could be an opportunity to work with your partners within the organization to make light work of this type of task.
Essentially, this type of identification of how PII is used is an inventory, or a collection of data, to help you understand how PII is used throughout your organization and what potential opportunities or threats could exist for your program. You need to have those understood in order to prioritize what you do first and what could potentially wait for down the road.
Let's talk about applicable laws now. There are plenty of laws out there, and many of you may have internal counsel or outside counsel to help you with this. And I strongly encourage you to work with a legal professional in understanding the applicable laws that are out there. They have a really good understanding of not only the risk the organization is typically looking to take on, but they also have the breadth of knowledge to understand whether these laws are really going to apply to you, and ultimately to help you prioritize which types of laws and regulations you may want to tackle or consider aligning with first. So, there are of course general privacy laws like GDPR; there are Australian and Argentinian privacy laws; and there are other privacy laws out there that may be what your goal is to include at the onset of your program.
There are also some federal privacy laws by sector, especially here in the US, whether health, financial or consumer laws. Here in the United States, we have HIPAA. We also have the new California privacy law that went into effect. So there could be some state, provincial, local or territory laws that need to be considered.
There could be some online privacy laws as it relates to how we conduct business online or on a website. There are certainly some workplace privacy requirements and laws that should be considered, so it's important to make sure that your human resources team or your human resources liaisons are part of helping you understand what laws are required to help protect employees, and also potentially non-employees.
Understand penalties for non-compliance. This is important from a risk standpoint: to understand, if for some reason there is an incident or something that does occur, what are those penalties? How are they going to impact your organization? And if they do impact your organization, what's that financial impact going to be? Not all privacy regulations have the same type of penalties, whether they're monetary or other types of penalties, but those need to be understood. And that's where your legal counsel can help you with prioritization. And if you have a risk organization or risk department within your organization, they can also help you with that as well.
And as I've stated already, inside or outside counsel should be consulted. This course is to help you understand how to build and develop a privacy program, and maybe some of you are licensed attorneys or have law experience, and that's certainly going to give you a leg up. But there's an operational element here that is different than how your corporate counsel may function day to day. So it's important to make sure that they are at the table when it comes to understanding applicable laws that could influence your organization, specifically as it pertains to your privacy program.
Data maps may consist of the following:
logical diagrams of systems, applications and repositories
scope, charter and executive approval
workflows, PIA repositories and training documentation
Logical diagrams of systems, applications and repositories: don't forget to ask your colleagues in the information technology or technology departments whether or not they have those types of diagrams available that you can potentially collaborate on.
In this module, we discussed how to determine how PII is used throughout the organization, and we discussed various types of laws and regulations that may be included in a privacy program.