Identify how PII is Used and Applicable Laws

Time
3 hours 39 minutes
Difficulty
Intermediate
CEU/CPE
4
Video Transcription
00:00
Module 26: Identify how PII is used and applicable laws. In this module, we'll understand how PII is used in an organization, and we'll understand applicable laws.
00:18
So let's talk about how to identify how PII is used in the organization first. We've noted in previous modules that consumer and employee PII is something we must include within our privacy program. All individuals that we work with should be considered.
00:40
Second, preliminary workflows, or workflows of how information is captured, processed and transferred internally or externally throughout our organization, should be understood. We can find a lot of this information by surveying or interviewing the stakeholders we identified in our charter document and, potentially in more depth, within our scope document.
01:03
Last, data maps. Data maps may consist of logical diagrams of systems, applications and repositories of where PII may live. Now, data maps are easier said than done. They're challenging. There's a software tool that's out there, or I should say many software tools that are out there, that can help you with that. But it's also important to work with your colleagues in the information technology or information security departments to understand what types of systems they have in place, to help you map out the organization's applications and repositories, and to help you understand how data flows throughout the organization.
01:41
It doesn't make sense to recreate the wheel, but there could be an opportunity to work with your partners within the organization to make light work of this type of task. Essentially, this type of identification of how PII is used is an inventory, or a collection of data, to help you understand how PII is used throughout your organization and what potential opportunities or threats could exist for your program, which you need to have understood in order to prioritize what you do first and what could potentially wait for down the road.
02:23
Let's talk about applicable laws now. There are plenty of laws out there, and many of you may have internal counsel or outside counsel to help you with this. I strongly encourage you to work with a legal professional in understanding the applicable laws that are out there. They have a really good understanding of not only the risk the organization is typically looking to take on, but they also have the breadth of knowledge to understand whether these laws are really going to apply to you, and ultimately they can help you prioritize which types of laws and regulations you may want to tackle or consider aligning with first. So there are, of course, general privacy laws: GDPR; there's the Australian law, the Argentinian law; there are other privacy laws out there that may be what your goal is to include at the onset of your program.
03:22
There are also some federal privacy laws by sector, especially here in the US, whether health, financial or consumer laws that may exist here in the United States; we have HIPAA. We also have the new California privacy law that went into effect. So there could be some state, provincial, local or territory laws that need to be considered.
03:46
There could be some online privacy laws as they relate to how we conduct business online or on a website. There are certainly some workplace privacy requirements and laws that should be considered, so it's important to make sure that your human resource team or your human resources liaisons are part of helping you understand what laws are required to help protect employees, and also, potentially, non-employees. Understand penalties for non-compliance. This is important from a risk standpoint: to understand, if for some reason there is an incident or something that does occur, what are those penalties? How are they going to impact your organization? And if they do impact your organization, what's that financial impact going to be? Not all privacy regulations have the same type of penalties, whether they're monetary or other types of penalties, but those need to be understood. That's where your legal counsel can help you with prioritization. And if you have a risk organization throughout your organization, or a risk department, they can also help you with that as well.
05:00
As I've stated already, inside or outside counsel should be consulted. This course is to help you understand how to build and develop a privacy program, and maybe some of you are licensed attorneys or have law experience, and that's certainly going to give you a leg up. But there's an operational element here that is different than how your corporate counsel may function day to day. So it's important to make sure that they are at the table when it comes to understanding applicable laws that could influence your organization, specifically as it pertains to your privacy program.
05:43
Quiz question: data maps may consist of the following: (1) logical diagrams of systems, applications and repositories; (2) scope, charter and executive approval; (3) workflows, PII repositories and training documentation. The best answer is one: logical diagrams of systems, applications and repositories. And don't forget to ask your colleagues in the information technology or technology departments whether or not they have those types of diagrams available, potentially, that you can collaborate on.
06:16
In this module, we discussed how to determine how PII is used throughout the organization, and we discussed various types of laws and regulations that may be included in a privacy program.