Identify how PII is Used and Applicable Laws

00:00

Module 26 identify how P. I. Is used and applicable loss

00:09

in this module.

00:11

Well, understand how key is used in an organization

00:14

and we'll understand applicable laws.

00:18

So let's talk about how to identify P. I. Is used in the organization

00:24

first.

00:25

And we've noted

00:26

in previous modules that consumer and employee pia is something we must include within our privacy program.

00:35

All individuals should be considered

00:37

that we work with

00:40

second

00:41

preliminary workflows or workflows of how information is

00:45

captured, processed and transferred internally or externally

00:49

throughout our organization. Should be understood.

00:52

We can find a lot of this information by surveyor interviewing stakeholders we identified in our charter document and potentially in more depth within our scope document.

01:03

Last data maps.

01:04

Data maps may consist of logical diagrams of systems applications and repositories of where P. I. May live

01:11

Now, data maps

01:14

are easier said than done. They're challenging. There's a software tool that's out there or I should say many software tools that are out there that can help you with that. But it's also important to work with your colleagues in the information technology or information security departments to understand what types of systems they have in place. To help you map out

01:33

the organization's applications and repositories, help you understand how data flows throughout the organization.

01:41

It doesn't make sense to recreate the wheel. But there could be an opportunity to work with your partners within the organization

01:48

to make

01:49

light work of this type of task.

01:52

Essentially this type of identification of how P I is used is essentially an inventory or a collection of data for you to help understand how P I is used throughout your organization and what potential opportunities or threats that could exist,

02:09

uh, for your program that you need to have understood to prioritize what you do first and what could potentially wait for down the road.

02:23

Let's talk about applicable laws

02:24

now. There are plenty of laws out there, and many of you

02:30

may have internal counsel or outside counsel to help you with this. And I strongly encourage you to work with a legal professional and understanding the applicable laws that are out there.

02:43

Uh, they have a really good understanding of not only the, the risk of the association is typically looking to take on, but they also have, uh, the breath of knowledge to understand whether these laws are really going to apply for you and ultimately help you prioritize

03:01

which types of laws and regulations

03:04

you may want to tackle or consider aligning with first. So, there, of course, are general privacy laws at G. D. P. R. Uh, there's Australian Argentinian, there's other privacy laws that are out there that may be what your goal is to include on the onset of your program.

03:22

There are also some federal privacy laws by sector, especially here in the US, whether health, financial or consumer laws that may exist here in the United States, we have HipAA H I P A. We also have the new California privacy law

03:40

that went into effect. So there could be some state, provincial, local or territory laws

03:45

that need to be considered.

03:46

There could be some online privacy laws as it relates to how we conduct business online or on a website. Uh, there's certainly some workplace privacy requirements and laws that should be considered. So it's important to make sure that your human resource team or your human resources liaisons are,

04:05

are part of helping you understand what laws are required to help protect employees.

04:12

Uh, and and also potentially not employees understand penalties for non compliance. Uh, this is important from a risk standpoint to understand if for some reason there is an incident or or something that does occur, What are those penalties?

04:28

Uh, how are they going to impact your organization? And

04:31

and if they do impact your organization, what's that financial impact going to be? Uh, So they're not. All privacy regulations have the same type of

04:42

penalties, whether their monetary or if there are other types of penalties, but those need to be understood. And that's where your legal counsel can help you with prioritization. And if you have a risk organization throughout your organization or risk department, they can also help you

04:59

with that as well.

05:00

And as I've stated already, inside our outside counsel should be consulted. Uh, this this, this

05:08

courses to help you understand how to build and develop a privacy program and maybe some of you are licensed attorneys or have law experience, uh, and that's going to give you certainly a leg up. But there's an operational element here that is different

05:26

than how your corporate counsel may function

05:29

day to day. So it's important to make sure that they are at the table when it comes to understanding applicable laws that could influence your organization specifically, as it pertains to your privacy program

05:43

quiz question

05:44

data maps may consist of the following

05:46

logical diagrams of systems applications and repositories,

05:49

scope, charter and executive approval

05:53

workflows, pIA. Repositories and training documentation.

05:57

Best answer

05:58

is one

05:59

logical diagrams of systems applications and repositories. And don't forget to ask your colleagues in the information technology or technology departments on whether or not they have those types of

06:10

uh

06:11

diagrams available potentially that you can collaborate on

06:16

in this module. We discussed how to determine how pIA is used throughout the organization