IAPP CIPM - Certified Information Privacy Manager (CIPM)

An organization’s business continuity plan or disaster recovery plan does not typically include a retention schedule for storage and destruction of information. A retention schedule is a document that specifies how long different types of information should be kept by an organization before they are disposed of or destroyed. A retention schedule is usually based on legal, regulatory, operational, historical, or archival requirements. A retention schedule is part of an organization’s information governance or records management policy, not its business continuity or disaster recovery plan.

A business continuity plan (BCP) is a document that outlines how an organization will continue its critical functions and operations in the event of a disruption or disaster. A BCP usually includes:

Contact information and service level agreements (SLAs) for key personnel, stakeholders, providers, backup site operators, etc.

Business impact analysis (BIA) that identifies the potential impacts of disruption on all aspects of the business, such as financial, legal, reputational, etc.

Risk assessment that identifies and evaluates the likelihood and severity of various threats and vulnerabilities that could cause disruption or disaster.

Identification of critical functions that are essential for the survival and recovery of the business.

Communications plan that specifies how to communicate with internal and external parties during and after a disruption or disaster.

Testing plan that specifies how to test and update the BCP regularly to ensure its effectiveness and validity.

A disaster recovery plan (DRP) is a document that outlines how an organization will restore its IT systems, data, applications, and infrastructure in the event of a disruption or disaster. A DRP usually includes:

Recovery time objectives (RTOs) that specify how quickly each IT system or service needs to be restored after a disruption or disaster.

Recovery point objectives (RPOs) that specify how much data loss is acceptable for each IT system or service after a disruption or disaster.

Emergency response guidelines that specify how to respond to and contain a disruption or disaster, such as activating the DRP, declaring a disaster, notifying the stakeholders, etc.

Statement of organizational responsibilities that specifies who is responsible for what tasks and roles during and after a disruption or disaster, such as initiating the DRP, executing the recovery procedures, restoring the IT systems or services, etc.

Recovery procedures that specify how to recover each IT system or service from backup sources, such as backup tapes, disks, cloud services, etc.

Testing plan that specifies how to test and update the DRP regularly to ensure its effectiveness and validity. References: [Business Continuity Plan (BCP) Definition]; [Disaster Recovery Plan (DRP) Definition]

 If your organization provides a SaaS tool for B2B services and does not interact with individual consumers, and a client’s current employee reaches out with a right to delete request, the most appropriate response is to redirect the individual back to their employer to understand their rights and how this might impact access to company tools. This is because your organization is acting as a processor for the client, who is the controller of the employee’s personal data. The controller is responsible for determining the purposes and means of processing personal data, as well as responding to data subject requests. The processor should only process personal data on behalf of and in accordance with the instructions of the controller. Therefore, you should not forward the request to the client, process the request without consulting the client, or deny the request based on business contact information being exempt from privacy rights laws1, 2. References: CIPM - International Association of Privacy Professionals, Free CIPM Study Guide - International Association of Privacy Professionals

CIPM emphasizesaccountability and evidencewhen personal data is destroyed by third parties. A certificate of destruction provides documented proof that data was securely and irreversibly destroyed in accordance with contractual and legal requirements.

While audits, on-site destruction, and asset inventories can support assurance, they are not always practical or required. The certificate serves as the formal record demonstrating compliance with retention and disposal obligations. Without such documentation, the organization remains exposed to regulatory and legal risk if destruction is later questioned.

This answer is the most realistic step the organization can take to help diminish liability in the event of another incident, as it can ensure that the vendor complies with the same standards and obligations as the organization regarding data protection. Vendor contracts should include clauses that specify the scope, purpose, duration and type of data processing, as well as the rights and responsibilities of both parties. The contracts should also require the vendor to implement appropriate technical and organizational measures to protect the data from unauthorized or unlawful access, use, disclosure, alteration or destruction, and to notify the organization of any security incidents or breaches. The contracts should also allow the organization to monitor, audit or inspect the vendor’s performance and compliance with the contract terms and applicable laws and regulations. References: IAPP CIPM Study Guide, page 82; ISO/IEC 27002:2013, section 15.1.2

This answer is the best way to address the objection to Spencer’s training suggestion, as it can provide flexibility and convenience for employees who work in different locations or have different schedules. Alternative delivery methods for trainings can include online courses, webinars, podcasts, videos or self-paced modules that can be accessed anytime and anywhere by employees. Alternative delivery methods can also reduce the cost and time required for in-person trainings, while still ensuring that employees receive consistent and relevant information on the company’s privacy program. References: IAPP CIPM Study Guide, page 90; ISO/IEC 27002:2013, section 7.2.2

The United States federal law that requires financial institutions to declare their personal data collection practices is the Gramm-Leach-Bliley Act (GLBA) of 1999. The GLBA is also known as the Financial Services Modernization Act or the Financial Modernization Act10 The GLBA regulates how financial institutions collect, use, disclose, and protect the nonpublic personal information of their customers11 The GLBA requires financial institutions to provide a privacy notice to their customers that explains what kinds of information they collect, how they use and share that information, and how they safeguard that information12 The GLBA also gives customers the right to opt out of certain information sharing practices with third parties13

The other options are not US federal laws that require financial institutions to declare their personal data collection practices. The Kennedy-Hatch Disclosure Act of 1997 is a proposed but not enacted legislation that would have required health insurers to disclose their policies and practices regarding the use and disclosure of genetic information14 SUPCLA, or the federal Superprivacy Act of 2001, is a fictional law that does not exist in reality. The Financial Portability and Accountability Act of 2006 is also a fictional law that does not exist in reality, although it may be confused with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which regulates the privacy and security of health information15 References: 10: Gramm-Leach-Bliley Act | Federal Trade Commission; 11: Financial Privacy | Federal Trade Commission; 12: Financial Privacy | Federal Trade Commission; 13: Financial Privacy | Federal Trade Commission; 14: S. 422 (105th): Genetic Information Nondiscrimination in Health Insurance Act of 1997; 15: Health Information Privacy | HHS.gov

Rationalizing requirements is an organizational approach that involves identifying and harmonizing the common elements of different privacy regulations and standards. This can make compliance easier and more efficient, as well as reduce the risk of conflicts or gaps in privacy protection. Rationalizing requirements can also help to create a consistent privacy policy and culture across different jurisdictions and business units. References: CIPM Study Guide, page 23.

Comprehensive and Detailed Explanation:

A data inventory or data map helps an organization identify where data is stored, how it flows, and how it is processed—which is crucial for compliance and risk management.

An online retailer detects an incident involving customer shopping history but no keys have been compromised. The Privacy Office is most concerned when it also involves plain text personal identifiers. Plain text personal identifiers are data elements that can directly identify an individual, such as name, email address, phone number, or social security number. Plain text means that the data is not encrypted or otherwise protected from unauthorized access or disclosure. If an incident involves plain text personal identifiers, it poses a high risk to the privacy and security of the customers, as their personal data could be exposed, stolen, misused, or manipulated by malicious actors. The Privacy Office should take immediate steps to contain, assess, notify, evaluate, and prevent such incidents, . References: [CIPM - International Association of Privacy Professionals], [Free CIPM Study Guide - International Association of Privacy Professionals]