All of the following are tasks in the “Discover” phase of building an information management program EXCEPT?

All of the following are tasks in the “Discover” phase of building an information management program EXCEPT?
A . Facilitating participation across departments and levels
B . Developing a process for review and update of privacy policies
C . Deciding how aggressive to be in the use of personal information
D . Understanding the laws that regulate a company’s collection of information

View Answer

Answer: B

Explanation:

The “Discover” phase of building an information management program is the first step in the process of creating a privacy framework. It involves identifying the types, sources, and flows of personal information within an organization, as well as the legal, regulatory, and contractual obligations that apply to it. The tasks in this phase include:

Conducting a data inventory and mapping exercise to document what personal information is collected, used, shared, and stored by the organization, and how it is protected.

Assessing the current state of privacy compliance and risk by reviewing existing policies, procedures, and practices, and identifying any gaps or weaknesses.

Understanding the laws that regulate a company’s collection of information, such as the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA).

Facilitating participation across departments and levels to ensure that all stakeholders are involved and informed of the privacy goals and objectives, and to foster a culture of privacy awareness and accountability.

Developing a process for review and update of privacy policies is not a task in the “Discover” phase, but rather in the “Implement” phase, which is the third step in the process of creating a privacy framework. It involves putting the privacy policies and procedures into action, and ensuring that they are effective and compliant.

The tasks in this phase include:

Developing a process for review and update of privacy policies to reflect changes in the business environment, legal requirements, and best practices, and to incorporate feedback from internal and external audits and assessments.

Implementing privacy training and awareness programs to educate employees and other relevant parties on their roles and responsibilities regarding privacy, and to promote a privacy-by-design approach.

Establishing privacy governance and oversight mechanisms to monitor and measure the performance and outcomes of the privacy program, and to ensure accountability and transparency. Developing a process for responding to privacy incidents and requests from data subjects, regulators, and other parties, and to mitigate and remediate any privacy risks or harms.

Reference: IAPP CIPP/US Body of Knowledge, Domain I: Information Management from a U.S. Perspective,

Section A: Building a Privacy Program

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Information

Management from a U.S. Perspective, Section 1.1: Building a Privacy Program Practice Exam – International Association of Privacy Professionals