Prioritizing privacy-related risk scenarios as part of ERM processes is the best way to ensure that the

risk responses meet the organizational objectives, because it helps to align the privacy risk

management with the overall strategic goals, values, and culture of the organization. ERM is a

holistic approach to identify, assess, and manage risks across the organization, taking into account

the interdependencies and trade-offs among different types of risks. By integrating privacy-related

risk scenarios into the ERM processes, the organization can evaluate the potential impact and

likelihood of privacy risks on its mission, vision, and performance, and prioritize the most significant

ones for mitigation or acceptance. This can also help to allocate appropriate resources, assign clear

roles and responsibilities, and monitor and report on the effectiveness of the risk responses.

Reference:

Privacy Risk Management, ISACA Journal

Enterprise Risk Assessment, Deloitte

Collecting only the data necessary to meet objectives is the best approach to minimize privacy risk

when collecting personal data. This is based on the principle of data minimization, which states that

personal data should be adequate, relevant, and limited to what is necessary in relation to the

purposes for which they are processed. Using a third party, collecting data through a secure web

server, or aggregating data immediately may reduce some privacy risks, but they do not eliminate

the possibility of collecting excessive or unnecessary data. Reference: CDPSE Exam Content Outline,

Domain 3, Task 3.2

After a privacy risk has been accepted, the next step is to monitor the risk landscape for material

changes. This means that the organization should keep track of any internal or external factors that

may affect the likelihood or impact of the risk, such as new threats, vulnerabilities, regulations,

technologies, or business processes. Monitoring the risk landscape can help the organization identify

if the risk acceptance decision is still valid, or if it needs to be revisited or revised. Monitoring can

also help the organization prepare for potential incidents or consequences that may arise from the

accepted risk.

Before an organization can respond to data subject access requests (DSARs), it needs to have a clear

understanding of the data in its possession, such as what types of personal data are collected, where

they are stored, how they are processed, who has access to them, and how long they are retained.

This will help the organization to locate and retrieve the relevant data for each DSAR, and to ensure

that the data are accurate, complete and up to date. Understanding the data in its possession will

also help the organization to comply with other data protection principles and obligations, such as

data minimization, purpose limitation, security and accountability.

The other options are less important or irrelevant to do first. Investing in a platform to automate data

review may help to speed up the response process, but it does not guarantee that the organization

has identified all the data sources and categories that are subject to DSARs. Confirming what is

required for disclosure is also important, but it depends on the specific request and the applicable

law or regulation. Creating a policy for handling access requests is a good practice, but it should be

based on a thorough understanding of the data in its possession.

Reference:

Practical Data Security and Privacy for GDPR and CCPA - ISACA, section 2: “It is important to

understand what personal information is collected and processed by an organization.”

Introduction to Data Subject Access Requests - Everlaw, section 3: “The first step in responding to a

DSAR is identifying where the relevant personal data reside within your organization.”

Guidelines 01/2022 on data subject rights - Right of access Version 1, section 2.1: “The controller

should have a clear overview of all processing activities involving personal data.”

Application hardening measures are the most important action to protect a mobile banking app and

its data against manipulation and disclosure because they prevent attackers from reverse

engineering, tampering, or injecting malicious code into the app. Application hardening measures

include techniques such as code obfuscation, encryption, integrity checks, anti-debugging, and anti-

tampering mechanisms. These measures make the app more resilient and secure against various

types of cyberattacks.

Reference:

ISACA Certified Data Privacy Solutions Engineer Study Guide, Domain 3: Privacy Engineering, Task

3.4: Implement privacy engineering techniques to protect data in applications and systems, p. 104-

105.

What is Application Hardening? | Glossary | Digital.ai

Conducting a risk assessment of all candidate vendors is the best way to provide assurance that a

potential vendor is able to comply with privacy regulations and the organization’s data privacy policy,

because it allows the organization to evaluate the vendor’s privacy practices, controls, and

performance against a set of criteria and standards. A risk assessment can also help to identify any

gaps, weaknesses, or threats that may pose a risk to the organization’s data privacy objectives and

obligations. A risk assessment can be based on various sources of information, such as self-

attestations, documentation, audits, or independent verification. A risk assessment can also help to

prioritize the vendors based on their level of risk and impact, and to determine the appropriate

mitigation or monitoring actions.

Reference:

8 Steps to Manage Vendor Data Privacy Compliance, DocuSign

Supplier Security and Privacy Assurance (SSPA) program, Microsoft Learn

A thin client remote desktop protocol (RDP) is the most effective remote access model for reducing

the likelihood of attacks originating from connecting devices, because it minimizes the amount of

data and processing that occurs on the remote device. A thin client RDP only sends keyboard, mouse

and display information between the remote device and the server, while the actual processing and

storage of data happens on the server. This reduces the exposure of sensitive data and applications

to potential attackers who may compromise the remote device.

Reference:

CDPSE Review Manual, Chapter 2 – Privacy Architecture, Section 2.3 – Privacy Architecture

Implementation1.

CDPSE Certified Data Privacy Solutions Engineer All-in-One Exam Guide, Chapter 2 – Privacy

Architecture, Section 2.4 – Remote Access2.

The first step toward the effective management of personal data assets is to create a personal data

inventory, which is a comprehensive list of the personal data that an organization collects, processes,

stores, transfers, and disposes of. A personal data inventory helps an organization to understand the

types, sources, locations, owners, purposes, and retention periods of the personal data it holds, as

well as the risks and obligations associated with them. A personal data inventory is essential for

complying with data privacy laws and regulations, such as the GDPR or the PDPA, which require

organizations to implement data protection principles and practices, such as obtaining consent,

providing notice, ensuring data quality and security, respecting data subject rights, and reporting

data breaches. A personal data inventory also helps an organization to identify and mitigate data

privacy risks and gaps, and to implement data minimization and data security controls.

Reference:

ISACA, Data Privacy Audit/Assurance Program, Control Objective 3: Data Inventory and

Classification1

ISACA, Simplify and Contextualize Your Data Classification Efforts2

PDPC, Managing Personal Data3

PDPC, PDPA Assessment Tool for Organisations4

In GDPR parlance, organizations that use third-party service providers are often, but not always,

considered data controllers, which are entities that determine the purposes and means of the

processing of personal data, which can include directing third parties to process personal data on

their behalf. The third parties that process data for data controllers are known as data processors.

The best way to protect personal data in the custody of a third party is to include requirements to

comply with the organization’s privacy policies in the contract. This means that the organization

should specify the terms and conditions of data processing, such as the purpose, scope, duration,

and security measures, and ensure that they are consistent with the organization’s privacy policies

and applicable privacy regulations. The contract should also define the roles and responsibilities of

both parties, such as data controller and data processor, and establish mechanisms for monitoring,

reporting, auditing, and resolving any issues or incidents related to data privacy. Reference: : CDPSE

Review Manual (Digital Version), page 41

The first thing that an IT privacy practitioner should do before an organization migrates personal data

from an on-premise solution to a cloud-hosted solution is to perform a privacy impact assessment

(PIA). A PIA is a systematic process of identifying and evaluating the potential privacy risks and

impacts of a data processing activity or system. A PIA helps to ensure that privacy is considered and

integrated into the design and development of data processing activities or systems, and that privacy

risks are mitigated or eliminated. A PIA also helps to determine the appropriate measures to protect

personal data in a cloud-hosted solution, such as encryption, pseudonymization, anonymization,

access control, audit trail, breach notification, etc. A PIA also helps to comply with the applicable

privacy regulations and standards that govern data processing activities in a cloud-hosted

solution. Reference: : CDPSE Review Manual (Digital Version), page 99