CDPSE

• Identify the internal and external privacy requirements specific to the organization’s governance and risk management programs and practices.
• Participate in the evaluation of privacy policies, programs and policies for their alignment with legal requirements, regulatory requirements and/or industry best practices.
• Coordinate and/or perform privacy impact assessments (PIA) and other privacy-focused assessments.
• Participate in the development of procedures that align with privacy policies and business needs.
• Implement procedures that align with privacy policies.
• Participate in the management and evaluation of contracts, service levels and practices of vendors and other external parties.
• Participate in the privacy incident management process.

• Collaborate with cybersecurity personnel on the security risk assessment process to address privacy compliance and risk mitigation.
• Collaborate with other practitioners to ensure that privacy programs and practices are followed during the design, development and implementation of systems, applications and infrastructure.
• Develop and/or implement a prioritization process for privacy practices.
• Develop, monitor and/or report performance metrics and trends related to privacy practices.
• Report on the status and outcomes of privacy programs and practices to relevant stakeholders.
• Participate in privacy training and promote awareness of privacy practices.
• Identify issues requiring remediation and opportunities for process improvement.

A—ORGANIZATIONAL GOVERNANCE

1. Organizational Strategy, Goals, and Objectives
2. Organizational Structure, Roles and Responsibilities
3. Organizational Culture
4. Policies and Standards
5. Business Processes
6. Organizational Assets

B—RISK GOVERNANCE

1. Enterprise Risk Management and Risk Management Framework
2. Three Lines of Defense
3. Risk Profile
4. Risk Appetite and Risk Tolerance
5. Legal, Regulatory and Contractual Requirements
6. Professional Ethics of Risk Management

• Coordinate and/or perform privacy impact assessment (PIA) and other privacy-focused assessments to identify appropriate tracking technologies and technical privacy controls.
• Participate in the development of privacy control procedures that align with privacy policies and business needs.
• Implement procedures related to privacy architecture that align with privacy policies.
• Collaborate with cybersecurity personnel on the security risk assessment process to address privacy compliance and risk mitigation

• Collaborate with other practitioners to ensure that privacy programs and practices are followed during the design, development and implementation of systems, applications and infrastructure.
• Evaluate the enterprise architecture and information architecture to ensure it supports privacy by design principles and considerations.
• Evaluate advancements in privacy-enhancing technologies and changes in the regulatory landscape.
• Identify, validate and/or implement appropriate privacy and security controls according to data classification procedures.

A—IT RISK IDENTIFICATION

1. Risk Events (e.g., contributing conditions, loss result)
2. Threat Modelling and Threat Landscape
3. Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
4. Risk Scenario Development

B—IT RISK ANALYSIS AND EVALUATION

1. Risk Assessment Concepts, Standards and Frameworks
2. Risk Register
3. Risk Analysis Methodologies
4. Business Impact Analysis
5. Inherent and Residual Risk

• Identify the internal and external privacy requirements relating to the organization’s data lifecycle practices.
• Coordinate and/or perform privacy impact assessments (PIA) and other privacy-focused assessments relating to the organization’s data lifecycle practices.
• Participate in the development of data lifecycle procedures that align with privacy policies and business needs.
• Implement procedures related to data lifecycle that align with privacy policies.

• Collaborate with other practitioners to ensure that privacy programs and practices are followed during the design, development and implementation of systems, applications and infrastructure.
• Evaluate the enterprise architecture and information architecture to ensure it supports privacy by design principles and data lifecycle considerations.
• Identify, validate and/or implement appropriate privacy and security controls according to data classification procedures.
• Design, implement and/or monitor processes and procedures to keep the inventory and dataflow records current.

A—RISK RESPONSE

1. Risk Treatment / Risk Response Options
2. Risk and Control Ownership
3. Third-Party Risk Management
4. Issue, Finding and Exception Management
5. Management of Emerging Risk

B—CONTROL DESIGN AND IMPLEMENTATION

1. Control Types, Standards and Frameworks
2. Control Design, Selection and Analysis
3. Control Implementation
4. Control Testing and Effectiveness Evaluation

C—RISK MONITORING AND REPORTING

1. Risk Treatment Plans
2. Data Collection, Aggregation, Analysis and Validation
3. Risk and Control Monitoring Techniques
4. Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
5. Key Performance Indicators
6. Key Risk Indicators (KRIs)
7. Key Control Indicators (KCIs)

A—INFORMATION TECHNOLOGY PRINCIPLES

Enterprise Architecture

IT Operations Management (e.g., change management, IT assets, problems, incidents)

Project Management

Disaster Recovery Management (DRM)

Data Lifecycle Management

System Development Life Cycle (SDLC)

Emerging Technologies

B—INFORMATION SECURITY PRINCIPLES

Information Security Concepts, Frameworks and Standards

Information Security Awareness Training

Business Continuity Management

Data Privacy and Data Protection Principles