ExamGecko
Question 11 - CIPM discussion


An executive for a multinational online retail company in the United States is looking for guidance in developing her company's privacy program beyond what is specifically required by law.

What would be the most effective resource for the executive to consult?

A. Internal auditors.

B. Industry frameworks.

C. Oversight organizations.

D. Breach notifications from competitors.

Suggested answer: B

Explanation:

Industry frameworks are the most effective resource for an executive who wants to develop her company's privacy program beyond what is specifically required by law. Industry frameworks are collections of best practices, standards, and guidelines that help organizations establish and improve their privacy policies and procedures. Industry frameworks can help organizations demonstrate their commitment to privacy, enhance their reputation and trustworthiness, and comply with multiple privacy regulations. Some examples of industry frameworks are the NIST Privacy Framework, the ISO 27701 Privacy Information Management System, and the AICPA/CICA Generally Accepted Privacy Principles (GAPP).

The other options are not as effective as industry frameworks for developing a privacy program. Internal auditors can help evaluate the effectiveness and compliance of existing privacy controls, but they may not provide guidance on how to improve or expand them. Oversight organizations can enforce privacy laws and regulations, but they may not offer advice on how to go beyond the legal requirements. Breach notifications from competitors can alert organizations to potential threats and vulnerabilities, but they may not suggest how to prevent or mitigate them.

Reference: NIST Privacy Framework; ISO 27701 Privacy Information Management System; AICPA/CICA Generally Accepted Privacy Principles (GAPP)

asked 22/11/2024
Ivan Rodrigo Velasco Capote