This article covers the changes made to the certification exam that come into effect on 3rd October. Candidates appearing for the exam before that date may follow the earlier pattern, but anyone sitting it after 3rd October should take a closer look at the revised syllabus.
The syllabus is divided into 6 parts; the changes to each are discussed below.
Part 1 – Developing a Privacy Program
Earlier, candidates were not required to understand how to plan inquiry/complaint handling procedures while developing a privacy program for the company; after 3rd October, this needs to be kept in mind. The structure of the privacy team has been consolidated to cover both large and small organizations. Where earlier only the identification and cataloging of documents related to updates in privacy requirements was enough, after 3rd October it also needs to be ensured that employees have access to such documents relevant to their roles.
Part 2 – Privacy Program Framework
After the changes come into effect, candidates will have to develop not only privacy policies and standards but also the procedures to be followed. Planning inquiry/complaint handling procedures is another addition to the framework. Further, the framework earlier required candidates to understand whether national or local laws would apply in a situation; after 3rd October, candidates need to understand not only territorial regulations/laws but also industry-specific regulations/laws. Instead of just international data sharing agreements, two new additions, vendor agreements and affiliate and subsidiary agreements, need to be thoroughly understood.
Part 3 – Privacy Operational Life Cycle: Assess
Documenting the “creation of a record of authority” will no longer be required after 3rd October. Further, in the risk assessment of processors and third-party vendors, the implications of all types of technologies used need to be assessed (not only cloud computing, as required earlier), along with cross-border transfers. Lastly, during mergers and acquisitions, earlier only risk assessment and due diligence were required; after 3rd October the following also need to be kept in mind: review of contractual and data sharing obligations, risk and control alignment, and post-integration planning and risk mitigation.
Part 4 – Privacy Operational Life Cycle: Protect
After 3rd October, the scope of Privacy by Design has been expanded to include the integration of privacy throughout business processes and communication with stakeholders about the importance of PIAs and PbD. The technical and organizational measures have also been expanded to include guidelines on secondary uses, policies on the processing of the organization's data holdings (accounting for legal and ethical requirements), and the implementation of administrative safeguards through policies, procedures, and contracts.
Part 5 – Privacy Operational Life Cycle: Sustain
After 3rd October, an “audit trail” needs to be maintained during the audit process, along with the utilization of, and reporting on, regulator compliance assessment tools.
Part 6 – Privacy Operational Life Cycle: Respond
Data subjects’ information requests and rights will now include complaints, including file reviews. The incident handling requirements have been expanded to include conducting a risk assessment, performing containment activities, identifying and implementing remediation measures, and notifying regulators, impacted individuals, and data controllers.
Take Tsaaro’s CIPM mock exams, which are kept up to date with the latest rule and regulatory changes. You can stay current with the shifting regime by taking these practice examinations.
Take the mock and be your own judge: https://academy.tsaaro.com/mock-exam/