CIPP/US Study Guide
Chapter 4: Information Management and Privacy Risk Management

The Privacy Program and Four Business Risks

A privacy program establishes accountability and compliance, and should balance four business risks: legal, reputational, operational, and strategic. In the U.S., the FTC is the chief enforcer against broken privacy promises: a company that publicly announces a privacy practice and then fails to follow it exposes itself to an FTC action for deceptive practices under Section 5 of the FTC Act.

A privacy program's minimum goals are to: demonstrate an auditable compliance framework; promote trust; respond effectively to consumer requests; address privacy and security breaches; and continually improve program maturity.

Four business risks to balance

Risk type      What it covers
Legal          Comply with state, federal, and international law, and with contractual commitments (e.g., PCI DSS), or face litigation and sanctions such as multi-year consent decrees
Reputational   Harm from announcing policies but not following them; invites enforcement, particularly from the FTC
Operational    The program must be administratively efficient; an overly heavy-handed program inhibits beneficial uses of PI such as personalization
Strategic      The organization must earn an appropriate return on its information and technology investments amid evolving regulation

Key terms - quick answers

What is “Privacy program”?
An organization's framework for establishing accountability and legal compliance in how personal data is handled.
What is “Consent decree”?
A negotiated regulatory sanction (e.g., an FTC consent order) that settles an enforcement action and may impose compliance, assessment, and reporting obligations for many years (FTC privacy orders commonly run 20 years).
What is “PCI DSS”?
Payment Card Industry Data Security Standard - an industry standard, not a law, that a company handling payment card data is typically contractually committed to follow; non-compliance is a legal (contractual) risk rather than a statutory one.