
This lecture outlines the practical reasons for enrolling in the course and introduces Dr. David, the instructor. It highlights benefits such as preparing for CIPM certification, advancing a privacy-related career, and complementing other professional backgrounds like law or cybersecurity. The course is affordable, self-paced, and designed with no prerequisites, making it accessible for diverse learners. Dr. David brings extensive credentials and teaching experience, offering expert instruction tailored for both beginners and professionals.
This lecture introduces the Certified Information Privacy Manager (CIPM) credential, which validates expertise in building and managing privacy programs. It outlines the exam’s six knowledge domains—from program governance to incident response—and explains the certification process, structure, and maintenance requirements. The CIPM is increasingly valued across sectors and can enhance careers in privacy, law, IT, and compliance.
This lecture provides an overview of the IAPP, the world’s largest organization for privacy and AI governance professionals. It highlights the IAPP’s mission, global resources, training programs, and local KnowledgeNet chapters that support networking and continuing education.
This lecture explores the growing demand for privacy professionals as laws expand and data technologies evolve. It discusses global privacy legislation, increasing organizational investment in data ethics, and how privacy roles intersect with AI, IoT, and big data. Surveys show high public concern for data use and a strong market for certified experts.
This lecture outlines the benefits of CIPM certification, including higher salaries, job satisfaction, and career advancement. It presents salary data showing significant increases for certified professionals and highlights how the CIPM demonstrates expertise in privacy laws and operational management, especially in sectors demanding compliance and risk mitigation.
This lecture defines privacy beyond just “being left alone,” emphasizing its social and contextual dimensions. It introduces four categories of privacy—information, bodily, territorial, and communication—and explains types of personally identifiable information (PII), including sensitive, pseudonymized, and anonymized data. Context and data combination are key factors in determining privacy protections.
This lecture examines the interdisciplinary nature of privacy work, covering roles such as legal advisors, analysts, engineers, and compliance officers. Responsibilities include managing risk, ensuring legal compliance, overseeing data governance, and leading privacy training and awareness initiatives. It provides real-world examples to illustrate how privacy professionals mitigate harm and support organizational accountability.
This lecture introduces program management and its application in privacy and data protection. It explains how program managers oversee multiple interrelated projects to achieve strategic goals. Examples include digital transformation, customer experience, and cybersecurity. The lecture also introduces frameworks—sets of guidance and best practices—that help align projects with organizational objectives, particularly in managing risk and improving performance.
This lecture continues the foundational overview by focusing on privacy program management and governance. It defines privacy program goals such as ensuring compliance, promoting trust, and mitigating risk. The lecture explains how to create a tailored privacy framework and introduces governance as a system of rules and processes to manage objectives and balance stakeholder interests. It concludes by identifying the role of the privacy professional as anyone responsible for implementing these frameworks.
This lecture presents Privacy by Design (PbD) and Privacy by Default as core principles in modern data protection. PbD emphasizes embedding privacy into IT systems throughout their lifecycle using seven proactive principles. Privacy by Default ensures the highest privacy settings are applied automatically. Together, these concepts form the foundation for many global privacy laws and best practices, supporting ethical, user-focused data protection strategies.
This lecture outlines the four stages of the privacy governance life cycle: assess, protect, sustain, and respond. These stages provide a structured approach to managing personal data across its lifecycle. It covers how to evaluate program gaps, implement safeguards, monitor and improve performance, and handle privacy incidents or regulatory requests. The life cycle ensures compliance, reduces risk, and supports continuous program improvement.
This lecture explains the importance of establishing a privacy program, driven by accountability, business motivations, and ethical considerations. It emphasizes the need to implement policies that protect individual rights and comply with laws. Business benefits include consumer trust, enhanced reputation, and risk reduction. Other reasons include supporting global operations, enabling ethical data practices, and using privacy as a competitive advantage.
This lecture explains how a strong privacy program can serve as a strategic advantage. It draws on data showing that investments in privacy increase trust, loyalty, and brand value—returning $2.70 for every $1 spent. Examples include Apple’s success with App Tracking Transparency and surveys showing that consumers prefer and reward brands that prioritize data protection. The lecture also highlights compliance and risk mitigation as key reasons organizations build privacy into their business models.
This lecture clarifies the differences between policies, processes, and procedures using the example of a data breach. A policy sets high-level principles and outlines the “why,” a process maps out the “what” by detailing steps to achieve an outcome, and a procedure explains the “how” with specific instructions. Understanding these distinctions is essential for structuring effective and compliant privacy programs and ensuring a clear chain of action during incidents or routine operations.
This lecture introduces a five-step roadmap for building a privacy governance framework. It starts with defining a vision and mission, then moves to scoping the program, creating a strategy, developing a governance framework, and structuring the team. These foundational elements help organizations manage privacy risks, align with stakeholders, and meet strategic objectives through rules, practices, and processes tailored to data protection.
This lecture outlines the U.S. sectoral approach to privacy, where different industries follow their own laws and regulators. Key laws include HIPAA (healthcare), GLBA (finance), COPPA (children’s privacy), and PCI-DSS (payment card processing). It also covers state-level data breach notification laws, which vary in scope and thresholds but require notifying affected parties when certain personal data is compromised.
This lecture expands on industry-specific privacy obligations across ten sectors: healthcare, financial, telecommunications, online, government, education, video, marketing, energy, and human resources. It discusses how privacy laws differ depending on data types (e.g., PHI in healthcare), sector-specific risks (e.g., smart home tech in energy), and the applicable regulatory landscape. Each sector poses unique challenges and requirements for data protection compliance.
This lecture introduces key federal privacy laws in the healthcare and financial sectors. It covers HIPAA and HITECH, which regulate health data and electronic records, and financial laws like FCRA, FACTA, and GLBA, which address credit reporting, identity theft, and the sharing of nonpublic personal information. Each law is tied to specific regulators and outlines unique compliance obligations.
This lecture focuses on privacy regulations in telecommunications, government, and education. It introduces the TCPA and Do Not Call Registry for telemarketing, the Privacy Act of 1974 and ECPA for federal agency records and electronic communications, and FERPA, which protects students’ education records. The laws highlight how privacy rules vary by context and data type.
This lecture highlights privacy laws in marketing, video services, and other sectors. Covered laws include CAN-SPAM for email marketing, VPPA for video rental data, and three broad protections: the FTC Act (unfair/deceptive practices), DPPA (driver data), and COPPA (children’s online data). Together, they illustrate the fragmented nature of U.S. privacy law.
This lecture reviews the CCPA, California’s foundational privacy law, which grants consumers rights to access, delete, and opt out of the sale of their personal data. It explains business obligations such as responding to data requests, posting privacy notices, and honoring opt-out signals. Enforcement is handled by the state attorney general and the CPPA, with fines up to $7,500 per violation.
This lecture outlines how the CPRA amends the CCPA, expanding consumer rights (e.g., to correct data and limit sensitive information use), introducing new definitions and thresholds for businesses, and creating the California Privacy Protection Agency. It adds obligations like contractual controls and privacy-by-design, and requires businesses to adopt data retention policies while increasing penalties, especially for violations involving minors.
This lecture provides a high-level overview of global privacy law frameworks, focusing on the OECD Guidelines and APEC Privacy Framework. It explains their shared principles—such as accountability, data quality, and transparency—and introduces international standards bodies like ISO, IEC, and IEEE. The lecture also covers privacy-related standards including ISO/IEC 27701 and ISO/IEC 29134, and provides a mnemonic device to help learners remember the core principles shared across many jurisdictions.
This lecture introduces the GDPR as the EU’s comprehensive data protection law, outlining its goals, scope, and global impact. It covers Articles 1–3, including the law’s objectives, material scope (e.g., data types covered), and territorial scope (including extraterritorial application). The lecture emphasizes how GDPR grants individuals greater control over personal data and imposes strict obligations on organizations inside and outside the EU.
This lecture outlines GDPR rights such as data access, deletion, portability, and the ability to withdraw consent. It covers key organizational obligations like appointing a Data Protection Officer (DPO), maintaining a Record of Processing Activities (RoPA), and performing Data Protection Impact Assessments (DPIAs). It also highlights regulator powers, including enforcement actions and fines of up to 20 million euros or 4% of annual revenue.
This lecture focuses on GDPR’s rules for transferring personal data to “third countries.” It explains Article 45 adequacy decisions, and alternative mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and Data Transfer Impact Assessments (DTIAs). It also examines regulatory concerns around government surveillance, human rights standards, and data security in the recipient country.
This lecture introduces Brazil’s LGPD, which came into effect in 2020 and was inspired by the GDPR. It details consumer rights such as access, correction, anonymization, and consent withdrawal. Organizational requirements include privacy by design, breach notification, and cross-border data compliance. The lecture also discusses regulator authority, including enforcement powers and financial penalties of up to 2% of a company’s revenue in Brazil per infraction.
This lecture introduces China’s Personal Information Protection Law (PIPL), which became effective in November 2021. It outlines GDPR-like requirements for commercial entities but clarifies that it does not restrict the Chinese central government’s access to data. Key topics include obligations for private-sector organizations and penalties for noncompliance, with fines reaching up to RMB 50 million (approximately USD $7 million) or 5% of annual revenue for grave violations.
This lecture explores self-regulation in privacy through standards, industry bodies, trust marks, and codes of conduct. It explains the role of frameworks like PCI-DSS and organizations such as the DMA and NAI. Trust marks (e.g., TrustArc, McAfee) signal compliance with privacy or security standards. The lecture also introduces voluntary codes of conduct, including those aligned with GDPR Article 40, which help organizations demonstrate accountability and good practice.
This lecture covers penalties for privacy violations, including financial and non-financial consequences. It examines penalty structures under HIPAA, GDPR, and CCPA, emphasizing the importance of enforcement for accountability and behavior change. Examples include GDPR’s tiered fines (up to €20 million or 4% of global turnover) and the FTC’s $5 billion penalty against Facebook in 2019. Non-financial penalties include warnings, data processing bans, and recertification requirements, reinforcing that compliance is a baseline, not an endpoint.
Copies of the PowerPoint slides from the lectures in three formats: color, black and white (for printing), and review slides only.
This lecture introduces mission and vision statements as foundational tools for shaping a privacy program. A mission statement defines an organization’s purpose and current focus, while a vision statement describes its future aspirations. The lecture emphasizes aligning both statements with broader organizational goals and securing leadership approval. Examples from companies like Google, Amazon, and Signal illustrate how clear, purposeful messaging can inspire internal alignment and guide strategic decision-making.
This lecture covers how to define the scope of a privacy program by identifying the types of personal data collected, applicable jurisdictions, and regulatory obligations. It explains how to gather this information through manual methods (like interviews) or automated tools. Topics include GDPR’s Article 30 on Records of Processing Activities, data lifecycle mapping, and aligning scope with business models and risk tolerance. The lecture provides key questions to ensure comprehensive scope definition.
This lecture explores four privacy regulatory models—sector-specific, comprehensive, co-regulatory, and self-regulatory—and the challenges of managing overlapping and evolving laws. It highlights the need to understand the data lifecycle, global and cultural nuances, and the absence of requirements in some jurisdictions. Examples include GDPR (comprehensive), HIPAA (sectoral), and frameworks in Australia and Japan. The lecture advises applying the organization’s highest standards when legal clarity is lacking.
This lecture defines a privacy strategy as a high-level, organization-wide plan for managing personal data. Using ISACA’s five components—data, people, processes, technology, and rules—it outlines how to align the strategy with mission and vision statements. The lecture stresses that privacy is a team sport, requiring buy-in from leadership, sales, developers, and more. It closes by emphasizing that every organization’s approach must be unique and risk-aware.
This lecture provides guidance on building support for a privacy strategy. It covers how to identify and engage key internal stakeholders—managers, executives, and cross-functional partners—through interviews and collaboration. It explains how to find a program “champion” to advocate for resources and drive visibility. The lecture also discusses forming a multidisciplinary team and fostering strong relationships to integrate privacy into organizational culture and operations.
This lecture explains the value of conducting workshops to build buy-in, train stakeholders, and establish a baseline understanding of privacy concepts. Workshops provide a space for open Q&A, clarify regulatory obligations, and foster shared ownership of data protection. The lecture emphasizes the importance of documenting workshop agendas, minutes, and action items to demonstrate accountability, support audits, and meet legal requirements.
This lecture defines a framework as the combination of processes, tools, and standards that guide privacy program management. It discusses attributes of successful frameworks, such as supporting compliance, addressing risk, and embedding privacy throughout business functions. Frameworks can be categorized into principles/standards and laws/regulations. They help identify gaps, assign accountability, and provide a common language for managing privacy and cybersecurity risks.
This lecture introduces core privacy principles and standards that shape privacy frameworks globally. It covers Fair Information Practices (FIPs), OECD Guidelines, Generally Accepted Privacy Principles (GAPP), the CSA Privacy Code, APEC’s Privacy Framework, ETSI standards, and the NIST Privacy Framework. A mnemonic—“Fluffy Owls Gather Cookies And Eat Noisily”—helps learners remember them. These principles guide ethical data handling, privacy compliance, and international interoperability.
This lecture offers a deep dive into the NIST Privacy Framework, a voluntary, risk-based model for managing privacy risks. It outlines three components: Core (privacy activities), Profile (organization-specific practices), and Tier (maturity levels). The framework promotes cross-functional collaboration, transparency, and accountability, and is law-agnostic and adaptable to any sector. It uses a maturity model approach inspired by MITRE, progressing from “initial” to “optimized” stages.
This lecture reviews key privacy laws and regulations that can shape a privacy framework. It covers Canada’s PIPEDA, the GDPR, Binding Corporate Rules (BCRs), HIPAA, and cross-border mechanisms like the now-invalidated EU-U.S. Privacy Shield and its successor, the Data Privacy Framework. The lecture also discusses the role of Data Protection Authorities (DPAs), such as France’s CNIL, in offering regulatory guidance and enforcing privacy rights.
This lecture explains how to harmonize privacy and security obligations across laws, regulations, and frameworks. It introduces the concept of “rationalizing” requirements—implementing unified solutions like breach notification policies that satisfy multiple rules at once. It distinguishes between commonalities (e.g., notice, consent, purpose limitation) and outliers, such as stricter local or sector-specific regulations. The lecture emphasizes applying the strictest standard to simplify compliance and minimize risk across jurisdictions.
This lecture introduces the concept of GRC—Governance, Risk, and Compliance. It defines governance as the system that guides programs and balances stakeholder interests, risk as the potential for harm (Risk = Threat × Vulnerability), and compliance as maintaining auditable evidence that policies meet legal requirements. The lecture also explains what it means for a policy to be “auditable” and stresses the importance of controls and documentation in effective program oversight.
This lecture explores how privacy technologies and GRC tools support compliance and risk management. Privacy tech includes data discovery, mapping, redaction, deidentification, and incident response tools. GRC tools help organizations create, manage, and map policies to legal requirements while assessing control effectiveness. Vendors offer solutions like consent management, DSAR support, cookie compliance, and data activity monitoring to streamline privacy operations.
This lecture reviews centralized, decentralized, and hybrid governance models for privacy programs. Centralized models offer consistency but can be rigid, while decentralized models are agile but may duplicate efforts. Hybrid models balance global oversight with local flexibility. The lecture also discusses structuring privacy teams, documenting roles, and aligning governance models with organizational authority and strategic needs.
This lecture emphasizes that privacy is a shared responsibility across departments. It covers the cross-functional nature of privacy programs, the importance of training and awareness, and the role of privacy champions and governance bodies. Effective implementation relies on collaboration between central privacy teams and local representatives who adapt policies to specific functions, jurisdictions, and operational needs.
This lecture outlines the wide range of teams that support privacy efforts across an organization. It highlights the roles of departments such as Learning and Development, IT, Information Security, Legal, Procurement, HR, Internal Audit, Risk, Product R&D, and more. Each function contributes uniquely—whether it’s incorporating privacy into system design, managing employee data, ensuring contract compliance, or embedding privacy in strategic planning. Privacy is positioned as a collaborative, organization-wide responsibility.
This lecture defines key privacy roles and their responsibilities, from executive to technical levels. It covers positions such as Chief Privacy Officer, privacy managers, analysts, legal counsel, and business line leaders. Technical roles like privacy engineers and technologists are also included, as are “first responders” who address privacy incidents. The lecture emphasizes how each role contributes to policy implementation, risk mitigation, and overall program success.
This lecture focuses on the role of the Data Protection Officer (DPO) and when one is required under laws like the GDPR and Brazil’s LGPD. It outlines the DPO’s duties, including monitoring compliance, advising on DPIAs, and reporting to senior leadership. It also identifies jurisdictions with similar roles (e.g., South Korea, Canada) and clarifies criteria for mandatory appointment, such as large-scale monitoring or processing of sensitive data.
This lecture details the responsibilities of privacy program managers, who define objectives, assess risks, and implement privacy policies. Their tasks include overseeing governance, coordinating incident response, conducting privacy impact assessments, tracking legal developments, and promoting training and awareness. Program managers ensure compliance while aligning privacy strategies with business objectives and adapting to changing technological and regulatory environments.
This lecture explores additional structural, educational, and functional considerations for building a privacy team. It discusses team hierarchy, role documentation, evaluation methods, and alignment with customer needs. It also reviews typical privacy leader titles and essential skills—such as risk management, project management, information security, and AI literacy. Certifications and ongoing education are emphasized as tools for professional growth and program effectiveness.
This lecture introduces data governance as a comprehensive approach to collecting, managing, securing, and storing data. It highlights the DIKW pyramid (Data, Information, Knowledge, Wisdom) and positions data as a strategic asset. The DAMA-DMBOK framework is introduced, covering ten knowledge areas from architecture and storage to quality and metadata. A mnemonic—“Amazed Martian Silently Sang In Delight, Riding Wild Magic Quokka”—helps learners remember core framework elements.
This lecture explains the strategic, managerial, and operational roles within a data governance program. Strategic roles (e.g., C-suite) define policies; managerial roles (e.g., data owners) ensure data meets business needs; and operational roles (e.g., data stewards) handle day-to-day management. Each level plays a critical part in maintaining effective data governance and aligning data practices with organizational goals.
This lecture defines data inventories (or data maps) as tools to identify, categorize, and track data across an organization. It outlines responsibilities (typically shared by privacy, governance, and IT teams) and steps to build an inventory, including documenting data types, formats, uses, storage, transfers, and retention. Inventories support legal compliance, risk analysis, and data quality improvement efforts.
This lecture focuses on GDPR’s requirement to maintain Records of Processing Activities (RoPA). It details the mandatory elements—such as processing purposes, data categories, recipients, safeguards, and retention policies—and identifies key stakeholders to interview. Exemptions apply to organizations with fewer than 250 employees under specific conditions. RoPA must be documented and provided to regulators upon request.
This lecture introduces four categories of privacy risk: legal, operational, reputational, and strategic. It explains the risk equation (Risk = Threat × Vulnerability) and illustrates common scenarios using real-world examples. The Three Lines Model is introduced to define roles in risk management: operational staff (first line), compliance functions (second line), and internal audit (third line). The lecture emphasizes proactive controls like training, encryption, and privacy-by-design.
This lecture introduces privacy assessments as tools for measuring compliance, monitoring systems, mitigating risks, and supporting audits or incident responses. It explains when to conduct assessments—during development, pre-deployment, at regular intervals, or after a security incident—and who is responsible (e.g., auditors, DPOs, business leads, or regulators). It also clarifies how privacy assessments differ from PIAs and DPIAs, providing a roadmap for selecting the right approach based on organizational context.
This lecture defines a Privacy Impact Assessment (PIA) as a proactive tool for identifying and mitigating privacy risks in projects, systems, or services. It outlines when PIAs are needed (e.g., new data collection, digitization, or third-party involvement) and why they’re essential for compliance and privacy-by-design. The lecture also introduces variations used globally, such as Transfer Impact Assessments (EU), Relatório de Impacto (Brazil), and Privacy Threshold Analyses (U.S.).
This lecture focuses on how Privacy Impact Assessments (PIAs) are implemented in the U.S., particularly within federal agencies. It discusses requirements under the E-Government Act of 2002, the Privacy Act of 1974, and OMB Memorandum M-03-22. It also introduces Privacy Threshold Analyses (PTAs), which help determine if a full PIA is needed based on data types, sharing practices, and technical safeguards.
This lecture presents ISO 29134, which provides guidelines for conducting PIAs. It outlines a five-step process: identify PII flows, analyze the use case, select controls, assess risk, and treat privacy risks using ISO standards like 27002 and 29151. It also covers follow-up actions, including publishing the PIA report and reviewing the treatment plan. Report components include scope, risks, requirements, and final decisions.
This lecture explains Data Protection Impact Assessments (DPIAs), which are mandatory under GDPR for high-risk processing activities. It reviews triggers for DPIAs, such as automated decision-making or large-scale processing of sensitive data. Article 35 of the GDPR and guidance from the former Article 29 Working Party are discussed. Organizations must document why a DPIA was or wasn’t conducted and maintain detailed processing records if risks are identified.
This lecture continues the discussion of DPIAs, focusing on minimum features outlined by the WP29, including processing purpose, necessity, proportionality, and risk mitigation. It explores the UK ICO’s DPIA process and the concept of proportionality—ensuring data use aligns with objectives without being excessive. The lecture also covers supervisory authorities’ roles and when consultation is required, such as in cases of unresolved high risks or potential threats to individuals’ rights, freedoms, or safety.
This lecture addresses the privacy implications of artificial intelligence. It explores challenges such as bias, discrimination, data minimization, and black-box decision-making. It recommends ensuring lawful, fair, and transparent use of AI and highlights tools like privacy-enhancing technologies (e.g., differential privacy and federated learning). The lecture also introduces governance frameworks including the NIST AI Risk Management Framework and ISO/IEC 42001 for responsible AI development and deployment.
This lecture explains how organizations can use attestations for internal accountability in privacy programs. Attestation involves assigning responsibilities, drafting straightforward questions to assess compliance, and collecting supporting evidence. An example includes HR demonstrating adherence to privacy policies through documentation such as consent forms and training records. The goal is to foster transparency and clarify ownership of privacy-related tasks.
This lecture introduces the CIA Triad—Confidentiality, Integrity, and Availability—as the foundation of information security. It compares this to the DAD triad (Disclosure, Alteration, Destruction) and explains the overlap between information security and cybersecurity. It also outlines three types of risk controls: administrative (e.g., policies), technical (e.g., firewalls), and physical (e.g., locks and guards), all essential for safeguarding digital and non-digital information.
This lecture focuses on physical and environmental security, covering protections for personnel, equipment, and facilities. It details controls like fences, CCTV, access badges, disaster preparedness, and redundancy systems. The lecture also introduces NIST SP 800-88 guidelines for data sanitization, explaining methods to clear, purge, or destroy physical media to prevent unauthorized data recovery and ensure secure disposal.
This lecture explains how to evaluate vendors using due diligence and service-level agreements (SLAs). It covers reviewing vendors’ financial health, incident response plans, security practices, certifications (e.g., ISO 27001), and training programs. SLAs should clearly outline privacy, security, and compliance responsibilities, including breach protocols and data disposition terms. Vendor management is essential for mitigating third-party risk and ensuring accountability.
This lecture introduces cloud computing and its advantages, including cost savings, scalability, and simplified IT management. It explains three service models—Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)—and the differences among public, private, and hybrid cloud types. Organizations must assess the shared responsibility model and choose the right configuration for performance, security, and compliance needs.
This lecture focuses on evaluating vendors in cloud environments, using the Cloud Industry Forum (CIF) Code of Practice. It emphasizes assessing certifications (e.g., ISO 27001), interoperability, data management policies, cybersecurity measures, and subcontractor relationships. Transparency, assurance, and adherence to standards are key to maintaining trust and control in cloud vendor partnerships.
This lecture explains how the GDPR governs vendor relationships through Article 28, which requires controllers to use only processors offering “sufficient guarantees.” Contracts must include specific clauses related to breach assistance, auditing rights, and controller instructions. Due diligence, certifications, and assurance mechanisms are crucial for compliance across the processor supply chain.
This lecture outlines CCPA requirements for vendor relationships, focusing on disclosures, consumer rights, and business obligations. It explains the broad definition of “selling” data and distinguishes between service providers, persons, and third parties. Contracts must specify processing purposes and prohibit resale or misuse of data. Businesses must track all recipients and ensure compliance through tailored service agreements.
This lecture explores privacy considerations during organizational changes such as mergers, acquisitions, and divestitures. It covers conducting gap analyses to identify compliance risks, evaluating existing contracts and data assets, and assessing changes in legal obligations. The lecture also highlights the importance of documenting data transfers, ensuring technical safeguards, and respecting data processing principles like lawfulness, accuracy, and transparency.
Leave a five-star review to help others find the CIPM Certification Masterclass on Udemy or Google and surface it in the algorithm, supporting more content for you and the community.
This lecture introduces Privacy by Design (PbD), a proactive approach to embedding privacy into IT systems throughout their lifecycle. It covers the seven PbD principles—like default privacy, transparency, and end-to-end security—and GDPR Article 25 and Recital 78. Learners explore key GDPR principles (e.g., lawfulness, purpose limitation) using mnemonics, and practice visualizing data movement using data flow diagrams to identify risks and apply controls.
A Beginner's Guide to Data Flow Diagrams
This lecture provides a foundational overview of information security, focusing on the CIA triad: Confidentiality, Integrity, and Availability. It explains the risk management process—identifying, controlling, and monitoring risks—and offers examples like insider threats, ransomware, and IoT vulnerabilities. Control types (administrative, technical, physical) and categories (preventive, detective, corrective) are introduced alongside the Information Security Management System (ISMS) as a framework for safeguarding sensitive data.
This lecture explores the relationship between information security and privacy through a comparative lens. It explains key divergences (e.g., InfoSec doesn’t cover Fair Information Practice Principles) and overlaps like data integrity and authorized access. Learners review data classification schemes for InfoSec and privacy, explore the identifiability spectrum, and examine scenarios where context alters data sensitivity. The lecture concludes with strategies for alignment between InfoSec and privacy teams.
This lecture explains access controls as tools to regulate user access to systems and data. It introduces the components—authentication, authorization, and auditing—and explores principles like role-based access control (RBAC), segregation of duties, least privilege, and need-to-know. Identity Access Management (IAM) is discussed as a comprehensive framework, including policies like unique IDs, 2FA, password management, and access audits to enforce secure and appropriate system access.
This lecture outlines four types of administrative policy controls: laws and regulations, self-regulation, industry practices, and corporate policies. Examples include GDPR (e.g., deletion rights), PCI-DSS encryption standards, GAPP’s consent mechanisms, and Apple’s App Tracking Transparency. Each control type includes an authority, a requirement, and a mechanism—illustrating how organizations use policy to manage privacy and compliance risks in both mandated and voluntary frameworks.
This lecture covers technical controls that protect personal data, including obfuscation techniques (e.g., pseudonymization), data minimization strategies, encryption, and access controls. It introduces Privacy-Enhancing Technologies (PETs) such as differential privacy, homomorphic encryption, and secure multi-party computation. These tools aim to reduce exposure and misuse of sensitive data while supporting regulatory compliance and ethical data handling.
This lecture defines a privacy policy as an internal, high-level document that outlines an organization’s privacy strategy, goals, and operational approach. It contrasts policies with privacy notices—external documents aimed at public transparency. The lecture covers policy characteristics such as clarity, comprehensiveness, action orientation, and measurability. It also emphasizes the policy’s role in guiding stakeholders and allocating resources
This lecture breaks down the key components of a privacy policy, including its purpose, scope, and applicability. It outlines roles and responsibilities, compliance expectations, penalties for noncompliance, and the rules or standards the policy supports. The lecture emphasizes accountability by clearly defining duties, enforcement authority, and monitoring mechanisms across the organization.
This lecture discusses how to effectively communicate privacy policies and plan for related budgeting needs. It highlights the importance of internal communication plans—including identifying audiences, delivery methods, and maintaining ongoing engagement. Budget considerations include costs for technology, services, and administrative tasks like policy drafting, training, and audits. Clear communication fosters compliance and program adoption.
This lecture reviews policies that support privacy programs, such as Acceptable Use Policies (AUPs) and information security policies. It outlines AUP components like user responsibilities, monitoring disclosures, and legal limitations. InfoSec policies are designed to protect confidentiality, integrity, and availability (CIA), with specific provisions for password management, software usage, data logging, and risk assessments.
This lecture defines acquisition as the full life cycle of obtaining goods or services and procurement as the specific process of sourcing and purchasing. It highlights vendor policy and contract considerations, emphasizing that vendors must meet the same privacy and security standards as internal staff. Topics include risk assessment, legal requirements, certifications, and contract clauses such as incident response, access controls, data disposal, and audit rights.
This lecture introduces vendor risk management (also known as third-party or VMP). It focuses on mitigating legal, regulatory, contractual, and financial risks. VMP objectives include ensuring accountability, describing data handling practices, and preventing misuse. The same frameworks apply to all cloud environments—public, private, or hybrid—ensuring consistency and compliance across external partnerships.
This lecture explores how HR policies can help protect personal data. It defines Human Resources and Human Resources Management (HRM) as encompassing workforce functions from recruitment to compliance. Key policy areas include access authorization, data handling, BYOD, social media use, workplace monitoring, and health programs—all aimed at safeguarding personally identifiable information (PII) and aligning staff behavior with privacy objectives.
This lecture explains why organizations need disposition policies—to support data minimization, reduce liability, and control storage costs. It covers how to develop policies by identifying what data to retain, legal or industry requirements, and business impacts. Implementation involves communication, training, workflow integration, and coordination with IT, while considering jurisdictional and functional differences across the organization.
This lecture introduces performance metrics as quantifiable tools to evaluate a privacy program’s success and efficiency. It explains key terminology—like KPIs, KRIs, and metrics lifecycle—and outlines common metrics such as incident response rates, training completion, and PIA completion. Learners explore how metrics support data-driven decision-making, accountability, resource planning, and strategic growth. A case example includes measuring systems with PII and privacy controls.
This lecture emphasizes aligning the right metric with the right audience, distinguishing internal (e.g., DPOs, leadership, HR) and external (e.g., sponsors, shareholders) stakeholders. It outlines the role of a metrics owner—someone responsible for maintaining data quality, ensuring relevance, and communicating insights through visualizations. The lecture underscores that metrics must reflect audience priorities and compliance responsibilities.
This lecture covers various methods of analyzing privacy metrics, including trend analysis, return on investment (ROI), and statistical trending. It explains how to detect patterns, manage outliers, and assess the financial impact of privacy initiatives. A case study from Cisco shows a $2.70 ROI for every $1 spent on privacy, along with reduced breach costs and competitive advantages for organizations investing in privacy programs.
This lecture continues exploring analysis techniques by introducing business resiliency and program maturity. It presents the Privacy Maturity Model (PMM), developed by AICPA/CICA, which includes five levels: Ad Hoc, Repeatable, Defined, Managed, and Optimized. The model helps organizations measure their privacy capability and drive continuous improvement. The lecture concludes with guidance on assessing baseline maturity across program areas.
This lecture focuses on metrics used in DPO and organizational reporting. It covers core categories such as systems and data (e.g., intrusion attempts), legal compliance (e.g., DSARs, erasure requests), and advisory functions (e.g., training, PIA timelines). Additional reporting metrics may include budget, staffing, and volume of personal data handled. Emphasis is placed on selecting meaningful metrics that demonstrate compliance and program effectiveness.
This lecture explores the tools and types of continuous monitoring in a privacy program. It covers compliance monitoring (e.g., audits, risk management), legal and regulatory changes, and network environments using IDS/IPS tools. It also emphasizes monitoring training and awareness metrics. Tools include GRC systems, data discovery, breach tracking, and third-party assessments. Effective monitoring supports accountability, early issue detection, and regulatory compliance.
This lecture defines audits as structured assessments of a privacy program’s effectiveness, compliance, and implementation. It outlines audit phases: planning, preparation, execution, reporting, and follow-up. Audits help identify gaps, suggest remediation, and provide evidence of compliance. They serve various stakeholders—from regulators and industry bodies to internal leadership—by offering transparency and guiding improvements in privacy governance.
This lecture introduces the three main types of audits: first-party (internal), second-party (conducted by customers or partners), and third-party (independent organizations). Each type serves a different purpose—internal benchmarking, contractual validation, or formal certification. The lecture explains how third-party audits align with standards like ISO or NIST and why first- and second-party audits are essential for readiness and relationship management.
This lecture presents key findings from IBM and Verizon’s 2024 reports. Highlights include a $4.88M average breach cost, 292 days to contain breaches involving compromised credentials, and a $1M cost reduction when law enforcement is involved in ransomware cases. Verizon reports that 68% of breaches involved non-malicious human error. These statistics underscore the need for robust privacy and security practices.
This lecture distinguishes training (skill-building) from awareness (attention-focusing) and outlines how both contribute to privacy and security readiness. Referencing NIST SP 800-50 and SP 800-16, it explains how to design and implement effective programs. Key elements include role-specific content, training attestations, gamification, and integration with cybersecurity and data governance efforts. The lecture emphasizes tailoring content to job roles and maintaining ongoing education.
This lecture explores how privacy professionals can use incidents—especially data breaches—as opportunities for organizational change. It emphasizes the critical “72-hour window” following an incident, during which leadership is highly engaged. The lecture encourages using this period to advocate for resources, launch training, and improve processes. It also recommends sharing lessons learned through post-mortems, developing engaging awareness content, and promoting cultural change using memorable slogans and stories.
This lecture outlines how to build internal and external privacy awareness campaigns. Internally, it stresses cross-functional collaboration, assessing department readiness, and using incidents as learning tools. Externally, it focuses on building trust and demonstrating commitment to privacy. The lecture concludes with guidance on operationalizing awareness through communication strategies and updating organizational policies to reflect campaign goals and feedback.
This lecture reviews a variety of delivery methods for training and awareness efforts, emphasizing repetition to drive behavior change. Recommended mediums include in-person and virtual classes, newsletters, intranet content, handouts, memes, competitions, and “lunch and learn” sessions. The lecture also highlights the importance of timely reminders and leveraging other training platforms (e.g., cybersecurity, data governance) to reinforce key privacy messages.
This lecture explains the importance of using metrics to measure the success of privacy training and awareness programs. It presents ideas for what to track, such as event topics, participation rates, hours taught, training mediums, knowledge check results, and incident trends. These metrics help organizations make data-driven decisions, prioritize resources, improve content, and demonstrate compliance and engagement to stakeholders.
This lecture explains the purpose and structure of privacy notices, which are public-facing disclosures that describe an organization’s data practices. It covers their contractual nature under U.S. law—violating a notice may constitute a breach of contract—and outlines typical contents: contact info, data uses, tracking technologies, and rights. It also introduces the notice lifecycle, including development, approval, publication, and periodic review.
This lecture introduces layered, just-in-time, and dashboard-based privacy notices. Layered notices provide a concise summary followed by detailed legal terms. Just-in-time notices appear when data is collected, often on mobile devices. Icon-based notices use visual cues for data practices, while dashboards give users control over settings. The lecture also references CCPA requirements, including notices at data collection and opt-out options for data sales.
This lecture explores whether notice alone is a sufficient proxy for consent, concluding it often falls short. It reviews GDPR’s six lawful bases for processing and critiques the “notice and consent” model for problems like information overload and dark patterns. The lecture defines opt-in and opt-out consent models and emphasizes the need for express, meaningful user choices under privacy frameworks like GDPR.
This lecture reviews how various laws regulate children’s data and consent. It covers GDPR, COPPA, CCPA, and Canada’s OPC, each setting different age thresholds and requirements. For example, COPPA requires parental consent for children under 13, while GDPR allows member states to set thresholds between 13–16. The lecture emphasizes designing notices with age-appropriate language and limiting data collection for minors.
This lecture surveys individual rights under key U.S. federal laws. It covers the FCRA (access to credit reports), HIPAA (access to and amendment of health records), the Do Not Call Registry, CAN-SPAM (email opt-outs), the Privacy Act of 1974 (federal agency data access), and FOIA (right to access government records with some exemptions). Each law grants specific rights tailored to the data and context.
This lecture introduces early U.S. state privacy laws that provide data subject rights. It covers CalOPPA and DOPPA, which require privacy notices and restrict harmful marketing to minors. Nevada’s law mandates disclosure of third-party tracking. California’s Shine the Light Law enables residents to request data-sharing disclosures for marketing, while the Online Eraser Law allows minors to request content removal from websites and apps—even though data posted by third parties may be exempt.
This lecture explores more recent state laws including the CCPA and CPRA, which grant California residents rights to access, delete, or restrict use of personal and sensitive data. It also covers Virginia’s CDPA, Colorado’s Privacy Act, and Nevada’s updated NPICICA. The lecture ends with biometric privacy laws from Illinois (BIPA), Texas (CUBI), and Washington, all of which mandate written notice, consent, and purpose-specific use of biometric data.
This lecture outlines GDPR Articles 7 and 12–18, which establish key rights like transparent communication, access (Art. 15), rectification (Art. 16), erasure (Art. 17), and restriction of processing (Art. 18). It emphasizes that consent must be freely given, and data subjects must be informed clearly and in plain language. The right to be forgotten includes a duty to notify third parties and exceptions for freedom of expression and legal claims.
This lecture continues with GDPR Articles 19–23. It covers rights such as data portability (Art. 20), objection to processing (Art. 21), and limits on automated decision-making (Art. 22). Article 23 allows member states to impose restrictions for reasons like national security. The lecture emphasizes the burden of proof placed on controllers and highlights balancing individual rights with legitimate business or governmental interests.
This lecture surveys data subject rights across six Asian jurisdictions. China’s PI Security Specification introduces seven privacy principles. Japan’s APPI aligns closely with GDPR. Malaysia and Singapore’s PDPA laws mandate access within 21–30 days. South Korea has one of the strictest frameworks, requiring detailed notices and explicit consent. Thailand’s PDPA permits anonymization in place of deletion and limits the right to amend data.
This lecture reviews data subject rights in Australia, Canada, Latin America, and New Zealand. Australia allows access and amendment requests within 30 days, often for a fee. Canada’s PIPEDA and proposed CPPA provide access, amendment, and anti-spam rights. Latin American countries grant rights like access, amendment, and objection via comprehensive legislation. New Zealand’s Privacy Act 2020 guarantees access and correction rights within 20 days, with exceptions for third-party data exposure.
This lecture outlines the responsibilities of data controllers when responding to Data Subject Access Requests (DSARs). Controllers must verify identity, acknowledge the request, and respond within 1–3 months. Required processes include handling proxy requests, children’s data, and redacting third-party information. Controllers may charge fees for excessive requests and must document denied rights. Employees must also recognize and escalate objections appropriately.
This lecture introduces key incident response terms: an event is any observable network occurrence; an incident suggests a threat to confidentiality, integrity, or availability; a data breach involves unauthorized data modification, access, deletion, or exfiltration (MADE); an attack is a deliberate security breach attempt; and a vulnerability is a system weakness. It concludes by emphasizing incident response as a structured approach to managing security events.
This lecture provides data to support investment in incident response. The 2024 IBM report cites a global average breach cost of $4.88M, or $169 per lost record, with U.S. breaches averaging $9.36M. Breaches are mostly caused by malicious actors (55%), followed by IT failures (23%) and human error (22%). Use of AI can reduce breach costs by up to $2.2M. Legal risks include fines, lawsuits, and regulatory scrutiny.
This lecture emphasizes the difference between prevention (stopping a breach) and preparedness (responding effectively when it happens). It outlines the steps of preparedness: building a plan, training, insurance, and vendor management. Plan creation begins with understanding organizational data and compliance requirements. Considerations include stakeholder roles, PII inventory, third-party involvement, and past breach lessons. Suggested stakeholders range from IT and compliance to the board of directors.
This lecture focuses on three core elements of preparedness: training, cyber-liability insurance, and vendor management. It explains who should be trained, what mediums to use (e.g., video, tabletop exercises), and why preparation builds organizational resilience. It also outlines key insurance components like forensic services and credit monitoring, and emphasizes including incident response clauses in vendor contracts to ensure readiness across the supply chain.
This lecture details the roles of leadership and front-line teams in responding to incidents. It covers responsibilities of the board, business development, C-suite, compliance, customer service, and cybersecurity/IT. From maintaining system inventories to managing communications with regulators and clients, each group plays a vital role in ensuring a swift, coordinated response.
This lecture expands on organizational roles in incident response, focusing on finance, HR, legal, marketing/PR, union leadership, and external vendors. It explores functions such as managing breach costs, handling employee investigations, ensuring legal compliance, managing reputational damage, and supporting affected individuals with services like credit monitoring. Each role contributes to limiting harm and restoring business continuity.
This lecture explains the role of a Business Continuity Plan (BCP) in maintaining operations during disruptions. It introduces the tabletop exercise (TTX) as a method to test readiness, and covers the strategic benefits of BCPs, such as reducing liability, improving security, and protecting brand reputation. Training ROI data reinforces the value of preparedness, with up to 562% return on investment reported.
This lecture outlines the steps involved in managing a privacy or security incident. It divides the process into three phases: detection, notification, and remediation. It describes methods of detection (e.g., IDS, employee reports), the structure of an incident report form, and the importance of cross-functional collaboration. HR, IT, and security must work together to contain incidents and document responses thoroughly.
This lecture outlines how to investigate a data incident, including collecting forensic evidence, containing threats, and coordinating with legal teams. Key steps involve capturing a system image, segmenting networks, patching vulnerabilities, and documenting actions. Legal teams help define the event (incident or breach), preserve evidence under attorney-client privilege, and manage risk. Stakeholder notifications, including coordination with insurers and forensic vendors, are also addressed.
This lecture explores the principles and logistics of notifying affected individuals after a breach. It explains how to assess whether a breach is reportable, based on factors like encryption and misuse. Notification components include verifying impacted individuals, sending letters, and offering support services like credit monitoring. Timelines vary by jurisdiction, so legal teams must guide compliance with global requirements.
This lecture explains how to communicate about a breach internally, externally, and with regulators. Internally, messaging should follow a need-to-know approach. External efforts include press releases and call center coordination, often with crisis communications support. Regulator communication must follow jurisdictional rules. The lecture also offers best practices for crafting notification letters and managing call centers for post-breach support.
This lecture focuses on the roles and responsibilities involved in breach remediation. Key parties include remediation vendors, letter distributors, and call centers. Tasks include generating activation codes, designing secure websites, training staff, and distributing letters. Effective remediation requires detailed tracking of metrics (e.g., deadlines, enrollments, calls) and regular reporting to leadership and compliance teams.
This lecture emphasizes the importance of post-incident reflection and cost analysis. Organizations should conduct after-action reviews to assess what went well, what didn’t, and what needs improvement. Common cost categories include legal, public relations, forensic services, call centers, equipment replacement, insurance, training, and remediation. These insights help organizations improve resilience and prepare for future incidents.
* Fully updated and comprehensive coverage of version 4.2 of the CIPM Body of Knowledge (July 2026). *
Welcome to the CIPM Certification Masterclass. My name is Dr. Kyle David. I'm here to help you pass your CIPM certification exam.
Getting your CIPM certification is an excellent career move.
The CIPM certification is the gold standard for data privacy program management.
Demand for qualified privacy professional's worldwide is BOOMING.
The average salary for privacy professionals is USD $146,000.
This CIPM course covers all 6 domains in comprehensive detail. The 6 domains are:
Privacy Program: Developing a Framework
Privacy Program: Establishing Program Governance
Privacy Program Operational Life Cycle: Assessing Data
Privacy Program Operational Life Cycle: Protecting Personal Data
Privacy Program Operational Life Cycle: Sustaining Program Performance
Privacy Program Operational Life Cycle: Responding to Requests and Incidents
This course includes:
14+ hours of CIPM video lectures: Comprehensive coverage of all 6 domains.
400 scenario-based practice questions. Test your comprehension as you progress through the course.
Free downloadable CIPM study guides: Made from my lecture slides.
Access to Dr. David's Discord channel: To get live support from me and others as you prepare for the CIPM exam.
CIPM Mnemonics: To help you remember key details for the exam.
An automatic certificate of completion: To flex on your friends, family, and colleagues.
30-day no questions asked, money-back guarantee.
Offline video viewing on the Udemy mobile app.
Start your CIPM certification journey today and let me help YOU get certified!