Hello and welcome to the Infosec Skills CIPM. That's the IAPP's Certified Information Privacy Manager course. My name is Ralph O'Brien and it'll be my pleasure to spend a little bit of time with you over the next few modules, making sure that you learn everything you need to know to pass the CIPM. So welcome. [LAUGH]

A few things about me before we get started. I've been in privacy for 22 years now, a consultant and trainer to lots of global organizations. In fact, I started here in the UK in the public sector, mainly looking at information sharing agreements in the public sector and helping organizations such as the police and the ICO to write their audit manuals. I now spend my time helping global companies to comply with security and privacy standards, and I'm extremely privileged to have contributed to some of those security standards, such as ISO 27001 and ISO 27771. What I really enjoy doing at the moment is speaking and training to multiple organizations. In my private life, you'll also find that I make sure I spend a lot of time traveling, sort of a citizen of the world, let alone a citizen of Europe, and I enjoy all things geeky. So you'll probably find me watching Star Wars, rolling some dice, painting models, discussing the latest Marvel or DC, or watching Doctor Who. But my real passion is privacy. It's what I do, it's what I love, it's my raison d'être. It's my reason to be, and actually it's a real privilege to work in a job that I love every day.

So let's talk about the CIPM, and let's talk about the CIPM exam. What I always advise people to do is to start by going to the common body of knowledge. You'll find the common body of knowledge on the IAPP website; you'll see the link there on the screen. What that common body of knowledge does is tell you the course agenda, if you like, the course outline. It tells you exactly what you need to know in order to pass.
And I've based these training videos on that common body of knowledge. To pass, you'll have to pass an exam. The exam will last 2.5 hours and it will be 90 questions. I'm recording this during COVID-19, early in 2021, and what that has meant is that, as well as doing things at their conferences and exam centers, the IAPP now lets you take the exam remotely; it can be remotely proctored. So that's a big advance and one of the things that COVID has done: rather than going to a training center, you can actually take it remotely. What tends to happen is they'll take control of your computer and look at you through the webcam as you sit the exam, and you'll get a sort of browser-based interface.

Now, there are 500 points available over those 90 questions, and to pass you need about 300 out of 500. But when you look at the common body of knowledge, you'll see that there are a number of modules in there, and you have to get that three-out-of-five proportion within each of the modules. You could be really good at one but not so good at the other, and it's not the total score of 300 out of 500 that counts; in each module you've got to get the required pass.

The question types: there are two separate types of question. One is a multiple choice, your A, B, C, D. You might get a question that says, which of these is the main European law for data protection? You'll get A, ePrivacy; B, Data Protection Act; C, Patriot Act; D, GDPR. Hopefully you identified ePrivacy and GDPR as probably the two best answers, but for the main European law on privacy you would circle or tick D for the GDPR. That's one type of question. The other type of question you'll find is what I'd call a scenario-based question. In this scenario you get given a small case study.
A small case study that says something like: so-and-so is a flower shop, so-and-so sells flowers, so-and-so buys a marketing database from so-and-so. Then a data breach happens, and then you might get four or five questions on that scenario. So the questions you might get might be: who is the controller? Who's the processor? [COUGH] Who might be responsible for the data breach? What do you have to worry about with international transfers, etc.? So the idea is about half scenario-based, half multiple choice, and the idea is that you get the correct answer from the common body of knowledge.

So how are we going to break down this course? We're going to break it down into a number of different sections, starting from the organizational context. The CIPM is really about managing a global privacy program; that's the content here. So we're going to be looking at the context of that global organization and how to break that down: how to set up a governance regime within the organization; what standards or frameworks you could apply to build your privacy program; what the global laws might be that affect or surround your compliance; how to assess where you are; how to document what it is you're doing, policies, procedures, that sort of thing; how to respond to individual rights requests; how to do training and awareness for your staff; how to protect the data in terms of security and how to manage security breaches. And then finally a section on continual improvement: monitoring, measuring, auditing, improving. So that's going to be the course breakdown. When you look at that common body of knowledge, you'll see we've tried to mirror it, but also to mirror the way you might actually go about doing a privacy program. If I were a new privacy professional, I'd come in, I'd establish what the organization is, set up my governance program and work out what framework I needed to use.
What laws apply, carry out some assessments, and then build my privacy program and then monitor and measure how well it goes. So I've tried to mirror that approach to building a practical privacy program.

So on that note, we're going to be using a case study. Loosely; we're not going to put too much on the case study, but just as a useful example, we've created an organization called MEDFORCE 1. MEDFORCE 1 is a pan-European, EU-based private medical support service provider. They provide nurses, and the nurses go into individuals' homes to assist them with whatever medical treatment they want. So this is private nursing, in-home care and support. Obviously you're going to have lots of customer data: their contact details, medical details, financial details on your main customers. So this is MEDFORCE 1.

MEDFORCE 1, however, have had a recent fright. They've had a data breach. There's been a negative audit finding from a public body inspection that has really caused the management to take privacy seriously, and they've decided to invest in privacy. What's been their main investment so far? Well, their main investment so far is you. You have been appointed to be the chief privacy officer, or head of privacy, for MEDFORCE 1's global operations. So it's your task to develop that privacy management program, that data protection compliance program, the way that MEDFORCE 1 is going to be dealing with privacy from this point onwards.

So without further ado, I think we'll jump into it. The next session is going to be on that first element, which is stakeholders, vision and alignment: how we go into MEDFORCE 1 and begin to break down who it is and what it is. Imagine you are, on day one, that privacy officer who's turned up at MEDFORCE 1. What we're going to do is begin the course by breaking down who they are and therefore what the requirements might be.
I look forward to seeing you.