UMGC Privacy Compliance Strategy Essay

Project 4 – Privacy Compliance Strategy
Description
For this project, you will leverage your research from Projects #1, #2, and #3 to develop a privacy
compliance strategy for your chosen company. The deliverable for this project will be a Privacy
Compliance Strategy that includes a legal and regulatory analysis for privacy laws and regulations. The
scope for this project will be laws and regulations from the United States (federal and state) and the
European Union.
Research
1. Review your selected company’s Form 10-K to identify privacy related risks which the company
disclosed to investors and shareholders. You will use these and additional privacy-related risks,
identified through your readings and research, to construct a privacy compliance profile.
2. Read Chapters 1 and 2 of the NIST Privacy Framework: A tool for improving privacy through
enterprise risk management. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01162020.pdf
3. Review the Audit and Compliance control family in NIST SP 800-53 (section 3.3).
4. Review one or more reports written by privacy analysts about privacy issues affecting global
businesses:
a. 2010 Ponemon Report: How Global Organizations Approach the Challenge of Protecting
Personal Data
https://www.ponemon.org/local/upload/file/ATC_DPP%20report_FINAL.pdf
b. 2019 Thomson Reuters GDPR Report Business’ struggle with data privacy: Regulatory
environment continues to evolve rapidly
https://legalsolutions.thomsonreuters.co.uk/blog/wp-content/uploads/sites/14/2019/12/Thomson-Reuters-GDPR-Report.pdf
c. 2021 blog from PrivacyPolicies.com Global Privacy Laws Explained
https://www.privacypolicies.com/blog/global-privacy-laws-explained/
5. Review existing and proposed privacy legislation for U.S. jurisdictions (states): Association of
Privacy Professionals (IAPP) https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
6. Review the privacy guidance for the European Union’s General Data Protection Regulation
https://gdpr.eu/
7. Review the Fact Sheet for the Trans-Atlantic Data Privacy Framework
https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/fact-sheet-united-states-and-european-commission-announce-trans-atlantic-data-privacy-framework/
8. Find and review additional authoritative sources which discuss (a) specific privacy-related legal
or regulatory non-compliance events (lawsuits, fines, etc.) impacting large, global companies
and (b) the business and financial impacts arising from compliance failures (violations) for
privacy laws and regulations.
Analyze Privacy Compliance Issues, Risks, and Mitigations
1. Identify the five most important privacy issues which your chosen company must address as
part of its enterprise risk management program. You should focus on strategic issues, e.g. lack of
management support, lack of resources, rapidly changing external politico-legal privacy
environment, lawsuits and fines arising from non-compliance, etc. For each issue, identify the
legal and regulatory drivers from both the U.S. (federal and state) and the European Union.
2. Identify 10 or more privacy-related legal or regulatory compliance risks arising from your
identified privacy issues. For each risk, identify the specific law or regulation that imposes
privacy requirements upon your selected company. You may reuse privacy-related risks from
your previous projects. Present your risks using the Table 1 template found at the end of this
file.
3. For each identified compliance risk, identify one or more security controls (from NIST SP 800-53)
which could be implemented to reduce or mitigate the compliance risk. Audit and Compliance
Controls should be included in your mitigation profile. Remember that you need one or more
controls that will be the audit targets. You may reuse work from your previous projects but you
should make sure that the selected controls actually address mitigations for PRIVACY
COMPLIANCE risks. If they do not, you must select controls which do address compliance. Enter
this information into Table 2 found at the end of this file.
Write
1. An introduction section which identifies the company being discussed and provides a brief
introduction to the company (you may reuse some of your narrative from Project #1 and/or
Project #2). Your introduction should include a brief overview of the company’s business
operations and include a description of the purpose and contents of this Privacy Compliance
Strategy deliverable.
2. A separate analysis section (Privacy Issues Impacting [company]) in which you present 10 or
more Privacy Issues which you identified from your reading and research. For each issue, you
should present your analysis of why this issue is important for your selected company. You
should also discuss the legal and regulatory drivers which make this issue important for your
company. What are the non-compliance risks associated with these issues? (Discuss at least 3.)
3. A separate analysis section (Privacy Compliance Risk Profile) in which you present your privacy-related
compliance risks. Provide an introductory paragraph that explains the relationship
between the previously identified privacy issues and your privacy compliance risk profile. You
should discuss the type of information presented in Table #1 Privacy Compliance Risk Profile
(use the template at the end of this file – this is a different table than used in previous projects)
and what sources were used to obtain this information. Your completed table should have 10 or
more entries. Describe the process and documents used to construct Privacy Compliance Risk
Profile. Place Table #1 at the end of this section (remember to delete the sample text).
4. A separate analysis section (Privacy Compliance Controls Profile) in which you present your
Privacy Compliance Controls Profile. Provide an introductory paragraph that explains the privacy
compliance controls profile, e.g., what information is contained in the table and what sources
were used to obtain this information. Describe the process and documents used to construct
the Privacy Compliance Controls Profile. Your profile should have 10 or more rows entered into
Table #2. Place Table #2 at the end of this section (remember to delete the sample text).
5. A separate section (Privacy Compliance Risk Mitigation Strategy) in which you present a high-level
strategy for implementing the risk mitigations (security controls) presented earlier in this
deliverable. This section should include a summary of the business problem (reduce privacy-related
risks arising from legal and regulatory requirements for privacy protections), the general
types of privacy-related risks to be mitigated (focus on the CIA triad and summarize the risks you
previously identified), the timeframe for implementing each element of your strategy, and the
benefits of implementing an enterprise strategy for reducing privacy-related compliance risks.
6. A separate Recommendations and Conclusions section which provides a summary of the
information contained in this deliverable and presents your concluding statements regarding the
business need and business benefits which support implementing your Privacy Compliance Risk
Mitigation Strategy and the allocation of resources by the company.
Additional Information
1. Your 8 to 10 page deliverable should be professional in appearance with consistent use of fonts,
font sizes, colors, margins, etc. You should use headings and sub-headings to organize your
paper. Use headings which correspond to the content rows in the rubric – this will make it easier
for your instructor to find required content elements and will help you ensure that you have
covered all required sections and content in your paper.
2. The INFA program requires that graduate students follow standard APA style guidance for both
formatting and citing/reference sources. Your file submission must be in MS Word format
(.docx). PDF, ODF, and other types of files are not acceptable.
3. You must include a cover page with the course, the assignment title, your name, your
instructor’s name, and the due date. Your reference list must be on a separate page at the end
of your file. These pages do not count towards the assignment’s minimum page count.
4. You are expected to write grammatically correct English in every assignment that you submit for
grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c)
verifying that your punctuation is correct and (d) reviewing your work for correct word usage
and correctly structured sentences and paragraphs.
5. You are expected to credit your sources using in-text citations and reference list entries. Both
your citations and your reference list entries must follow APA Style guidance. Use of required
readings from the course as sources is expected and encouraged. Where used, you must cite
and provide references for these readings.
6. When using Security and Privacy controls from NIST SP 800-53, you must use the exact
numbering and names (titles) when referring to those controls. This information does not need
to be treated as quotations. You may paraphrase or quote from the descriptions of the controls
provided that you appropriately mark copied text (if any) and attach a citation for both quoted
and paraphrased information.
7. Table 1. Privacy Compliance Risk Profile for [company]

Columns: Risk ID; Privacy Risk Title; Description; Risk Category; Impact Level

Risk ID: 001
Privacy Risk Title: Unauthorized disclosure of privacy-related customer information.
Description: Unauthorized disclosure or access to privacy-related customer data could result in
non-compliance with [law], [law], [regulation: section].
Risk Category: People
Impact Level: Medium

Risk IDs 002 through 010: rows left blank in the template for your entries.
Table 2. Privacy Compliance Controls Profile

Columns: Risk ID; Risk Title; Compliance Risk Mitigation Strategy; Security Controls

Risk ID: 001
Risk Title: Unauthorized disclosure of privacy-related customer information.
Compliance Risk Mitigation Strategy: Implementation of role-based access controls will reduce the
compliance-related risk arising from failure to control access to privacy-related customer
information. Compliance will be improved by (a) auditing access and access permissions to ensure
that least privilege is implemented and enforced and (b) review of audit records and external
sources to detect unauthorized disclosures of privacy-related information.
Security Controls: AC-3 (7) Access Enforcement | Role Based Access Control; AC-3 (11) Access
Enforcement | Restrict Access to Specific Information Types; AU-2 Event Logging; AU-6 Audit Record
Review, Analysis, and Reporting; AU-13 Monitoring for Information Disclosure

Risk IDs 002 through 010: rows left blank in the template for your entries.