EY Job Study

1. Data-Privacy Regulations & Core Concepts

This area covers the foundational knowledge of global privacy laws and their principles. Here's what it entails:

✅ What to Learn

GDPR (General Data Protection Regulation – EU):
Key Articles:
Art. 5 – Principles of processing
Art. 6 – Lawful bases for processing
Art. 12–23 – Data Subject Rights (DSRs)
Art. 30 – Records of Processing Activities (RoPA)
Art. 33–34 – Breach Notification
Art. 35 – DPIA
Art. 44–50 – International Transfers
Roles: Data Controller vs Data Processor
Consent, Legitimate Interest, Contractual Necessity
Fines (up to €20M or 4% of annual turnover)
CCPA/CPRA (California):
Consumer Rights: Access, Deletion, Correction, Opt-Out
"Sale" vs "Share" of personal data
Sensitive Personal Information (SPI) classification
Concepts like “Do Not Sell or Share My Info”
Service Provider vs. Third Party
Enforcement by California Privacy Protection Agency (CPPA)
Other Global Regulations (High-level):
Brazil LGPD, Saudi PDPL, South Africa POPIA, India DPDP, etc.
Compare their scope, definitions, consent requirements, penalties

💡 Key Pointers for Interview

Be ready to explain data subject rights and how you’d operationalize them.
Discuss how GDPR applies extra-territorially (even if the company isn't in the EU).
Highlight how you interpret the legal basis for processing in practical scenarios.
Mention differences between GDPR and CCPA—especially in terminology and obligations.

📚 Recommended Study Resources

IAPP CIPP/E Textbook & Exam Blueprint
EU GDPR: A Practical Guide to Implementing – by IT Governance
CCPA Compliance Guide – TrustArc
GDPR Summary by ICO (UK)
IAPP Daily Dashboard – Stay current on regulatory trends

2. PIA, DPIA & Data Mapping

✅ What to Learn

PIA (Privacy Impact Assessment): General term used for assessing privacy risks in any data-processing initiative.
DPIA (Data Protection Impact Assessment): Specific GDPR-mandated assessment required when processing is likely to result in high risk to individuals' rights.
When DPIAs are required: Large-scale profiling, tracking, processing sensitive data, surveillance.
Steps:
Describe processing & purpose
Assess necessity & proportionality
Identify risks to individuals
Suggest mitigation strategies
Data Mapping:
Identify data categories (PII, SPI, etc.)
Understand data flows (source, destination, systems, third parties)
Record of Processing Activities (RoPA)

💡 Key Pointers

Be able to walk through a DPIA you’ve conducted or a mock scenario.
Mention tools used (e.g., OneTrust, Excel-based templates).
Stress collaboration with Legal, IT, Security teams.

📚 Resources

ICO DPIA Guide + Template
OneTrust Academy – DPIA module
IAPP articles on effective data mapping
Nymity DPIA Best Practices

3. Privacy-Strategy & Roadmaps

✅ What to Learn

Building a Privacy Program from scratch:
Governance model
Roles (DPO, privacy leads)
Budgeting and timelines
Communication plan
Using maturity models (e.g., initial → repeatable → defined → managed → optimized)
Key elements: assessments, gap analysis, policies, training, audits, automation

💡 Key Pointers

Have a sample 12-month roadmap ready: Gap Assessment → Policy Dev → DPIA → Training → Monitoring.
Show understanding of business alignment: link privacy to risk, reputation, customer trust.

📚 Resources

IAPP whitepaper: "How to Build a Privacy Program"
NIST Privacy Framework
ISO/IEC 27701 (privacy extension to ISO 27001)
Gartner or Forrester Maturity Models

4. DPP Policies & Procedures

✅ What to Learn

Key policies:
Data Protection Policy
Retention Policy
DSAR Handling Policy
Breach Notification Policy
Third-party Management
Structure of a good policy: scope, responsibilities, definitions, procedures, enforcement

💡 Key Pointers

Highlight policy version control, stakeholder approvals, and review cycles.
Explain how you operationalize policies (e.g., integrate DSAR procedure into ticketing system).

📚 Resources

ISO 27701 Annex A
IT Governance GDPR policy toolkit
NIST 800-53 Controls for procedural references

5. Implementation of Controls

✅ What to Learn

Technical Controls: Encryption, pseudonymization, access controls, logging, MFA.
Organizational Controls: Vendor due diligence, data handling procedures, staff training.
Risk treatment strategies: Avoid, Accept, Mitigate, Transfer

💡 Key Pointers

Connect controls back to specific privacy risks and GDPR Articles.
Be ready to describe a control failure and how you addressed it.

📚 Resources

NIST 800-53 (Security & Privacy Controls)
CIS Controls v8
ISO/IEC 27001 Annex A + 27701

6. Training Content & Cross-Functional Enablement

✅ What to Learn

Types of training: onboarding, role-based, annual refreshers
Content development: plain language, real-life case studies, simulations
Assessment & feedback loops

💡 Key Pointers

Walk through a sample training deck outline.
Highlight how you tailor training by role (e.g., HR vs. Dev teams).

📚 Resources

IAPP Training Framework
OneTrust & TrustArc course templates
LinkedIn Learning – Corporate Training Design

7. Privacy RFPs & Effort Estimation

✅ What to Learn

Components of an RFP response:
Executive Summary
Methodology
Deliverables
Pricing & Effort Estimation
Estimation techniques:
Work Breakdown Structure (WBS)
Past project analogies
Timeboxing

💡 Key Pointers

Show how you handle assumptions and risk buffers in estimation.
Understand typical scope: DPIA, data mapping, policy development, tool implementation.

📚 Resources

Sample Privacy RFPs (on Upwork, RFPIO)
PMI PMBOK Guide (for effort estimation models)

8. Industry Trends & Standards

✅ What to Learn

Emerging regulations: India DPDP, UAE DPL, China PIPL
Trends:
AI and Privacy
PETs (Privacy Enhancing Technologies)
Decentralized Identity
Cross-border transfer mechanisms (e.g., SCCs, DPF)

💡 Key Pointers

Mention tools you use to stay current (e.g., IAPP Dashboard, newsletters).
Share a recent regulatory update you followed and how it could affect companies.

📚 Resources

IAPP Daily Dashboard
Future of Privacy Forum (whitepapers)
TechCrunch, Wired (for applied privacy trends)

9. Risk-Assessment Frameworks

✅ What to Learn

Frameworks:
ISO 31000
NIST Risk Management Framework (RMF)
FAIR Model (quantitative risk)
Mapping privacy risks: likelihood × impact matrix, risk scoring, mitigation planning

💡 Key Pointers

Talk through a sample privacy risk register.
Describe how you presented risk to execs using visual dashboards.
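To have a concrete register to talk through, here is an added worked example (written for this study guide, not taken from ISO 31000, NIST RMF or FAIR): a small privacy risk register scored on a 5×5 likelihood × impact matrix, banded into ratings, ordered for mitigation planning, and checked against a risk appetite. The register entries, band thresholds, appetite value and GDPR references are constructed for illustration; an organisation sets its own.

```python
# Added example for this study guide (not from ISO 31000, NIST or FAIR): a small
# privacy risk register scored on a 5x5 likelihood x impact matrix, banded into
# ratings, prioritised, and checked against a risk appetite. Entries, thresholds
# and the appetite value are constructed for illustration.
from dataclasses import dataclass, replace

# Assumed scale: likelihood and impact each 1 (lowest) to 5 (highest), score = L x I.
# Band thresholds are a constructed example; an organisation sets its own.
BANDS = [(20, "critical"), (12, "high"), (6, "medium"), (1, "low")]
RISK_APPETITE = 6            # highest score the business accepts without sign-off
TREATMENTS = {"avoid", "mitigate", "transfer", "accept"}


@dataclass(frozen=True)
class PrivacyRisk:
    risk_id: str
    description: str
    likelihood: int
    impact: int
    treatment: str           # one of TREATMENTS
    owner: str
    gdpr_ref: str = ""       # article the risk maps back to, for traceability

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1-5, got {value}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        for threshold, label in BANDS:
            if self.score >= threshold:
                return label
        return "low"


def prioritise(register):
    """Highest score first; ties broken by id so the order is stable for reporting."""
    return sorted(register, key=lambda r: (-r.score, r.risk_id))


def needs_escalation(risk, appetite=RISK_APPETITE):
    """Accepting a risk above appetite requires documented senior sign-off."""
    return risk.treatment == "accept" and risk.score > appetite


def residual(risk, likelihood_after, impact_after):
    """Same risk re-scored after planned mitigation (the residual-risk column)."""
    return replace(risk, likelihood=likelihood_after, impact=impact_after)


def summarise(register):
    """Counts per rating band, the figure an exec dashboard usually shows."""
    counts = {}
    for risk in register:
        counts[risk.rating] = counts.get(risk.rating, 0) + 1
    return counts


# Constructed sample register (illustrative, not from a real assessment).
SAMPLE_REGISTER = [
    PrivacyRisk("R1", "DSAR responses sent to unverified requesters", 3, 4, "mitigate", "Privacy Ops", "Art. 12, 15"),
    PrivacyRisk("R2", "Analytics vendor keeps raw identifiers past contract end", 2, 5, "transfer", "Procurement", "Art. 28"),
    PrivacyRisk("R3", "Test environments seeded with production customer data", 4, 4, "avoid", "Engineering", "Art. 5(1)(c), 25"),
    PrivacyRisk("R4", "Staff directory exported to spreadsheets for events", 4, 2, "accept", "HR", "Art. 5(1)(f)"),
]


if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        flag = " ESCALATE" if needs_escalation(r) else ""
        print(f"{r.risk_id} {r.score:>2} {r.rating:<8} {r.treatment:<8} {r.owner}{flag}")
    print(summarise(SAMPLE_REGISTER))
```

The `needs_escalation` check is the part interviewers tend to probe: a register is only credible if "accept" above appetite is visibly flagged for sign-off rather than quietly parked, and the `residual` column is what shows whether the planned mitigation actually brings the score inside appetite.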

📚 Resources

FAIR Institute: Risk Taxonomy
NIST SP 800-37
ISO 31000:2018 Summary Guide

10. Privacy Engineering & “Privacy by Design”

✅ What to Learn

Privacy by Design (PbD): Embedding privacy from system design to disposal.
Hoepman’s 8 Strategies: Minimize, Hide, Separate, Aggregate, Inform, Control, Enforce, Demonstrate.
Secure SDLC + privacy threat modeling

💡 Key Pointers

Give examples of privacy built into tech (e.g., masked logs, data minimization in forms).
Discuss DevSecOps or CI/CD integration with privacy.
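As an added illustration of the two examples in the pointer above (this is example code written for this study guide, not from any product or author named on the page), the block below shows keyed pseudonymization of direct identifiers, which is Hoepman's "Hide" strategy, and masking of personal data in log lines before they are written, which is data minimization applied to logging. The key value, the regular expressions and the sample log lines are all constructed assumptions; real patterns must be tested against the organisation's own log format.

```python
# Added example for this study guide (not from any product or author named on the
# page): keyed pseudonymization of direct identifiers (Hoepman's "Hide") and masking
# of personal data in log lines (data minimization in what gets logged).
import hashlib
import hmac
import re

# Assumption: in a real deployment the key comes from a secrets manager or HSM and
# is rotated under a documented procedure. A constructed placeholder keeps the
# example runnable offline.
PSEUDONYM_KEY = b"placeholder-key-load-from-secrets-manager"


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Return a stable, keyed pseudonym for a direct identifier.

    HMAC-SHA256 is used instead of a plain hash: without the key, nobody can
    re-identify a pseudonym by hashing a list of candidate emails and comparing.
    Normalising first means the same person maps to one pseudonym across systems,
    which analytics needs, while the raw identifier stays out of the dataset.
    Under GDPR this is still personal data (Recital 26); keep the key separate.
    """
    normalized = identifier.strip().lower()
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymize_record(record: dict, direct_identifiers=("email", "customer_id")) -> dict:
    """Replace direct identifiers in a record with pseudonyms; other fields pass through."""
    out = {}
    for key, value in record.items():
        if key in direct_identifiers:
            out[f"{key}_pseudonym"] = pseudonymize(str(value))
        else:
            out[key] = value
    return out


# Patterns for the log masking step. These are tuned to the constructed log format
# below; real deployments must test them against their own samples, because
# over-broad patterns hit timestamps and under-broad ones leak data.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+\d[\d\s-]{8,14}\d")          # international format only
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.\d{1,3}\b")


def mask_log_line(line: str) -> str:
    """Mask emails, phone numbers and the last IPv4 octet before a line is written."""
    line = EMAIL_RE.sub(lambda m: m.group(0)[0] + "***@" + m.group(0).split("@", 1)[1], line)
    line = PHONE_RE.sub("[PHONE]", line)
    line = IPV4_RE.sub(lambda m: f"{m.group(1)}.{m.group(2)}.{m.group(3)}.0", line)
    return line


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2024-05-01T12:34:56Z INFO login ok user=alice.smith@example.com ip=203.0.113.42",
    "2024-05-01T12:35:10Z WARN otp resend phone=+44 7700 900123 user=bob@example.org",
]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(mask_log_line(line))
    print(pseudonymize_record({"email": "Alice.Smith@example.com", "plan": "pro"}))
```

Two design points worth raising in an interview: a keyed pseudonym (HMAC) is deliberately chosen over a bare SHA-256 because an unkeyed hash of an email address is trivially reversible from a list of known addresses, and masking is done at the point of logging rather than in a later scrubbing job, so the raw value never reaches log storage, backups or the SIEM in the first place.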

📚 Resources

Privacy Engineering by Ian Oliver or Mink
CIPT (IAPP) official curriculum
OWASP Privacy Threat Modeling cheat sheets

11. Privacy-Tech Enablement & GRC Tools

✅ What to Learn

Tools: OneTrust, Archer, TrustArc, BigID
Core modules: Data mapping, DPIAs, RoPA, Vendor Management, DSAR automation
Integration with ticketing (e.g., ServiceNow), SIEM, or IAM systems

💡 Key Pointers

Talk about tool adoption lifecycle: POC → configuration → rollout → reporting.
Mention strengths & weaknesses of the tools you've used.

📚 Resources

OneTrust Academy
RSA Archer University
YouTube: BigID/TrustArc demos

12. Documentation & Communication Skills

✅ What to Learn

Writing clear, structured documents: policies, reports, DPIAs
Reporting to stakeholders: privacy KPIs, dashboards, audit summaries
Adapting language for legal, tech, and business teams

💡 Key Pointers

Share a writing sample (even a redacted one).
Use frameworks like Pyramid Principle to structure briefings.

📚 Resources

The Pyramid Principle by Barbara Minto
Harvard Business Review: “How to Write Executive Summaries”
Grammarly + Hemingway tools for clarity
