CIPM Exam - Page 5 - ExamTopics

Uploaded by kayleesocool

Question #201 Topic 1

SCENARIO -

Please use the following to answer the next question:

You were recently hired by InStyle Data Corp. as a privacy manager to help InStyle Data Corp. become compliant with a new data protection law. The law mandates that businesses have reasonable and appropriate security measures in place to protect personal data. Violations of that mandate are heavily fined and the legislators have stated that they will aggressively pursue companies that don't comply with the new law.

You are paired with a security manager and tasked with reviewing InStyle Data Corp.'s current state and advising the business how it can meet the “reasonable and appropriate security” requirement. InStyle Data Corp. has grown rapidly and has not kept a data inventory or completed a data mapping. InStyle Data Corp. has also developed security-related policies ad hoc and many have never been implemented. The various teams involved in the creation and testing of InStyle Data Corp.'s products experience significant turnover and do not have well-defined roles. There is little documentation addressing what personal data is processed by which product and for what purpose.

Work needs to begin on this project immediately so that InStyle Data Corp. can become compliant by the time the law goes into effect. You and your partner discover that InStyle Data Corp. regularly sends files containing sensitive personal data back to its customers through email, sometimes using InStyle Data Corp. employees' personal email accounts. You also learn that InStyle Data Corp.'s privacy and information security teams are not informed of new personal data flows, new products developed by InStyle Data Corp. that process personal data, or updates to existing InStyle Data Corp. products that may change what or how the personal data is processed until after the product or update has gone live.

Through a review of InStyle Data Corp.'s test and development environment logs, you discover InStyle Data Corp. sometimes gives login credentials to any InStyle Data Corp. employee or contractor who requests them. The test environment only contains dummy data, but the development environment contains personal data, including Social Security Numbers, health information, and financial information. All credentialed InStyle Data Corp. employees and contractors have the ability to alter and delete personal data in both environments regardless of their role or what project they are working on.

You and your partner provide a gap assessment citing the issues you spotted, along with recommended remedial actions and a method to measure implementation. InStyle Data Corp. implements all of the recommended security controls. You review the processes, roles, controls, and measures taken to appropriately protect the personal data at every step. However, you realize there is no plan for monitoring and nothing in place addressing sanctions for violations of the updated policies and procedures. InStyle Data Corp. pushes back, stating they do not have the resources for such monitoring.

In order to mitigate the risk of new data flows, products, or updates that cause InStyle Data Corp. to be noncompliant with the new law, you should establish?

A. A process whereby privacy and security would be consulted right before the go-live date for the new data flows, products, or updates.

B. Best practices that require employees to sign an attestation that they understand the sensitivity of new data flows, products, or updates.

C. Access controls based on need-to-know basis for InStyle Data Corp. employees so that not everyone has access to personal data in data flows, products, or updates.

D. Requirements for a Privacy Impact Assessment (PIA) / Data Privacy Impact Assessment (DPIA) as part of the business’ standard process in developing new data flows, products, or updates. Most Voted

Correct Answer: D

Community vote distribution: D (100%)

Question #202 Topic 1

The least useful metric for optimizing the design of your data subject request workflow is tracking the number of data subjects who?

A. Made requests by geographic origin. Most Voted

B. Used an automated service for the request.

C. Made requests to know vs. requests to be deleted.

D. Authorized another person to make the request on their behalf.

Correct Answer: A

Community vote distribution: A (80%), B (20%)

Question #203 Topic 1

During a merger and acquisition, the most comprehensive review of privacy risks and gaps occurs when conducting what activity?

A. Transfer Impact Assessment (TIA).

B. Risk identification review.

C. Due diligence. Most Voted

D. Integration.

Correct Answer: C

Community vote distribution: C (100%)

Question #204 Topic 1

When vetting third-party processors of data protected by the General Data Protection Regulation (GDPR), why is it important to know the physical location of stored personal data from clients?

A. To determine their incident response time.

B. To determine the country laws that would govern the contract.

C. To determine the likelihood of a security breach in the location.

D. To ensure the country has adequate protection or if safeguards are required. Most Voted

Correct Answer: D

Community vote distribution: D (88%), other options 13%

Question #205 Topic 1

Which of the following conditions will definitely trigger a Data Protection Impact Assessment (DPIA)?

A. When a company acquires a new business entity.

B. When Human Resources engages a new employee benefit provider.

C. When a new system is deployed to track an individual’s location or behavior. Most Voted

D. When a new application is developed to track data subject access requests.

Correct Answer: C

Community vote distribution: C (100%)

Question #206 Topic 1

Which of the following information must be provided by the data controller when complying with the General Data Protection Regulation (GDPR) “right to access” requirements?

A. The purpose of personal data processing. Most Voted

B. The data subject’s right to withdraw consent.

C. The contact details of the Data Protection Officer (DPO).

D. The type of organizations with whom personal data was shared.

Correct Answer: A

Community vote distribution: A (75%), other options 13% and 13%

Question #207 Topic 1

Post-liquidation, a company that has acquired assets would require separate consent from a data subject if personally identifiable data were being retained for which purpose?

A. For tax purposes.

B. For analytical purposes.

C. To be able to ensure payment of pension funds.

D. To secure employment benefits for former employees.

Correct Answer: B
Question #208 Topic 1

Training and awareness metrics in a privacy program are necessary to?

A. Identify data breaches.

B. Implement privacy policies.

C. Demonstrate compliance with regulations. Most Voted

D. Educate customers on the organization’s data practices.

Correct Answer: C

Community vote distribution: C (78%), B (22%)

Question #209 Topic 1

A “right to erasure” request could be rejected if the processing of personal data is for?

A. An outdated original purpose.

B. Compliance with legal obligation. Most Voted

C. The offer of information society services.

D. The establishment of personal legal claims.

Correct Answer: B

Community vote distribution: B (100%)

Question #210 Topic 1

A marketing team regularly exports spreadsheets to use for analysis including customer name, birthdate and home address. These spreadsheets are routinely shared between members of various teams via email, even with employees who do not need such granular data.

What is the best way to lower overall risk?

A. Set up security measures in the company’s email client to prevent spreadsheets with customer information from accidentally being sent to external recipients.

B. Anonymize exportable data by creating categories of information, like age range and geographic region. Most Voted

C. Allow the free exchange of information to continue but require spreadsheets be password protected.

D. Allow only certain users to export customer data from the database.

Correct Answer: B

Community vote distribution: B (100%)

Question #211 Topic 1

The best way to help ensure that reasonable and appropriate security measures are in place to protect personal data is to establish?

A. A stricter credentialling process so that only employees, and not contractors, have access to sensitive personal data.

B. A privilege management process so that only certain employees or contractors have the ability to alter or delete personal data. Most Voted

C. A physical security policy that prohibits contractors from bringing personal devices into any environment, but permits employees to do so.

D. A quarterly audit of both the test and development environments to validate alterations or deletions of any data by employees and contractors.

Correct Answer: B

Community vote distribution: B (100%)

Question #212 Topic 1

As the Data Protection Officer (DPO) for the growing company, Vision 3468, what would be the most cost effective way to monitor changes in laws and regulations?

A. Engage an external lawyer.

B. Regularly engage regulators.

C. Attend workshops and interact with other professionals. Most Voted

D. Subscribe to mailing lists that report on regulatory changes.

Correct Answer: D

Community vote distribution: D (50%), C (50%)

Question #213 Topic 1

Which of the following is TRUE of a privacy program with decentralized governance?

A. A mid-level manager within the business is responsible for accepting privacy risks.

B. Privacy governance across the organization is mostly managed by one team or person.

C. Decision-making is delegated by senior management to lower levels in the organization.

D. A Chief Privacy Officer (CPO) sets privacy program priorities with input from privacy champions from relevant areas of the business. Most Voted

Correct Answer: C

Community vote distribution: C (67%), D (33%)

Question #214 Topic 1

SCENARIO -

Please use the following to answer the next question:

Liam is the newly appointed IT Compliance Manager at Mesa, a US-based outdoor clothing brand with a global E-commerce presence. During his second week, he is contacted by the company's IT Audit Manager, who informs him that the auditing team will be conducting a review of Mesa's privacy compliance risk in a month.

A bit nervous about the audit, Liam asks his boss what his predecessor had completed related to privacy compliance before leaving the company. Liam is told that a consent management tool had been added to the website and they commissioned a privacy risk evaluation from a small consulting firm last year that determined that their risk exposure was relatively low given their current control environment. After reading the consultant's report, Liam realized that the scope of the assessment was limited to breach notification laws in the US and the Payment Card Industry's Data Security Standard (PCI DSS).

Not wanting to let down his new team, Liam kept his concerns about the report to himself and figured he could try to put some additional controls into place before the audit. Having some privacy compliance experience in his last role, Liam thought he might start by having discussions with the E-commerce and marketing teams.

The E-commerce Director informed him that they were still using the cookie consent tool forcibly placed on the home screen by the CIO, but could not understand the point since their office was not located in California or Europe. The Marketing Director touted his department's success with purchasing email lists and taking a shotgun approach to direct marketing. Both Directors highlighted their tracking tools on the website to enhance customer experience while learning more about where else the customer had shopped. The more people Liam met with, the more it became apparent that privacy awareness and the general control environment at Mesa needed help.

With three weeks before the audit, Liam updated Mesa’s Privacy Notice himself, which was taken and revised from a competitor's website. He also wrote policies and procedures outlining the roles and responsibilities for privacy within Mesa and distributed the document to all departments he knew of with access to personal information.

During this time, Liam also filled the backlog of data subject requests for deletion that had been sent to him by the Customer Service Manager. Liam worked with application owners to remove these individuals' information and order history from the Customer Relationship Management (CRM) tool, the Enterprise Resource Planning (ERP) system, the data warehouse, and the email server.

At the audit kick-off meeting, Liam explained to his boss and her team that there may still be some room for improvement, but he thought the risk had been mitigated to an appropriate level based on the work he had done thus far.

After the audit had been completed, the Audit Manager and Liam met to discuss her team's findings, and much to his dismay, Liam was told that none of the work he had completed prior to the audit followed best practices for governance and risk mitigation. In fact, his actions only opened the company up to additional risk and scrutiny. Based on these findings, Liam worked with external counsel and an established privacy consultant to develop a remediation plan.

What maturity level should the internal audit assign to Mesa’s privacy policies and procedures if they use the Privacy Maturity Model (PMM)?

A. Ad-hoc. Most Voted

B. Defined.

C. Managed.

D. Repeatable.

Correct Answer: A

Community vote distribution: A (100%)

Question #215 Topic 1

SCENARIO - (the same scenario as Question #214; please use it to answer the next question.)

What key error related to program governance did Liam make prior to the audit kick-off meeting?

A. He asked stakeholders to delete customer data out of the CRM tool.

B. He met with stakeholders in marketing and E-commerce without the auditors.

C. He did not obtain approval of the newly written policies from senior management.

D. He did not properly escalate his concerns around the scope of the previous privacy review and develop a remediation plan with leadership support. Most Voted

Correct Answer: D

Community vote distribution: D (100%)

Question #216 Topic 1

SCENARIO - (the same scenario as Question #214; please use it to answer the next question.)

Why do Mesa's E-commerce and marketing efforts need to be compliant with the General Data Protection Regulation (GDPR)?

A. Mesa has a global E-commerce presence and may have customers in Europe. Most Voted

B. Mesa uses automated systems and tools to process personal data.

C. Mesa uses mailing lists and engages in direct marketing.

D. Mesa is US-based.

Correct Answer: A

Community vote distribution: A (100%)

Question #217 Topic 1

SCENARIO - (the same scenario as Question #214; please use it to answer the next question.)

The phases of an audit described in this narrative are Plan and ?

A. Prepare.

B. Audit.

C. Report. Most Voted

D. Follow-up.

Correct Answer: C

Community vote distribution: C (83%), A (17%)

Question #218 Topic 1

Under the General Data Protection Regulation (GDPR), international data transfer is allowed using the mechanisms in all of the following scenarios EXCEPT between companies who?

A. Are part of the same group of enterprises using approved Binding Corporate Rules (BCRs).

B. Have signed up to the EU Standard Contractual Clauses.

C. Have put in place a binding confidentiality agreement. Most Voted

D. Have put in place an approved code of conduct.

Correct Answer: C

Community vote distribution: C (100%)

Question #219 Topic 1

Which of the following is NOT an important factor to consider when developing a data retention policy?

A. Technology resource.

B. Business requirement.

C. Organizational culture. Most Voted

D. Data destruction method.

Correct Answer: C

Community vote distribution: D (50%), C (50%)

Question #220 Topic 1

Which of the following is legally binding and enforceable?

A. Organization for Economic Co-Operation and Development (OECD) Guidelines.

B. Asia-Pacific Economic Cooperation (APEC) Privacy Framework.

C. Binding Corporate Rules (BCRs).

D. ISO 27701.

Correct Answer: C
Question #221 Topic 1

Formosa International operates in 20 different countries including the United States and France.

What organizational approach would make complying with a number of different regulations easier?

A. Data mapping.

B. Fair Information Practices.

C. Rationalizing requirements.

D. Establish a privacy champion network.

Correct Answer: C

Question #222 Topic 1

The most direct way to ensure you are effectively communicating your privacy mission throughout your organization is to?

A. Ensure marketing activity is adequately resourced.

B. Evaluate the content in your privacy awareness program. Most Voted

C. Survey buy-in from your team and stakeholders on a privacy strategy.

D. Review the quantity of Data Protection Impact Assessments (DPIAs) to ensure completeness for every project.

Correct Answer: B

Community vote distribution: B (67%), C (33%)

Question #223 Topic 1

If done correctly, how can a Data Protection Impact Assessment (DPIA) create a win/win scenario for organizations and individuals?

A. By quickly identifying potentially problematic data attributes and reducing the risk exposure.

B. By allowing Data Controllers to solicit feedback from individuals about how they feel about the potential data processing.

C. By enabling Data Controllers to be proactive in their analysis of processing activities and ensuring compliance with the law.

D. By better informing about the risks associated with the processing activity and improving the organization’s transparency with individuals. Most Voted

Correct Answer: D

Community vote distribution: D (80%), A (20%)

Question #224 Topic 1

Which of the following is NOT recommended for effective Identity Access Management?

A. Demographics. Most Voted

B. Unique user IDs.

C. User responsibility.

D. Credentials (e.g., password).

Correct Answer: A

Community vote distribution: A (100%)

Question #225 Topic 1

You would like to better understand how your organization can demonstrate compliance with international privacy standards and identify gaps for remediation. What steps could you take to achieve this objective?

A. Carry out a second-party audit.

B. Consult your local privacy regulator.

C. Conduct an annual self-assessment.

D. Engage a third-party to conduct an audit.

Correct Answer: D

Question #226 Topic 1

If your organization has a recurring issue with colleagues not reporting personal data breaches, all of the following are advisable to do EXCEPT?

A. Review reporting activity on breaches to understand when incidents are being reported and when they are not, to improve communication and training.

B. Improve communication to reinforce to everyone that breaches must be reported and how they should be reported.

C. Provide role-specific training to areas where breaches are happening so they are more aware.

D. Distribute a phishing exercise to all employees to test their ability to recognize a threat attempt.

Correct Answer: D
Question #227 Topic 1

SCENARIO -

Please use the following to answer the next question:

Today is your first day at a fast-growing international real estate firm headquartered in New York, with offices in Canada and Germany. You are the firm's first ever privacy officer.

While touring the office to meet your new colleagues and learn the layout of the office, you notice piles of printing jobs left on the printer in the copy room. You also note a recycle bin and garbage can near the printers. With a quick glance, you see a completed loan application form printout with applicant name, social security number and home address lying in the recycle bin. You make a note to follow up immediately.

You are then introduced to the head of IT who gives you a warm welcome and explains his star project this year - enterprise CRM (Customer Relationship Management) mobility. He is very proud that he is leading this innovation that allows firm-wide employees to access the existing CRM database remotely from anywhere on the Internet. The business value of this mobility initiative is significant. Since he doesn't have internal web development expertise, he outsourced the development work to a small IT firm in New York that has just successfully delivered another IT initiative for the company.

After the tour you start working on a plan based on your observations. One immediate action is to schedule a meeting with the head of IT to discuss the CRM mobility project.

Which of the following actions should you take to measure the firm's privacy compliance status?

A. Prepare a data inventory.

B. Perform a vulnerability assessment.

C. Assess the current privacy program. Most Voted

D. Conduct a Privacy Impact Assessment (PIA).

Correct Answer: C

Community vote distribution: C (100%)

Question #228 Topic 1

SCENARIO -

Please use the following to answer the next question:

Today is your first day at a fast growing international real estate firm headquartered in New York, with offices in Canada and Germany. You are the

firm's first ever privacy officer.

While touring the office to meet your new colleagues and learn the layout of the office, you notice piles of printing jobs left on the printer in the

copy room. You also note a recycle bin and garbage can near the printers. With a quick glance, you see a completed loan application form

printout with applicant name, social security number and home address lying in the recycle bin. You make a note to follow up immediately.

You are then introduced to the head of IT who gives you a warm welcome and explains his star project this year - enterprise CRM (Customer

Relationship Management) mobility. He is very proud that he is leading this innovation that allows firm-wide employees to access the existing

CRM database remotely from anywhere on the Internet. The business value of this mobility initiative is significant. Since he doesn't have internal

web development expertise, he outsourced the development work to a small IT firm in New York that has just successfully delivered another IT

initiative for the company.

After the tour you start working on a plan based on your observations. One immediate action is to schedule a meeting with the head of IT to

discuss the CRM mobility project.

All of the following would address your concern of the printer room EXCEPT?

A. Placing a paper shredder in the printer room.

B. Initiating a Privacy Impact Assessment (PIA).

C. Hanging a poster reminding users to shred paper. Most Voted

D. Implementing a new paper record destruction policy.

Correct Answer: C

Community vote distribution


C (56%) B (44%)
Question #229 Topic 1

SCENARIO -

Please use the following to answer the next question:

Today is your first day at a fast growing international real estate firm headquartered in New York, with offices in Canada and Germany. You are the

firm's first ever privacy officer.

While touring the office to meet your new colleagues and learn the layout of the office, you notice piles of printing jobs left on the printer in the

copy room. You also note a recycle bin and garbage can near the printers. With a quick glance, you see a completed loan application form

printout with applicant name, social security number and home address lying in the recycle bin. You make a note to follow up immediately.

You are then introduced to the head of IT who gives you a warm welcome and explains his star project this year - enterprise CRM (Customer

Relationship Management) mobility. He is very proud that he is leading this innovation that allows firm-wide employees to access the existing

CRM database remotely from anywhere on the Internet. The business value of this mobility initiative is significant. Since he doesn't have internal

web development expertise, he outsourced the development work to a small IT firm in New York that has just successfully delivered another IT

initiative for the company.

After the tour you start working on a plan based on your observations. One immediate action is to schedule a meeting with the head of IT to

discuss the CRM mobility project.

While reviewing the contract with the firm the CRM mobility project was outsourced to, all of the following should be mandatory EXCEPT?

A. Right to audit.

B. Breach notification.

C. Security Commitment.

D. Service level agreements. Most Voted

Correct Answer: D

Community vote distribution


D (67%) C (17%) A (17%)

Question #230 Topic 1

Which of the following forms of monitoring is best described as ‘auditing’ when aligning with privacy program goals?

A. Evaluating operations, systems, and processes.

B. Tracking, reporting and documenting complaints from all sources.

C. Ensuring third parties have appropriate security and privacy requirements in place.

D. Evaluating the privacy risks associated with processing personal information in relation to a project, product, or service.

Correct Answer: A
Question #231 Topic 1

A systems audit uncovered a shared drive folder containing sensitive employee data with no access controls and therefore was available for all

employees to view. What is the first step to mitigate further risks?

A. Notify all employees whose information was contained in the file.

B. Check access logs to see who accessed the folder.

C. Notify legal counsel of a privacy incident.

D. Restrict access to the folder.

Correct Answer: D
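The finding in this question (a shared folder readable by every employee) and the answer (restrict access first, then investigate) can both be shown in code. The following is an added example, not part of the ExamTopics page or of any product it mentions. It assumes a POSIX file server where "no access controls" shows up as the "other" read bit on the directory; a Windows file share would need its ACLs inspected instead. The folder tree it scans is constructed inside the script purely for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample share (hypothetical; not from the page). Modes are POSIX
# permission bits. "hr/payroll" is the finding: readable by anyone on the host.
SAMPLE_TREE = {
    "hr": 0o750,          # owner + group only, so the parent itself is not flagged
    "hr/payroll": 0o777,  # world-readable and writable: the audit finding
    "hr/reviews": 0o770,  # shared with a group, not with everyone
    "hr/private": 0o700,  # owner only: acceptable
}


def build_sample_tree(root):
    """Create the constructed folders under root with the modes above."""
    for rel, mode in SAMPLE_TREE.items():
        p = Path(root) / rel
        p.mkdir(parents=True, exist_ok=True)
        os.chmod(p, mode)


def audit_open_folders(root):
    """The 'systems audit' step: return every directory under root whose
    'other' read bit is set, i.e. any local user can list its contents."""
    found = []
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            mode = os.lstat(p).st_mode
            if stat.S_ISDIR(mode) and mode & stat.S_IROTH:
                found.append(p)
    return sorted(found)


def restrict_folder(path):
    """The containment step (answer D): strip all group and other bits so only
    the owner can enter or read the folder. Returns the new permission bits.
    Log review and notifications come after this, once exposure has stopped."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    new_mode = mode & ~(stat.S_IRWXG | stat.S_IRWXO)
    os.chmod(path, new_mode)
    return new_mode


def run_demo():
    """Build the sample share in a temp dir, audit it, contain the finding,
    and re-audit. Returns (open_before, new_mode, open_after) with paths
    relative to the share root so the result is stable across machines."""
    root = tempfile.mkdtemp(prefix="share-")
    build_sample_tree(root)
    before = [os.path.relpath(p, root) for p in audit_open_folders(root)]
    new_mode = None
    for p in audit_open_folders(root):
        new_mode = restrict_folder(p)
    after = [os.path.relpath(p, root) for p in audit_open_folders(root)]
    return before, new_mode, after


if __name__ == "__main__":
    before, new_mode, after = run_demo()
    print("open before:", before)
    print("mode after restrict:", oct(new_mode) if new_mode is not None else None)
    print("open after:", after)
```

On a real share you would run the audit read-only first and record the output before changing anything, since the list of exposed folders is itself evidence for the incident record; the chmod here is deliberately blunt (owner only) because containment is about stopping further exposure, and the correct long-term group permissions are worked out afterwards.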

Question #232 Topic 1

While trying to e-mail her manager, an employee has e-mailed a list of all the company's customers, including their bank details, to an employee

with the same name at a different company.

Which of the following would be the first stage in the incident response plan under the General Data Protection Regulation (GDPR)?

A. Notification to data subjects.

B. Containment of impact of breach.

C. Remediation offers to data subjects.

D. Notification to the Information Commissioner’s Office (ICO).

Correct Answer: B
Question #233 Topic 1

You have just taken on the role of Data Governance Director at an energy corporation based in London, England. The company has been trading for

over 25 years and you soon learn that so far, the company has done little to control the use of customer information.

During the first few weeks you establish that despite attempts by your predecessor, the company has held onto all customer records digitally in

various systems, including their customer records management system, their invoicing system, their call recording system, their marketing

database and within two different email clients.

There have been a fair number of minor data breaches in recent months and a couple of larger ones, which have meant that not only has the

company's reputation been damaged but they have also had to report some of the bigger breaches to the regulator. One of these breaches led to

the credit risk scores of over 150,000 customers being deliberately leaked to the company’s largest competitor.

You also discover that some customers have asked for their data to be deleted following a number of marketing campaigns. Even though the

company has told the customers that they have done what was asked, you learn that all the company did was remove these customers from their

marketing lists - in other words, all their data is still in the various digital systems for marketing, invoicing and records management.

On top of all this, you learn that if a customer service agent based in the energy corporation's US call center cannot find the details of the specific

customer they are talking to on the phone, the agent will just add notes of the telephone conversation in whichever customer record the agent can

find. What this means is that some customer records are very inaccurate, and this causes delays in compensation payments, poor reviews on

independent review sites and the energy regulator in the UK is thinking of suspending the company's license.

As artificial intelligence is seen as the new energy future linking to the Internet of Things (IoT), the company has partnered with another company

specializing in ingesting huge amounts of data into cloud-based warehouses. This data is then used to profile customers, so they get an idea of

which ones are most likely to buy their new cutting-edge technology that is being offered via their new business partner. Many of the new devices

on offer mean that both companies will be able to gather even more data about their customers, including geo-location, IP addresses, which

electrical devices their customers use in their homes and when they use them the most.

The company is very excited for the future and how all this new tech can help them beat the competition but you have a big task ahead of you to

get things right with their privacy program.

On whom or what might the company carry out a third-party audit?

A. The call center in the US.

B. The new business partner. Most Voted

C. The customers who are agreeing to new devices being installed in their homes.

D. The various data storage systems (e.g., records management, invoicing, marketing).

Correct Answer: B

Community vote distribution


B (67%) D (33%)
Question #234 Topic 1

You have just taken on the role of Data Governance Director at an energy corporation based in London, England. The company has been trading for

over 25 years and you soon learn that so far, the company has done little to control the use of customer information.

During the first few weeks you establish that despite attempts by your predecessor, the company has held onto all customer records digitally in

various systems, including their customer records management system, their invoicing system, their call recording system, their marketing

database and within two different email clients.

There have been a fair number of minor data breaches in recent months and a couple of larger ones, which have meant that not only has the

company's reputation been damaged but they have also had to report some of the bigger breaches to the regulator. One of these breaches led to

the credit risk scores of over 150,000 customers being deliberately leaked to the company’s largest competitor.

You also discover that some customers have asked for their data to be deleted following a number of marketing campaigns. Even though the

company has told the customers that they have done what was asked, you learn that all the company did was remove these customers from their

marketing lists - in other words, all their data is still in the various digital systems for marketing, invoicing and records management.

On top of all this, you learn that if a customer service agent based in the energy corporation's US call center cannot find the details of the specific

customer they are talking to on the phone, the agent will just add notes of the telephone conversation in whichever customer record the agent can

find. What this means is that some customer records are very inaccurate, and this causes delays in compensation payments, poor reviews on

independent review sites and the energy regulator in the UK is thinking of suspending the company's license.

As artificial intelligence is seen as the new energy future linking to the Internet of Things (IoT), the company has partnered with another company

specializing in ingesting huge amounts of data into cloud-based warehouses. This data is then used to profile customers, so they get an idea of

which ones are most likely to buy their new cutting-edge technology that is being offered via their new business partner. Many of the new devices

on offer mean that both companies will be able to gather even more data about their customers, including geo-location, IP addresses, which

electrical devices their customers use in their homes and when they use them the most.

The company is very excited for the future and how all this new tech can help them beat the competition but you have a big task ahead of you to

get things right with their privacy program.

Which of the following should be your top priority for getting data use under control?

A. Making sure the data warehouse is secure with strong firewalls and antivirus software.

B. Ensuring the business is transparent with customers over how their data is to be used.

C. Ensuring the company's records management and privacy policies are effective. Most Voted

D. Conducting a data transfer assessment on the corporation's US call center.

Correct Answer: C

Community vote distribution


C (100%)
Question #235 Topic 1

You have just taken on the role of Data Governance Director at an energy corporation based in London, England. The company has been trading for

over 25 years and you soon learn that so far, the company has done little to control the use of customer information.

During the first few weeks you establish that despite attempts by your predecessor, the company has held onto all customer records digitally in

various systems, including their customer records management system, their invoicing system, their call recording system, their marketing

database and within two different email clients.

There have been a fair number of minor data breaches in recent months and a couple of larger ones, which have meant that not only has the

company's reputation been damaged but they have also had to report some of the bigger breaches to the regulator. One of these breaches led to

the credit risk scores of over 150,000 customers being deliberately leaked to the company’s largest competitor.

You also discover that some customers have asked for their data to be deleted following a number of marketing campaigns. Even though the

company has told the customers that they have done what was asked, you learn that all the company did was remove these customers from their

marketing lists - in other words, all their data is still in the various digital systems for marketing, invoicing and records management.

On top of all this, you learn that if a customer service agent based in the energy corporation's US call center cannot find the details of the specific

customer they are talking to on the phone, the agent will just add notes of the telephone conversation in whichever customer record the agent can

find. What this means is that some customer records are very inaccurate, and this causes delays in compensation payments, poor reviews on

independent review sites and the energy regulator in the UK is thinking of suspending the company's license.

As artificial intelligence is seen as the new energy future linking to the Internet of Things (IoT), the company has partnered with another company

specializing in ingesting huge amounts of data into cloud-based warehouses. This data is then used to profile customers, so they get an idea of

which ones are most likely to buy their new cutting-edge technology that is being offered via their new business partner. Many of the new devices

on offer mean that both companies will be able to gather even more data about their customers, including geo-location, IP addresses, which

electrical devices their customers use in their homes and when they use them the most.

The company is very excited for the future and how all this new tech can help them beat the competition but you have a big task ahead of you to

get things right with their privacy program.

Following the marketing campaigns, which of the following should have been prioritized by the company?

A. Anonymizing the customer's data within all the systems.

B. Putting in place new processes for valid deletion requests. Most Voted

C. Stopping the sending of marketing emails to these customers.

D. Verifying the identity of the customers who made the requests.

Correct Answer: B

Community vote distribution


B (100%)
Question #236 Topic 1

When developing a privacy program and selecting a program sponsor or "champion" the most important consideration should be that they?

A. Are an expert in privacy rules and regulations.

B. Are a part of the company's IT management team.

C. Have the authority to approve policy and provide funding. Most Voted

D. Will be an effective advocate and understand the importance of privacy.

Correct Answer: D

Community vote distribution


D (50%) C (50%)

Question #237 Topic 1

Implementation of a Privacy Program Framework (PPF) requires that you do all of the following EXCEPT?

A. Measure the success of your security program.

B. Analyze your data classification and broad privacy checklists.

C. Determine privacy-relevant decisions that impact your organization.

D. Review documented privacy management procedures and processes.

Correct Answer: A

Question #238 Topic 1

Which of the following is least relevant to establishing a culture of data privacy at a company?

A. Securing funding for a privacy program.

B. Deploying training and awareness.

C. Adopting Privacy by Design (PbD).

D. Monitoring compliance.

Correct Answer: A
Question #239 Topic 1

The following are examples of Privacy by Design (PbD) EXCEPT?

A. Incorporating privacy consultations into technology procurement requests

B. Assessing privacy risks in the architecture of a proposed customer-facing tool

C. Integrating predefined privacy controls into standard product launch procedures

D. Conducting a root cause analysis on privacy incidents to recommend response improvements Most Voted

Correct Answer: D

Community vote distribution


D (100%)

Question #240 Topic 1

Which of the following helps build trust with customers and stakeholders?

A. Only publish what is necessary to be compliant with applicable laws.

B. Enable customers to view and change their own personal information.

C. Publish your privacy notice using broad language to ensure all of your organization's activities are captured.

D. Provide a dedicated privacy space with the privacy notice, explanatory documents and operation frameworks.

Correct Answer: D

Question #241 Topic 1

Which of the following is the most likely way an independent privacy organization might work to promote sound privacy practices?

A. By developing principles for self-regulation. Most Voted

B. By enacting new legislation.

C. By completing on-site audits.

D. By issuing penalties for violations of rules.

Correct Answer: A

Community vote distribution


A (100%)
Question #242 Topic 1

Which is the best first step in establishing a baseline regarding privacy in an organization?

A. Interviewing the organization's top decision-makers.

B. Surveying shareholders on their knowledge of privacy.

C. Collecting information on the organization's compliance with privacy regulations and standards.

D. Designating a person responsible for the development and implementation of the organization's privacy program.

Correct Answer: C

Question #243 Topic 1

What are the advantages for a company that chooses a hybrid of centralized and decentralized management practices?

A. Clearly defined company goals that employees can pursue according to their specific roles. Most Voted

B. Decisions made by experienced executives and delegated to lower-tier company officers.

C. Flexible departments with great diversity and little need for structure.

D. Controlled spending and a reduced need for employee training.

Correct Answer: A

Community vote distribution


A (100%)

Question #244 Topic 1

Which of the following is least likely to address individual program needs and specific organizational goals identified in privacy framework

development?

A. Through creation of the business case.

B. Through conversations with the privacy team.

C. By employing an industry-standard needs analysis.

D. By employing metrics to align privacy protection with objectives.

Correct Answer: C
Question #245 Topic 1

Creating a privacy governance model for an organization that is required to appoint data protection officers under the GDPR poses what additional

challenge?

A. They must respond immediately to employees.

B. They must report directly to top management.

C. They must reply personally to data subjects.

D. They must react without delay to suppliers.

Correct Answer: B

Question #246 Topic 1

When developing a privacy program and selecting a program sponsor or "champion" the least important consideration should be that they?

A. Are a part of the organization's top management.

B. Have the authority to approve policy and provide funding.

C. Will be an effective advocate and understand the importance of privacy.

D. Have accountability for the organization's privacy and/or information security, risk, compliance, or legal decisions.

Correct Answer: A

Question #247 Topic 1

In the European Union, the GDPR gives Supervisory Authorities the right to which of the following actions?

A. Suspend data transfers undertaken by a controller to a third country. Most Voted

B. Prevent a national data protection bill from becoming law.

C. Prosecute a controller in a criminal investigation.

D. Award punitive damages to a data subject.

Correct Answer: A

Community vote distribution


A (100%)
Question #248 Topic 1

Understanding the sensitivity of personal data that an organization holds is a crucial step for a privacy professional attempting to do what?

A. Convince stakeholders to increase the funding for the privacy program.

B. Determine the maturity of the privacy program in relation to current laws.

C. Form a starting point for assessing the adequacy of the privacy program. Most Voted

D. Decide how comprehensive oversight of its privacy program needs to be.

Correct Answer: C

Community vote distribution


C (100%)

Question #249 Topic 1

All of the following are components of a data collection notice EXCEPT identification of?

A. The potential uses of personal information in the future. Most Voted

B. The length of time the personal information will be stored.

C. The meta-data which could be generated from collection of the information.

D. The lawful interests pursued by the responsible party collecting the information.

Correct Answer: C

Community vote distribution


A (100%)

Question #250 Topic 1

When implementing an organization's privacy program, what right should be granted to the data subject?

A. To have their data amended or erased if errors are found.

B. To limit or refuse the disclosure of their data for any reason.

C. To provide feedback regarding an organization's privacy policy.

D. To verify that an organization uses the highest level of privacy protection available.

Correct Answer: A
