What is the best way to understand the location, use and importance of personal data within an organization?
- A . By analyzing the data inventory.
- B . By testing the security of data systems.
- C . By evaluating methods for collecting data.
- D . By interviewing employees tasked with data entry.
C
Explanation:
The best way to understand the location, use and importance of personal data within an organization is by evaluating methods for collecting data. This will help to identify the sources, purposes, and categories of data that the organization processes, as well as the data flows and transfers within and outside the organization. By doing so, the organization can assess the risks and opportunities associated with data processing and design appropriate privacy policies and controls.
Reference: [IAPP CIPM Study Guide], page 29-30; [Data Inventory]
What are you doing if you succumb to "overgeneralization" when analyzing data from metrics?
- A . Using data that is too broad to capture specific meanings.
- B . Possessing too many types of data to perform a valid analysis.
- C . Using limited data in an attempt to support broad conclusions.
- D . Trying to use several measurements to gauge one aspect of a program.
A
Explanation:
If you succumb to “overgeneralization” when analyzing data from metrics, you are using data that is too broad to capture specific meanings. For example, if you use a single metric such as “number of complaints” to measure customer satisfaction, you are ignoring other factors that may affect customer satisfaction such as quality of service, responsiveness, or loyalty. You are also assuming that all complaints are equally valid and important, which may not be the case. To avoid overgeneralization, you should use multiple metrics that are relevant, specific, and measurable for your objectives.
Reference: [IAPP CIPM Study Guide], page 59-60; [Avoiding Overgeneralization in Data Analysis]
In addition to regulatory requirements and business practices, what important factors must a global privacy strategy consider?
- A . Monetary exchange.
- B . Geographic features.
- C . Political history.
- D . Cultural norms.
D
Explanation:
In addition to regulatory requirements and business practices, an important factor that a global privacy strategy must consider is cultural norms. Different cultures may have different expectations and preferences regarding privacy, such as what constitutes personal information, how consent is obtained and expressed, how data is used and shared, and how privacy rights are enforced. A global privacy strategy should respect and accommodate these cultural differences and ensure that the organization’s privacy practices are transparent, fair, and consistent across different regions.
Reference: [IAPP CIPM Study Guide], page 81-82; [Cultural Differences in Privacy Expectations]
What have experts identified as an important trend in privacy program development?
- A . The narrowing of regulatory definitions of personal information.
- B . The rollback of ambitious programs due to budgetary restraints.
- C . The movement beyond crisis management to proactive prevention.
- D . The stabilization of programs as the pace of new legal mandates slows.
C
Explanation:
An important trend in privacy program development is the movement beyond crisis management to proactive prevention. This means that instead of reacting to privacy breaches or incidents after they occur, organizations are taking steps to prevent them from happening in the first place. This involves implementing privacy by design principles, conducting privacy impact assessments, adopting privacy-enhancing technologies, training staff on privacy awareness and best practices, and monitoring compliance and performance. By doing so, organizations can reduce risks, costs, and reputational damage associated with privacy violations.
Reference: [IAPP CIPM Study Guide], page 93-94; [Moving from Crisis Management to Proactive Prevention]
SCENARIO
Please use the following to answer the next QUESTION:
Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the development of the company’s flagship product, the Handy Helper. The Handy Helper is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. After having had a successful launch in the United States, the Handy Helper is about to be made available for purchase worldwide.
The packaging and user guide for the Handy Helper indicate that it is a "privacy friendly" product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Omnipresent Omnimedia and selected marketing partners in order to be able to use the application.
Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreement with a European distributor of Handy Helper when he fielded many Questions about the product from the distributor. Sanjay needed to look more closely at the product in order to be able to answer the Questions as he was not involved in the product development process.
In speaking with the product team, he learned that the Handy Helper collected and stored all of a user’s sensitive medical information for the medical appointment scheduler. In fact, all of the user’s information is stored by Handy Helper for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all Omnipresent Omnimedia employees have access to user data under a program called Eureka. Omnipresent Omnimedia is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-term goal.
What step in the system development process did Manasa skip?
- A . Obtain express written consent from users of the Handy Helper regarding marketing.
- B . Work with Sanjay to review any necessary privacy requirements to be built into the product.
- C . Certify that the Handy Helper meets the requirements of the EU-US Privacy Shield Framework.
- D . Build the artificial intelligence feature so that users would not have to input sensitive information
into the Handy Helper.
B
Explanation:
Manasa skipped the step of working with Sanjay to review any necessary privacy requirements to be built into the product. This step is part of the system analysis phase, which is less theoretical and focuses more on practical application1 By working with Sanjay, Manasa could have identified the legal and ethical obligations that Omnipresent Omnimedia has to protect the privacy of its users, especially in different jurisdictions. She could have also incorporated privacy by design principles, such as data minimization, purpose limitation, and user consent, into the product development process2 This would have helped to avoid potential privacy risks and violations that could harm the reputation and trust of the company and its customers.
Reference: 1: 7 Phases of the System Development Life Cycle (With Tips); 2: [Privacy by Design: The 7 Foundational Principles]
SCENARIO
Please use the following to answer the next QUESTION:
Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the development of the company’s flagship product, the Handy Helper. The Handy Helper is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. After having had a successful launch in the United States, the Handy Helper is about to be made available for purchase worldwide.
The packaging and user guide for the Handy Helper indicate that it is a "privacy friendly" product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Omnipresent Omnimedia and selected marketing partners in order to be able to use the application.
Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreement with a European distributor of Handy Helper when he fielded many Questions about the product from the distributor. Sanjay needed to look more closely at the product in order to be able to answer the Questions as he was not involved in the product development process.
In speaking with the product team, he learned that the Handy Helper collected and stored all of a user’s sensitive medical information for the medical appointment scheduler. In fact, all of the user’s information is stored by Handy Helper for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all Omnipresent Omnimedia employees have access to user data under a program called Eureka. Omnipresent Omnimedia is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-term goal.
What administrative safeguards should be implemented to protect the collected data while in use by Manasa and her product management team?
- A . Document the data flows for the collected data.
- B . Conduct a Privacy Impact Assessment (PIA) to evaluate the risks involved.
- C . Implement a policy restricting data access on a "need to know" basis.
- D . Limit data transfers to the US by keeping data collected in Europe within a local data center.
C
Explanation:
An administrative safeguard that should be implemented to protect the collected data while in use by Manasa and her product management team is a policy restricting data access on a “need to know” basis. This means that only authorized personnel who have a legitimate business purpose for accessing the data should be able to do so3 This would help to prevent unauthorized or unnecessary access, use, or disclosure of sensitive or personal data by internal or external parties. It would also reduce the risk of data breaches, theft, or loss that could compromise the confidentiality, integrity, and availability of the data4
Reference: 3: HIPAA Security Series #2 – Administrative Safeguards – HHS.gov; 4: Administrative Safeguards of the Security Rule: What Are They?
SCENARIO
Please use the following to answer the next QUESTION:
Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the development of the company’s flagship product, the Handy Helper. The Handy Helper is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. After having had a successful launch in the United States, the Handy Helper is about to be made available for purchase worldwide.
The packaging and user guide for the Handy Helper indicate that it is a "privacy friendly" product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Omnipresent Omnimedia and selected marketing partners in order to be able to use the application.
Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreement with a European distributor of Handy Helper when he fielded many Questions about the product from the distributor. Sanjay needed to look more closely at the product in order to be able to answer the
Questions as he was not involved in the product development process.
In speaking with the product team, he learned that the Handy Helper collected and stored all of a user’s sensitive medical information for the medical appointment scheduler. In fact, all of the user’s information is stored by Handy Helper for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all Omnipresent Omnimedia employees have access to user data under a program called Eureka. Omnipresent Omnimedia is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-term goal.
What element of the Privacy by Design (PbD) framework might the Handy Helper violate?
- A . Failure to obtain opt-in consent to marketing.
- B . Failure to observe data localization requirements.
- C . Failure to implement the least privilege access standard.
- D . Failure to integrate privacy throughout the system development life cycle.
D
Explanation:
The Handy Helper might violate the element of the Privacy by Design (PbD) framework that requires integrating privacy throughout the system development life cycle. According to the PbD framework, privacy should be embedded into the design and architecture of IT systems and business practices, not added as an afterthought1 This means that privacy should be considered at every stage of the system development life cycle, from planning to analysis to design to development to implementation to maintenance2 However, the Handy Helper seems to have been developed without involving Sanjay, the head of privacy, or conducting a privacy impact assessment (PIA) to identify and mitigate potential privacy risks3 The product also lacks a clear and transparent privacy notice that informs users about what data is collected, how it is used, where it is stored, who has access to it, and what choices they have4 These issues could expose the product to legal and reputational challenges, especially in regions with strict data protection regulations, such as Europe.
Reference: 1: Privacy by Design – The LIFE Institute; 2: System Development Life Cycle – GeeksforGeeks; 3: [Privacy Impact Assessment (PIA) | NZ Digital government]; 4: [Privacy Notices under EU Data Protection Law | Privacy International]
SCENARIO
Please use the following to answer the next QUESTION:
Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the development of the company’s flagship product, the Handy Helper. The Handy Helper is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. After having had a successful launch in the United States, the Handy Helper is about to be made available for purchase worldwide.
The packaging and user guide for the Handy Helper indicate that it is a "privacy friendly" product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Omnipresent Omnimedia and selected marketing partners in order to be able to use the application.
Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreement with a European distributor of Handy Helper when he fielded many Questions about the product from the distributor. Sanjay needed to look more closely at the product in order to be able to answer the Questions as he was not involved in the product development process.
In speaking with the product team, he learned that the Handy Helper collected and stored all of a user’s sensitive medical information for the medical appointment scheduler. In fact, all of the user’s information is stored by Handy Helper for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all Omnipresent Omnimedia employees have access to user data under a program called Eureka. Omnipresent Omnimedia is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-term goal.
What can Sanjay do to minimize the risks of offering the product in Europe?
- A . Sanjay should advise the distributor that Omnipresent Omnimedia has certified to the Privacy Shield Framework and there should be no issues.
- B . Sanjay should work with Manasa to review and remediate the Handy Helper as a gating item before it is released.
- C . Sanjay should document the data life cycle of the data collected by the Handy Helper.
- D . Sanjay should write a privacy policy to include with the Handy Helper user guide.
B
Explanation:
Sanjay should work with Manasa to review and remediate the Handy Helper as a gating item before it is released. This means that Sanjay should collaborate with Manasa and her product team to evaluate the privacy implications of the product and address any gaps or issues before launching it in Europe. This could involve conducting a PIA, applying the PbD principles, revising the consent mechanism, updating the privacy notice, ensuring compliance with data localization requirements, implementing data security measures, and limiting data access based on the least privilege principle.
By doing so, Sanjay could help minimize the risks of offering the product in Europe and avoid potential violations of the General Data Protection Regulation (GDPR) or other local laws that could result in fines, lawsuits, or loss of trust.
Which statement is FALSE regarding the use of technical security controls?
- A . Technical security controls are part of a data governance strategy.
- B . Technical security controls deployed for one jurisdiction often satisfy another jurisdiction.
- C . Most privacy legislation lists the types of technical security controls that must be implemented.
- D . A person with security knowledge should be involved with the deployment of technical security controls.
C
Explanation:
The statement that is false regarding the use of technical security controls is that most privacy legislation lists the types of technical security controls that must be implemented. Technical security controls are the hardware and software components that protect a system against cyberattacks, such as encryption, firewalls, antivirus software, and access control mechanisms1 However, most privacy legislation does not prescribe specific types of technical security controls that must be implemented by organizations. Instead, they usually require organizations to implement reasonable or appropriate technical security measures to protect personal data from unauthorized or unlawful access, use, disclosure, alteration, or destruction23 The exact level and type of technical security controls may depend on various factors, such as the nature and sensitivity of the data, the risks and threats involved, the state of the art technology available, and the cost and feasibility of implementation4 Therefore, organizations have some flexibility and discretion in choosing the most suitable technical security controls for their data processing activities.
Reference:
1: Technical Controls ― Cybersecurity Resilience – Resilient Energy Platform;
2: [General Data Protection Regulation (GDPR) C Official Legal Text], Article 32;
3: [Privacy Act 1988], Schedule 1 C Australian Privacy Principles (APPs), APP 11;
4: Technical Security Controls: Encryption, Firewalls & More
An organization’s privacy officer was just notified by the benefits manager that she accidentally sent out the retirement enrollment report of all employees to a wrong vendor.
Which of the following actions should the privacy officer take first?
- A . Perform a risk of harm analysis.
- B . Report the incident to law enforcement.
- C . Contact the recipient to delete the email.
- D . Send firm-wide email notification to employees.
A
Explanation:
The first action that the privacy officer should take after being notified by the benefits manager that she accidentally sent out the retirement enrollment report of all employees to a wrong vendor is to perform a risk of harm analysis. A risk of harm analysis is a process of assessing the potential adverse consequences for the individuals whose personal data has been compromised by a data breach or incident5 The purpose of this analysis is to determine whether the breach or incident poses a significant risk of harm to the affected individuals, such as identity theft, fraud, discrimination, physical harm, emotional distress, or reputational damage6 The risk of harm analysis should consider various factors, such as the type and amount of data involved, the sensitivity and context of the data, the likelihood and severity of harm, the characteristics of the recipients or unauthorized parties who accessed the data, and the mitigating measures taken or available to reduce the harm7 Based on this analysis, the privacy officer can then decide whether to notify the affected individuals, the relevant authorities, or other stakeholders about the breach or incident. Notification is usually required by law or best practice when there is a high risk of harm to the individuals as a result of the breach or incident8 Notification can also help to mitigate the harm by allowing the individuals to take protective actions or seek remedies. Therefore, performing a risk of harm analysis is a crucial first step for responding to a data breach or incident.
Reference: 5: Can a risk of harm itself be a harm? | Analysis | Oxford Academic; 6: No Harm Done? Assessing Risk of Harm under the Federal Breach Notification Rule; 7: CCOHS: Hazard and Risk – Risk Assessment; 8: Breach Notification Requirements in Canada | PrivacySense.net
SCENARIO
Please use the following to answer the next QUESTION:
Henry Home Furnishings has built high-end furniture for nearly forty years. However, the new owner, Anton, has found some degree of disorganization after touring the company headquarters. His uncle Henry had always focused on production C not data processing C and Anton is concerned. In several storage rooms, he has found paper files, disks, and old computers that appear to contain the personal data of current and former employees and customers. Anton knows that a single break-in could irrevocably damage the company’s relationship with its loyal customers. He intends to set a goal of guaranteed zero loss of personal information.
To this end, Anton originally planned to place restrictions on who was admitted to the physical premises of the company. However, Kenneth C his uncle’s vice president and longtime confidante C wants to hold off on Anton’s idea in favor of converting any paper records held at the company to electronic storage. Kenneth believes this process would only take one or two years. Anton likes this idea; he envisions a password- protected system that only he and Kenneth can access.
Anton also plans to divest the company of most of its subsidiaries. Not only will this make his job easier, but it will simplify the management of the stored data. The heads of subsidiaries like the art gallery and kitchenware store down the street will be responsible for their own information management. Then, any unneeded subsidiary data still in Anton’s possession can be destroyed within the next few years.
After learning of a recent security incident, Anton realizes that another crucial step will be notifying customers. Kenneth insists that two lost hard drives in Question are not cause for concern; all of the data was encrypted and not sensitive in nature. Anton does not want to take any chances, however. He intends on sending notice letters to all employees and customers to be safe.
Anton must also check for compliance with all legislative, regulatory, and market requirements related to privacy protection. Kenneth oversaw the development of the company’s online presence about ten years ago, but Anton is not confident about his understanding of recent online marketing laws. Anton is assigning another trusted employee with a law background the task of the compliance assessment. After a thorough analysis, Anton knows the company should be safe for another five years, at which time he can order another check.
Documentation of this analysis will show auditors due diligence.
Anton has started down a long road toward improved management of the company, but he knows the effort is worth it. Anton wants his uncle’s legacy to continue for many years to come.
To improve the facility’s system of data security, Anton should consider following through with the plan for which of the following?
- A . Customer communication.
- B . Employee access to electronic storage.
- C . Employee advisement regarding legal matters.
- D . Controlled access at the company headquarters.
D
Explanation:
To improve the facility’s system of data security, Anton should consider following through with the plan for controlled access at the company headquarters. This plan would help to prevent unauthorized physical access to the paper files, disks, and old computers that contain personal data of employees and customers. Physical security is an important aspect of data security that involves protecting hardware and storage devices from theft, damage, or tampering1 By placing restrictions on who can enter the premises or access certain areas or rooms, Anton can reduce the risk of data breaches or incidents caused by intruders or insiders2 He can also implement locks, alarms, cameras, or guards to enhance the physical security of the facility3
Reference: 1: Physical Security: What Is It?; 2: [Physical Security: Why It’s Important & How To Implement It]; 3: [Physical Security Best Practices: 10 Tips to Secure Your Workplace]
SCENARIO
Please use the following to answer the next QUESTION:
Henry Home Furnishings has built high-end furniture for nearly forty years. However, the new owner, Anton, has found some degree of disorganization after touring the company headquarters. His uncle Henry had always focused on production C not data processing C and Anton is concerned. In several storage rooms, he has found paper files, disks, and old computers that appear to contain the personal data of current and former employees and customers. Anton knows that a single break-in could irrevocably damage the company’s relationship with its loyal customers. He intends to set a goal of guaranteed zero loss of personal information.
To this end, Anton originally planned to place restrictions on who was admitted to the physical premises of the company. However, Kenneth C his uncle’s vice president and longtime confidante C wants to hold off on Anton’s idea in favor of converting any paper records held at the company to electronic storage. Kenneth believes this process would only take one or two years. Anton likes this idea; he envisions a password- protected system that only he and Kenneth can access.
Anton also plans to divest the company of most of its subsidiaries. Not only will this make his job easier, but it will simplify the management of the stored data. The heads of subsidiaries like the art gallery and kitchenware store down the street will be responsible for their own information management. Then, any unneeded subsidiary data still in Anton’s possession can be destroyed within the next few years.
After learning of a recent security incident, Anton realizes that another crucial step will be notifying customers. Kenneth insists that two lost hard drives in Question are not cause for concern; all of the data was encrypted and not sensitive in nature. Anton does not want to take any chances, however. He intends on sending notice letters to all employees and customers to be safe.
Anton must also check for compliance with all legislative, regulatory, and market requirements related to privacy protection. Kenneth oversaw the development of the company’s online presence about ten years ago, but Anton is not confident about his understanding of recent online marketing laws. Anton is assigning another trusted employee with a law background the task of the compliance assessment. After a thorough analysis, Anton knows the company should be safe for another five years, at which time he can order another check.
Documentation of this analysis will show auditors due diligence.
Anton has started down a long road toward improved management of the company, but he knows the effort is worth it. Anton wants his uncle’s legacy to continue for many years to come.
Which of Anton’s plans for improving the data management of the company is most unachievable?
- A . His initiative to achieve regulatory compliance.
- B . His intention to transition to electronic storage.
- C . His objective for zero loss of personal information.
- D . His intention to send notice letters to customers and employees.
C
Explanation:
Anton’s objective for zero loss of personal information is the most unachievable among his plans for improving the data management of the company. While this objective is admirable and desirable, it is unrealistic and impractical to guarantee that no personal information will ever be lost due to a data breach or incident. Data breaches are inevitable and unpredictable events that can affect any organization regardless of its size or industry4 Even with the best data security practices and tools in place, there is always a possibility of human error, system failure, malicious attack, or natural disaster that could compromise personal information5 Therefore, Anton should focus on minimizing the likelihood and impact of data breaches rather than aiming for zero loss of personal information. He should also prepare a data breach response plan that outlines how to detect, contain, assess, report, and recover from a data breach in a timely and effective manner6
Reference: 4: [Data Breaches Are Inevitable: Here’s How to Protect Your Business]; 5: The Top 5 Causes Of Data Breaches; 6: Data Breach Response: A Guide for Business – Federal Trade Commission
SCENARIO
Please use the following to answer the next QUESTION:
Henry Home Furnishings has built high-end furniture for nearly forty years. However, the new owner, Anton, has found some degree of disorganization after touring the company headquarters. His uncle Henry had always focused on production C not data processing C and Anton is concerned. In several storage rooms, he has found paper files, disks, and old computers that appear to contain the personal data of current and former employees and customers. Anton knows that a single break-in could irrevocably damage the company’s
relationship with its loyal customers. He intends to set a goal of guaranteed zero loss of personal information.
To this end, Anton originally planned to place restrictions on who was admitted to the physical premises of the company. However, Kenneth C his uncle’s vice president and longtime confidante C wants to hold off on Anton’s idea in favor of converting any paper records held at the company to electronic storage. Kenneth believes this process would only take one or two years. Anton likes this idea; he envisions a password- protected system that only he and Kenneth can access.
Anton also plans to divest the company of most of its subsidiaries. Not only will this make his job easier, but it will simplify the management of the stored data. The heads of subsidiaries like the art gallery and kitchenware store down the street will be responsible for their own information management. Then, any unneeded subsidiary data still in Anton’s possession can be destroyed within the next few years.
After learning of a recent security incident, Anton realizes that another crucial step will be notifying customers. Kenneth insists that two lost hard drives in Question are not cause for concern; all of the data was encrypted and not sensitive in nature. Anton does not want to take any chances, however. He intends on sending notice letters to all employees and customers to be safe.
Anton must also check for compliance with all legislative, regulatory, and market requirements related to privacy protection. Kenneth oversaw the development of the company’s online presence about ten years ago, but Anton is not confident about his understanding of recent online marketing laws. Anton is assigning another trusted employee with a law background the task of the compliance assessment. After a thorough analysis, Anton knows the company should be safe for another five years, at which time he can order another check.
Documentation of this analysis will show auditors due diligence.
Anton has started down a long road toward improved management of the company, but he knows the effort is worth it. Anton wants his uncle’s legacy to continue for many years to come.
Which important principle of Data Lifecycle Management (DLM) will most likely be compromised if Anton executes his plan to limit data access to himself and Kenneth?
- A . Practicing data minimalism.
- B . Ensuring data retrievability.
- C . Implementing clear policies.
- D . Ensuring adequacy of infrastructure.
A
Explanation:
The important principle of Data Lifecycle Management (DLM) that will most likely be compromised if Anton executes his plan to limit data access to himself and Kenneth is ensuring data retrievability. Data retrievability refers to the ability to access and use data when needed for business purposes or legal obligations1 It involves maintaining the availability, integrity, and usability of data throughout its lifecycle2 However, if Anton restricts data access to only himself and Kenneth, he will create a single point of failure and a bottleneck for data retrieval.
This could pose several risks and challenges for the company, such as:
Losing data if Anton or Kenneth forgets the password or leaves the company without sharing it with others.
Delaying data retrieval if Anton or Kenneth is unavailable or unresponsive when someone else needs the data urgently.
Violating data protection laws or regulations that require data access by certain parties or authorities under certain circumstances.
Reducing data quality or accuracy if Anton or Kenneth fails to update or maintain the data properly. Missing business opportunities or insights if Anton or Kenneth does not share the data with other relevant stakeholders or departments.
Therefore, Anton should reconsider his plan and adopt a more balanced and secure approach to data access management that follows the principle of least privilege. This means granting data access only to those who need it for their specific roles and responsibilities and revoking it when no longer needed3 He should also implement proper authentication, authorization, encryption, backup, and audit mechanisms to protect the data from unauthorized or unlawful access, use, disclosure, alteration, or destruction4
Reference: 1: Data Retrievability: What Is It?; 2: Data Lifecycle Management | IBM; 3: What is Least Privilege? Definition & Examples; 4: Technical Security Controls: Encryption, Firewalls & More
SCENARIO
Please use the following to answer the next QUESTION:
Henry Home Furnishings has built high-end furniture for nearly forty years. However, the new owner, Anton, has found some degree of disorganization after touring the company headquarters. His uncle Henry had always focused on production C not data processing C and Anton is concerned. In several storage rooms, he has found paper files, disks, and old computers that appear to contain the personal data of current and former employees and customers. Anton knows that a single break-in could irrevocably damage the company’s relationship with its loyal customers. He intends to set a goal of guaranteed zero loss of personal information.
To this end, Anton originally planned to place restrictions on who was admitted to the physical premises of the company. However, Kenneth C his uncle’s vice president and longtime confidante C wants to hold off on Anton’s idea in favor of converting any paper records held at the company to electronic storage. Kenneth
believes this process would only take one or two years. Anton likes this idea; he envisions a password- protected system that only he and Kenneth can access.
Anton also plans to divest the company of most of its subsidiaries. Not only will this make his job easier, but it will simplify the management of the stored data. The heads of subsidiaries like the art gallery and kitchenware store down the street will be responsible for their own information management. Then, any unneeded subsidiary data still in Anton’s possession can be destroyed within the next few years.
After learning of a recent security incident, Anton realizes that another crucial step will be notifying customers. Kenneth insists that two lost hard drives in Question are not cause for concern; all of the data was encrypted and not sensitive in nature. Anton does not want to take any chances, however. He intends on sending notice letters to all employees and customers to be safe.
Anton must also check for compliance with all legislative, regulatory, and market requirements related to privacy protection. Kenneth oversaw the development of the company’s online presence about ten years ago, but Anton is not confident about his understanding of recent online marketing laws. Anton is assigning another trusted employee with a law background the task of the compliance assessment. After a thorough analysis, Anton knows the company should be safe for another five years, at which time he can order another check.
Documentation of this analysis will show auditors due diligence.
Anton has started down a long road toward improved management of the company, but he knows the effort is worth it. Anton wants his uncle’s legacy to continue for many years to come.
In terms of compliance with regulatory and legislative changes, Anton has a misconception regarding?
- A . The timeline for monitoring.
- B . The method of recordkeeping.
- C . The use of internal employees.
- D . The type of required qualifications.
A
Explanation:
In terms of compliance with regulatory and legislative changes, Anton has a misconception regarding the timeline for monitoring. He believes that the company should be safe for another five years after conducting a compliance assessment and documenting the analysis. However, this is a risky and unrealistic assumption that could expose the company to legal liabilities and penalties. Regulatory and legislative changes are dynamic and frequent in today’s business environment. They can affect various aspects of the company’s operations, such as data protection, online marketing, consumer rights, labor laws, tax laws, environmental laws, etc5 Therefore, the company needs to monitor these changes continuously and proactively to ensure compliance at all times. Waiting for five years to check for compliance again could result in missing important updates or requirements that could impact the company’s business practices or obligations. Moreover, compliance monitoring is not only a one-time activity but an ongoing process that involves evaluating the effectiveness of the company’s policies and procedures in meeting the regulatory standards and expectations6 Compliance monitoring also helps to identify any gaps or weaknesses in the company’s compliance program and take corrective actions to improve it. Therefore, Anton should revise his timeline for monitoring regulatory and legislative changes and adopt a more regular and systematic approach that aligns with the company’s risk profile and regulatory environment.
Reference: 5: Regulatory Change Management: How To Keep Up With Regulatory
Changes; 6: Compliance Monitoring – What Is It?
SCENARIO
Please use the following to answer the next QUESTION:
Henry Home Furnishings has built high-end furniture for nearly forty years. However, the new owner, Anton, has found some degree of disorganization after touring the company headquarters. His uncle Henry had always focused on production C not data processing C and Anton is concerned. In several storage rooms, he has found paper files, disks, and old computers that appear to contain the personal data of current and former employees and customers. Anton knows that a single break-in could irrevocably damage the company’s relationship with its loyal customers. He intends to set a goal of guaranteed zero loss of personal information.
To this end, Anton originally planned to place restrictions on who was admitted to the physical premises of the company. However, Kenneth C his uncle’s vice president and longtime confidante C wants to hold off on Anton’s idea in favor of converting any paper records held at the company to electronic storage. Kenneth believes this process would only take one or two years. Anton likes this idea; he envisions a password- protected system that only he and Kenneth can access.
Anton also plans to divest the company of most of its subsidiaries. Not only will this make his job easier, but it will simplify the management of the stored data. The heads of subsidiaries like the art gallery and kitchenware store down the street will be responsible for their own information management. Then, any unneeded
subsidiary data still in Anton’s possession can be destroyed within the next few years.
After learning of a recent security incident, Anton realizes that another crucial step will be notifying customers. Kenneth insists that two lost hard drives in Question are not cause for concern; all of the data was encrypted and not sensitive in nature. Anton does not want to take any chances, however. He intends on sending notice letters to all employees and customers to be safe.
Anton must also check for compliance with all legislative, regulatory, and market requirements related to privacy protection. Kenneth oversaw the development of the company’s online presence about ten years ago, but Anton is not confident about his understanding of recent online marketing laws. Anton is assigning another trusted employee with a law background the task of the compliance assessment. After a thorough analysis, Anton knows the company should be safe for another five years, at which time he can order another check.
Documentation of this analysis will show auditors due diligence.
Anton has started down a long road toward improved management of the company, but he knows the effort is worth it. Anton wants his uncle’s legacy to continue for many years to come.
What would the company’s legal team most likely recommend to Anton regarding his planned communication with customers?
- A . To send consistent communication.
- B . To shift to electronic communication.
- C . To delay communications until local authorities are informed.
- D . To consider under what circumstances communication is necessary.
D
Explanation:
The company’s legal team would most likely recommend Anton to consider under what circumstances communication with customers is necessary after learning of a recent security incident. Communication with customers is an important aspect of data breach response as it can help to mitigate the harm caused by the breach, restore trust and confidence in the company, and comply with legal obligations or best practices. However, communication with customers is not always mandatory or advisable depending on the nature and severity of the breach and the potential impact on the customers7 Therefore, Anton should consult with his legal team and evaluate the following factors before deciding whether to communicate with customers or not:
The type and amount of data involved in the breach and whether it includes personal or sensitive information that could expose the customers to identity theft, fraud, or other harms.
The likelihood and extent of harm that the customers could suffer as a result of the breach and whether they could take any actions to prevent or reduce it.
The legal or contractual obligations that the company has to notify the customers or the relevant authorities about the breach and the applicable laws or regulations that govern the notification process, such as the timing, content, and method of notification.
The potential benefits and risks of communicating with customers, such as enhancing transparency and accountability, providing assistance and remedies, or triggering negative reactions, reputational damage, or legal claims.
Based on these factors, Anton should determine whether communication with customers is necessary and appropriate in his case.
If he decides to communicate with customers, he should follow some best practices, such as:
Communicating as soon as possible after discovering and containing the breach and having sufficient information to share.
Communicating clearly, honestly, and empathetically about what happened, what data was affected, what actions the company has taken or will take, and what steps the customers can or should take. Communicating through multiple channels, such as email, phone, letter, website, or social media, depending on the preferences and expectations of the customers.
Communicating consistently and regularly with updates or follow-ups until the breach is resolved and the customers are satisfied8
Reference: 7: How to Communicate a Data Breach to Customers – U.S. Chamber of Commerce; 8: The do’s and don’ts of communicating a data breach
Why were the nongovernmental privacy organizations, Electronic Frontier Foundation (EFF) and Electronic Privacy Information Center (EPIC), established?
- A . To promote consumer confidence in the Internet industry.
- B . To improve the user experience during online shopping.
- C . To protect civil liberties and raise consumer awareness.
- D . To promote security on the Internet through strong encryption.
C
Explanation:
The nongovernmental privacy organizations, Electronic Frontier Foundation (EFF) and Electronic Privacy Information Center (EPIC), were established to protect civil liberties and raise consumer awareness in the digital age. Both organizations are public interest research centers that focus on emerging privacy and civil liberties issues and advocate for the protection of privacy, freedom of expression, and democratic values in the information age12 They conduct policy research, public education, litigation, publications, and advocacy to promote privacy rights and challenge threats to privacy from governments, corporations, or other actors12 They also monitor and participate in the development of laws, regulations, standards, and technologies that affect privacy and civil liberties12
Reference: 1: About EPIC; 2: About EFF
Reference: https://en.wikipedia.org/wiki/Electronic_Privacy_Information_Center
What is the main function of the Asia-Pacific Economic Cooperation Privacy Framework?
- A . Enabling regional data transfers.
- B . Protecting data from parties outside the region.
- C . Establishing legal requirements for privacy protection in the region.
- D . Marketing privacy protection technologies developed in the region.
A
Explanation:
The main function of the Asia-Pacific Economic Cooperation Privacy Framework is enabling regional data transfers while protecting information privacy across APEC member economies. The Framework promotes a flexible approach to information privacy protection that avoids the creation of unnecessary barriers to information flows3 It is based on a set of common privacy principles that are consistent with the core values of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data3 The Framework also provides guidance for domestic implementation and international implementation of the privacy principles through various mechanisms, such as cross-border privacy rules (CBPRs), accountability agents, regulators, enforcement cooperation, and capacity building3 The Framework aims to facilitate the safe transfer of information between economies, enhance consumer trust and confidence in online transactions and information networks, encourage the use of electronic data to enhance and expand business opportunities, and provide technical assistance to economies that have yet to address privacy from a regulatory or policy perspective4
Reference: 3: APEC PRIVACY PRINCIPLES; 4: APEC Data Privacy Pathfinder
Reference: https://iapp.org/resources/article/apec-privacy-framework/
Which of the following is TRUE about the Data Protection Impact Assessment (DPIA) process as required under the General Data Protection Regulation (GDPR)?
- A . The DPIA result must be reported to the corresponding supervisory authority.
- B . The DPIA report must be published to demonstrate the transparency of the data processing.
- C . The DPIA must include a description of the proposed processing operation and its purpose.
- D . The DPIA is required if the processing activity entails risk to the rights and freedoms of an EU individual.
C
Explanation:
The statement that is true about the Data Protection Impact Assessment (DPIA) process as required under the General Data Protection Regulation (GDPR) is that the DPIA must include a description of the proposed processing operation and its purpose.
According to Article 35(7) of the GDPR, a DPIA shall contain at least:
“a systematic description of the envisaged processing operations and the purposes of the processing”;
“an assessment of the necessity and proportionality of the processing operations in relation to the purposes”;
“an assessment of the risks to the rights and freedoms of data subjects”; “the measures envisaged to address the risks”; “safeguards”, “security measures”;
“mechanisms to ensure the protection of personal data”;
“to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned”5
Therefore, a DPIA must include a description of what data processing activities are planned and why they are needed as part of its content. This helps to provide a clear overview of the processing operation and its objectives as well as to assess its necessity and proportionality in relation to its purposes6
Reference: 5: [General Data Protection Regulation (GDPR) C Official Legal Text], Article 35(7); 6: Data protection impact assessments | ICO
As a Data Protection Officer, one of your roles entails monitoring changes in laws and regulations and updating policies accordingly.
How would you most effectively execute this responsibility?
- A . Consult an external lawyer.
- B . Regularly engage regulators.
- C . Attend workshops and interact with other professionals.
- D . Subscribe to email list-serves that report on regulatory changes.
D
Explanation:
As a Data Protection Officer (DPO), one of the most effective ways to execute your responsibility of monitoring changes in laws and regulations and updating policies accordingly is to subscribe to email list-serves that report on regulatory changes. Email list-serves are online mailing lists that allow subscribers to receive regular updates on topics or issues of interest via email7 By subscribing to email list-serves that report on regulatory changes, you can stay informed of the latest developments and trends in the regulatory environment that affect your organization and its data protection practices. You can also access relevant information and resources from reliable sources, such as regulatory agencies, law firms, industry associations, or experts8 This can help you to identify and analyze the impact of regulatory changes on your organization and its data processing activities, and to update your policies and procedures accordingly to ensure compliance8 Some examples of email list-serves that report on regulatory changes are:
The ICO Newsletter: This is a monthly newsletter from the UK Information Commissioner’s Office (ICO) that provides updates on data protection news, guidance, events, consultations, and enforcement actions9
The Privacy Advisor: This is a monthly newsletter from the International Association of Privacy Professionals (IAPP) that covers global privacy news, analysis, and insights10
The Privacy & Data Security Law Journal: This is a monthly journal from LexisNexis that provides articles and case notes on privacy and data security law issues from around the world11
The Data Protection Report: This is a blog from Norton Rose Fulbright that provides updates and commentary on data protection and cybersecurity developments across various jurisdictions12
Reference: 7: What is a listserv?; 8: 5 Practical Ways to Keep Up with Regulatory Changes; 9: ICO Newsletter; 10: The Privacy Advisor; 11: Privacy & Data Security Law Journal; 12: Data Protection Report
SCENARIO
Please use the following to answer the next QUESTION:
John is the new privacy officer at the prestigious international law firm C A&M LLP. A&M LLP is very proud of its reputation in the practice areas of Trusts & Estates and Merger & Acquisition in both U.S. and Europe.
During lunch with a colleague from the Information Technology department, John heard that the Head of IT, Derrick, is about to outsource the firm’s email continuity service to their existing email security vendor C MessageSafe. Being successful as an email hygiene vendor, MessageSafe is expanding its business by leasing cloud infrastructure from Cloud Inc. to host email continuity service for A&M LLP.
John is very concerned about this initiative. He recalled that MessageSafe was in the news six months ago due to a security breach. Immediately, John did a quick research of MessageSafe’s previous breach and learned that the breach was caused by an unintentional mistake by an IT administrator. He scheduled a meeting with Derrick to address his concerns.
At the meeting, Derrick emphasized that email is the primary method for the firm’s lawyers to communicate with clients, thus it is critical to have the email continuity service to avoid any possible email downtime. Derrick has been using the anti-spam service provided by MessageSafe for five years and is very happy with the quality of service provided by MessageSafe. In addition to the significant discount offered by MessageSafe, Derrick emphasized that he can also speed up the onboarding process since the firm already has a service contract in place with MessageSafe. The existing on-premises email continuity solution is about to reach its end of life very soon and he doesn’t have the time or resource to look for another solution. Furthermore, the off-premises email continuity service will only be turned on when the email service at A&M LLP’s primary and secondary data centers are both down, and the email messages stored at MessageSafe site for continuity service will be automatically deleted after 30 days.
Which of the following is the most effective control to enforce MessageSafe’s implementation of appropriate technical countermeasures to protect the personal data received from A&M LLP?
- A . MessageSafe must apply due diligence before trusting Cloud Inc. with the personal data received from A&M LLP.
- B . MessageSafe must flow-down its data protection contract terms with A&M LLP to Cloud Inc.
- C . MessageSafe must apply appropriate security controls on the cloud infrastructure.
- D . MessageSafe must notify A&M LLP of a data breach.
C
Explanation:
The most effective control to enforce MessageSafe’s implementation of appropriate technical countermeasures to protect the personal data received from A&M LLP is to require MessageSafe to apply appropriate security controls on the cloud infrastructure. This control ensures that MessageSafe takes responsibility for securing the personal data that it processes on behalf of A&M LLP on the cloud platform provided by Cloud Inc. According to the GDPR, data processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data1 These measures may include encryption, pseudonymisation, access control, backup and recovery, logging and monitoring, vulnerability management, incident response, etc2 Furthermore, data processors must ensure that any sub-processors they engage to process personal data on behalf of the data controller also comply with the same obligations3 Therefore, MessageSafe must ensure that Cloud Inc. provides adequate security guarantees for the cloud infrastructure and services that it uses to host the email continuity service for A&M LLP. MessageSafe must also monitor and audit the security performance of Cloud Inc. and report any issues or breaches to A&M LLP.
Reference: 1: Article 32 GDPR | General Data Protection Regulation (GDPR); 2: Guidelines 4/2019 on Article 25 Data Protection by Design and by Default | European Data Protection Board; 3: Article 28 GDPR | General Data Protection Regulation (GDPR)
SCENARIO
Please use the following to answer the next QUESTION:
John is the new privacy officer at the prestigious international law firm C A&M LLP. A&M LLP is very proud of its reputation in the practice areas of Trusts & Estates and Merger & Acquisition in both U.S. and Europe.
During lunch with a colleague from the Information Technology department, John heard that the Head of IT, Derrick, is about to outsource the firm’s email continuity service to their existing email security vendor C MessageSafe. Being successful as an email hygiene vendor, MessageSafe is expanding its business by leasing cloud infrastructure from Cloud Inc. to host email continuity service for A&M LLP.
John is very concerned about this initiative. He recalled that MessageSafe was in the news six months ago due to a security breach. Immediately, John did a quick research of MessageSafe’s previous breach and learned that the breach was caused by an unintentional mistake by an IT administrator. He scheduled a meeting with Derrick to address his concerns.
At the meeting, Derrick emphasized that email is the primary method for the firm’s lawyers to communicate with clients, thus it is critical to have the email continuity service to avoid any possible email downtime. Derrick has been using the anti-spam service provided by MessageSafe for five years and is very happy with the quality of service provided by MessageSafe. In addition to the significant discount offered by MessageSafe, Derrick emphasized that he can also speed up the onboarding process since the firm already has a service contract in place with MessageSafe. The existing on-premises email continuity solution is about to reach its end of life very soon and he doesn’t have the time or resource to look for another solution. Furthermore, the off- premises email continuity service will only be turned on when the email service at A&M LLP’s primary and secondary data centers are both down, and the email messages stored at MessageSafe site for continuity service will be automatically deleted after 30 days.
Which of the following is a TRUE statement about the relationship among the organizations?
- A . Cloud Inc. must notify A&M LLP of a data breach immediately.
- B . MessageSafe is liable if Cloud Inc. fails to protect data from A&M LLP.
- C . Cloud Inc. should enter into a data processor agreement with A&M LLP.
- D . A&M LLP’s service contract must be amended to list Cloud Inc. as a sub-processor.
B
Explanation:
A true statement about the relationship among the organizations is that MessageSafe is liable if Cloud Inc. fails to protect data from A&M LLP. This statement reflects the principle of accountability under the GDPR, which requires data controllers and processors to be responsible for complying with the GDPR and demonstrating their compliance4 As a data processor for A&M LLP, MessageSafe is liable for any damage caused by processing that infringes the GDPR or by processing that does not comply with A&M LLP’s lawful instructions5 This liability extends to any sub-processors that MessageSafe engages to carry out specific processing activities on behalf of A&M LLP5 Therefore, if Cloud Inc., as a sub-processor for MessageSafe, fails to protect data from A&M LLP and causes harm to the data subjects or breaches the GDPR or A&M LLP’s instructions, MessageSafe will be held liable for such failure and may have to pay compensation or face administrative fines or other sanctions6
Reference: 4: Article 5 GDPR | General Data Protection Regulation (GDPR); 5: Article 82 GDPR | General Data Protection Regulation (GDPR); 6: Article 83 GDPR | General Data Protection Regulation (GDPR)
SCENARIO
Please use the following to answer the next QUESTION:
John is the new privacy officer at the prestigious international law firm C A&M LLP. A&M LLP is very proud of its reputation in the practice areas of Trusts & Estates and Merger & Acquisition in both U.S. and Europe.
During lunch with a colleague from the Information Technology department, John heard that the Head of IT, Derrick, is about to outsource the firm’s email continuity service to their existing email security vendor C MessageSafe. Being successful as an email hygiene vendor, MessageSafe is expanding its business by leasing cloud infrastructure from Cloud Inc. to host email continuity service for A&M LLP.
John is very concerned about this initiative. He recalled that MessageSafe was in the news six months ago due to a security breach. Immediately, John did a quick research of MessageSafe’s previous breach and learned that the breach was caused by an unintentional mistake by an IT administrator. He scheduled a meeting with Derrick to address his concerns.
At the meeting, Derrick emphasized that email is the primary method for the firm’s lawyers to communicate with clients, thus it is critical to have the email continuity service to avoid any possible email downtime. Derrick has been using the anti-spam service provided by MessageSafe for five years and is very happy with the quality of service provided by MessageSafe. In addition to the significant discount offered by MessageSafe, Derrick emphasized that he can also speed up the onboarding process since the firm already has a service contract in place with MessageSafe. The existing on-premises email continuity solution is about to reach its end of life very soon and he doesn’t have the time or resource to look for another solution. Furthermore, the off- premises email continuity service will only be turned on when the email service at A&M LLP’s primary and secondary data centers are both down, and the email messages stored at MessageSafe site for continuity service will be automatically deleted after 30 days.
Which of the following is NOT an obligation of MessageSafe as the email continuity service provider for A&M LLP?
- A . Privacy compliance.
- B . Security commitment.
- C . Certifications to relevant frameworks.
- D . Data breach notification to A&M LLP.
C
Explanation:
An obligation that is not applicable to MessageSafe as the email continuity service provider for A&M LLP is obtaining certifications to relevant frameworks. Certifications are voluntary mechanisms that enable data controllers or processors to demonstrate their compliance with the GDPR or other standards by obtaining a certification issued by an accredited certification body7 Certifications can provide benefits such as enhancing transparency, accountability, trust, and competitive advantage for data controllers or processors. However, they are not mandatory under the GDPR or other laws and do not reduce or eliminate the legal obligations or liabilities of data controllers or processors8 Therefore, MessageSafe is not obliged to obtain certifications to relevant frameworks as the email continuity service provider for A&M LLP. However, it may choose to do so if it wishes to showcase its compliance efforts or gain a competitive edge in the market.
Reference: 7: Article 42 GDPR | General Data Protection Regulation (GDPR); 8: Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 | European Data Protection Board
In privacy protection, what is a "covered entity"?
- A . Personal data collected by a privacy organization.
- B . An organization subject to the privacy provisions of HIPAA.
- C . A privacy office or team fully responsible for protecting personal information.
- D . Hidden gaps in privacy protection that may go unnoticed without expert analysis.
B
Explanation:
A covered entity is an organization that is subject to the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA regulates how covered entities use and disclose protected health information (PHI) of individuals. Covered entities include health plans, health care clearinghouses, and health care providers that transmit health information electronically.
Reference: [HIPAA for Professionals], [What is a Covered Entity?]
Which of the following best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?
- A . Employees must sign an ad hoc contractual agreement each time personal data is exported.
- B . All employees are subject to the rules in their entirety, regardless of where the work is taking place.
- C . All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.
- D . Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.
C
Explanation:
Binding Corporate Rules (BCRs) are a mechanism for international organizations to transfer personal data within their group of companies across different jurisdictions, in compliance with the EU General Data Protection Regulation (GDPR) and other privacy laws. BCRs are legally binding and enforceable by data protection authorities and data subjects. BCRs must ensure that all employees who process personal data follow the privacy regulations of the jurisdictions where the data originates from, regardless of where they are located or where the data is transferred to.
Reference: [Binding Corporate Rules], [BCRs for controllers], [BCRs for processors]
Reference: https://www.lexology.com/library/detail.aspx?g=80239951-01b8-409f-9019-953f5233852e
SCENARIO
Please use the following to answer the next QUESTION:
Richard McAdams recently graduated law school and decided to return to the small town of Lexington, Virginia to help run his aging grandfather’s law practice. The elder McAdams desired a limited, lighter role in the practice, with the hope that his grandson would eventually take over when he fully retires. In addition to hiring Richard, Mr. McAdams employs two paralegals, an administrative assistant, and a part-time IT specialist who handles all of their basic networking needs. He plans to hire more employees once Richard gets settled and assesses the office’s strategies for growth.
Immediately upon arrival, Richard was amazed at the amount of work that needed to done in order to modernize the office, mostly in regard to the handling of clients’ personal data. His first goal is to digitize all the records kept in file cabinets, as many of the documents contain personally identifiable financial and medical data. Also, Richard has noticed the massive amount of copying by the administrative assistant throughout the day, a practice that not only adds daily to the number of files in the file cabinets, but may create security issues unless a formal policy is firmly in place Richard is also concerned with the overuse of the communal copier/ printer located in plain view of clients who frequent the building. Yet another area of concern is the use of the same fax machine by all of the employees. Richard hopes to reduce its use dramatically in order to ensure that personal data receives the utmost security and protection, and eventually move toward a strict Internet faxing policy by the year’s end.
Richard expressed his concerns to his grandfather, who agreed, that updating data storage, data security, and an overall approach to increasing the protection of personal data in all facets is necessary Mr. McAdams granted him the freedom and authority to do so. Now Richard is not only beginning a career as an attorney, but also functioning as the privacy officer of the small firm. Richard plans to meet with the IT employee the following day, to get insight into how the office computer system is currently set-up and managed.
Richard believes that a transition from the use of fax machine to Internet faxing provides all of the following security benefits EXCEPT?
- A . Greater accessibility to the faxes at an off-site location.
- B . The ability to encrypt the transmitted faxes through a secure server.
- C . Reduction of the risk of data being seen or copied by unauthorized personnel.
- D . The ability to store faxes electronically, either on the user’s PC or a password-protected network server.
A
Explanation:
A transition from the use of fax machine to Internet faxing does not provide the security benefit of greater accessibility to the faxes at an off-site location. This is because Internet faxing requires a secure internet connection and a compatible device to access the faxes online. If the user is at an off-site location that does not have these requirements, they may not be able to access their faxes. Furthermore, greater accessibility may not necessarily be a security benefit, as it may also increase the risk of unauthorized access or interception by third parties. Therefore, this option is not a security benefit of Internet faxing.
The other options are security benefits of Internet faxing. The ability to encrypt the transmitted faxes through a secure server ensures that the faxes are protected from eavesdropping or tampering during transmission. The reduction of the risk of data being seen or copied by unauthorized personnel eliminates the need for physical security measures such as locks or shredders for fax machines and paper documents. The ability to store faxes electronically, either on the user’s PC or a password-protected network server, allows for better control and management of the faxes and reduces the storage space and costs associated with paper documents.
Reference: 1: Is Online Fax Secure in 2023? All You Need to Know!; 2: Is faxing secure: How to fax from a computer safely – PandaDoc
SCENARIO
Please use the following to answer the next QUESTION:
Richard McAdams recently graduated law school and decided to return to the small town of Lexington, Virginia to help run his aging grandfather’s law practice. The elder McAdams desired a limited, lighter role in the practice, with the hope that his grandson would eventually take over when he fully retires. In addition to hiring Richard, Mr. McAdams employs two paralegals, an administrative assistant, and a part-time IT specialist who handles all of their basic networking needs. He plans to hire more employees once Richard gets settled and assesses the office’s strategies for growth.
Immediately upon arrival, Richard was amazed at the amount of work that needed to done in order to modernize the office, mostly in regard to the handling of clients’ personal data. His first goal is to digitize all the records kept in file cabinets, as many of the documents contain personally identifiable financial and medical data. Also, Richard has noticed the massive amount of copying by the administrative assistant throughout the day, a practice that not only adds daily to the number of files in the file cabinets, but may create security issues unless a formal policy is firmly in place Richard is also concerned with the overuse of the communal copier/ printer located in plain view of clients who frequent the building. Yet another area of concern is the use of the same fax machine by all of the employees. Richard hopes to reduce its use dramatically in order to ensure that personal data receives the utmost security and protection, and eventually move toward a strict Internet faxing policy by the year’s end.
Richard expressed his concerns to his grandfather, who agreed, that updating data storage, data security, and an overall approach to increasing the protection of personal data in all facets is necessary Mr. McAdams granted him the freedom and authority to do so. Now Richard is not only beginning a career as an attorney, but also functioning as the privacy officer of the small firm. Richard plans to meet with the IT employee the following day, to get insight into how the office computer system is currently set-up and managed.
As Richard begins to research more about Data Lifecycle Management (DLM), he discovers that the law office can lower the risk of a data breach by doing what?
- A . Prioritizing the data by order of importance.
- B . Minimizing the time it takes to retrieve the sensitive data.
- C . Reducing the volume and the type of data that is stored in its system.
- D . Increasing the number of experienced staff to code and categorize the incoming data.
C
Explanation:
As Richard begins to research more about Data Lifecycle Management (DLM), he discovers that the law office can lower the risk of a data breach by reducing the volume and the type of data that is stored in its system. This is because storing less data means having less data to protect and less data to lose in case of a breach. By reducing the volume and the type of data that is stored in its system, the law office can also comply with the data minimization principle under the GDPR and other data protection regulations, which requires that personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed3 Therefore, this option is a way to lower the risk of a data breach.
The other options are not ways to lower the risk of a data breach by applying DLM principles.
Prioritizing the data by order of importance may help to allocate resources and optimize performance, but it does not necessarily reduce the risk of a data breach. Minimizing the time it takes to retrieve the sensitive data may improve efficiency and responsiveness, but it does not necessarily reduce the risk of a data breach. Increasing the number of experienced staff to code and categorize the incoming data may enhance data quality and accuracy, but it does not necessarily reduce the risk of a data breach.
Reference: 3: Article 5 GDPR | General Data Protection Regulation (GDPR); 4: Data Lifecycle Management: A Complete Guide | Splunk
SCENARIO
Please use the following to answer the next QUESTION:
Richard McAdams recently graduated law school and decided to return to the small town of Lexington, Virginia to help run his aging grandfather’s law practice. The elder McAdams desired a limited, lighter role in the practice, with the hope that his grandson would eventually take over when he fully retires. In addition to hiring Richard, Mr. McAdams employs two paralegals, an administrative assistant, and a part-time IT specialist who handles all of their basic networking needs. He plans to hire more employees once Richard gets settled and assesses the office’s strategies for growth.
Immediately upon arrival, Richard was amazed at the amount of work that needed to done in order to modernize the office, mostly in regard to the handling of clients’ personal data. His first goal is to digitize all the records kept in file cabinets, as many of the documents contain personally identifiable financial and medical data. Also, Richard has noticed the massive amount of copying by the administrative assistant throughout the day, a practice that not only adds daily to the number of files in the file cabinets, but may create security issues unless a formal policy is firmly in place Richard is also concerned with the overuse of the communal copier/ printer located in plain view of clients who frequent the building. Yet another area of concern is the use of the same fax machine by all of the employees. Richard hopes to reduce its use dramatically in order to ensure that personal data receives the utmost security and protection, and eventually move toward a strict Internet faxing policy by the year’s end.
Richard expressed his concerns to his grandfather, who agreed, that updating data storage, data security, and an overall approach to increasing the protection of personal data in all facets is necessary Mr. McAdams granted him the freedom and authority to do so. Now Richard is not only beginning a career as an attorney, but also functioning as the privacy officer of the small firm. Richard plans to meet with the IT employee the following day, to get insight into how the office computer system is currently set-up and managed.
Which of the following policy statements needs additional instructions in order to further protect the personal data of their clients?
- A . All faxes sent from the office must be documented and the phone number used must be double checked to ensure a safe arrival.
- B . All unused copies, prints, and faxes must be discarded in a designated recycling bin located near the work station and emptied daily.
- C . Before any copiers, printers, or fax machines are replaced or resold, the hard drives of these devices must be deleted before leaving the office.
- D . When sending a print job containing personal data, the user must not leave the information visible on the computer screen following the print command and must retrieve the printed document immediately.
B
Explanation:
The policy statement that needs additional instructions in order to further protect the personal data of their clients is: All unused copies, prints, and faxes must be discarded in a designated recycling bin located near the work station and emptied daily. This policy statement is insufficient because it does not specify how the unused copies, prints, and faxes should be discarded. Simply throwing them into a recycling bin may expose them to unauthorized access or theft by anyone who has access to the bin or its contents. Furthermore, emptying the bin daily may not be frequent enough to prevent accumulation or overflow of sensitive documents.
To further protect the personal data of their clients, this policy statement should include additional instructions such as:
All unused copies, prints, and faxes must be shredded before being discarded in a designated recycling bin located near the work station.
The recycling bin must be locked or secured at all times when not in use.
The recycling bin must be emptied at least twice a day or whenever it is full.
These additional instructions would ensure that the unused copies, prints, and faxes are destroyed in a secure manner and that the recycling bin is not accessible to unauthorized persons or prone to overflow.
The other policy statements do not need additional instructions, as they already provide adequate measures to protect the personal data of their clients. Documenting and double-checking the phone number for faxes ensures that the faxes are sent to the correct and intended recipient. Deleting the hard drives of copiers, printers, or fax machines before replacing or reselling them prevents data leakage or recovery by third parties. Not leaving the information visible on the computer screen and retrieving the printed document immediately prevents data exposure or theft by anyone who can see the screen or access the printer.
SCENARIO
Please use the following to answer the next QUESTION:
Richard McAdams recently graduated law school and decided to return to the small town of Lexington, Virginia to help run his aging grandfather’s law practice. The elder McAdams desired a limited, lighter role in the practice, with the hope that his grandson would eventually take over when he fully retires. In addition to hiring Richard, Mr. McAdams employs two paralegals, an administrative assistant, and a part-time IT specialist who handles all of their basic networking needs. He plans to hire more employees once Richard gets settled and assesses the office’s strategies for growth.
Immediately upon arrival, Richard was amazed at the amount of work that needed to done in order to modernize the office, mostly in regard to the handling of clients’ personal data. His first goal is to digitize all the records kept in file cabinets, as many of the documents contain personally identifiable financial and medical data. Also, Richard has noticed the massive amount of copying by the administrative assistant throughout the day, a practice that not only adds daily to the number of files in the file cabinets, but may create security issues unless a formal policy is firmly in place Richard is also concerned with the overuse of the communal copier/ printer located in plain view of clients who frequent the building. Yet another area of concern is the use of the same fax machine by all of the employees. Richard hopes to reduce its use dramatically in order to ensure that personal data receives the utmost security and protection, and eventually move toward a strict Internet faxing policy by the year’s end.
Richard expressed his concerns to his grandfather, who agreed, that updating data storage, data security, and an overall approach to increasing the protection of personal data in all facets is necessary Mr. McAdams granted him the freedom and authority to do so. Now Richard is not only beginning a career as an attorney, but also functioning as the privacy officer of the small firm. Richard plans to meet with the IT employee the following day, to get insight into how the office computer system is currently set-up and managed.
Richard needs to closely monitor the vendor in charge of creating the firm’s database mainly because of what?
- A . The vendor will be required to report any privacy violations to the appropriate authorities.
- B . The vendor may not be aware of the privacy implications involved in the project.
- C . The vendor may not be forthcoming about the vulnerabilities of the database.
- D . The vendor will be in direct contact with all of the law firm’s personal data.
D
Explanation:
The main reason why Richard needs to closely monitor the vendor in charge of creating the firm’s database is that the vendor will be in direct contact with all of the law firm’s personal data. This means that the vendor will have access to sensitive and confidential information about the law firm’s clients, such as their financial and medical data, which could expose them to identity theft, fraud, or other harms if mishandled or breached.
Therefore, Richard needs to ensure that the vendor follows the best practices of data protection and security, such as:
Signing a data processing agreement that specifies the scope, purpose, duration, and terms of the data processing activities, as well as the rights and obligations of both parties.
Implementing appropriate technical and organizational measures to protect the data from unauthorized or unlawful access, use, disclosure, alteration, or destruction, such as encryption, access control, backup and recovery, logging and monitoring, etc.
Complying with the relevant laws and regulations that govern the collection, use, transfer, and retention of personal data, such as the GDPR or other local privacy laws.
Reporting any data breaches or incidents to the law firm and the relevant authorities as soon as possible and taking corrective actions to mitigate the impact and prevent recurrence.
Deleting or returning the data to the law firm after the completion of the project or upon request.
What should be the first major goal of a company developing a new privacy program?
- A . To survey potential funding sources for privacy team resources.
- B . To schedule conversations with executives of affected departments.
- C . To identify potential third-party processors of the organization’s information.
- D . To create Data Lifecycle Management policies and procedures to limit data collection.
B
Explanation:
The first major goal of a company developing a new privacy program should be to schedule conversations with executives of affected departments. This is because a privacy program requires the support and involvement of senior management and key stakeholders from different business units, such as legal, IT, marketing, human resources, etc. By engaging with them early on, a privacy professional can understand their needs, expectations, challenges, and risks, and align the privacy program objectives and strategies with the organization’s goals and culture.
Reference: [How to Develop a Privacy Program], [Privacy Program Management]
Which is TRUE about the scope and authority of data protection oversight authorities?
- A . The Office of the Privacy Commissioner (OPC) of Canada has the right to impose financial sanctions on violators.
- B . All authority in the European Union rests with the Data Protection Commission (DPC).
- C . No one agency officially oversees the enforcement of privacy regulations in the United States.
- D . The Asia-Pacific Economic Cooperation (APEC) Privacy Frameworks require all member nations to designate a national data protection authority.
C
Explanation:
The true statement about the scope and authority of data protection oversight authorities is that no one agency officially oversees the enforcement of privacy regulations in the United States. Unlike other regions, such as the European Union or Canada, the United States does not have a comprehensive federal privacy law or a single national data protection authority. Instead, it has a patchwork of sector-specific and state-level laws and regulations, enforced by various federal and state agencies, such as the Federal Trade Commission (FTC), the Department of Health and Human Services (HHS), the Department of Commerce (DOC), etc. Additionally, individuals can also bring private lawsuits against organizations that violate their privacy rights.
Reference: [Data Protection Authorities], [Privacy Law in the United States]
What should a privacy professional keep in mind when selecting which metrics to collect?
- A . Metrics should be reported to the public.
- B . The number of metrics should be limited at first.
- C . Metrics should reveal strategies for increasing company earnings.
- D . A variety of metrics should be collected before determining their specific functions.
B
Explanation:
A privacy professional should keep in mind that the number of metrics should be limited at first when selecting which metrics to collect. Metrics are quantitative measures that help evaluate the performance and effectiveness of a privacy program. However, collecting too many metrics can be overwhelming, confusing, and costly. Therefore, a privacy professional should start with a few key metrics that are relevant, meaningful, actionable, and aligned with the organization’s privacy goals and priorities. These metrics can be refined and expanded over time as the privacy program matures and evolves.
Reference: [Privacy Metrics], [Measuring Privacy Program Effectiveness]
SCENARIO
Please use the following to answer the next QUESTION:
Amira is thrilled about the sudden expansion of NatGen. As the joint Chief Executive Officer (CEO) with her long-time business partner Sadie, Amira has watched the company grow into a major competitor in the green energy market. The current line of products includes wind turbines, solar energy panels, and equipment for geothermal systems. A talented team of developers means that NatGen’s line of products will only continue to grow.
With the expansion, Amira and Sadie have received advice from new senior staff members brought on to help manage the company’s growth. One recent suggestion has been to combine the legal and security functions of the company to ensure observance of privacy laws and the company’s own privacy policy. This sounds overly complicated to Amira, who wants departments to be able to use, collect, store, and dispose of customer data in ways that will best suit their needs. She does not want administrative oversight and complex structuring to get in the way of people doing innovative work.
Sadie has a similar outlook. The new Chief Information Officer (CIO) has proposed what Sadie believes is an unnecessarily long timetable for designing a new privacy program. She has assured him that NatGen will use the best possible equipment for electronic storage of customer and employee data. She simply needs a list of equipment and an estimate of its cost. But the CIO insists that many issues are necessary to consider before the company gets to that stage.
Regardless, Sadie and Amira insist on giving employees space to do their jobs. Both CEOs want to entrust the monitoring of employee policy compliance to low-level managers. Amira and Sadie believe these managers can adjust the company privacy policy according to what works best for their particular departments. NatGen’s CEOs know that flexible interpretations of the privacy policy in the name of promoting green energy would be highly unlikely to raise any concerns with their customer base, as long as the data is always used in course of normal business activities.
Perhaps what has been most perplexing to Sadie and Amira has been the CIO’s recommendation to institute a privacy compliance hotline. Sadie and Amira have relented on this point, but they hope to compromise by allowing employees to take turns handling reports of privacy policy violations. The implementation will be easy because the employees need no special preparation. They will simply have to document any concerns they hear.
Sadie and Amira are aware that it will be challenging to stay true to their principles and guard against corporate culture strangling creativity and employee morale. They hope that all senior staff will see the benefit of trying a unique approach.
What Data Lifecycle Management (DLM) principle should the company follow if they end up allowing departments to interpret the privacy policy differently?
- A . Prove the authenticity of the company’s records.
- B . Arrange for official credentials for staff members.
- C . Adequately document reasons for inconsistencies.
- D . Create categories to reflect degrees of data importance.
C
Explanation:
If the company ends up allowing departments to interpret the privacy policy differently, they should follow the Data Lifecycle Management (DLM) principle of adequately documenting reasons for inconsistencies. This principle requires that data should be accurate, complete, and consistent throughout its lifecycle and that any deviations or discrepancies should be justified and recorded1 This would help the company to maintain data quality and integrity, as well as to demonstrate accountability and compliance with data protection regulations2
The other options are not DLM principles that the company should follow if they allow departments to interpret the privacy policy differently. Proving the authenticity of the company’s records is a principle related to data preservation and archiving, not data interpretation3 Arranging for official credentials for staff members is a principle related to data access and security, not data interpretation4 Creating categories to reflect degrees of data importance is a principle related to data classification and retention, not data interpretation5
Reference: 1: Data Lifecycle Management: A Complete Guide | Splunk; 2: Data Lifecycle Management | IBM; 3: Data Preservation | Digital Preservation Handbook; 4: Data Access Management Best Practices | Smartsheet; 5: Data Classification: What It Is And How To Do It | Varonis
SCENARIO
Please use the following to answer the next QUESTION:
Amira is thrilled about the sudden expansion of NatGen. As the joint Chief Executive Officer (CEO) with her long-time business partner Sadie, Amira has watched the company grow into a major competitor in the green energy market. The current line of products includes wind turbines, solar energy panels, and equipment for geothermal systems. A talented team of developers means that NatGen’s line of products will only continue to grow.
With the expansion, Amira and Sadie have received advice from new senior staff members brought on to help manage the company’s growth. One recent suggestion has been to combine the legal and security functions of the company to ensure observance of privacy laws and the company’s own privacy policy. This sounds overly complicated to Amira, who wants departments to be able to use, collect, store, and dispose of customer data in ways that will best suit their needs. She does not want administrative oversight and complex structuring to get in the way of people doing innovative work.
Sadie has a similar outlook. The new Chief Information Officer (CIO) has proposed what Sadie believes is an unnecessarily long timetable for designing a new privacy program. She has assured him that NatGen will use the best possible equipment for electronic storage of customer and employee data. She simply needs a list of equipment and an estimate of its cost. But the CIO insists that many issues are necessary to consider before the company gets to that stage.
Regardless, Sadie and Amira insist on giving employees space to do their jobs. Both CEOs want to entrust the monitoring of employee policy compliance to low-level managers. Amira and Sadie believe these managers can adjust the company privacy policy according to what works best for their particular departments. NatGen’s CEOs know that flexible interpretations of the privacy policy in the name of promoting green energy would be highly unlikely to raise any concerns with their customer base, as long as the data is always used in course of normal business activities.
Perhaps what has been most perplexing to Sadie and Amira has been the CIO’s recommendation to institute a privacy compliance hotline. Sadie and Amira have relented on this point, but they hope to compromise by allowing employees to take turns handling reports of privacy policy violations. The implementation will be easy because the employees need no special preparation. They will simply have to document any concerns they hear.
Sadie and Amira are aware that it will be challenging to stay true to their principles and guard against corporate culture strangling creativity and employee morale. They hope that all senior staff will see the benefit of trying a unique approach.
What is the most likely reason the Chief Information Officer (CIO) believes that generating a list of needed IT equipment is NOT adequate?
- A . The company needs to have policies and procedures in place to guide the purchasing decisions.
- B . The privacy notice for customers and the Business Continuity Plan (BCP) still need to be reviewed.
- C . Staff members across departments need time to review technical information concerning any new databases.
- D . Senior staff members need to first commit to adopting a minimum number of Privacy Enhancing Technologies (PETs).
A
Explanation:
The most likely reason the Chief Information Officer (CIO) believes that generating a list of needed IT equipment is not adequate is that the company needs to have policies and procedures in place to guide the purchasing decisions. Policies and procedures are essential for ensuring that the IT equipment meets the business needs and objectives, as well as the legal and regulatory requirements for data protection and security6 Policies and procedures can help the company to: Define the roles and responsibilities of the IT staff and other stakeholders involved in the purchasing process.
Establish the criteria and standards for selecting and evaluating the IT equipment vendors and products.
Determine the budget and timeline for acquiring and deploying the IT equipment.
Implement the best practices for installing, configuring, testing, maintaining, and disposing of the IT equipment.
Monitor and measure the performance and effectiveness of the IT equipment.
Without policies and procedures in place, the company may face risks such as:
Wasting time and money on unnecessary or inappropriate IT equipment.
Exposing sensitive data to unauthorized access or loss due to inadequate or incompatible IT equipment.
Failing to comply with data protection laws or industry standards due to non-compliant or outdated IT equipment.
Facing legal or reputational consequences due to data breaches or incidents caused by faulty or insecure IT equipment.
Therefore, generating a list of needed IT equipment is not adequate without having policies and procedures in place to guide the purchasing decisions.
Reference: 6: IT Policies & Procedures: A Quick Guide – ProjectManager; 7: IT Policies & Procedures: A Quick Guide – ProjectManager
SCENARIO
Please use the following to answer the next QUESTION:
Amira is thrilled about the sudden expansion of NatGen. As the joint Chief Executive Officer (CEO) with her long-time business partner Sadie, Amira has watched the company grow into a major competitor in the green energy market. The current line of products includes wind turbines, solar energy panels, and equipment for geothermal systems. A talented team of developers means that NatGen’s line of products will only continue to grow.
With the expansion, Amira and Sadie have received advice from new senior staff members brought on to help manage the company’s growth. One recent suggestion has been to combine the legal and security functions of the company to ensure observance of privacy laws and the company’s own privacy policy. This sounds overly complicated to Amira, who wants departments to be able to use, collect, store, and dispose of customer data in ways that will best suit their needs. She does not want administrative oversight and complex structuring to get in the way of people doing innovative work.
Sadie has a similar outlook. The new Chief Information Officer (CIO) has proposed what Sadie believes is an unnecessarily long timetable for designing a new privacy program. She has assured him that NatGen will use the best possible equipment for electronic storage of customer and employee data. She simply needs a list of equipment and an estimate of its cost. But the CIO insists that many issues are necessary to consider before the company gets to that stage.
Regardless, Sadie and Amira insist on giving employees space to do their jobs. Both CEOs want to entrust the monitoring of employee policy compliance to low-level managers. Amira and Sadie believe these managers can adjust the company privacy policy according to what works best for their particular departments. NatGen’s CEOs know that flexible interpretations of the privacy policy in the name of promoting green energy would be highly unlikely to raise any concerns with their customer base, as long as the data is always used in course of normal business activities.
Perhaps what has been most perplexing to Sadie and Amira has been the CIO’s recommendation to institute a privacy compliance hotline. Sadie and Amira have relented on this point, but they hope to compromise by allowing employees to take turns handling reports of privacy policy violations. The implementation will be easy because the employees need no special preparation. They will simply have to document any concerns they hear.
Sadie and Amira are aware that it will be challenging to stay true to their principles and guard against corporate culture strangling creativity and employee morale. They hope that all senior staff will see the benefit of trying a unique approach.
If Amira and Sadie’s ideas about adherence to the company’s privacy policy go unchecked, the Federal Communications Commission (FCC) could potentially take action against NatGen for what?
- A . Deceptive practices.
- B . Failing to institute the hotline.
- C . Failure to notify of processing.
- D . Negligence in consistent training.
A
Explanation:
If Amira and Sadie’s ideas about adherence to the company’s privacy policy go unchecked, the Federal Communications Commission (FCC) could potentially take action against NatGen for deceptive practices. This is because the FCC has the authority to enforce Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices in or affecting commerce. By allowing different departments to use, collect, store, and dispose of customer data in ways that may not be consistent with the company’s privacy policy, NatGen may be misleading its customers about how their personal information is protected and used. This could violate the FTC Act and expose NatGen to enforcement actions, fines, and reputational damage.
Reference: [FCC Enforcement], [FTC Act], [Privacy Policy]
SCENARIO
Please use the following to answer the next QUESTION:
Amira is thrilled about the sudden expansion of NatGen. As the joint Chief Executive Officer (CEO) with her long-time business partner Sadie, Amira has watched the company grow into a major competitor in the green energy market. The current line of products includes wind turbines, solar
energy panels, and equipment for geothermal systems. A talented team of developers means that NatGen’s line of products will only continue to grow.
With the expansion, Amira and Sadie have received advice from new senior staff members brought on to help manage the company’s growth. One recent suggestion has been to combine the legal and security functions of the company to ensure observance of privacy laws and the company’s own privacy policy. This sounds overly complicated to Amira, who wants departments to be able to use, collect, store, and dispose of customer data in ways that will best suit their needs. She does not want administrative oversight and complex structuring to get in the way of people doing innovative work.
Sadie has a similar outlook. The new Chief Information Officer (CIO) has proposed what Sadie believes is an unnecessarily long timetable for designing a new privacy program. She has assured him that NatGen will use the best possible equipment for electronic storage of customer and employee data. She simply needs a list of equipment and an estimate of its cost. But the CIO insists that many issues are necessary to consider before the company gets to that stage.
Regardless, Sadie and Amira insist on giving employees space to do their jobs. Both CEOs want to entrust the monitoring of employee policy compliance to low-level managers. Amira and Sadie believe these managers can adjust the company privacy policy according to what works best for their particular departments. NatGen’s CEOs know that flexible interpretations of the privacy policy in the name of promoting green energy would be highly unlikely to raise any concerns with their customer base, as long as the data is always used in course of normal business activities.
Perhaps what has been most perplexing to Sadie and Amira has been the CIO’s recommendation to institute a privacy compliance hotline. Sadie and Amira have relented on this point, but they hope to compromise by allowing employees to take turns handling reports of privacy policy violations. The implementation will be easy because the employees need no special preparation. They will simply have to document any concerns they hear.
Sadie and Amira are aware that it will be challenging to stay true to their principles and guard against corporate culture strangling creativity and employee morale. They hope that all senior staff will see the benefit of trying a unique approach.
Based on the scenario, what additional change will increase the effectiveness of the privacy compliance hotline?
- A . Outsourcing the hotline.
- B . A system for staff education.
- C . Strict communication channels.
- D . An ethics complaint department.
B
Explanation:
Based on the scenario, an additional change that will increase the effectiveness of the privacy compliance hotline is a system for staff education. A privacy compliance hotline is a mechanism for employees, customers, or other stakeholders to report any concerns or violations of the company’s privacy policy or applicable laws. However, a hotline alone is not sufficient to ensure a robust and compliant privacy program. Employees also need to be educated and trained on the importance of privacy, the company’s privacy policy and procedures, their roles and responsibilities, and the consequences of non-compliance. A system for staff education can help raise awareness, foster a culture of privacy, and prevent or mitigate potential risks.
Reference: [Privacy Compliance Hotline], [Staff Education]
If an organization maintains a separate ethics office, to whom would its officer typically report to in order to retain the greatest degree of independence?
- A . The Board of Directors.
- B . The Chief Financial Officer.
- C . The Human Resources Director.
- D . The organization’s General Counsel.
A
Explanation:
If an organization maintains a separate ethics office, its officer would typically report to the Board of Directors in order to retain the greatest degree of independence. This is because the Board of Directors is the highest governing body of the organization and has the authority and responsibility to oversee the ethical conduct and performance of the organization and its management1 Reporting to the Board of Directors would enable the ethics officer to avoid any potential conflicts of interest or undue influence from other senior executives or managers who may have a stake in the ethical issues or decisions that the ethics office handles2 Reporting to the Board of Directors would also enhance the credibility and legitimacy of the ethics office and its recommendations, as well as demonstrate the organization’s commitment to ethical values and culture3. The other options are not as suitable as reporting to the Board of Directors for retaining the greatest degree of independence for the ethics office. Reporting to the Chief Financial Officer may create a conflict of interest or a perception of bias if the ethical issues or decisions involve financial matters or implications4 Reporting to the Human Resources Director may limit the scope or authority of the ethics office to deal with ethical issues or decisions that go beyond human resources policies or practices5 Reporting to the organization’s General Counsel may blur the distinction or create confusion between legal compliance and ethical conduct, as well as raise concerns about attorney-client privilege or confidentiality6
Reference: 1: Board Responsibilities | BoardSource; 2: Ethics Officer: Job Description, Duties and Requirements; 3: The Role Of The Ethics And Compliance Officer In The 21st Century | Corporate Compliance Insights; 4: Ethics Officer: Job Description, Duties and Requirements; 5: Ethics Officer: Job Description, Duties and Requirements; 6: Ethics Officer: Job Description, Duties and Requirements
Reference: https://hbr.org/1994/03/managing-for-organizational-integrity
What is a key feature of the privacy metric template adapted from the National Institute of Standards and Technology (NIST)?
- A . It provides suggestions about how to collect and measure data.
- B . It can be tailored to an organization’s particular needs.
- C . It is updated annually to reflect changes in government policy.
- D . It is focused on organizations that do business internationally.
B
Explanation:
A key feature of the privacy metric template adapted from the National Institute of Standards and Technology (NIST) is that it can be tailored to an organization’s particular needs. The privacy metric template is a tool that helps organizations measure their privacy performance and outcomes based on their own goals and objectives7. The template consists of four components: privacy objective, privacy outcome category, privacy outcome statement, and privacy metric statement. The template allows organizations to customize each component according to their specific context, scope, scale, and level of detail8. The template also provides examples and guidance on how to use it effectively and consistently9
The other options are not key features of the privacy metric template adapted from NIST. The template does not provide suggestions on how to collect and measure data, but rather focuses on defining what data to collect and measure based on the desired privacy outcomes. The template is not updated annually to reflect changes in government policy, but rather reflects a general framework that can be applied across different sectors and jurisdictions. The template is not focused on organizations that do business internationally, but rather can be used by any organization regardless of its geographic scope or location.
Reference: 7: Privacy Framework | NIST; 8: NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management Version 1.0; 9: NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management Version 1.0
What United States federal law requires financial institutions to declare their personal data collection practices?
- A . The Kennedy-Hatch Disclosure Act of 1997.
- B . The Gramm-Leach-Bliley Act of 1999.
- C . SUPCLA, or the federal Superprivacy Act of 2001.
- D . The Financial Portability and Accountability Act of 2006.
B
Explanation:
The United States federal law that requires financial institutions to declare their personal data collection practices is the Gramm-Leach-Bliley Act (GLBA) of 1999. The GLBA is also known as the Financial Services Modernization Act or the Financial Modernization Act10 The GLBA regulates how financial institutions collect, use, disclose, and protect the nonpublic personal information of their customers11 The GLBA requires financial institutions to provide a privacy notice to their customers that explains what kinds of information they collect, how they use and share that information, and how they safeguard that information12 The GLBA also gives customers the right to opt out of certain information sharing practices with third parties13
The other options are not US federal laws that require financial institutions to declare their personal data collection practices. The Kennedy-Hatch Disclosure Act of 1997 is a proposed but not enacted legislation that would have required health insurers to disclose their policies and practices regarding the use and disclosure of genetic information14 SUPCLA, or the federal Superprivacy Act of 2001, is a fictional law that does not exist in reality. The Financial Portability and Accountability Act of 2006 is also a fictional law that does not exist in reality, although it may be confused with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which regulates the privacy and security of health information15
Reference: 10: Gramm-Leach-Bliley Act | Federal Trade Commission; 11: Financial Privacy | Federal Trade Commission; 12: Financial Privacy | Federal Trade Commission; 13: Financial Privacy | Federal Trade Commission; 14: S. 422 (105th): Genetic Information Nondiscrimination in Health Insurance Act of 1997; 15: Health Information Privacy | HHS.gov
SCENARIO
Please use the following to answer the next QUESTION:
As the Director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development.
You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program’s sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change.
Initially, your work was greeted with little confidence or enthusiasm by the company’s "old guard" among both the executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the current state of operations, you soon had the leaders and key decision-makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training program achieved sufficient "buy-in" to begin putting the proper procedures into place.
Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development.
While your approach is not systematic, it is fairly effective.
You are left contemplating:
What must be done to maintain the program and develop it beyond just a data breach prevention program?
How can you build on your success?
What are the next action steps?
Which of the following would be most effectively used as a guide to a systems approach to implementing data protection?
- A . Data Lifecycle Management Standards.
- B . United Nations Privacy Agency Standards.
- C . International Organization for Standardization 9000 Series.
- D . International Organization for Standardization 27000 Series.
D
Explanation:
This series of standards provides a framework for establishing, implementing, maintaining and improving an information security management system (ISMS), which includes data protection as a key component.
Reference: https://www.itgovernance.co.uk/blog/what-is-the-iso-27000-series-of-standards
SCENARIO
Please use the following to answer the next QUESTION:
As the Director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development.
You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program’s sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change.
Initially, your work was greeted with little confidence or enthusiasm by the company’s "old guard" among both the executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the current state of operations, you soon had the leaders and key decision-makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training program achieved sufficient "buy-in" to begin putting the proper procedures into place.
Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development. While your approach is not systematic, it is fairly effective.
You are left contemplating:
What must be done to maintain the program and develop it beyond just a data breach prevention
program? How can you build on your success?
What are the next action steps?
How can Consolidated’s privacy training program best be further developed?
- A . Through targeted curricula designed for specific departments.
- B . By adopting e-learning to reduce the need for instructors.
- C . By using industry standard off-the-shelf programs.
- D . Through a review of recent data breaches.
A
Explanation:
This would allow Consolidated to tailor the privacy training to the specific needs and risks of each department, and to ensure that the employees are aware of the relevant policies and procedures for their roles.
SCENARIO
Please use the following to answer the next QUESTION:
As the Director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development.
You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program’s sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change.
Initially, your work was greeted with little confidence or enthusiasm by the company’s "old guard" among both the executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the current state of operations, you soon had the leaders and key decision-makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training program achieved sufficient "buy-in" to begin putting the proper procedures into place.
Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development. While your approach is not systematic, it is fairly effective.
You are left contemplating:
What must be done to maintain the program and develop it beyond just a data breach prevention program? How can you build on your success?
What are the next action steps?
What stage of the privacy operational life cycle best describes Consolidated’s current privacy program?
- A . Assess.
- B . Protect.
- C . Respond.
- D . Sustain.
SCENARIO
Please use the following to answer the next QUESTION:
As the Director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development.
You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program’s sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change.
Initially, your work was greeted with little confidence or enthusiasm by the company’s "old guard" among both the executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the current state of operations, you soon had the leaders and key decision-makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training program achieved sufficient "buy-in" to begin putting the proper procedures into place.
Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development. While your approach is not systematic, it is fairly effective.
You are left contemplating:
What must be done to maintain the program and develop it beyond just a data breach prevention program? How can you build on your success?
What are the next action steps?
What practice would afford the Director the most rigorous way to check on the program’s compliance with laws, regulations and industry best practices?
- A . Auditing.
- B . Monitoring.
- C . Assessment.
- D . Forensics.
A
Explanation:
This is the most rigorous way to check on the program’s compliance with laws, regulations and industry best practices, as it involves an independent and objective examination of the program’s records, activities and performance against established criteria.
SCENARIO
Please use the following to answer the next QUESTION:
As the Director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development.
You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program’s sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change.
Initially, your work was greeted with little confidence or enthusiasm by the company’s "old guard" among both the executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the current state of operations, you soon had the leaders and key decision-makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training program achieved sufficient "buy-in" to begin putting the proper procedures into place.
Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development. While your approach is not systematic, it is fairly effective.
You are left contemplating:
What must be done to maintain the program and develop it beyond just a data breach prevention program? How can you build on your success?
What are the next action steps?
What analytic can be used to track the financial viability of the program as it develops?
- A . Cost basis.
- B . Gap analysis.
- C . Return to investment.
- D . Breach impact modeling.
C
Explanation:
This analytic can be used to track the financial viability of the program as it develops, as it measures the net benefit of the program compared to its cost. It can show how much value the program adds to the organization by preventing or reducing data breaches, fines, lawsuits, reputational damage and other potential costs.
SCENARIO
Please use the following to answer the next QUESTION:
As the Director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development.
You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program’s sponsor, the vice president of operations, as well as by a Privacy Team that started
from a clear understanding of the need for change.
Initially, your work was greeted with little confidence or enthusiasm by the company’s "old guard" among both the executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the current state of operations, you soon had the leaders and key decision-makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training program achieved sufficient "buy-in" to begin putting the proper procedures into place.
Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development. While your approach is not systematic, it is fairly effective.
You are left contemplating:
What must be done to maintain the program and develop it beyond just a data breach prevention program? How can you build on your success?
What are the next action steps?
What process could most effectively be used to add privacy protections to a new, comprehensive program being developed at Consolidated?
- A . Privacy by Design.
- B . Privacy Step Assessment.
- C . Information Security Planning.
- D . Innovation Privacy Standards.
A
Explanation:
This is a process that embeds privacy protections into the design and development of new technologies, systems, products or services that involve personal data. It ensures that privacy is considered at every stage of the development process, from conception to completion, and that the privacy principles are integrated into the core functionality of the program.
Which of the following indicates you have developed the right privacy framework for your organization?
- A . It includes a privacy assessment of each major system.
- B . It improves the consistency of the privacy program.
- C . It works at a different type of organization.
- D . It identifies all key stakeholders by name.
B
Explanation:
Developing the right privacy framework for your organization means that you have a clear and coherent set of policies, procedures, and practices that align with your privacy objectives and obligations. A good privacy framework should improve the consistency of the privacy program by ensuring that all relevant stakeholders understand and follow the same standards and expectations across different functions, processes, and systems. A consistent privacy program can also help reduce errors, risks, and costs associated with privacy compliance.
Rationalizing requirements in order to comply with the various privacy requirements required by applicable law and regulation does NOT include which of the following?
- A . Harmonizing shared obligations and privacy rights across varying legislation and/or regulators.
- B . Implementing a solution that significantly addresses shared obligations and privacy rights.
- C . Applying the strictest standard for obligations and privacy rights that doesn’t violate privacy laws elsewhere.
- D . Addressing requirements that fall outside the common obligations and rights (outliers) on a case-by-case basis.
C
Explanation:
Rationalizing requirements in order to comply with the various privacy requirements required by applicable law and regulation means that you have a systematic and logical approach to harmonize and streamline your compliance efforts. Rationalizing requirements does include harmonizing shared obligations and privacy rights across varying legislation and/or regulators, implementing a solution that significantly addresses shared obligations and privacy rights, and addressing requirements that fall outside the common obligations and rights (outliers) on a case-by-case basis. These steps can help you avoid duplication, inconsistency, or inefficiency in your compliance activities.
What is the name for the privacy strategy model that describes delegated decision making?
- A . De-centralized.
- B . De-functionalized.
- C . Hybrid.
- D . Matrix.
D
Explanation:
A matrix is a type of organizational structure that involves delegated decision making. In a matrix structure, employees report to more than one manager or leader, usually based on different functions or projects. For example, a software developer may report to both a product manager and a technical manager. A matrix structure allows for more flexibility, collaboration, and innovation in complex and dynamic environments.
The other options are not examples of delegated decision making structures. A de-centralized structure involves distributing decision making authority across different levels or units of the organization, rather than concentrating it at the top. A de-functionalized structure involves breaking down functional silos and creating cross-functional teams or processes. A hybrid structure involves combining elements of different types of structures, such as functional, divisional, or matrix.
Which of the following controls does the PCI DSS framework NOT require?
- A . Implement strong asset control protocols.
- B . Implement strong access control measures.
- C . Maintain an information security policy.
- D . Maintain a vulnerability management program.
A
Explanation:
The PCI DSS framework does not require implementing strong asset control protocols. Asset control protocols are policies and procedures that govern how an organization manages its physical and digital assets, such as inventory, equipment, software, data, etc. Asset control protocols may include aspects such as identification, classification, valuation, tracking, maintenance, disposal, etc. Asset control protocols are important for ensuring the security and integrity of an organization’s assets, but they are not part of the PCI DSS framework.
Which of the following privacy frameworks are legally binding?
- A . Binding Corporate Rules (BCRs).
- B . Generally Accepted Privacy Principles (GAPP).
- C . Asia-Pacific Economic Cooperation (APEC) Privacy Framework.
- D . Organization for Economic Co-Operation and Development (OECD) Guidelines.
A
Explanation:
Binding Corporate Rules (BCRs) are a set of legally binding rules that allow multinational corporations or groups of companies to transfer personal data across borders within their organization in compliance with the EU data protection law1 BCRs are approved by the competent data protection authorities in the EU and are enforceable by data subjects and the authorities2 BCRs are one of the mechanisms recognized by the EU General Data Protection Regulation (GDPR) to ensure an adequate level of protection for personal data transferred outside the European Economic
Area (EEA)3
Which of the following is an example of Privacy by Design (PbD)?
- A . A company hires a professional to structure a privacy program that anticipates the increasing demands of new laws.
- B . The human resources group develops a training program for employees to become certified in privacy policy.
- C . A labor union insists that the details of employers’ data protection methods be documented in a new contract.
- D . The information technology group uses privacy considerations to inform the development of new networking software.
D
Explanation:
This is an example of Privacy by Design (PbD), which is an approach to systems engineering that integrates privacy into the design and development of products, services, and processes from the outset7 PbD aims to ensure that privacy is embedded into the core functionality of any system or service, rather than being added as an afterthought or a trade-off. PbD is based on seven foundational principles: proactive not reactive; preventive not remedial; privacy as the default setting; privacy embedded into design; full functionality C positive-sum, not zero-sum; end-to-end security C full lifecycle protection; visibility and transparency C keep it open; and respect for user privacy C keep it user-centric8
In regards to the collection of personal data conducted by an organization, what must the data subject be allowed to do?
- A . Evaluate the qualifications of a third-party processor before any data is transferred to that processor.
- B . Obtain a guarantee of prompt notification in instances involving unauthorized access of the data.
- C . Set a time-limit as to how long the personal data may be stored by the organization.
- D . Challenge the authenticity of the personal data and have it corrected if needed.
D
Explanation:
In regards to the collection of personal data conducted by an organization, the data subject must be allowed to challenge the authenticity of the personal data and have it corrected if needed. This is a fundamental right of data subjects under various data protection laws and regulations, such as the EU General Data Protection Regulation (GDPR) 1, the California Consumer Privacy Act (CCPA) 2, and the Personal Data Protection Act (PDPA) of Singapore 3. This right enables data subjects to verify the
accuracy and completeness of their personal data and to request rectification or erasure of any inaccurate or incomplete data. This right also helps organizations to maintain high standards of data quality and integrity.
SCENARIO
Please use the following to answer the next QUESTION:
It’s just what you were afraid of. Without consulting you, the information technology director at your organization launched a new initiative to encourage employees to use personal devices for conducting business. The initiative made purchasing a new, high-specification laptop computer an attractive option, with discounted laptops paid for as a payroll deduction spread over a year of paychecks. The organization is also paying the sales taxes. It’s a great deal, and after a month, more than half the organization’s employees have signed on and acquired new laptops. Walking through the facility, you see them happily customizing and comparing notes on their new computers, and at the end of the day, most take their laptops with them, potentially carrying personal data to their homes or other unknown locations. It’s enough to give you data- protection nightmares, and you’ve pointed out to the information technology Director and many others in the organization the potential hazards of this new practice, including the inevitability of eventual data loss or theft.
Today you have in your office a representative of the organization’s marketing department who shares with you, reluctantly, a story with potentially serious consequences. The night before, straight from work, with laptop in hand, he went to the Bull and Horn Pub to play billiards with his friends. A fine night of sport and socializing began, with the laptop "safely" tucked on a bench, beneath his jacket. Later that night, when it was time to depart, he retrieved the jacket, but the laptop was gone. It was not beneath the bench or on another bench nearby. The waitstaff had not seen it. His friends were not playing a joke on him. After a sleepless night, he confirmed it this morning, stopping by the pub to talk to the cleanup crew. They had not found it. The laptop was missing. Stolen, it seems. He looks at you, embarrassed and upset.
You ask him if the laptop contains any personal data from clients, and, sadly, he nods his head, yes. He believes it contains files on about 100 clients, including names, addresses and governmental identification numbers. He sighs and places his head in his hands in despair.
Which is the best way to ensure that data on personal equipment is protected?
- A . User risk training.
- B . Biometric security.
- C . Encryption of the data.
- D . Frequent data backups.
C
Explanation:
Encryption of the data is the best way to ensure that data on personal equipment is protected, as it prevents unauthorized access to the data even if the equipment is lost or stolen. Encryption is the process of transforming data into an unreadable format that can only be decrypted with a valid key
or password. Encryption can be applied to the entire device, a specific folder or file, or a removable storage media. Encryption is one of the most effective technical safeguards for data protection and is recommended by many privacy laws and standards.
Reference: IAPP CIPM Study Guide, page 831; ISO/IEC 27002:2013, section 10.1.1
SCENARIO
Please use the following to answer the next QUESTION:
It’s just what you were afraid of. Without consulting you, the information technology director at your organization launched a new initiative to encourage employees to use personal devices for conducting business. The initiative made purchasing a new, high-specification laptop computer an attractive option, with discounted laptops paid for as a payroll deduction spread over a year of paychecks. The organization is also paying the sales taxes. It’s a great deal, and after a month, more than half the organization’s employees have signed on and acquired new laptops. Walking through the facility, you see them happily customizing and comparing notes on their new computers, and at the end of the day, most take their laptops with them, potentially carrying personal data to their homes or other unknown locations. It’s enough to give you data- protection nightmares, and you’ve pointed out to the information technology Director and many others in the organization the potential hazards of this new practice, including the inevitability of eventual data loss or theft.
Today you have in your office a representative of the organization’s marketing department who shares with you, reluctantly, a story with potentially serious consequences. The night before, straight from work, with laptop in hand, he went to the Bull and Horn Pub to play billiards with his friends. A fine night of sport and socializing began, with the laptop "safely" tucked on a bench, beneath his jacket. Later that night, when it was time to depart, he retrieved the jacket, but the laptop was gone. It was not beneath the bench or on another bench nearby. The waitstaff had not seen it. His friends were not playing a joke on him. After a sleepless night, he confirmed it this morning, stopping by the pub to talk to the cleanup crew. They had not found it. The laptop was missing. Stolen, it seems. He looks at you, embarrassed and upset.
You ask him if the laptop contains any personal data from clients, and, sadly, he nods his head, yes. He believes it contains files on about 100 clients, including names, addresses and governmental identification numbers. He sighs and places his head in his hands in despair.
From a business standpoint, what is the most productive way to view employee use of personal equipment for work-related tasks?
- A . The use of personal equipment is a cost-effective measure that leads to no greater security risks than are always present in a modern organization.
- B . Any computer or other equipment is company property whenever it is used for company business.
- C . While the company may not own the equipment, it is required to protect the business-related data on any equipment used by its employees.
- D . The use of personal equipment must be reduced as it leads to inevitable security risks.
C
Explanation:
This answer reflects the principle of accountability, which states that the company is responsible for ensuring that personal data is processed in compliance with applicable laws and regulations, regardless of who owns or controls the equipment that stores or processes the data. The company should establish policies and procedures for managing the use of personal equipment for work-related tasks, such as requiring encryption, authentication, remote wipe, backup and reporting of incidents. The company should also provide training and awareness to the employees on how to protect the data on their personal equipment and what are their obligations and liabilities.
Reference: IAPP CIPM Study Guide, page 841; ISO/IEC 27002:2013, section 6.2.1
SCENARIO
Please use the following to answer the next QUESTION:
It’s just what you were afraid of. Without consulting you, the information technology director at your organization launched a new initiative to encourage employees to use personal devices for conducting business. The initiative made purchasing a new, high-specification laptop computer an attractive option, with discounted laptops paid for as a payroll deduction spread over a year of paychecks. The organization is also paying the sales taxes. It’s a great deal, and after a month, more than half the organization’s employees have signed on and acquired new laptops. Walking through the facility, you see them happily customizing and comparing notes on their new computers, and at the end of the day, most take their laptops with them, potentially carrying personal data to their homes or other unknown locations. It’s enough to give you data- protection nightmares, and you’ve pointed out to the information technology Director and many others in the organization the potential hazards of this new practice, including the inevitability of eventual data loss or theft.
Today you have in your office a representative of the organization’s marketing department who shares with you, reluctantly, a story with potentially serious consequences. The night before, straight from work, with laptop in hand, he went to the Bull and Horn Pub to play billiards with his friends. A fine night of sport and socializing began, with the laptop "safely" tucked on a bench, beneath his jacket. Later that night, when it was time to depart, he retrieved the jacket, but the laptop was gone. It was not beneath the bench or on another bench nearby. The waitstaff had not seen it. His friends were not playing a joke on him. After a sleepless night, he confirmed it this morning, stopping by the pub to talk to the cleanup crew. They had not found it. The laptop was missing. Stolen, it seems. He looks at you, embarrassed and upset.
You ask him if the laptop contains any personal data from clients, and, sadly, he nods his head, yes. He believes it contains files on about 100 clients, including names, addresses and governmental identification numbers. He sighs and places his head in his hands in despair.
In order to determine the best course of action, how should this incident most productively be viewed?
- A . As the accidental loss of personal property containing data that must be restored.
- B . As a potential compromise of personal information through unauthorized access.
- C . As an incident that requires the abrupt initiation of a notification campaign.
- D . As the premeditated theft of company data, until shown otherwise.
B
Explanation:
This answer recognizes the risk of data breach that may result from the loss of the laptop, as it may expose the personal information of the clients to unauthorized or unlawful processing. A data breach is defined as a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. A data breach may have serious consequences for the individuals whose data is compromised, such as identity theft, fraud, discrimination, financial loss or reputational damage. Therefore, it is important to view this incident as a potential compromise of personal information and take appropriate measures to contain, assess and mitigate the impact of the breach.
Reference: IAPP CIPM Study Guide, page 86; ISO/IEC 27002:2013, section 16.1.1
SCENARIO
Please use the following to answer the next QUESTION:
It’s just what you were afraid of. Without consulting you, the information technology director at your organization launched a new initiative to encourage employees to use personal devices for conducting business. The initiative made purchasing a new, high-specification laptop computer an attractive option, with discounted laptops paid for as a payroll deduction spread over a year of paychecks. The organization is also paying the sales taxes. It’s a great deal, and after a month, more than half the organization’s employees have signed on and acquired new laptops. Walking through the facility, you see them happily customizing and comparing notes on their new computers, and at the end of the day, most take their laptops with them, potentially carrying personal data to their homes or other unknown locations. It’s enough to give you data- protection nightmares, and you’ve pointed out to the information technology Director and many others in the organization the potential hazards of this new practice, including the inevitability of eventual data loss or theft.
Today you have in your office a representative of the organization’s marketing department who shares with you, reluctantly, a story with potentially serious consequences. The night before, straight from work, with laptop in hand, he went to the Bull and Horn Pub to play billiards with his friends. A fine night of sport and socializing began, with the laptop "safely" tucked on a bench, beneath his jacket. Later that night, when it was time to depart, he retrieved the jacket, but the laptop was gone. It was not beneath the bench or on another bench nearby. The waitstaff had not seen it. His friends were not playing a joke on him. After a sleepless night, he confirmed it this morning, stopping by the pub to talk to the cleanup crew. They had not found it. The laptop was missing. Stolen, it seems. He looks at you, embarrassed and upset.
You ask him if the laptop contains any personal data from clients, and, sadly, he nods his head, yes. He believes it contains files on about 100 clients, including names, addresses and governmental identification numbers. He sighs and places his head in his hands in despair.
What should you do first to ascertain additional information about the loss of data?
- A . Interview the person reporting the incident following a standard protocol.
- B . Call the police to investigate even if you are unsure a crime occurred.
- C . Investigate the background of the person reporting the incident.
- D . Check company records of the latest backups to see what data may be recoverable.
A
Explanation:
This answer is the best way to ascertain additional information about the loss of data, as it allows you to gather relevant facts and details from the person who witnessed or experienced the incident.
A standard protocol for interviewing the person reporting the incident should include questions such as:
When and where did the incident occur?
What type and amount of data was involved?
How was the data stored or protected on the laptop?
Who else had access to or knowledge of the laptop or the data?
What actions have been taken so far to recover or secure the laptop or the data?
How did you discover or report the incident?
Do you have any evidence or clues about who may have taken or accessed the laptop or the data? Do you have any other information that may be relevant or helpful for the investigation? Interviewing the person reporting the incident following a standard protocol can help you to establish a clear timeline and scope of the incident, identify potential sources of evidence, assess the level of risk and harm to the individuals and the organization, and determine the next steps for responding to and resolving the incident.
Reference: IAPP CIPM Study Guide, page 87; ISO/IEC 27002:2013, section 16.1.4
Which is NOT an influence on the privacy environment external to an organization?
- A . Management team priorities.
- B . Regulations.
- C . Consumer demand.
- D . Technological advances.
A
Explanation:
The privacy environment external to an organization refers to the factors that are outside the control of the organization, such as regulations, consumer demand, technological advances, and social norms. These factors can affect the organization’s privacy practices and policies, and require the organization to adapt and comply. Management team priorities are an internal factor that influence the privacy environment within the organization, as they reflect the organization’s vision, mission, values, and goals.
Reference: CIPM Study Guide, page 14.
How are individual program needs and specific organizational goals identified in privacy framework development?
- A . By employing metrics to align privacy protection with objectives.
- B . Through conversations with the privacy team.
- C . By employing an industry-standard needs analysis.
- D . Through creation of the business case.
D
Explanation:
The creation of the business case is the first step in privacy framework development, as it helps to identify the individual program needs and specific organizational goals. The business case is a document that outlines the rationale, objectives, benefits, costs, risks, and alternatives for implementing a privacy program. It also helps to communicate the value of privacy to stakeholders and gain their support. The other options are subsequent steps in privacy framework development, after the business case has been established.
Reference: CIPM Study Guide, page 15.
SCENARIO
Please use the following to answer the next QUESTION:
Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to Question the company’s privacy program at today’s meeting.
Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging
Nationwide Grill’s market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced.
Spencer C a former CEO and currently a senior advisor C said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.
One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason. "Breaches can happen, despite organizations’ best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton’s had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton’s’s corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company’s incident response.
Spencer replied that acting with reason means allowing security to be handled by the security functions within the company C not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company’s privacy program. Both the volume and the duplication of information means that it is often ignored altogether.
Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month."
Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules. Silently, Natalia agreed.
What is the most realistic step the organization can take to help diminish liability in the event of another incident?
- A . Requiring the vendor to perform periodic internal audits.
- B . Specifying mandatory data protection practices in vendor contracts.
- C . Keeping the majority of processing activities within the organization.
- D . Obtaining customer consent for any third-party processing of personal data.
B
Explanation:
This answer is the most realistic step the organization can take to help diminish liability in the event of another incident, as it can ensure that the vendor complies with the same standards and obligations as the organization regarding data protection. Vendor contracts should include clauses that specify the scope, purpose, duration and type of data processing, as well as the rights and responsibilities of both parties. The contracts should also require the vendor to implement appropriate technical and organizational measures to protect the data from unauthorized or unlawful access, use, disclosure, alteration or destruction, and to notify the organization of any security incidents or breaches. The contracts should also allow the organization to monitor, audit or inspect the vendor’s performance and compliance with the contract terms and applicable laws and regulations.
Reference: IAPP CIPM Study Guide, page 82; ISO/IEC 27002:2013, section 15.1.2
SCENARIO
Please use the following to answer the next QUESTION:
Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to Question the company’s privacy program at today’s meeting.
Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging Nationwide Grill’s market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced.
Spencer C a former CEO and currently a senior advisor C said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.
One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason. "Breaches can happen, despite organizations’ best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton’s had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton’s’s corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company’s incident response.
Spencer replied that acting with reason means allowing security to be handled by the security functions within the company C not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company’s privacy program. Both the volume and the duplication of information means that it is often ignored altogether.
Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month."
Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules. Silently, Natalia agreed.
Based on the scenario, Nationwide Grill needs to create better employee awareness of the company’s privacy program by doing what?
- A . Varying the modes of communication.
- B . Communicating to the staff more often.
- C . Improving inter-departmental cooperation.
- D . Requiring acknowledgment of company memos.
A
Explanation:
This answer is the best way to create better employee awareness of the company’s privacy program, as it can increase the effectiveness and retention of the information by appealing to different learning styles and preferences. Varying the modes of communication can include using different formats and channels, such as posters, emails, memos, videos, webinars, podcasts, newsletters, quizzes, games or interactive modules. Varying the modes of communication can also help to avoid information overload or duplication, which may cause employees to ignore or disregard the privacy messages.
Reference: IAPP CIPM Study Guide, page 90; ISO/IEC 27002:2013, section 7.2.2
SCENARIO
Please use the following to answer the next QUESTION:
Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to Question the company’s privacy program at today’s meeting.
Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging Nationwide Grill’s market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced.
Spencer C a former CEO and currently a senior advisor C said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling
customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.
One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason. "Breaches can happen, despite organizations’ best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton’s had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton’s’s corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company’s incident response.
Spencer replied that acting with reason means allowing security to be handled by the security functions within the company C not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company’s privacy program. Both the volume and the duplication of information means that it is often ignored altogether.
Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month."
Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules. Silently, Natalia agreed.
How could the objection to Spencer’s training suggestion be addressed?
- A . By requiring training only on an as-needed basis.
- B . By offering alternative delivery methods for trainings.
- C . By introducing a system of periodic refresher trainings.
- D . By customizing training based on length of employee tenure.
B
Explanation:
This answer is the best way to address the objection to Spencer’s training suggestion, as it can provide flexibility and convenience for employees who work in different locations or have different schedules. Alternative delivery methods for trainings can include online courses, webinars, podcasts, videos or self-paced modules that can be accessed anytime and anywhere by employees. Alternative delivery methods can also reduce the cost and time required for in-person trainings, while still ensuring that employees receive consistent and relevant information on the company’s privacy program.
Reference: IAPP CIPM Study Guide, page 90; ISO/IEC 27002:2013, section 7.2.2
SCENARIO
Please use the following to answer the next QUESTION:
Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to Question the company’s privacy program at today’s meeting.
Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging Nationwide Grill’s market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced.
Spencer C a former CEO and currently a senior advisor C said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.
One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason.
"Breaches can happen, despite organizations’ best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton’s had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton’s’s corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company’s incident response.
Spencer replied that acting with reason means allowing security to be handled by the security functions within the company C not BD staff. In a similar way, he said, Human Resources (HR) needs
to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company’s privacy program. Both the volume and the duplication of information means that it is often ignored altogether.
Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month."
Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules. Silently, Natalia agreed.
The senior advisor, Spencer, has a misconception regarding?
- A . The amount of responsibility that a data controller retains.
- B . The appropriate role of an organization’s security department.
- C . The degree to which training can lessen the number of security incidents.
- D . The role of Human Resources employees in an organization’s privacy program.
A
Explanation:
Spencer has a misconception regarding the amount of responsibility that a data controller retains, as he suggests that the contractors should be held contractually liable for telling customers about any security incidents, and that Nationwide Grill should not be forced to soil the company name for a problem it did not cause. However, as a data controller, Nationwide Grill is ultimately responsible for ensuring that the personal data of its customers is processed in compliance with applicable laws and regulations, regardless of whether it uses contractors or not. Nationwide Grill cannot transfer or delegate its accountability or liability to the contractors, and it has a duty to inform the customers and the relevant authorities of any security incidents or breaches that may affect their data. Therefore, Spencer’s view is unrealistic and risky, as it may expose Nationwide Grill to legal actions, fines, reputational damage and loss of trust.
Formosa International operates in 20 different countries including the United States and France.
What organizational approach would make complying with a number of different regulations easier?
- A . Data mapping.
- B . Fair Information Practices.
- C . Rationalizing requirements.
- D . Decentralized privacy management.
C
Explanation:
Rationalizing requirements is an organizational approach that involves identifying and harmonizing the common elements of different privacy regulations and standards. This can make compliance easier and more efficient, as well as reduce the risk of conflicts or gaps in privacy protection. Rationalizing requirements can also help to create a consistent privacy policy and culture across different jurisdictions and business units.
Reference: CIPM Study Guide, page 23.
When implementing Privacy by Design (PbD), what would NOT be a key consideration?
- A . Collection limitation.
- B . Data minimization.
- C . Limitations on liability.
- D . Purpose specification.
C
Explanation:
Limitations on liability are not a key consideration when implementing Privacy by Design (PbD). PbD is a methodology that aims to protect privacy by embedding it into the design of systems and data. The key considerations for PbD are based on seven principles that include collection limitation, data minimization, and purpose specification, among others. Limitations on liability are more relevant for contractual or legal aspects of privacy, not for design or engineering aspects.
Reference: CIPM Study Guide, page 25; The 7 Principles of Privacy by Design.
For an organization that has just experienced a data breach, what might be the least relevant metric for a company’s privacy and governance team?
- A . The number of security patches applied to company devices.
- B . The number of privacy rights requests that have been exercised.
- C . The number of Privacy Impact Assessments that have been completed.
- D . The number of employees who have completed data awareness training.
A
Explanation:
The number of security patches applied to company devices might be the least relevant metric for a company’s privacy and governance team after a data breach. While security patches are important for preventing future breaches, they do not directly measure the impact or response of the current breach. The other metrics are more relevant for assessing how the company handled the breach, such as how it complied with the privacy rights of affected individuals, how it evaluated the privacy risks of its systems, and how it trained its employees on data awareness.
Reference: CIPM Study Guide, page 28.
In which situation would a Privacy Impact Assessment (PIA) be the least likely to be required?
- A . If a company created a credit-scoring platform five years ago.
- B . If a health-care professional or lawyer processed personal data from a patient’s file.
- C . If a social media company created a new product compiling personal data to generate user profiles.
- D . If an after-school club processed children’s data to determine which children might have food allergies.
A
Explanation:
A Privacy Impact Assessment (PIA) is a process that helps to identify and mitigate the privacy risks of a project or activity that involves personal data. A PIA is usually required when there is a new or significant change in the way personal data is collected, used, or disclosed. Therefore, a PIA would be the least likely to be required if a company created a credit-scoring platform five years ago, as this would not be a new or significant change. The other situations involve new or changed processing of personal data that could have privacy impacts, such as sensitive data (health or children’s data), profiling data (user profiles), or large-scale data (patient’s file).
Reference: CIPM Study Guide, page 30; Guide to undertaking privacy impact assessments.
Under the General Data Protection Regulation (GDPR), what must be included in a written agreement between the controller and processor in relation to processing conducted on the controller’s behalf?
- A . An obligation on the processor to report any personal data breach to the controller within 72 hours.
- B . An obligation on both parties to report any serious personal data breach to the supervisory authority.
- C . An obligation on both parties to agree to a termination of the agreement if the other party is responsible for a personal data breach.
- D . An obligation on the processor to assist the controller in complying with the controller’s obligations to notify the supervisory authority about personal data breaches.
D
Explanation:
Under the GDPR, a written agreement between the controller and processor must include an obligation on the processor to assist the controller in complying with the controller’s obligations to notify the supervisory authority and the data subjects about personal data breaches. This is stated in Article 28(3)(f) of the GDPR1. The other options are not required by the GDPR, although they may be included in the agreement as additional clauses. The obligation to report any personal data breach to the controller within 72 hours is imposed on the processor by Article 33(2) of the GDPR1, not by the agreement. The obligation to report any serious personal data breach to the supervisory authority is imposed on the controller by Article 33(1) of the GDPR1, not by the agreement. The termination of the agreement in case of a personal data breach is not a mandatory provision under the GDPR, but rather a contractual matter that may depend on the circumstances and severity of the breach.
Reference: GDPR
SCENARIO
Please use the following to answer the next QUESTION:
Perhaps Jack Kelly should have stayed in the U.S. He enjoys a formidable reputation inside the company, Special Handling Shipping, for his work in reforming certain "rogue" offices. Last year, news broke that a police sting operation had revealed a drug ring operating in the Providence, Rhode Island office in the United States. Video from the office’s video surveillance cameras leaked to news operations showed a drug exchange between Special Handling staff and undercover officers.
In the wake of this incident, Kelly had been sent to Providence to change the "hands off" culture that upper management believed had let the criminal elements conduct their illicit transactions. After a few weeks under Kelly’s direction, the office became a model of efficiency and customer service. Kelly monitored his workers’ activities using the same cameras that had recorded the illegal conduct of their former co-workers.
Now Kelly has been charged with turning around the office in Cork, Ireland, another trouble spot. The company has received numerous reports of the staff leaving the office unattended. When Kelly arrived, he found that even when present, the staff often spent their days socializing or conducting personal business on their mobile phones. Again, he observed their behaviors using surveillance cameras. He issued written reprimands to six staff members based on the first day of video alone.
Much to Kelly’s surprise and chagrin, he and the company are now under investigation by the Data Protection Commissioner of Ireland for allegedly violating the privacy rights of employees. Kelly was told that the company’s license for the cameras listed facility security as their main use, but he does not know why this matters. He has pointed out to his superiors that the company’s training programs on privacy protection and data collection mention nothing about surveillance video.
You are a privacy protection consultant, hired by the company to assess this incident, report on the legal and compliance issues, and recommend next steps.
What does this example best illustrate about training requirements for privacy protection?
- A . Training needs must be weighed against financial costs.
- B . Training on local laws must be implemented for all personnel.
- C . Training must be repeated frequently to respond to new legislation.
- D . Training must include assessments to verify that the material is mastered.
B
Explanation:
This answer is the best way to illustrate the training requirements for privacy protection, as it shows the importance of understanding and complying with the different legal and regulatory frameworks that apply to the organization’s data processing activities in different jurisdictions. Training on local laws must be implemented for all personnel who are involved in or responsible for collecting, using, disclosing, storing or transferring personal data across borders, as they may face different obligations and restrictions depending on the nature and location of the data and the data subjects. Training on local laws can help to prevent or mitigate the risks of violating the privacy rights of individuals, facing legal actions, fines, sanctions or investigations from authorities, or losing trust and reputation among customers, partners and stakeholders.
Reference: IAPP CIPM Study Guide, page 901; ISO/IEC 27002:2013, section 7.2.2
SCENARIO
Please use the following to answer the next QUESTION:
Perhaps Jack Kelly should have stayed in the U.S. He enjoys a formidable reputation inside the company, Special Handling Shipping, for his work in reforming certain "rogue" offices. Last year, news broke that a police sting operation had revealed a drug ring operating in the Providence, Rhode Island office in the United States. Video from the office’s video surveillance cameras leaked to news operations showed a drug exchange between Special Handling staff and undercover officers.
In the wake of this incident, Kelly had been sent to Providence to change the "hands off" culture that upper management believed had let the criminal elements conduct their illicit transactions. After a few weeks under Kelly’s direction, the office became a model of efficiency and customer service. Kelly monitored his workers’ activities using the same cameras that had recorded the illegal conduct of their former co-workers.
Now Kelly has been charged with turning around the office in Cork, Ireland, another trouble spot. The company has received numerous reports of the staff leaving the office unattended. When Kelly arrived, he found that even when present, the staff often spent their days socializing or conducting personal business on their mobile phones. Again, he observed their behaviors using surveillance cameras. He issued written reprimands to six staff members based on the first day of video alone.
Much to Kelly’s surprise and chagrin, he and the company are now under investigation by the Data Protection Commissioner of Ireland for allegedly violating the privacy rights of employees. Kelly was told that the company’s license for the cameras listed facility security as their main use, but he does not know why this matters. He has pointed out to his superiors that the company’s training programs on privacy protection and data collection mention nothing about surveillance video.
You are a privacy protection consultant, hired by the company to assess this incident, report on the legal and compliance issues, and recommend next steps.
Knowing that the regulator is now investigating, what would be the best step to take?
- A . Consult an attorney experienced in privacy law and litigation.
- B . Use your background and knowledge to set a course of action.
- C . If you know the organization is guilty, advise it to accept the punishment.
- D . Negotiate the terms of a settlement before formal legal action takes place.
A
Explanation:
This answer is the best step to take knowing that the regulator is now investigating, as it can help the organization to obtain legal advice and representation on how to respond to and cooperate with the investigation, as well as how to defend or resolve any potential claims or disputes that may arise from the incident. Consulting an attorney experienced in privacy law and litigation can also help the organization to understand its rights and obligations under the applicable laws and regulations, as well as the possible outcomes and consequences of the investigation. An attorney can also assist the organization in preparing and submitting any required documents or evidence, communicating with the regulator or other parties, negotiating a settlement or agreement, or challenging or appealing any decisions or actions taken by the regulator.
Reference: IAPP CIPM Study Guide, page 871; ISO/IEC 27002:2013, section 16.1.5
SCENARIO
Please use the following to answer the next QUESTION:
Perhaps Jack Kelly should have stayed in the U.S. He enjoys a formidable reputation inside the company, Special Handling Shipping, for his work in reforming certain "rogue" offices. Last year, news broke that a police sting operation had revealed a drug ring operating in the Providence, Rhode Island office in the United States. Video from the office’s video surveillance cameras leaked to news operations showed a drug exchange between Special Handling staff and undercover officers.
In the wake of this incident, Kelly had been sent to Providence to change the "hands off" culture that upper management believed had let the criminal elements conduct their illicit transactions. After a few weeks under Kelly’s direction, the office became a model of efficiency and customer service. Kelly monitored his workers’ activities using the same cameras that had recorded the illegal conduct of their former co-workers.
Now Kelly has been charged with turning around the office in Cork, Ireland, another trouble spot. The company has received numerous reports of the staff leaving the office unattended. When Kelly arrived, he found that even when present, the staff often spent their days socializing or conducting personal business on their mobile phones. Again, he observed their behaviors using surveillance cameras. He issued written reprimands to six staff members based on the first day of video alone.
Much to Kelly’s surprise and chagrin, he and the company are now under investigation by the Data Protection Commissioner of Ireland for allegedly violating the privacy rights of employees. Kelly was told that the company’s license for the cameras listed facility security as their main use, but he does not know why this matters. He has pointed out to his superiors that the company’s training programs on privacy protection and data collection mention nothing about surveillance video.
You are a privacy protection consultant, hired by the company to assess this incident, report on the legal and compliance issues, and recommend next steps.
What should you advise this company regarding the status of security cameras at their offices in the United States?
- A . Add security cameras at facilities that are now without them.
- B . Set policies about the purpose and use of the security cameras.
- C . Reduce the number of security cameras located inside the building.
- D . Restrict access to surveillance video taken by the security cameras and destroy the recordings after a designated period of time.
D
Explanation:
This answer is the best way to advise this company regarding the status of security cameras at their offices in the United States, as it can help to protect the privacy and security of the employees and visitors who are recorded by the cameras, as well as to comply with any applicable laws and regulations that may limit or regulate the use of surveillance video. Restricting access to surveillance video means that only authorized personnel who have a legitimate business need can view, copy, share or disclose the video, and that they must follow proper procedures and safeguards to prevent unauthorized or unlawful access, use or disclosure. Destroying the recordings after a designated period of time means that the video is not kept longer than necessary for the purpose for which it was collected, and that it is disposed of securely and irreversibly. The designated period of time should be based on the legal, operational and risk factors that may affect the retention of the video, such as potential litigation, investigations, audits or claims.
Reference: IAPP CIPM Study Guide, page 831; ISO/IEC 27002:2013, section 8.3.2
You would like your organization to be independently audited to demonstrate compliance with international privacy standards and to identify gaps for remediation.
Which type of audit would help you achieve this objective?
- A . First-party audit.
- B . Second-party audit.
- C . Third-party audit.
- D . Fourth-party audit.
C
Explanation:
A third-party audit would help an organization achieve the objective of demonstrating compliance with international privacy standards and identifying gaps for remediation. A third-party audit is an audit conducted by an independent and external auditor who is not affiliated with either the audited organization or its customers. A third-party audit can provide an objective and impartial assessment of the organization’s privacy practices and policies, as well as verify its compliance with relevant standards and regulations. A third-party audit can also help the organization identify areas for improvement and recommend corrective actions. A third-party audit can enhance the organization’s reputation, trustworthiness, and credibility among its stakeholders and customers.
A first-party audit is an audit conducted by the organization itself or by someone within the organization who has been designated as an auditor. A first-party audit is also known as an internal audit. A first-party audit can help the organization monitor its own performance, evaluate its compliance with internal policies and procedures, and identify potential risks and opportunities for improvement. However, a first-party audit may not be sufficient to demonstrate compliance with external standards and regulations, as it may lack independence and objectivity.
A second-party audit is an audit conducted by a party that has an interest in or a relationship with the audited organization, such as a customer, a supplier, or a partner. A second-party audit is also known as an external audit. A second-party audit can help the party verify that the audited organization meets its contractual obligations, expectations, and requirements. A second-party audit can also help the party evaluate the quality and reliability of the audited organization’s products or services. However, a second-party audit may not be able to provide a comprehensive and unbiased assessment of the audited organization’s privacy practices and policies, as it may be influenced by the party’s own interests and objectives.
Reference: Types of Audits: 14 Types of Audits and Level of Assurance (2022)