IAPP CIPM Certified Information Privacy Manager (CIPM) Online Training
IAPP CIPM Online Training
The questions for CIPM were last updated at Nov 26,2024.
- Exam Code: CIPM
- Exam Name: Certified Information Privacy Manager (CIPM)
- Certification Provider: IAPP
- Latest update: Nov 26,2024
SCENARIO
Please use the following to answer the next QUESTION:
Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to Question the company’s privacy program at today’s meeting.
Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging Nationwide Grill’s market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced.
Spencer C a former CEO and currently a senior advisor C said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.
One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason.
"Breaches can happen, despite organizations’ best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton’s had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton’s’s corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company’s incident response.
Spencer replied that acting with reason means allowing security to be handled by the security functions within the company C not BD staff. In a similar way, he said, Human Resources (HR) needs
to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company’s privacy program. Both the volume and the duplication of information means that it is often ignored altogether.
Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month."
Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules. Silently, Natalia agreed.
The senior advisor, Spencer, has a misconception regarding?
- A . The amount of responsibility that a data controller retains.
- B . The appropriate role of an organization’s security department.
- C . The degree to which training can lessen the number of security incidents.
- D . The role of Human Resources employees in an organization’s privacy program.
Formosa International operates in 20 different countries including the United States and France.
What organizational approach would make complying with a number of different regulations easier?
- A . Data mapping.
- B . Fair Information Practices.
- C . Rationalizing requirements.
- D . Decentralized privacy management.
When implementing Privacy by Design (PbD), what would NOT be a key consideration?
- A . Collection limitation.
- B . Data minimization.
- C . Limitations on liability.
- D . Purpose specification.
For an organization that has just experienced a data breach, what might be the least relevant metric for a company’s privacy and governance team?
- A . The number of security patches applied to company devices.
- B . The number of privacy rights requests that have been exercised.
- C . The number of Privacy Impact Assessments that have been completed.
- D . The number of employees who have completed data awareness training.
In which situation would a Privacy Impact Assessment (PIA) be the least likely to be required?
- A . If a company created a credit-scoring platform five years ago.
- B . If a health-care professional or lawyer processed personal data from a patient’s file.
- C . If a social media company created a new product compiling personal data to generate user profiles.
- D . If an after-school club processed children’s data to determine which children might have food allergies.
Under the General Data Protection Regulation (GDPR), what must be included in a written agreement between the controller and processor in relation to processing conducted on the controller’s behalf?
- A . An obligation on the processor to report any personal data breach to the controller within 72 hours.
- B . An obligation on both parties to report any serious personal data breach to the supervisory authority.
- C . An obligation on both parties to agree to a termination of the agreement if the other party is responsible for a personal data breach.
- D . An obligation on the processor to assist the controller in complying with the controller’s obligations to notify the supervisory authority about personal data breaches.
SCENARIO
Please use the following to answer the next QUESTION:
Perhaps Jack Kelly should have stayed in the U.S. He enjoys a formidable reputation inside the company, Special Handling Shipping, for his work in reforming certain "rogue" offices. Last year, news broke that a police sting operation had revealed a drug ring operating in the Providence, Rhode Island office in the United States. Video from the office’s video surveillance cameras leaked to news operations showed a drug exchange between Special Handling staff and undercover officers.
In the wake of this incident, Kelly had been sent to Providence to change the "hands off" culture that upper management believed had let the criminal elements conduct their illicit transactions. After a few weeks under Kelly’s direction, the office became a model of efficiency and customer service. Kelly monitored his workers’ activities using the same cameras that had recorded the illegal conduct of their former co-workers.
Now Kelly has been charged with turning around the office in Cork, Ireland, another trouble spot. The company has received numerous reports of the staff leaving the office unattended. When Kelly arrived, he found that even when present, the staff often spent their days socializing or conducting personal business on their mobile phones. Again, he observed their behaviors using surveillance cameras. He issued written reprimands to six staff members based on the first day of video alone.
Much to Kelly’s surprise and chagrin, he and the company are now under investigation by the Data Protection Commissioner of Ireland for allegedly violating the privacy rights of employees. Kelly was told that the company’s license for the cameras listed facility security as their main use, but he does not know why this matters. He has pointed out to his superiors that the company’s training programs on privacy protection and data collection mention nothing about surveillance video.
You are a privacy protection consultant, hired by the company to assess this incident, report on the legal and compliance issues, and recommend next steps.
What does this example best illustrate about training requirements for privacy protection?
- A . Training needs must be weighed against financial costs.
- B . Training on local laws must be implemented for all personnel.
- C . Training must be repeated frequently to respond to new legislation.
- D . Training must include assessments to verify that the material is mastered.
SCENARIO
Please use the following to answer the next QUESTION:
Perhaps Jack Kelly should have stayed in the U.S. He enjoys a formidable reputation inside the company, Special Handling Shipping, for his work in reforming certain "rogue" offices. Last year, news broke that a police sting operation had revealed a drug ring operating in the Providence, Rhode Island office in the United States. Video from the office’s video surveillance cameras leaked to news operations showed a drug exchange between Special Handling staff and undercover officers.
In the wake of this incident, Kelly had been sent to Providence to change the "hands off" culture that upper management believed had let the criminal elements conduct their illicit transactions. After a few weeks under Kelly’s direction, the office became a model of efficiency and customer service. Kelly monitored his workers’ activities using the same cameras that had recorded the illegal conduct of their former co-workers.
Now Kelly has been charged with turning around the office in Cork, Ireland, another trouble spot. The company has received numerous reports of the staff leaving the office unattended. When Kelly arrived, he found that even when present, the staff often spent their days socializing or conducting personal business on their mobile phones. Again, he observed their behaviors using surveillance cameras. He issued written reprimands to six staff members based on the first day of video alone.
Much to Kelly’s surprise and chagrin, he and the company are now under investigation by the Data Protection Commissioner of Ireland for allegedly violating the privacy rights of employees. Kelly was told that the company’s license for the cameras listed facility security as their main use, but he does not know why this matters. He has pointed out to his superiors that the company’s training programs on privacy protection and data collection mention nothing about surveillance video.
You are a privacy protection consultant, hired by the company to assess this incident, report on the legal and compliance issues, and recommend next steps.
Knowing that the regulator is now investigating, what would be the best step to take?
- A . Consult an attorney experienced in privacy law and litigation.
- B . Use your background and knowledge to set a course of action.
- C . If you know the organization is guilty, advise it to accept the punishment.
- D . Negotiate the terms of a settlement before formal legal action takes place.
SCENARIO
Please use the following to answer the next QUESTION:
Perhaps Jack Kelly should have stayed in the U.S. He enjoys a formidable reputation inside the company, Special Handling Shipping, for his work in reforming certain "rogue" offices. Last year, news broke that a police sting operation had revealed a drug ring operating in the Providence, Rhode Island office in the United States. Video from the office’s video surveillance cameras leaked to news operations showed a drug exchange between Special Handling staff and undercover officers.
In the wake of this incident, Kelly had been sent to Providence to change the "hands off" culture that upper management believed had let the criminal elements conduct their illicit transactions. After a few weeks under Kelly’s direction, the office became a model of efficiency and customer service. Kelly monitored his workers’ activities using the same cameras that had recorded the illegal conduct of their former co-workers.
Now Kelly has been charged with turning around the office in Cork, Ireland, another trouble spot. The company has received numerous reports of the staff leaving the office unattended. When Kelly arrived, he found that even when present, the staff often spent their days socializing or conducting personal business on their mobile phones. Again, he observed their behaviors using surveillance cameras. He issued written reprimands to six staff members based on the first day of video alone.
Much to Kelly’s surprise and chagrin, he and the company are now under investigation by the Data Protection Commissioner of Ireland for allegedly violating the privacy rights of employees. Kelly was told that the company’s license for the cameras listed facility security as their main use, but he does not know why this matters. He has pointed out to his superiors that the company’s training programs on privacy protection and data collection mention nothing about surveillance video.
You are a privacy protection consultant, hired by the company to assess this incident, report on the legal and compliance issues, and recommend next steps.
What should you advise this company regarding the status of security cameras at their offices in the United States?
- A . Add security cameras at facilities that are now without them.
- B . Set policies about the purpose and use of the security cameras.
- C . Reduce the number of security cameras located inside the building.
- D . Restrict access to surveillance video taken by the security cameras and destroy the recordings after a designated period of time.
You would like your organization to be independently audited to demonstrate compliance with international privacy standards and to identify gaps for remediation.
Which type of audit would help you achieve this objective?
- A . First-party audit.
- B . Second-party audit.
- C . Third-party audit.
- D . Fourth-party audit.
Latest CIPM Dumps Valid Version with 90 Q&As
Latest And Valid Q&A | Instant Download | Once Fail, Full Refund
