CIPM Exam - Page 4 - ExamTopics

Uploaded by kayleesocool

Question #151 Topic 1

What is least likely to be achieved by implementing a Data Lifecycle Management (DLM) program?

A. Reducing storage costs.

B. Ensuring data is kept for no longer than necessary.

C. Crafting policies which ensure minimal data is collected. Most Voted

D. Increasing awareness of the importance of confidentiality.

Correct Answer: C

Community vote distribution

C (58%) D (42%)

Question #152 Topic 1

There are different forms of monitoring available for organizations to consider when aligning with their privacy program goals.

Which of the following forms of monitoring is best described as ‘auditing’?

A. Evaluating operations, systems, and processes. Most Voted

B. Tracking, reporting and documenting complaints from all sources.

C. Assisting in the completion of attesting reporting for SOC2, ISO, or BS7799.

D. Ensuring third parties have appropriate security and privacy requirements in place.

Correct Answer: A

Community vote distribution

A (100%)

Question #153 Topic 1

Which will best assist you in quickly identifying weaknesses in your network and storage?

A. Running vulnerability scanning tools. Most Voted

B. Reviewing your privacy program metrics.

C. Reviewing your role-based access controls.

D. Establishing a complaint-monitoring process.

Correct Answer: A

Community vote distribution

A (100%)

Question #154 Topic 1

Which of the following is NOT a type of privacy program metric?

A. Business enablement metrics.

B. Data enhancement metrics. Most Voted

C. Value creation metrics.

D. Risk-reduction metrics.

Correct Answer: C

Community vote distribution

B (100%)

Question #155 Topic 1

How do privacy audits differ from privacy assessments?

A. They are non-binding.

B. They are evidence-based. Most Voted

C. They are based on standards.

D. They are conducted by external parties.

Correct Answer: B

Community vote distribution

B (82%) D (18%)

Question #156 Topic 1

An organization’s internal audit team should do all of the following EXCEPT?

A. Implement processes to correct audit failures. Most Voted

B. Verify that technical measures are in place.

C. Review how operations work in practice.

D. Ensure policies are being adhered to.

Correct Answer: A

Community vote distribution

A (100%)

Question #157 Topic 1

“Respond” in the privacy operational lifecycle includes which of the following?

A. Information security practices and functional area integration.

B. Privacy awareness training and compliance monitoring.

C. Communication to stakeholders and alignment to laws.

D. Information requests and privacy rights requests. Most Voted

Correct Answer: D

Community vote distribution

D (78%) B (22%)

Question #158 Topic 1

If your organization has a recurring issue with colleagues not reporting personal data breaches, all of the following are advisable to do EXCEPT?

A. Carry out a root cause analysis on each breach to understand why the incident happened.

B. Communicate to everyone that breaches must be reported and how they should be reported.

C. Provide role-specific training to areas where breaches are happening so they are more aware.

D. Distribute a phishing exercise to all employees to test their ability to recognize a threat attempt. Most Voted

Correct Answer: D

Community vote distribution

D (60%) A (40%)

Question #159 Topic 1

Which of the following information must be provided by the data controller when complying with GDPR “right to be informed” requirements?

A. The purpose of personal data processing. Most Voted

B. The data subject’s right to withdraw consent.

C. The contact details of the Data Protection Officer (DPO).

D. The name of any organizations with whom personal data was shared.

Correct Answer: A

Community vote distribution

A (100%)

Question #160 Topic 1

A Data Privacy Officer (DPO) who posts privacy message reminders on posters and on company video screens throughout the office to reinforce the organization's privacy message is furthering which organizational program?

A. Public Service.

B. Awareness. Most Voted

C. Training.

D. Ethics.

Correct Answer: B

Community vote distribution

B (100%)

Question #161 Topic 1

The primary purpose of privacy awareness activities is to?

A. Provide specialized information to individuals or departments handling sensitive information.

B. Consistently reinforce practices that promote a culture of accountability around privacy. Most Voted

C. Ensure appropriate training has been provided on a clearly defined schedule.

D. Train recipients on standard privacy responsibilities and practices.

Correct Answer: B

Community vote distribution

B (100%)

Question #162 Topic 1

SCENARIO -

Please use the following to answer the next question:

Your organization, the Chicago (U.S.)-based Society for Urban Greenspace, has used the same vendor to operate all aspects of an online store for several years. As a small nonprofit, the Society cannot afford the higher-priced options, but you have been relatively satisfied with this budget vendor, Shopping Cart Saver (SCS). Yes, there have been some issues. Twice, people who purchased items from the store have had their credit card information used fraudulently subsequent to transactions on your site, but in neither case did the investigation reveal with certainty that the Society’s store had been hacked. The thefts could have been employee-related.

Just as disconcerting was an incident where the organization discovered that SCS had sold information it had collected from customers to third parties. However, as Jason Roland, your SCS account representative, points out, it took only a phone call from you to clarify expectations and the “misunderstanding” has not occurred again.

As an information-technology program manager with the Society, the role of the privacy professional is only one of many you play. In all matters, however, you must consider the financial bottom line. While these problems with privacy protection have been significant, the additional revenues of sales of items such as shirts and coffee cups from the store have been significant. The Society’s operating budget is slim, and all sources of revenue are essential.

Now a new challenge has arisen. Jason called to say that starting in two weeks, the customer data from the store would now be stored on a data cloud. “The good news,” he says, “is that we have found a low-cost provider in Finland, where the data would also be held. So, while there may be a small charge to pass through to you, it won’t be exorbitant, especially considering the advantages of a cloud.”

You begin to research and discover that a number of the leading cloud service providers have signed a letter of intent to work together on shared conventions and technologies for privacy protection. You make a note to find out if Jason’s Finnish provider is signing on.

If the vendor's actions raise concerns about privacy protection, what action should you take first?

A. Review the vendor selection process to see what may have been overlooked.

B. Convene the privacy team to discuss your suspicions.

C. Investigate to ensure that customer data is secure. Most Voted

D. Phone the vendor to share your concerns.

Correct Answer: D

Community vote distribution

C (100%)

Question #163 Topic 1

Which of the following controls are generally NOT part of a Privacy Impact Assessment (PIA) review?

A. Access.

B. Incident. Most Voted

C. Retention.

D. Collection.

Correct Answer: B

Community vote distribution

B (100%)

Question #164 Topic 1

When developing a privacy program and selecting a program sponsor or "champion" the most important consideration should be?

A. That they manage the information privacy program.

B. That they have the authority to approve policy and provide funding.

C. That they will be an effective advocate and understand the importance of privacy. Most Voted

D. That they have the authority to approve any policy the privacy manager deems necessary

Correct Answer: C

Community vote distribution

C (100%)

Question #165 Topic 1

All of the following are components of a data collection notice EXCEPT?

A. Identification of who is collecting the information.

B. Identification of with whom the information could be shared.

C. Identification of potential uses of personal information in the future. Most Voted

D. Identification of the meta-data which could be generated from collection of the information.

Correct Answer: C

Community vote distribution

C (100%)

Question #166 Topic 1

SCENARIO -

Please use the following to answer the next question:

Penny has recently joined Ace Space, a company that sells homeware accessories online, as its new privacy officer. The company is based in California but thanks to some great publicity from a social media influencer last year, the company has received an influx of sales from the EU and has set up a regional office in Ireland to support this expansion. To become familiar with Ace Space’s practices and assess what her privacy priorities will be, Penny has set up meetings with a number of colleagues to hear about the work that they have been doing and their compliance efforts.

Penny’s colleague in Marketing is excited by the new sales and the company’s plans, but is also concerned that Penny may curtail some of the growth opportunities he has planned. He tells her “I heard someone in the breakroom talking about some new privacy laws but I really don’t think it affects us. We’re just a small company. I mean we just sell accessories online, so what’s the real risk?” He has also told her that he works with a number of small companies that help him get projects completed in a hurry. “We’ve got to meet our deadlines otherwise we lose money. I just sign the contracts and get Jim in finance to push through the payment. Reviewing the contracts takes time that we just don’t have.”

In her meeting with a member of the IT team, Penny has learned that although Ace Space has taken a number of precautions to protect its website from malicious activity, it has not taken the same level of care of its physical files or internal infrastructure. Penny’s colleague in IT has told her that a former employee lost an encrypted USB key with financial data on it when he left. The company nearly lost access to their customer database last year after they fell victim to a phishing attack. Penny is told by her IT colleague that the IT team “didn’t know what to do or who should do what. We hadn’t been trained on it but we’re a small team though, so it worked out OK in the end.” Penny is concerned that these issues will compromise Ace Space’s privacy and data protection.

Penny is aware that the company has solid plans to grow its international sales and will be working closely with the CEO to give the organization a data “shake up”. Her mission is to cultivate a strong privacy culture within the company.

Penny has a meeting with Ace Space’s CEO today and has been asked to give her first impressions and an overview of her next steps.

To help Penny and her CEO with their objectives, what would be the most helpful approach to address her IT concerns?

A. Implement audit logging and monitoring tools.

B. Ensure an inventory of IT assets is maintained.

C. Host a town hall discussion for all IT employees to deliver necessary training.

D. Perform a gap analysis of the technical countermeasures required to meet privacy compliance. Most Voted

Correct Answer: A

Community vote distribution

D (100%)

Question #167 Topic 1

Which of the following is least relevant to establishing a culture of data privacy at a company?

A. Monitoring compliance.

B. Adherence to ISO 27001. Most Voted

C. Deploying training and awareness.

D. Adopting Privacy by Design (PbD).

Correct Answer: B

Community vote distribution

B (67%) A (33%)

Question #168 Topic 1

A Privacy Program Framework is an implementation roadmap that does all of the following EXCEPT?

A. Measure a successful security program. Most Voted

B. Incorporate data classification and broad privacy checklists.

C. Provide documented privacy management procedures and processes.

D. Prompt for details to determine all privacy-relevant decisions for the organization.

Correct Answer: A

Community vote distribution

A (100%)

Question #169 Topic 1

SCENARIO -

Please use the following to answer the next question:

Hi Zoe,

Thank you so much for your email. I am so glad you have jumped right into your new position as our in-house privacy professional. BastTech greatly needs your expertise. I hope you are comfortably settling into your new home in the United States after your move from the United Kingdom! Georgia is a wonderful state.

I particularly appreciate your enthusiasm in using your recent informal assessment to begin rectifying gaps in our privacy program and making sure we are in compliance with all laws. However, I also want to make sure that we are prioritizing our initiatives by spending time on the measures that are most important to our customers, our company, and the tech industry as a whole.

Specifically, I know that you are advocating for an update of our Business Continuity Disaster Response (BCDR) plan with an eye toward privacy concerns. I think this effort is something that we may be able to postpone. I'm sure that after ten years the document can be updated in spots; however, we have first-rate, experienced executive leaders that would have things well in hand in the unlikely event of a disaster.

Further, you mentioned that you would like to assess our longtime subcontractor's disaster plan through a second-party audit. Papyrus, our longtime subcontractor, does keep a great deal of personal data about our customers. However, I am not sure I understand your request and would like to discuss this further during our meeting Wednesday.

You also say that your audit uncovered some inadequacies in staff compliance with our security procedures and local laws. I just wanted to emphasize that the audit findings only need to be communicated to the executive leadership. I would rather not cause unnecessary alarm across departments.

I know you are also looking closely at the recent loss of a file belonging to a staff member in Human Resources (HR). It was an unfortunate incident, but rest assured, we handled the situation according to Georgia state law. The only difficult part was easing the concerns of our many remote employees all across the country whose data was on the computer. But I believe everything is settled. At least this stands as proof that in the event of another breach of any type, Information Security (IS) will take the lead while other departments move on with business as usual without having to get involved. Thankfully, we have taken the measure of supplementing our General Commercial Liability Insurance with cyber insurance.

Anyway, we will talk more on Wednesday. I just wanted to communicate some of my current thinking.

Thanks,

Whitney
Interim Assistant Business Manager, BastTech.

Based on the email, what should Zoe suggest to Whitney regarding the informal audit?

A. That several audits be conducted in quick succession.

B. That the results of the audit eventually be made public.

C. That more people assist with conducting audits in the future.

D. That the information from the audit be disseminated to key personnel. Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #170 Topic 1

SCENARIO -

Please use the following to answer the next question:

Hi Zoe,

Thank you so much for your email. I am so glad you have jumped right into your new position as our in-house privacy professional. BastTech greatly needs your expertise. I hope you are comfortably settling into your new home in the United States after your move from the United Kingdom! Georgia is a wonderful state.

I particularly appreciate your enthusiasm in using your recent informal assessment to begin rectifying gaps in our privacy program and making sure we are in compliance with all laws. However, I also want to make sure that we are prioritizing our initiatives by spending time on the measures that are most important to our customers, our company, and the tech industry as a whole.

Specifically, I know that you are advocating for an update of our Business Continuity Disaster Response (BCDR) plan with an eye toward privacy concerns. I think this effort is something that we may be able to postpone. I'm sure that after ten years the document can be updated in spots; however, we have first-rate, experienced executive leaders that would have things well in hand in the unlikely event of a disaster.

Further, you mentioned that you would like to assess our longtime subcontractor's disaster plan through a second-party audit. Papyrus, our longtime subcontractor, does keep a great deal of personal data about our customers. However, I am not sure I understand your request and would like to discuss this further during our meeting Wednesday.

You also say that your audit uncovered some inadequacies in staff compliance with our security procedures and local laws. I just wanted to emphasize that the audit findings only need to be communicated to the executive leadership. I would rather not cause unnecessary alarm across departments.

I know you are also looking closely at the recent loss of a file belonging to a staff member in Human Resources (HR). It was an unfortunate incident, but rest assured, we handled the situation according to Georgia state law. The only difficult part was easing the concerns of our many remote employees all across the country whose data was on the computer. But I believe everything is settled. At least this stands as proof that in the event of another breach of any type, Information Security (IS) will take the lead while other departments move on with business as usual without having to get involved. Thankfully, we have taken the measure of supplementing our General Commercial Liability Insurance with cyber insurance.

Anyway, we will talk more on Wednesday. I just wanted to communicate some of my current thinking.

Thanks,

Whitney
Interim Assistant Business Manager, BastTech.

Based on Whitney's thoughts about the lost file, in what area of privacy law does she have a misunderstanding?

A. The scope of federal law.

B. The applicability of state laws. Most Voted

C. The requirements under Georgia state law.

D. The applicability of the Health Insurance Portability and Accountability Act (HIPAA) on employee data.

Correct Answer: B

Community vote distribution

B (100%)

Question #171 Topic 1

SCENARIO -

Please use the following to answer the next question:

Hi Zoe,

Thank you so much for your email. I am so glad you have jumped right into your new position as our in-house privacy professional. BastTech greatly needs your expertise. I hope you are comfortably settling into your new home in the United States after your move from the United Kingdom! Georgia is a wonderful state.

I particularly appreciate your enthusiasm in using your recent informal assessment to begin rectifying gaps in our privacy program and making sure we are in compliance with all laws. However, I also want to make sure that we are prioritizing our initiatives by spending time on the measures that are most important to our customers, our company, and the tech industry as a whole.

Specifically, I know that you are advocating for an update of our Business Continuity Disaster Response (BCDR) plan with an eye toward privacy concerns. I think this effort is something that we may be able to postpone. I'm sure that after ten years the document can be updated in spots; however, we have first-rate, experienced executive leaders that would have things well in hand in the unlikely event of a disaster.

Further, you mentioned that you would like to assess our longtime subcontractor's disaster plan through a second-party audit. Papyrus, our longtime subcontractor, does keep a great deal of personal data about our customers. However, I am not sure I understand your request and would like to discuss this further during our meeting Wednesday.

You also say that your audit uncovered some inadequacies in staff compliance with our security procedures and local laws. I just wanted to emphasize that the audit findings only need to be communicated to the executive leadership. I would rather not cause unnecessary alarm across departments.

I know you are also looking closely at the recent loss of a file belonging to a staff member in Human Resources (HR). It was an unfortunate incident, but rest assured, we handled the situation according to Georgia state law. The only difficult part was easing the concerns of our many remote employees all across the country whose data was on the computer. But I believe everything is settled. At least this stands as proof that in the event of another breach of any type, Information Security (IS) will take the lead while other departments move on with business as usual without having to get involved. Thankfully, we have taken the measure of supplementing our General Commercial Liability Insurance with cyber insurance.

Anyway, we will talk more on Wednesday. I just wanted to communicate some of my current thinking.

Thanks,

Whitney
Interim Assistant Business Manager, BastTech.

To better respond to privacy incidents, Whitney should consider making better use of what?

A. An appropriate industry framework.

B. Training offered outside the company.

C. Protocols for amending personal data.

D. Roles of stakeholders across departments. Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #172 Topic 1

SCENARIO -

Please use the following to answer the next question:

Hi Zoe,

Thank you so much for your email. I am so glad you have jumped right into your new position as our in-house privacy professional. BastTech greatly needs your expertise. I hope you are comfortably settling into your new home in the United States after your move from the United Kingdom! Georgia is a wonderful state.

I particularly appreciate your enthusiasm in using your recent informal assessment to begin rectifying gaps in our privacy program and making sure we are in compliance with all laws. However, I also want to make sure that we are prioritizing our initiatives by spending time on the measures that are most important to our customers, our company, and the tech industry as a whole.

Specifically, I know that you are advocating for an update of our Business Continuity Disaster Response (BCDR) plan with an eye toward privacy concerns. I think this effort is something that we may be able to postpone. I'm sure that after ten years the document can be updated in spots; however, we have first-rate, experienced executive leaders that would have things well in hand in the unlikely event of a disaster.

Further, you mentioned that you would like to assess our longtime subcontractor's disaster plan through a second-party audit. Papyrus, our longtime subcontractor, does keep a great deal of personal data about our customers. However, I am not sure I understand your request and would like to discuss this further during our meeting Wednesday.

You also say that your audit uncovered some inadequacies in staff compliance with our security procedures and local laws. I just wanted to emphasize that the audit findings only need to be communicated to the executive leadership. I would rather not cause unnecessary alarm across departments.

I know you are also looking closely at the recent loss of a file belonging to a staff member in Human Resources (HR). It was an unfortunate incident, but rest assured, we handled the situation according to Georgia state law. The only difficult part was easing the concerns of our many remote employees all across the country whose data was on the computer. But I believe everything is settled. At least this stands as proof that in the event of another breach of any type, Information Security (IS) will take the lead while other departments move on with business as usual without having to get involved. Thankfully, we have taken the measure of supplementing our General Commercial Liability Insurance with cyber insurance.

Anyway, we will talk more on Wednesday. I just wanted to communicate some of my current thinking.

Thanks,

Whitney
Interim Assistant Business Manager, BastTech.

Based on the email, Zoe is most likely to praise Whitney for what?

A. Knowing the business well.

B. Making consumers a priority.

C. Anticipating potential financial impacts. Most Voted

D. Prioritizing the privacy tasks that Zoe should focus on.

Correct Answer: C

Community vote distribution

C (71%) D (29%)

Question #173 Topic 1

Which of the following changes typically does NOT require a Privacy Impact Assessment (PIA)?

A. When the volume of the personal data being processed changes.

B. When new features are added that change the way personal data is accessed.

C. When the privacy policy is updated to include a data subject access request option. Most Voted

D. When the solution is moved from on-premise data center to a hosted cloud service.

Correct Answer: C

Community vote distribution

C (100%)

Question #174 Topic 1

A Privacy Threshold Analysis (PTA), Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA) are conducted during what phase of a System Development Life Cycle (SDLC)?

A. Testing.

B. Design. Most Voted

C. Deployment.

D. Maintenance.

Correct Answer: B

Community vote distribution

B (100%)

Question #175 Topic 1

Which privacy principles and guidelines helped form the basis for the EU Data Protection Directive and The General Data Protection Regulation (GDPR)?

A. Canadian Standards Association Privacy Code (CSA).

B. The European Telecommunications Standards Institute (ETSI).

C. The Asia Pacific Economic Cooperation Privacy Framework (APEC).

D. The Organization for Economic Cooperation and Development (OECD). Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #176 Topic 1

Protection from threats to facilities, systems that process and store electronic copies, and IT work/equipment locations best describes which category of security control?

A. Physical Control. Most Voted

B. Technical Control.

C. Geographic Control.

D. Administrative Control.

Correct Answer: A

Community vote distribution

A (100%)

Question #177 Topic 1

A company has started developing a privacy program. The Data Protection Officer (DPO) has been working long hours to develop cohesive procedures and processes; however, he failed to fully document each aspect of the data retention process. Which level from the Privacy Maturity Model most closely describes the company?

A. Ad Hoc.

B. Defined.

C. Managed.

D. Repeatable. Most Voted

Correct Answer: D

Community vote distribution

D (55%) A (45%)

Question #178 Topic 1

SCENARIO -

Please use the following to answer the next question:

Felicity is the Chief Executive Officer (CEO) of an international clothing company that does business in several countries, including the United States (U.S.), the United Kingdom (UK), and Canada. For the first five years under Felicity's leadership, the company was highly successful due to its higher profile on the Internet via targeted advertising and the use of social media. However, business has dropped in recent months, and Felicity is looking to cut costs across all departments.

She has prepared to meet with the Chief Information Officer (CIO), Jin, who is also head of the company's privacy program.

After reviewing many of Jin's decisions, Felicity firmly believes that, although well-intentioned, Jin overspends company resources. Felicity has taken several notes on ways she believes the company can spend less money trying to uphold its privacy mission. First, Felicity intends to discuss the size of the company's information security budget with Jin. Felicity proposes to streamline information security by putting it solely within the purview of the company's Information Technology (IT) experts, since personal data within the company is stored electronically.

She is also perplexed by the Privacy Impact Assessments (PIAs) Jin facilitated at some of the company's locations. Jin carefully documented the approximate amount of man-hours the PIAs took to complete, and Felicity is astounded at the amount. She cannot understand why so much time has been spent on sporadic PIAs.

Felicity has also recently received complaints from employees, including mid-level managers, about the great burden of paperwork necessary for documenting employee compliance with the company's privacy policy. She hopes Jin can propose cheaper, more efficient ways of monitoring compliance. In Felicity's view, further evidence of Jin's overzealousness is his insistence on monitoring third-party processors for their observance of the company's privacy policy. New staff members seem especially overwhelmed. Despite the consistent monitoring, two years ago the company had to pay remediation costs after a security breach of a processor's data system. Felicity wonders whether processors can be held contractually liable for the costs of any future breaches.

Last in Felicity's notes is a reminder to discuss Jin's previous praise for the company's independent ethics function within the Human Resources (HR) department. Felicity believes that much company time could be saved if the Ethics Officer position were done away with, and that any ethical concerns were simply brought directly to the executive leadership of the company.

Although Felicity questions many of Jin's decisions, she hopes that their meeting will be productive and that Jin, who is widely respected throughout the company, will help the company save money. Felicity believes that austerity is the only way forward.

If all of Felicity's changes are enacted, who within the company would be most in danger of having little recourse?

A. Those who want to report wrongdoing. Most Voted

B. Those who need better access to data.

C. Those who receive professional development.

D. Those who were recently hired to process data.

Correct Answer: A

Community vote distribution

A (100%)

Question #179 Topic 1

SCENARIO -

Please use the following to answer the next question:

Felicity is the Chief Executive Officer (CEO) of an international clothing company that does business in several countries, including the United States (U.S.), the United Kingdom (UK), and Canada. For the first five years under Felicity's leadership, the company was highly successful due to its higher profile on the Internet via targeted advertising and the use of social media. However, business has dropped in recent months, and Felicity is looking to cut costs across all departments.

She has prepared to meet with the Chief Information Officer (CIO), Jin, who is also head of the company's privacy program.

After reviewing many of Jin's decisions, Felicity firmly believes that, although well-intentioned, Jin overspends company resources. Felicity has taken several notes on ways she believes the company can spend less money trying to uphold its privacy mission. First, Felicity intends to discuss the size of the company's information security budget with Jin. Felicity proposes to streamline information security by putting it solely within the purview of the company's Information Technology (IT) experts, since personal data within the company is stored electronically.

She is also perplexed by the Privacy Impact Assessments (PIAs) Jin facilitated at some of the company's locations. Jin carefully documented the approximate amount of man-hours the PIAs took to complete, and Felicity is astounded at the amount. She cannot understand why so much time has been spent on sporadic PIAs.

Felicity has also recently received complaints from employees, including mid-level managers, about the great burden of paperwork necessary for documenting employee compliance with the company's privacy policy. She hopes Jin can propose cheaper, more efficient ways of monitoring compliance. In Felicity's view, further evidence of Jin's overzealousness is his insistence on monitoring third-party processors for their observance of the company's privacy policy. New staff members seem especially overwhelmed. Despite the consistent monitoring, two years ago the company had to pay remediation costs after a security breach of a processor's data system. Felicity wonders whether processors can be held contractually liable for the costs of any future breaches.

Last in Felicity's notes is a reminder to discuss Jin's previous praise for the company's independent ethics function within the Human Resources (HR) department. Felicity believes that much company time could be saved if the Ethics Officer position were done away with, and that any ethical concerns were simply brought directly to the executive leadership of the company.

Although Felicity questions many of Jin's decisions, she hopes that their meeting will be productive and that Jin, who is widely respected throughout the company, will help the company save money. Felicity believes that austerity is the only way forward.

Based on the scenario, Felicity is in danger of NOT exercising enough caution regarding which of the following?

A. The company's acceptance of advanced technology.

B. The company's ongoing relationship with outside vendors. Most Voted

C. The allocation of duties to a Chief Information Officer (CIO).

D. The staff charged with assisting with Privacy Impact Assessments (PIAs).

Correct Answer: C

Community vote distribution


B (100%)
Question #180 Topic 1

SCENARIO -

Please use the scenario given under Question #179 above to answer the next question.

How could Jin address Felicity's desire to update the privacy program without increasing organizational risk?

A. By merging selected departments.

B. By easing penalties for employees.

C. By enacting fewer privacy program rules.

D. By automating some privacy program processes. Most Voted

Correct Answer: D

Community vote distribution


D (100%)
Question #181 Topic 1

SCENARIO -

Please use the scenario given under Question #179 above to answer the next question.

Based on Felicity's intended changes, which of the following is most likely to be of concern to Jin regarding the safety of personal data?

A. The impacts of online marketing.

B. The effective use of several types of controls. Most Voted

C. The wording of the company's privacy notice.

D. The rigor of the company's various hiring practices.

Correct Answer: B

Community vote distribution


B (100%)

Question #182 Topic 1

Integrating privacy requirements into functional areas across the organization happens at which stage of the privacy operational lifecycle?

A. Respond.

B. Assess.

C. Protect.

D. Sustain. Most Voted

Correct Answer: D

Community vote distribution


D (60%) C (40%)
Question #183 Topic 1

Which item below best represents how a Privacy Group can effectively communicate with functional areas?

A. Rely solely on items from work units for constructing an impact assessment.

B. Work closely with functional areas by acting as both an advisor and advocate. Most Voted

C. Focus attention on Directors and Senior Managers as they are responsible for the work.

D. Choose a work unit representative and funnel all communications through that one person.

Correct Answer: B

Community vote distribution


B (100%)

Question #184 Topic 1

What is the most secure standard for disposition of a hard drive containing personal data?

A. Degaussing. Most Voted

B. Formatting.

C. Decryption.

D. Recycling.

Correct Answer: A

Community vote distribution


A (100%)
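Why formatting (option B) is not a disposition method at all, shown as an added illustration that is not part of the ExamTopics page or of any IAPP material: the Python below models a disk as a flat byte array whose block 0 is the allocation table. A quick format resets only that table, so the operating system no longer sees the file, yet a carving scan over the raw bytes still recovers the personal data. Only overwriting every block removes it. The block geometry, the SSN-shaped marker used to stand in for personal data, and the payroll record are all constructed for the example.

```python
import re
from typing import List, Optional

BLOCK_SIZE = 64    # toy geometry; real media use 512- or 4096-byte sectors
BLOCK_COUNT = 16   # block 0 is the allocation table, blocks 1..15 hold file data
PII_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")  # SSN-shaped marker standing in for personal data


class ToyDisk:
    """Flat byte array whose block 0 maps file names to the blocks holding their data."""

    def __init__(self) -> None:
        self.raw = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.next_free = 1

    def write_file(self, name: str, data: bytes) -> None:
        nblocks = -(-len(data) // BLOCK_SIZE)          # ceiling division
        if self.next_free + nblocks > BLOCK_COUNT:
            raise ValueError("toy disk full")
        first = self.next_free
        start, end = first * BLOCK_SIZE, (first + nblocks) * BLOCK_SIZE
        self.raw[start:end] = data.ljust(end - start, b"\0")
        entry = f"{name}:{first}:{len(data)};".encode()
        table = bytes(self.raw[:BLOCK_SIZE]).rstrip(b"\0") + entry
        self.raw[:BLOCK_SIZE] = table.ljust(BLOCK_SIZE, b"\0")
        self.next_free = first + nblocks

    def read_file(self, name: str) -> Optional[bytes]:
        """Normal file-system view: the file exists only if the allocation table points at it."""
        table = bytes(self.raw[:BLOCK_SIZE]).rstrip(b"\0").decode()
        for entry in filter(None, table.split(";")):
            ename, first, length = entry.split(":")
            if ename == name:
                start = int(first) * BLOCK_SIZE
                return bytes(self.raw[start:start + int(length)])
        return None

    def quick_format(self) -> None:
        """What a (quick) format does: reset the allocation table and leave data blocks untouched."""
        self.raw[:BLOCK_SIZE] = bytes(BLOCK_SIZE)

    def overwrite(self) -> None:
        """Sanitize by overwriting every block, table and data alike (a NIST SP 800-88 'Clear')."""
        self.raw[:] = bytes(len(self.raw))


def carve_pii(disk: ToyDisk) -> List[bytes]:
    """Recovery-tool view: scan the raw bytes and ignore the allocation table entirely."""
    return PII_RE.findall(bytes(disk.raw))


def demo() -> dict:
    """Write one constructed record, format, carve, overwrite, carve again."""
    disk = ToyDisk()
    disk.write_file("payroll.csv", b"name,ssn\nA. Example,123-45-6789\n")  # constructed record
    out = {"before": len(carve_pii(disk))}
    disk.quick_format()
    out["after_format_readable"] = disk.read_file("payroll.csv") is not None
    out["after_format_carved"] = len(carve_pii(disk))
    disk.overwrite()
    out["after_overwrite_carved"] = len(carve_pii(disk))
    return out


if __name__ == "__main__":
    print(demo())
```

Degaussing (option A) destroys the magnetic domains of a hard drive, taking the data and usually the drive's own servo tracks with it, which is why it is the strongest of the four options for magnetic media. It has no effect on flash-based SSDs; for those, NIST SP 800-88 points to the drive's own sanitize or cryptographic-erase command, or physical destruction, and the same carving test above is the check to run on a sample of drives before a disposal batch leaves the building.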

Question #185 Topic 1

Which of the following would NOT be beneficial in integrating privacy requirements and representation into functional areas across an organization?

A. Creating a structure that provides a communication chain (formally and informally) that a privacy professional can use in performing key data protection activities.

B. Creating a governance structure composed of representatives from each business function and geographic region in which the organization has a presence.

C. Creating a program where the privacy officer (or privacy team) can lead on privacy matters by having exclusive responsibility to execute the privacy mission. Most Voted

D. Creating a privacy committee or council composed of various stakeholders.

Correct Answer: C

Community vote distribution


C (100%)
Question #186 Topic 1

Which of the following is a common disadvantage of a third-party audit?

A. It identifies weaknesses of internal controls.

B. It lends credibility to an internal audit program.

C. It requires a learning curve about the organization. Most Voted

D. It provides a level of unbiased, expert recommendations.

Correct Answer: C

Community vote distribution


C (100%)

Question #187 Topic 1

SCENARIO -

Please use the following to answer the next question:

Jonathan recently joined a healthcare payment processing solutions company as a senior privacy manager. One morning, Jonathan awakens to several emails informing him that an individual cloud server failed due to a flood in its server room, damaging its hardware and destroying all the data the company had stored on that drive. Jonathan was not aware that the company had this particular cloud account or that any data was being stored there because it was not included in the data mapping or data inventory provided to him by his predecessor. Jonathan's predecessor conducted a data inventory and mapping exercise 4 years ago and updated it on an annual basis.

Renee works in the sales department and tells Jonathan that she doesn't think that account had been used since the company moved to a bigger cloud vendor three years ago. She also advised him that the account was mostly used by Human Resources (HR) and Accounts Payable (AP). Jonathan speaks to both departments and learns that each had met with his predecessor multiple times and explained they saved sensitive personal data on that drive, including health and financial related personal data and "other stuff." Jonathan also learns that the data stored in that account had not been backed up as company policy required. Jonathan asks his IT department who had access to that particular account and learns that there were no access controls in place, making the account available to anyone in the company, despite the purported sensitivity of the data being stored there.

Jonathan is panicking as the data can't be recovered, and he can't determine exactly what data was saved on that account or to whom it belongs. Two days later, the company receives 32 data subject access requests and Accounts Payable confirms Jonathan's worry that these data subjects' personal data was likely stored on this account. He searches for the company's data subject access request policy, but later learns it doesn't exist.

Jonathan wants to formalize monitoring to prevent a similar issue from happening again. What scope of monitoring would be most useful?

A. Monitoring compliance with data mapping and disaster recovery. Most Voted

B. Monitoring new privacy legislation and industry standards for information security.

C. Monitoring the vulnerabilities across environments containing sensitive personal data.

D. Monitoring of vendor contracts to ensure security controls are systematically addressed.

Correct Answer: C

Community vote distribution


A (100%)
Question #188 Topic 1

SCENARIO -

Please use the scenario given under Question #187 above to answer the next question.

Which step did Jonathan correctly determine most significantly contributed to the issue at hand?

A. Due diligence on the cloud provider that hosted the impacted account had not been performed.

B. Training and awareness around appropriate storage of sensitive personally identifiable data had not been performed.

C. This cloud account and the personal data stored there had not been accounted for in the data mapping or in the data inventory. Most Voted

D. Specific instructions on backing up data had not been given to Human Resources (HR) and Accounts Payable (AP).

Correct Answer: C

Community vote distribution


C (100%)
Question #189 Topic 1

SCENARIO -

Please use the scenario given under Question #187 above to answer the next question.

Based on the scenario above, what is the most appropriate next step Jonathan should take?

A. Consult with the legal team to determine how to address the data subjects' requests and determine the risk of noncompliance. Most Voted

B. Consult with other key stakeholders to create a presentation on the incident and lessons learned for the board of directors.

C. Consult with the public relations team to discuss potential brand impact of not responding to the data subjects' requests.

D. Consult with the information technology team to understand how and why this cloud account was not disabled.

Correct Answer: A

Community vote distribution


A (100%)

Question #190 Topic 1

Internal audits add value to the privacy program primarily through what?

A. Evaluating the effectiveness of the privacy program. Most Voted

B. Remediating gaps in the privacy program noted by management.

C. Remediating gaps in the privacy program noted within audit reports.

D. Determining the applicability of certain privacy regulations to the organization.

Correct Answer: A

Community vote distribution


A (100%)
Question #191 Topic 1

The owner of an ice cream store has decided to begin accepting credit and debit cards for payment. To comply with industry standards, the owner will need to do which of the following?

A. Seek ISO 27001 certification.

B. Implement PCI data security controls. Most Voted

C. Issue a privacy notice to store customers.

D. Use only vendor-supplied system passwords.

Correct Answer: B

Community vote distribution


B (100%)

Question #192 Topic 1

You are the Privacy Officer (PO) at a University. Recently, the police have contacted you as they suspect that one of your students is using a library computer to commit financial fraud. The police would like your assistance in investigating this individual and are requesting computer logs and usage data of the student. What is your first step in responding to the request?

A. Refuse the request as the police do not have a warrant.

B. Provide the data to police and record it for your own archives.

C. Contact the University's legal counsel to determine if the request is lawful. Most Voted

D. Review policies, procedures and legislation to determine the University's obligation to co-operate with the police.

Correct Answer: C

Community vote distribution


C (100%)

Question #193 Topic 1

What is the name for the privacy strategy model that describes delegated decision making?

A. Decentralized. Most Voted

B. Hierarchical.

C. Localized.

D. Hybrid.

Correct Answer: A

Community vote distribution


A (100%)
Question #194 Topic 1

Which aspect of a privacy program can best aid an organization’s response time to a Data Subject Access Request (DSAR)?

A. Conducting privacy training.

B. Maintaining a written DSAR policy. Most Voted

C. Creating a comprehensive data inventory.

D. Implementing Privacy Impact Assessments (PIAs).

Correct Answer: C

Community vote distribution


B (67%) C (33%)

Question #195 Topic 1

All of the following are components of a data collection notice EXCEPT identification of which of the following?

A. Data subject rights.

B. How the data is processed securely.

C. Potential uses of personal information in the future. Most Voted

D. The metadata which could be generated from collection of the information.

Correct Answer: D

Community vote distribution


C (100%)

Question #196 Topic 1

Under the General Data Protection Regulation (GDPR), what obligation does a data controller or processor have after appointing a Data Protection Officer (DPO)?

A. To submit for approval to the DPO a code of conduct to govern organizational practices and demonstrate compliance with data protection principles.

B. To provide resources necessary to carry out the defined tasks of the DPO and to maintain their expert knowledge. Most Voted

C. To ensure that the DPO acts as the sole point of contact for individuals’ questions about their personal data.

D. To ensure that the DPO receives sufficient instructions regarding the exercise of their defined tasks.

Correct Answer: B

Community vote distribution


B (100%)
Question #197 Topic 1

According to the European Data Protection Board (formerly the Article 29 Working Party) guidelines, which processing operation would require a Data Protection Impact Assessment (DPIA)?

A. An online newspaper using its subscriber list to email a daily newsletter.

B. A healthcare clinic that processes personal data of its patients in its billing system.

C. A hospital processing patients' genetic and health data in its hospital information system. Most Voted

D. An online store displaying advertisements based on items viewed or purchased on its own website.

Correct Answer: C

Community vote distribution


C (67%) D (33%)

Question #198 Topic 1

What is the Privacy Officer’s first action after being told that her firm is planning to sell its credit card processing business?

A. Prepare a Record of Processing Activities (ROPA).

B. Review technical security controls.

C. Review contractual obligations. Most Voted

D. Review data mapping.

Correct Answer: C

Community vote distribution


C (100%)
Question #199 Topic 1

SCENARIO -

Please use the following to answer the next question:

You were recently hired by InStyle Data Corp. as a privacy manager to help InStyle Data Corp. become compliant with a new data protection law. The law mandates that businesses have reasonable and appropriate security measures in place to protect personal data. Violations of that mandate are heavily fined and the legislators have stated that they will aggressively pursue companies that don't comply with the new law.

You are paired with a security manager and tasked with reviewing InStyle Data Corp.'s current state and advising the business how it can meet the "reasonable and appropriate security" requirement. InStyle Data Corp. has grown rapidly and has not kept a data inventory or completed a data mapping. InStyle Data Corp. has also developed security-related policies ad hoc and many have never been implemented. The various teams involved in the creation and testing of InStyle Data Corp.'s products experience significant turnover and do not have well-defined roles. There's little documentation addressing what personal data is processed by which product and for what purpose.

Work needs to begin on this project immediately so that InStyle Data Corp. can become compliant by the time the law goes into effect. You and your partner discover that InStyle Data Corp. regularly sends files containing sensitive personal data back to its customers through email, sometimes using InStyle Data Corp. employees' personal email accounts. You also learn that InStyle Data Corp.'s privacy and information security teams are not informed of new personal data flows, new products developed by InStyle Data Corp. that process personal data, or updates to existing InStyle Data Corp. products that may change what or how the personal data is processed until after the product or update has gone live.

Through a review of InStyle Data Corp.'s test and development environment logs, you discover InStyle Data Corp. sometimes gives login credentials to any InStyle Data Corp. employee or contractor who requests them. The test environment only contains dummy data, but the development environment contains personal data, including Social Security Numbers, health information, and financial information. All credentialed InStyle Data Corp. employees and contractors have the ability to alter and delete personal data in both environments regardless of their role or what project they are working on.

You and your partner provide a gap assessment citing the issues you spotted, along with recommended remedial actions and a method to measure implementation. InStyle Data Corp. implements all of the recommended security controls. You review the processes, roles, controls, and measures taken to appropriately protect the personal data at every step. However, you realize there is no plan for monitoring and nothing in place addressing sanctions for violations of the updated policies and procedures. InStyle Data Corp. pushes back, stating they do not have the resources for such monitoring.

Based on your findings regarding how data is transferred to InStyle Data Corp.'s customers, what can you do from a control perspective that is most likely to mitigate risk from this data processing activity?

A. Require in the customer contract that the customer only allow an authorized end user to open the file.

B. Keep an audit log of files with sensitive personal data sent to the customer and the intended recipient.

C. Allow InStyle Data Corp. employees to only use their personal email address to send files if it’s an emergency.

D. Implement a method of data transfer for the files containing sensitive personal information with end-to-end encryption. Most Voted

Correct Answer: D

Community vote distribution


D (100%)
Question #200 Topic 1

SCENARIO -

Please use the scenario given under Question #199 above to answer the next question.

What aspect of the data management life cycle have you as Privacy Manager NOT accounted for?

A. Auditability.

B. Minimalism.

C. Enforcement. Most Voted

D. Retrievability.

Correct Answer: C

Community vote distribution


C (100%)
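The email finding in the InStyle scenario (sensitive files sent in cleartext, sometimes from personal accounts, Question #199) and the monitoring the company says it cannot afford (Question #200) can be served by one small piece of logic: a gateway-side check that flags any outbound message whose attachment carries personal data in cleartext or whose sender is not a corporate address, and that counts violations so the privacy program has a number to report and enforce against. The Python below is an added example written for this page; it is not code from ExamTopics, the IAPP or InStyle Data Corp. The message shape, the corporate domain instyle.example, the rule that files sent through the approved encrypted channel arrive as PGP-armored messages, and the four sample messages (using a dummy SSN and the well-known 4111... test card number) are all assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Assumption: the company's own mail domain(s); anything else counts as a personal or unknown account.
CORPORATE_DOMAINS = {"instyle.example"}

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
PAN_CANDIDATE_RE = re.compile(rb"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"   # assumption: the approved channel produces PGP-armored files


@dataclass
class Outbound:
    """One outbound message as a gateway would hand it to a DLP hook (constructed shape, not a real format)."""
    sender: str
    recipient: str
    attachment_name: str
    attachment: bytes


def luhn_ok(digits: str) -> bool:
    """Luhn check so that order IDs and timestamps are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pii_kinds(data: bytes) -> List[str]:
    """Return which kinds of personal data appear in cleartext in the given bytes."""
    kinds = []
    if SSN_RE.search(data):
        kinds.append("ssn")
    for m in PAN_CANDIDATE_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(digits):
            kinds.append("card")
            break
    return kinds


def looks_encrypted(data: bytes) -> bool:
    """Narrow test: did the file come out of the approved channel? A hook cannot verify E2E crypto by inspection."""
    return data.startswith(PGP_ARMOR)


def evaluate(msg: Outbound) -> List[str]:
    """Policy decision for one message: the rules it breaks (empty list means it may be sent)."""
    findings = []
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if domain not in CORPORATE_DOMAINS:
        findings.append("non-corporate-sender")
    if not looks_encrypted(msg.attachment):
        kinds = pii_kinds(msg.attachment)
        if kinds:
            findings.append("cleartext-pii:" + ",".join(kinds))
    return findings


def summarize(messages: List[Outbound]) -> Dict[str, int]:
    """Count violations by rule; this is the figure a monitoring report tracks from month to month."""
    counts: Counter = Counter()
    for msg in messages:
        for f in evaluate(msg):
            counts[f.split(":", 1)[0]] += 1
    return dict(counts)


# Constructed sample traffic; the SSN and the 4111... PAN are dummy values, not real records.
SAMPLE = [
    Outbound("alice@instyle.example", "ops@customer.example", "export.csv",
             b"name,ssn\nA. Example,123-45-6789\n"),
    Outbound("bob@mail.example", "ops@customer.example", "export.csv.asc",
             PGP_ARMOR + b"\n\nhQEMA...\n-----END PGP MESSAGE-----\n"),
    Outbound("carol@instyle.example", "ops@customer.example", "export.csv.asc",
             PGP_ARMOR + b"\n\nhQEMA...\n-----END PGP MESSAGE-----\n"),
    Outbound("dave@instyle.example", "ops@customer.example", "refunds.txt",
             b"card 4111 1111 1111 1111 refund 12.00\n"),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m.sender, m.attachment_name, evaluate(m) or "ok")
    print(summarize(SAMPLE))
```

The encryption test is deliberately narrow: a mail hook can only confirm that a file went through the approved end-to-end channel, not that the encryption itself is sound, so the control that answers Question #199 is the channel, and this check is the enforcement and monitoring layer that Question #200 says is missing. Run at the gateway or as a pre-send hook, the summary counts give the privacy manager the metric to report, and the per-message findings give the sanctions process something concrete to act on.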

