QUESTION 1
Which is NOT an influence on the privacy environment external to an organization?
A. Management team priorities.
B. Technological advances.
C. Consumer demand.
D. Regulations.
Correct Answer: A
QUESTION 2
Under the General Data Protection Regulation (GDPR), international data transfer is allowed using the mechanisms in all of the following scenarios EXCEPT between companies who?
A. Are part of the same group of enterprise using approved Binding Corporate Rules (BCRs).
B. Have signed up to the EU Standard Contractual Clauses.
C. Have put in place a binding confidentiality agreement.
D. Have put in place an approved code of conduct.
Correct Answer: C
QUESTION 3
What should be the first major goal of a company developing a new privacy program?
A. To survey potential funding sources for privacy team resources.
B. To schedule conversations with executives of affected departments.
C. To identify potential third-party processors of the organization’s information.
D. To create Data Lifecycle Management (DLM) policies and procedures to limit data collection.
Correct Answer: D
QUESTION 4
When building a data privacy program, what is a good starting point to understand the scope of privacy program needs?
A. Perform Data Protection Impact Assessments (DPIAs).
B. Perform risk assessments.
C. Complete a data inventory.
D. Identify applicable privacy laws.
Correct Answer: C
QUESTION 5
Which of the following helps build trust with customers and stakeholders?
A. Only publish what is necessary to be compliant with applicable laws.
B. Enable customers to view and change their own personal information.
C. Publish your privacy notice using broad language to ensure all of your organization’s activities are captured.
D. Provide a dedicated privacy space with the privacy notice, explanatory documents and operation frameworks.
Correct Answer: D
QUESTION 6
Which of the following indicates you have developed the right privacy framework for your organization?
A. It identifies all key stakeholders by name.
B. It works at a different type of organization.
C. It improves the consistency of the privacy program.
D. It includes a privacy assessment of each major system.
Correct Answer: C
QUESTION 7
Why were the nongovernmental privacy organizations, Electronic Frontier Foundation (EFF), Electronic Privacy Information Center (EPIC) and none of your business (NYOB) established?
A. To protect civil liberties and raise consumer awareness.
B. To provide standards for online transactions.
C. To promote consumer confidence in the Internet industry.
D. To promote security on the Internet through strong encryption.
Correct Answer: A
QUESTION 8
“Respond” in the privacy operational life cycle includes which of the following?
A. Communicating to stakeholders and alignment to laws.
B. Using metrics to improve effectiveness of the program.
C. Handing information and data subject requests.
D. Evaluating security controls.
Correct Answer: B
QUESTION 9
Which is the best way to view an organization’s privacy framework?
A. As an industry benchmark that can apply to many organizations.
B. As a living structure that aligns to changes in the organization.
C. As a fixed structure that directs changes in the organization.
D. As an aspirational goal that improves the organization.
Correct Answer: B
QUESTION 10
Implementation of a Privacy Program Framework (PPF) requires that you do all of the following EXCEPT?
A. Analyze your organization’s privacy risks.
B. Measure the success of your privacy program.
C. Determine privacy-relevant decisions that impact your organization.
D. Review documented privacy management procedures and processes.
Correct Answer: D
QUESTION 11
In the European Union, the GDPR gives Supervisory Authorities the right to which of the following actions?
A. Suspend data transfers undertaken by a controller to a third country.
B. Prevent a national data protection bill from becoming law.
C. Prosecute a controller in a criminal investigation.
D. Award punitive damages to a data subject.
Correct Answer: A
QUESTION 12
Which privacy principles and guidelines helped form the basis for the EU Data Protection Directive and The General Data Protection Regulation (GDPR)?
A. Canadian Standards Association Privacy Code (CSA).
B. The European Telecommunications Standards Institute (ETSI).
C. The Asla-Paciic Economic Cooperation Privacy Framework (APEC).
D. The Organization for Economic Cooperation and Development (OECD).
Correct Answer: D
QUESTION 13
All of the following statements about complying with breach notification law are correct EXCEPT?
A. A consulting firm may certify that a breach notification law does not apply to your organization.
B. Breach notification may be required when state law requires it and Federal law is silent.
C. A foreign breach notification law may apply to a breach that only involves your citizens.
D. A Federal agency may not be required to comply with a state breach notification law.
Correct Answer: A
QUESTION 14
Under the General Data Protection Regulation (GDPR), what obligation does a data controller or processor have after appointing a Data Protection Officer (DPO)?
A. To submit for approval to the DPO a code of conduct to govern organizational practices and demonstrate compliance with data protection principles.
B. To provide resources necessary to carry out the defined tasks of the DPO and to maintain their expert knowledge.
C. To ensure that the DPO acts as the sole point of contact for individuals’ questions about their personal data.
D. To ensure that the DPO receives sufficient instructions regarding the exercise of their defined tasks.
Correct Answer: B
QUESTION 15
SCENARIO
Please use the following to answer the next question:
You are the Privacy Manager within the Privacy Office at a National Forest Parks and Recreation Department. While having lunch with a colleague from the Information Technology (IT) division, you learn that the IT Director has put out a Request for Proposal (RFP) which calls for a system that collects the personal data of park attendees.
You consult with a few other colleagues in IT and learn that the RFP is worded such that it leaves it to the vendors to demonstrate what information they would collect from people who enter parks anywhere in the country, either in a vehicle or on foot. A partial list of the information collected includes:
·personal identifiers such as name, address, age, gender;
·vehicle registration information;
·facial images of park attendees;
·health information (e.g., physical disabilities, use of mobility devices) The stated purpose of the RFP is to:
“Improve the National Forest, Parks, and Recreation Department’s ability to track and monitor service usage thereby increasing the robustness of our customer data and to improve service offerings.”
Companies have already started submitting proposals for software solutions that address these information gathering practices. There is only one week left before the RFP closes.
The IT department has put together an RFP evaluation team. No one from the Privacy Office has been a part of the RFP up to this point; this occurred despite the fact that your department has an already well-established policy for notifying the Privacy Office of any new projects that may affect the collection, retention, or use of personal information.
Which of the following data protection actions has been implemented by the National Forest Parks and Recreation Department?
A. Policy creation.
B. Data minimization.
C. Sufficient engagement with the privacy team.
D. Identification of all of the sources, types, and uses of personal information (Pl).
Correct Answer: A
QUESTION 16
SCENARIO
Please use the following to answer the next question:
You are the Privacy Manager within the Privacy Office at a National Forest Parks and Recreation Department. While having lunch with a colleague from the Information Technology (IT) division, you learn that the IT Director has put out a Request for Proposal (RFP) which calls for a system that collects the personal data of park attendees.
You consult with a few other colleagues in IT and learn that the RFP is worded such that it leaves it to the vendors to demonstrate what information they would collect from people who enter parks anywhere in the country, either in a vehicle or on foot. A partial list of the information collected includes:
·personal identifiers such as name, address, age, gender;
·vehicle registration information;
·facial images of park attendees;
·health information (e.g., physical disabilities, use of mobility devices) The stated purpose of the RFP is to:
“Improve the National Forest, Parks, and Recreation Department’s ability to track and monitor service usage thereby increasing the robustness of our customer data and to improve service offerings.”
Companies have already started submitting proposals for software solutions that address these information gathering practices. There is only one week left before the RFP closes.
The IT department has put together an RFP evaluation team. No one from the Privacy Office has been a part of the RFP up to this point; this occurred despite the fact that your department has an already well-established policy for notifying the Privacy Office of any new projects that may affect the collection, retention, or use of personal information.
From a privacy management perspective, what is problematic about the “stated purpose” of the RFP?
A. It seeks to improve the robustness of customer data.
B. It seeks to track and monitor service usage by the customers.
C. It could improve customer service through unauthorized means.
D. It does not specify what information will be collected for improving customer data.
Correct Answer: D
QUESTION 17
SCENARIO
Please use the following to answer the next question:
You are the Privacy Manager within the Privacy Office at a National Forest Parks and Recreation Department. While having lunch with a colleague from the Information Technology (IT) division, you learn that the IT Director has put out a Request for Proposal (RFP) which calls for a system that collects the personal data of park attendees.
You consult with a few other colleagues in IT and learn that the RFP is worded such that it leaves it to the vendors to demonstrate what information they would collect from people who enter parks anywhere in the country, either in a vehicle or on foot. A partial list of the information collected includes:
·personal identifiers such as name, address, age, gender;
·vehicle registration information;
·facial images of park attendees;
·health information (e.g., physical disabilities, use of mobility devices) The stated purpose of the RFP is to:
“Improve the National Forest, Parks, and Recreation Department’s ability to track and monitor service usage thereby increasing the robustness of our customer data and to improve service offerings.”
Companies have already started submitting proposals for software solutions that address these information gathering practices. There is only one week left before the RFP closes.
The IT department has put together an RFP evaluation team. No one from the Privacy Office has been a part of the RFP up to this point; this occurred despite the fact that your department has an already well-established policy for notifying the Privacy Office of any new projects that may affect the collection, retention, or use of personal information.
All of the following are appropriate as next steps for the Privacy Office in developing a privacy assessment metric for the RFP EXCEPT?
A. Clarifying what information is to be collected and for what purpose.
B. Canceling this RFP and re-issuing it after thorough consultation with your office.
C. Obtaining a list of vendors and the services they are offering in response to the RFP requirements.
D. Extending the deadline for the RFP giving your office more time to assess the privacy needs of the program.
Correct Answer: B
QUESTION 18
SCENARIO
Please use the following to answer the next question:
You are the Privacy Manager within the Privacy Office at a National Forest Parks and Recreation Department. While having lunch with a colleague from the Information Technology (IT) division, you learn that the IT Director has put out a Request for Proposal (RFP) which calls for a system that collects the personal data of park attendees.
You consult with a few other colleagues in IT and learn that the RFP is worded such that it leaves it to the vendors to demonstrate what information they would collect from people who enter parks anywhere in the country, either in a vehicle or on foot. A partial list of the information collected includes:
·personal identifiers such as name, address, age, gender;
·vehicle registration information;
·facial images of park attendees;
·health information (e.g., physical disabilities, use of mobility devices) The stated purpose of the RFP is to:
“Improve the National Forest, Parks, and Recreation Department’s ability to track and monitor service usage thereby increasing the robustness of our customer data and to improve service offerings.”
Companies have already started submitting proposals for software solutions that address these information gathering practices. There is only one week left before the RFP closes.
The IT department has put together an RFP evaluation team. No one from the Privacy Office has been a part of the RFP up to this point; this occurred despite the fact that your department has an already well-established policy for notifying the Privacy Office of any new projects that may affect the collection, retention, or use of personal information.
Which of the following is the least important privacy consideration associated with assessing data when implementing a large scale project like this?
A. Standardization of privacy safeguards on a national scale.
B. Classification of the types of personal information collected by the system.
C. Identifying operational risks associated with data storage, access, and disposal.
D. Third-party vendor assessment to determine how well privacy practices of vendors align with your organization’s practices.
Correct Answer: A
QUESTION 19
Which of the following is legally binding and enforceable?
A. Organization for Economic Co-Operation and Development (OECD) Guidelines.
B. Asia-Pacific Economic Cooperation (APEC) Privacy Framework.
C. Binding Corporate Rules (BCRs).
D. ISO 27701.
Correct Answer: C
QUESTION 20
Which of the following is the optimum first step to take when creating a Privacy Officer governance model?
A. Involve senior leadership.
B. Provide flexibility to the General Counsel Office.
C. Leverage communications and collaboration with public affairs teams.
D. Develop internal partnerships with information technology (IT) and information security.
Correct Answer: A
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.