QUESTION 181
All of the following are policy controls EXCEPT?
A. Deleting data upon request.
B. Getting explicit consent for sensitive data.
C. Providing a notice at the point of data collection.
D. Using asset management to document what data is collected.
Correct Answer: D
QUESTION 182
Which term describes a piece of personal data that alone may NOT identify an individual?
A. A singularity.
B. Unbundled data.
C. A single attribute.
D. Non-aggregated Infopoint.
Correct Answer: C
QUESTION 183
All of the following are accurate regarding the use of technical security controls EXCEPT?
A. Technical security controls are part of a data governance strategy.
B. Technical security controls deployed for one jurisdiction often satisfy another jurisdiction.
C. Most privacy legislation lists the types of technical security controls that must be implemented.
D. A person with security knowledge should be involved with the deployment of technical security controls.
Correct Answer: C
QUESTION 184
All of the following monitoring activities allow organizations to ensure vendors are complying with contractual obligations EXCEPT?
A. Completing information security reviews.
B. Providing internal assessments.
C. Conducting assessments.
D. Providing policies and procedures.
Correct Answer: D
QUESTION 185
SCENARIO
Please use the following to answer the next question:
Orderly) is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. A family creates a single account and the primary user has access to all information about the other users. In order to be able to use the application, the primary user must check a box consenting to receive marketing emails from the developer and selected marketing partners.
After having had a successful launch in the United States, Orderly) is about to be made available for purchase worldwide. The privacy officer for the potential European distributor discovered that Orderly) collects and stores the sensitive medical information of its users for the medical appointment scheduler. In fact, all of the user’s information is stored by Order(ly) for the purpose of creating additional products and analyzing usage of the products. This data is stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all employees
have access to user data with the additional hopes that at some point in the future the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence. At this time, however, this latter initiative is not well-defined and is considered a long-term goal.
What element of the Privacy by Design (PbD) framework might Orderly) violate?
A. Failure to obtain opt-in consent to marketing.
B. Failure to observe data localization requirements.
C. Failure to implement the least privilege access standard.
D. Failure to integrate privacy throughout the system development life cycle
Correct Answer: C
QUESTION 186
SCENARIO
Please use the following to answer the next question:
Orderly) is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. A family creates a single account and the primary user has access to all information about the other users. In order to be able to use the application, the primary user must check a box consenting to receive marketing emails from the developer and selected marketing partners.
After having had a successful launch in the United States, Orderly) is about to be made available for purchase worldwide. The privacy officer for the potential European distributor discovered that Orderly) collects and stores the sensitive medical information of its users for the medical appointment scheduler. In fact, all of the user’s information is stored by Order(ly) for the purpose of creating additional products and analyzing usage of the products. This data is stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all employees
have access to user data with the additional hopes that at some point in the future the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence. At this time, however, this latter initiative is not well-defined and is considered a long-term goal.
What administrative safeguards should be implemented to protect the collected data while in use by the product management team?
A. Document the data flows for the collected data.
B. Implement a policy restricting data access on a “need to know” basis.
C. Conduct a Privacy Impact Assessment (PIA) to evaluate the risks involved.
D. Limit data transfers to the Us by keeping data collected in Europe within a local data center.
Correct Answer: B
QUESTION 187
AU.S.-based online shop uses software to track the browsing behavior of its EU customers to predict future purchases and the shop shares this information with third parties.
According to the GDPR, the shop’s primary obligation is to?
A. Prove that it uses sufficient security safeguards to protect customer data.
B. Seek authorization from the European supervisory authorities.
C. Avoid the use of dark patterns.
D. Solicit informed consent to each activity separately.
Correct Answer: D
QUESTION 188
All of the following would be key considerations when implementing PbD EXCEPT?
A. Purpose specification.
B. Limitations on liability.
C. Collection limitation.
D. Data minimization.
Correct Answer: B
QUESTION 189
Why were the nongovernmental privacy organizations, Electronic Frontier Foundation (EFF), Electronic Privacy Information Center (EPIC) and none of your business (NYOB) established?
A. To provide standards for online transactions.
B. To protect civil liberties and raise consumer awareness.
C. To promote consumer confidence in the Internet industry.
D. To promote security on the Internet through strong encryption.
Correct Answer: B
QUESTION 190
SCENARIO
Please use the following to answer the next question:
You were recently hired by InStyle Data Corp. as a privacy manager to help InStyle Data Corp. become compliant with a new data protection law.
The law mandates that businesses have reasonable and appropriate security measures in place to protect personal data. Violations of that mandate are heavily fined and the legislators have stated that they will aggressively pursue companies that don’t comply with the new law.
You are paired with a security manager and tasked with reviewing InStyle Data Corp.’s current state and advising the business how it can meet the “reasonable and appropriate security” requirement. Instyle Data Corp. has grown rapidly and has not kept a data inventory or completed a data mapping. Instyle Data Corp. has also developed security-related policies ad hoc and many have never been implemented.
The various teams involved in the creation and testing of InStyle Data Corp.’s products experience significant turnover and do not have well defined roles. There’s
little documentation addressing what personal data is processed by which product and for what purpose.
Work needs to begin on this project immediately so that Instyle Data Corp. can become compliant by the time the law goes into effect. You and your partner discover that Instyle Data Corp. regularly sends files containing sensitive personal data back to its customers through email, sometimes using InStyle Data Corp. employees’ personal email accounts. You also learn that Instyle Data Corp.’s privacy and information security teams are not informed of new personal data flows, new products developed by InStyle Data Corp. that process personal data or updates to existing Instyle Data Corp. products that may change what or how the personal data is processed until after the product or update has gone live.
Through a review of Instyle Data Corp.’s test and development environment logs, you discover In style Data Corp. sometimes gives login credentials to any Instyle Data Corp. employee or contractor who requests them. The test environment only contains dummy data, but the development environment contains personal data, including national ID numbers, health information and financial information. All credentialed instyle Data Corp. employees and contractors have the ability to alter and delete personal data in both environments regardless of their role or what project they are working on.
You and your partner provide a gap assessment citing the Issues you spotted, along with recommended remedial actions and a method to measure implementation. Instyle Data Corp. implements all of the recommended security controls. You review the processes, roles, controls and measures taken to appropriately protect the personal data at every step. However, you realize there is no plan for monitoring and nothing in place addressing sanctions for violations of the updated policies and procedures. InStyle Data Corp. pushes back, stating they do not have the resources for such monitoring.
Based on your findings regarding how data is transferred to Instyle Data Corp.’s customers, what can you do from a control perspective that is most likely to mitigate risk from this data processing activity?
A. Require in the customer contract that the customer only allow an authorized end user to open the file.
B. Implement a method of data transfer for the files containing sensitive personal information with end-to-end encryption.
C. Keep a secure audit log of files with sensitive personal data sent to the customer and the intended recipient and audit on a quarterly basis.
D. Allow employees to only use their personal email address to send files exclusively unde emergency circumstances, provided that such transmissions are logged and monitored.
Correct Answer: B
QUESTION 191
SCENARIO
Please use the following to answer the next question:
You were recently hired by InStyle Data Corp. as a privacy manager to help InStyle Data Corp. become compliant with a new data protection law.
The law mandates that businesses have reasonable and appropriate security measures in place to protect personal data. Violations of that mandate are heavily fined and the legislators have stated that they will aggressively pursue companies that don’t comply with the new law.
You are paired with a security manager and tasked with reviewing InStyle Data Corp.’s current state and advising the business how it can meet the “reasonable and appropriate security” requirement. Instyle Data Corp. has grown rapidly and has not kept a data inventory or completed a data mapping. Instyle Data Corp. has also developed security-related policies ad hoc and many have never been implemented.
The various teams involved in the creation and testing of InStyle Data Corp.’s products experience significant turnover and do not have well defined roles. There’s
little documentation addressing what personal data is processed by which product and for what purpose.
Work needs to begin on this project immediately so that Instyle Data Corp. can become compliant by the time the law goes into effect. You and your partner discover that Instyle Data Corp. regularly sends files containing sensitive personal data back to its customers through email, sometimes using InStyle Data Corp. employees’ personal email accounts. You also learn that Instyle Data Corp.’s privacy and information security teams are not informed of new personal data flows, new products developed by InStyle Data Corp. that process personal data or updates to existing Instyle Data Corp. products that may change what or how the personal data is processed until after the product or update has gone live.
Through a review of Instyle Data Corp.’s test and development environment logs, you discover In style Data Corp. sometimes gives login credentials to any Instyle Data Corp. employee or contractor who requests them. The test environment only contains dummy data, but the development environment contains personal data, including national ID numbers, health information and financial information. All credentialed instyle Data Corp. employees and contractors have the ability to alter and delete personal data in both environments regardless of their role or what project they are working on.
You and your partner provide a gap assessment citing the Issues you spotted, along with recommended remedial actions and a method to measure implementation. Instyle Data Corp. implements all of the recommended security controls. You review the processes, roles, controls and measures taken to appropriately protect the personal data at every step. However, you realize there is no plan for monitoring and nothing in place addressing sanctions for violations of the updated policies and procedures. InStyle Data Corp. pushes back, stating they do not have the resources for such monitoring.
Given the findings of your gap assessment at Instyle Data Corp, which action should you prioritize as a privacy manager to ensure ongoing compliance with the privacy law?
A. Develop a formal process to notify the privacy and information security teams of any new personal data flows or products that process personal information (Pl) before they go live.
B. Conduct a regular audit of email communication to ensure that sensitive personal data is not sent using personal email accounts.
C. Implement a data inventory and data mapping process to document all personal data processing activities across Instyle.
D. Establish a policy to restrict access to personal data in the test and development environment.
Correct Answer: A
QUESTION 192
Which of the following Privacy by Design foundational principles is described by the following statement: “PbD seeks to accommodate all legitimate interests and objectives, rather than making unnecessary trade-offs.”?
A. Privacy as the default.
B. Respect for user privacy.
C. Visibility and transparency -keep it open.
D. Full functionality – positive sum, not zero-sum.
Correct Answer: D
QUESTION 193
All of the following would typically be included in an organization’s business continuity plan (BCP) or disaster recovery plan (DRP)EXCEPT?
A. Recovery time objectives.
B. Emergency response guidelines.
C. A statement of organizational responsibilities.
D. A retention schedule for storage and destruction of information.
Correct Answer: D
QUESTION 194
SCENARIO
Please use the following to answer the next question:
Today is your first day at a fast-growing international real estate firm headquartered in New York, with offices in Canada and Germany. You are the firm’s first ever privacy officer.
While touring the office to meet your new colleagues and learn the layout of the office, you notice piles of printing jobs left on the printer in the copy room. You also note a recycle bin and garbage can near the printers. With a quick glance, you see a completed loan application form print out with applicant name, social security number and home address lying in the recycle bin. You make a note to follow up immediately.
You are then introduced to the head of IT who gives you a warm welcome and explains his star project this year -enterprise customer relationship management (CRM) mobility. He is very proud that he is leading this innovation that allows firm-wide employees to access the existing CRM database remotely from anywhere on the internet. The business value of this mobility initiative is significant. Since he doesn’t have internal web development expertise, he outsourced the development work to a small IT firm in New York that has just successfully delivered another IT initiative for the company.
After the tour you start working on a plan based on your observations. One immediate action is to schedule a meeting with the head of IT to discuss the CRM mobility project.
Considering the business value of the CRM mobility project, the least probable focus of your meeting with the head of IT regarding the vendor would be?
A. Standard contractual clauses.
B. The project data flows.
C. Vendor security controls.
D. Information asset inventory.
Correct Answer: D
QUESTION 195
SCENARIO
Please use the following to answer the next question:
Today is your first day at a fast-growing international real estate firm headquartered in New York, with offices in Canada and Germany. You are the firm’s first ever privacy officer.
While touring the office to meet your new colleagues and learn the layout of the office, you notice piles of printing jobs left on the printer in the copy room. You also note a recycle bin and garbage can near the printers. With a quick glance, you see a completed loan application form print out with applicant name, social security number and home address lying in the recycle bin. You make a note to follow up immediately.
You are then introduced to the head of IT who gives you a warm welcome and explains his star project this year -enterprise customer relationship management (CRM) mobility. He is very proud that he is leading this innovation that allows firm-wide employees to access the existing CRM database remotely from anywhere on the internet. The business value of this mobility initiative is significant. Since he doesn’t have internal web development expertise, he outsourced the development work to a small IT firm in New York that has just successfully delivered another IT initiative for the company.
After the tour you start working on a plan based on your observations. One immediate action is to schedule a meeting with the head of IT to discuss the CRM mobility project.
All of the following should be mandatory in the contract for the outsourced vendor EXCEPT?
A. Generation of reports and metrics.
B. Information security controls.
C. Liability for data breach.
D. Cyber insurance.
Correct Answer: A
QUESTION 196
All of the following would be recommended for effective identity access management (IAM) EXCEPT?
A. User responsibility.
B. Demographics.
C. Biometrics.
D. Credentials.
Correct Answer: B
QUESTION 197
Which is the most accurate definition of privacy enhancing technologies (PETS)?
A. Value-added components of regulatory reporting systems.
B. Business enterprise software systems that include privacy control functions.
C. Extensions to technical controls for improving the quality of privacy control.
D. Web applications that are compliant with international protocols and adapt to nearly all information technology infrastructures.
Correct Answer: C
QUESTION 198
In the metric management process, what action is likely to result in a biased sample?
A. Using the mean rather than the median.
B. Excluding certain elements from the data population.
C. Extrapolating a random subset of information from a larger data set.
D. Massaging measurement numbers to enhance the data’s effectiveness.
Correct Answer: B
QUESTION 199
Last year Ecosoft 1014 was hacked and a number of servers and programs were affected. Since the incident, the company started collecting metrics on data privacy and system outages to try to stop it from happening in the future.
What analysis would be most helpful based on the data they have collected?
A. Return on Investment (Rol).
B. Compliance analysis.
C. Business Resiliency.
D. Trend analysis.
Correct Answer: D
QUESTION 200
SCENARIO
Please use the following to answer the next question:
You are the privacy operations lead at a mid-size multi-national business to business (B2B) technology organization. The privacy program is moderately mature and you are looking to enhance and expand training and awareness at all levels of the business. You want to launch an effort that helps bring privacy into focus for specific job families, categories and lines of the business (e.g., developers, program managers, architects) but your privacy team is small and you don’t have a large budget to make this happen.
You set up a meeting with Internal communications to identify possible awareness opportunities to meet these objectives and have secured spots at several
upcoming all team meetings to present on privacy. Your goals are to establish an enterprise-wide privacy program awareness plan and toolkit involving various stakeholders that is then tailored to internal operational departments.
Which of the following actions would help you best determine internal stakeholders to achieve your goals using a risk-based approach?
A. Ask supervisors to nominate a staffer to participate.
B. Conduct small group sessions to identify and understand the relevant stakeholders.
C. Post a message on your website asking for assistance with your privacy awareness plan.
D. Send an enterprise-wide email to all employees asking for volunteers to help with awareness. campaigns.
Correct Answer: B
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.