QUESTION 41
An organization’s business continuity plan or disaster recovery plan does NOT typically include?
A. Recovery time objectives.
B. Emergency response guidelines.
C. A statement of organizational responsibilities.
D. A retention schedule for storage and destruction of information.
Correct Answer: D
QUESTION 42
What steps can an organization take to ensure it’s data inventory is kept up to date?
A. Identify a process owner for each processing activity in the data inventory.
B. Conduct an annual review of the data inventory against the Privacy Notice.
C. Review the data inventory when there are changes to laws and regulations.
D. Link the data inventory to the implementation of new systems or applications.
Correct Answer: A
QUESTION 43
All of the following changes will likely trigger a data inventory update EXCEPT?
A. Onboarding of a new vendor.
B. Acquisition of a new subsidiary.
C. Passage of a new privacy regulation.
D. Outsourcing the Customer Relationship Management (CRM) function.
Correct Answer: C
QUESTION 44
What is least likely to be achieved by implementing a Data Lifecycle Management (DLM) program?
A. Reducing storage costs.
B. Ensuring data is kept for no longer than necessary.
C. Crafting policies which ensure minimal data is collected.
D. Increasing awareness of the importance of confidentiality.
Correct Answer: D
QUESTION 45
During a merger and acquisition, the most comprehensive review of privacy risks and gaps occurs when conducting what activity?
A. Transfer Impact Assessment (TIA).
B. Risk identification review.
C. Due diligence.
D. Integration.
Correct Answer: C
QUESTION 46
What is one obligation that the General Data Protection Regulation (GDPR) imposes on data processors?
A. To implement appropriate technical and organizational measures that ensure an appropriate level of security.
B. To honor all data access requests from data subjects.
C. To inform data subjects about the identity and contact details of the controller.
D. To carry out DPIAs in cases where processing is likely to result in high risk to the rights and freedoms of individuals.
Correct Answer: A
QUESTION 47
Which of the following is NOT recommended for effective identity Access Management?
A. User responsibility.
B. Demographics.
C. Biometrics.
D. Credentials.
Correct Answer: B
QUESTION 48
Privacy/security questionnaires are used primarily to do what?
A. Map data flows.
B. Assess vendor risk.
C. Determine access controls.
D. Comply with contractual requirements.
Correct Answer: B
QUESTION 49
When vetting third-party processors of data protected by the General Data Protection Regulation (GDPR), why is it important to know the physical location of stored personal data from clients?
A. To determine their incidence response time.
B. To determine the country laws that would govern the contract.
C. To determine the likelihood of a security breach in the location.
D. To ensure the country has adequate protection or if safeguards are required.
Correct Answer: D
QUESTION 50
With regards to information security, which of these is an example of physical controls?
A. Anti-virus software.
B. Network traffic filters.
C. Biometric access controls.
D. Intrusion Detection System (IDS).
Correct Answer: C
QUESTION 51
What interview preparation will best ensure that information-gathering from colleagues produces a complete data a inventory?
A. Request the primary key(s) for significant corporate databases; this will be the basis of the personal information inventory.
B. Establish a broad, common definition of personal information for the inventor; you can always narrow it later if necessary.
C. Explain the concepts of privacy-by-design and privacy-by-default so that interview participants understand the program goals.
D. Clarify the General Data Protection Regulation (GDPR) Article 6: Lawfulness of Processing as this basic rule is similar across jurisdictions.
Correct Answer: B
QUESTION 52
Protection from threats to facilities, systems that process and store electronic copies, and IT work/equipment locations best describes which category of security control?
A. Physical Control.
B. Technical Control.
C. Geographic Control.
D. Administrative Control.
Correct Answer: A
QUESTION 53
Post-liquidation, a company that has acquired assets would require separate consent from data subject if personally identifiable data were being retained for which purpose?
A. For tax purposes.
B. For analytical purposes.
C. To be able to ensure payment of pension funds.
D. To secure employment benefits for former employees.
Correct Answer: B
QUESTION 54
Which of the following is a risk associated with personal data in a merger?
A. Data sharing rights.
B. Media sanitization.
C. Mobile device security.
D. Role-based access policies.
Correct Answer: A
QUESTION 55
Which statement is false regarding the use of technical security controls?
A. Technical security controls are part of a data governance strategy.
B. Technical security controls deployed for one jurisdiction often satisfy another jurisdiction.
C. Most privacy legislation lists the types of technical security controls that must be implemented.
D. A person with security knowledge should be involved with the deployment of technical security controls.
Correct Answer: C
QUESTION 56
Which of the following best supports implementing controls to bring privacy policies into effect?
A. The internal audit department establishing the audit controls which test for policy effectiveness.
B. The legal department or outside counsel conducting a thorough review of the privacy program and policies.
C. The CIO as part of the senior management team creating enterprise privacy policies to ensure controls are available.
D. The IT group supporting and enhancing the privacy program and privacy policy by developing processes and controls.
Correct Answer: D
QUESTION 57
Which of the following would NOT be beneficial in integrating privacy requirements and representation into functional areas across an organization?
A. Creating a structure that provides a communication chain (formally and informally) that privacy professional can use in performing key data protection activities.
B. Creating a governance structure composed of representatives from each business function geographic region in which the organization has a presence.
C. Creating a program where the privacy officer (or privacy team) can lead on privacy matters by having exclusive responsibility to execute the privacy mission.
D. Creating a privacy committee or council composed of various stakeholders.
Correct Answer: C
QUESTION 58
SCENARIO
Please use the following to answer the next question:
Julia is a product manager at Avatar, where she is responsible for leading the development of the company’s flagship product, Order(ly). Order(ly) is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. After having had a successful launch in the United States, Order(ly) is about to be made available for purchase worldwide.
The packaging and user guide for Order(ly) indicate that it is a “privacy friendly” product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Avatar and selected marketing partners in order to be able to use the application.
Jacob, the head of privacy at Avatar, was working on an agreement with a European distributor of Order(ly) when he fielded many questions about the product from the distributor. Jacob needed to look more closely at the product in order to be able to answer the questions as he was not involved in the product development
process.
In speaking with the product team, he learned that Order(ly) collected and stored all of a user’s sensitive medical information for the medical appointment scheduler. In fact, all of the user’s information is stored by Order(ly) for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all Avatar employees have access to user data under a program called BGldeas. Avatar is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, BGldeas is not well-defined and is considered a long-term goal.
What administrative safeguards should be implemented to protect the collected data while in use by Julia and her product management team?
A. Document the data flows for the collected data.
B. Implement a policy restricting data access on a “need to know” basis.
C. Conduct a Privacy Impact Assessment (PlA) to evaluate the risks involved.
D. Limit data transfers to the US by keeping data collected in Europe within a local data center.
Correct Answer: B
QUESTION 59
SCENARIO
Please use the following to answer the next question:
Julia is a product manager at Avatar, where she is responsible for leading the development of the company’s flagship product, Order(ly). Order(ly) is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. After having had a successful launch in the United States, Order(ly) is about to be made available for purchase worldwide.
The packaging and user guide for Order(ly) indicate that it is a “privacy friendly” product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Avatar and selected marketing partners in order to be able to use the application.
Jacob, the head of privacy at Avatar, was working on an agreement with a European distributor of Order(ly) when he fielded many questions about the product from the distributor. Jacob needed to look more closely at the product in order to be able to answer the questions as he was not involved in the product development process.
In speaking with the product team, he learned that Order(ly) collected and stored all of a user’s sensitive medical information for the medical appointment scheduler. In fact, all of the user’s information is stored by Order(ly) for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all Avatar employees have access to user data under a program called BGldeas. Avatar is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, BGldeas is not well-defined and is considered a long-term goal.
What element of the Privacy by Design (PbD) framework might Order(ly) violate?
A. Failure to obtain opt-in consent to marketing.
B. Failure to observe data localization requirements.
C. Failure to implement the least privilege access standard.
D. Failure to integrate privacy throughout the system development life cycle.
Correct Answer: C
QUESTION 60
SCENARIO
Please use the following to answer the next question:
Julia is a product manager at Avatar, where she is responsible for leading the development of the company’s flagship product, Order(ly). Order(ly) is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. After having had a successful launch in the United States, Order(ly) is about to be made available for purchase worldwide.
The packaging and user guide for Order(ly) indicate that it is a “privacy friendly” product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Avatar and selected marketing partners in order to be able to use the application.
Jacob, the head of privacy at Avatar, was working on an agreement with a European distributor of Order(ly) when he fielded many questions about the product from the distributor. Jacob needed to look more closely at the product in order to be able to answer the questions as he was not involved in the product development process.
In speaking with the product team, he learned that Order(ly) collected and stored all of a user’s sensitive medical information for the medical appointment scheduler. In fact, all of the user’s information is stored by Order(ly) for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all Avatar employees have access to user data under a program called BGldeas. Avatar is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, BGldeas is not well-defined and is considered a long-term goal.
What security controls are missing from the BGldeas program?
A. Data access is not limited to those who “need to know” for their role.
B. Collection of data without a defined purpose might violate the famines principle.
C. Storage of medical data in the cloud is not permissible under the General Data Protection Regulation (GDPR).
D. Encryption of the data at rest prevents European users from having the right of access and the right of portability of their data.
Correct Answer: A
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.