QUESTION 61
When implementing Privacy by Design (PbD), what would NOT be a key consideration?
A. Data minimization.
B. Collection limitation.
C. Limitations on liability.
D. Purpose specification.
Correct Answer: C
QUESTION 62
Which of the following is an example of Privacy by Design (PbD)?
A. When HR develops a training program for employees to become certified in privacy policy.
B. When IT uses privacy considerations to inform the development of new networking software.
C. When a labor union insists that the details of employers’ data protection methods be documented in a new contract.
D. When a company hires a professional to structure a privacy program that anticipates the increasing demands of new laws.
Correct Answer: B
QUESTION 63
What is most critical when outsourcing data destruction service?
A. Obtain a certificate of data destruction.
B. Confirm data destruction must be done on-site.
C. Conduct an annual in-person audit of the provider’s facilities.
D. Ensure that they keep an asset inventory of the original data.
Correct Answer: A
QUESTION 64
Which item below best represents how a Privacy Group can effectively communicate with functional areas?
A. Work independently and share the knowledge with functional groups.
B. Work closely with functional areas by acting as both an advisor and an advocate.
C. Choose a work unit representative and funnel all communications through that one person.
D. Monitor the responsibilities of Managers who are responsible for the privacy of functional areas.
Correct Answer: B
QUESTION 65
Data retention and destruction policies should meet all of the following requirements EXCEPT?
A. Data destruction triggers and methods should be documented.
B. Personal information should be retained only for as long as necessary to perform its stated purpose.
C. Documentation related to audit controls (third-party or internal) should be saved in a non-permanent format by default.
D. The organization should be documenting and reviewing policies of its other functions to ensure alignment (e.g., HR, business development, finance).
Correct Answer: C
QUESTION 66
What is the main reason to begin with 3-5 key metrics during the program development process?
A. To keep the focus on the main organizational objectives.
B. To avoid undue financial costs.
C. To minimize selective data use.
D. To keep the process limited to as few people as possible.
Correct Answer: A
QUESTION 67
Which of the following conditions will definitely trigger a Data Protection Impact Assessment (DPIA)?
A. When a new application is developed to track data subject access requests.
B. When a new system is deployed to track an individual’s location or behavior.
C. When Human Resources engages a new employee benefit provider.
D. When a company acquires a new business entity.
Correct Answer: B
QUESTION 68
Each of the following is a type of privacy program monitoring EXCEPT?
A. Addressing internal and external data processing activities.
B. Ensuring policies and controls are in place for compliance.
C. Tracking maturity of economic-enhancing processes.
D. Following legislative, legal, and regulatory changes.
Correct Answer: C
QUESTION 69
An organization’s internal audit team should do all of the following EXCEPT?
A. Implement processes to correct audit failures.
B. Verify that technical measures are in place.
C. Review how operations work in practice.
D. Ensure policies are being adhered to.
Correct Answer: A
QUESTION 70
What are you doing if you succumb to “overgeneralization” when analyzing data from metrics?
A. Trying to use several measurements to gauge one aspect of a program.
B. Possessing too many types of data to perform a valid analysis.
C. Using data that is too broad to capture specific meanings.
D. Using limited data in an attempt to support broad conclusions.
Correct Answer: D
QUESTION 71
Which most accurately describes the reasons an organization will conduct a Privacy Impact Assessment (PIA)?
A. To assess an organization’s compliance with applicable laws, regulations, standards and internal procedures.
B. To establish an inventory of its data processing activities in compliance with Article 30 of the GDPR.
C. To identify and reduce the privacy risks to individuals at the commencement of a project.
D. To analyze the impact of an incident response and determine next steps.
Correct Answer: C
QUESTION 72
How do privacy audits differ from privacy assessments?
A. They are non-binding.
B. They are evidence-based.
C. They are based on standards.
D. They are conducted by external parties.
Correct Answer: B
QUESTION 73
Which of the following is true about the Data Protection Impact Assessment (DPIA) process as required under the General Data Protection Regulation (GDPR)?
A. The DPIA result must be reported to the corresponding supervisory authority.
B. The DPIA must include a description of the proposed processing operation and its purpose.
C. The DPIA report must be published to demonstrate the transparency of the data processing.
D. The DPIA is required if the processing activity entails risk to the rights and freedoms of an EU individual.
Correct Answer: B
QUESTION 74
As the Data Protection Officer (DPO) for the growing company, Vision 0000, what would be the most cost effective way to monitor changes in laws and regulations?
A. Regularly engage regulators.
B. Hire a well-known external law firm.
C. Attend workshops and interact with other professionals.
D. Subscribe to mailing lists that report on regulatory changes.
Correct Answer: D
QUESTION 75
If a privacy professional wants to show that an organization’s privacy program is working as intended, the professional should?
A. Collect feedback from customers about the privacy program.
B. Carry a out a personal data breach tabletop exercise.
C. Collect and analyze privacy program metrics.
D. Review privacy policies.
Correct Answer: C
QUESTION 76
Your company wants to convert paper records that contain customer personal information into electronic form, upload the records into a new third-party marketing tool and then merge the customer personal information in the marketing tool with information from other applications. As the Privacy Officer, which of the following should you complete to effectively make these changes?
A. A record of authority.
B. A personal data inventory.
C. A Privacy Threshold Analysis (PTA).
D. A Privacy Impact Assessment (PIA).
Correct Answer: D
QUESTION 77
SCENARIO
Please use the following to answer the next question:
You have just taken on the role of Data Governance Director at an energy corporation based in London, England. The company has been trading for over 25 years and you soon learn that so far, the company has done little to control the use of customer information.
During the first few weeks you establish that despite attempts by your predecessor, the company has held onto all customer records digitally in various systems, including their customer records management system, their invoicing system, their call recording system, their marketing database and within two different email clients.
There have been a fair number of minor data breaches in recent months and a couple of larger ones, which have meant that not only has the company’s reputation been damaged but they have also had to report some of the bigger breaches to the regulator. One of these breaches led to the credit risk scores of over 150,000 customers being deliberately leaked to the company’s largest competitor.
You also discover that some customers have asked for their data to be deleted following a number of marketing campaigns. Even though the company has told the customers that they have done what was asked, you learn that all the company did was remove these customers from their marketing lists – in other words, all their data is still in the various digital systems for marketing, invoicing and records management.
On top of all this, you learn that a customer service agent based in the energy corporation’s US call center cannot find the details of the specific customer they are talking to on the phone, the agent will just add notes of the telephone conversation in whichever customer record the agent can find. What this means is that some customer records are very inaccurate, and this causes delays in compensation payments, poor reviews on independent review sites and the energy regulator in the UK is thinking of suspending the company’s license.
As artificial intelligence is seen as the new energy future linking to the Internet of Things (loT), the company has partnered with another company specializing in ingesting huge amounts of data into cloud-based warehouses. This data is then used to profile customers, so they get an Idea of which ones are most likely to buy their new cutting-edge technology that is being offered via their new business partner. Many of the new devices on offer mean that both companies will be able to gather even more data about their customers, including geo-location, IP addresses, which electrical devices their customers use in their homes and when they use them the most.
The company is very excited for the future and how all this new tech can help them beat the competition but you have a big task ahead of you to get things right with their privacy program.
Which of the following should be your top priority for getting data use under control?
A. Making sure the data warehouse is secure with strong firewalls and antivirus software.
B. Ensuring the business is transparent with customers over how their data is to be used.
C. Ensuring the company’s records management and privacy policies are effective.
D. Conducting a data transfer assessment on the corporation’s US call center.
Correct Answer: C
QUESTION 78
SCENARIO
Please use the following to answer the next question:
You have just taken on the role of Data Governance Director at an energy corporation based in London, England. The company has been trading for over 25 years and you soon learn that so far, the company has done little to control the use of customer information.
During the first few weeks you establish that despite attempts by your predecessor, the company has held onto all customer records digitally in various systems, including their customer records management system, their invoicing system, their call recording system, their marketing database and within two different email clients.
There have been a fair number of minor data breaches in recent months and a couple of larger ones, which have meant that not only has the company’s reputation been damaged but they have also had to report some of the bigger breaches to the regulator. One of these breaches led to the credit risk scores of over 150,000 customers being deliberately leaked to the company’s largest competitor.
You also discover that some customers have asked for their data to be deleted following a number of marketing campaigns. Even though the company has told the customers that they have done what was asked, you learn that all the company did was remove these customers from their marketing lists – in other words, all their data is still in the various digital systems for marketing, invoicing and records management.
On top of all this, you learn that a customer service agent based in the energy corporation’s US call center cannot find the details of the specific customer they are talking to on the phone, the agent will just add notes of the telephone conversation in whichever customer record the agent can find. What this means is that some customer records are very inaccurate, and this causes delays in compensation payments, poor reviews on independent review sites and the energy regulator in the UK is thinking of suspending the company’s license.
As artificial intelligence is seen as the new energy future linking to the Internet of Things (loT), the company has partnered with another company specializing in ingesting huge amounts of data into cloud-based warehouses. This data is then used to profile customers, so they get an Idea of which ones are most likely to buy their new cutting-edge technology that is being offered via their new business partner. Many of the new devices on offer mean that both companies will be able to gather even more data about their customers, including geo-location, IP addresses, which electrical devices their customers use in their homes and when they use them the most.
The company is very excited for the future and how all this new tech can help them beat the competition but you have a big task ahead of you to get things right with their privacy program.
Following the marketing campaigns, which of the following should have been prioritized by the company?
A. Anonymizing the customer’s data within all the systems.
B. Putting in place new processes for valid deletion requests.
C. Verifying the identity of the customers who made the requests.
D. Providing a privacy notice to all individuals who received marketing communications.
Correct Answer: B
QUESTION 79
SCENARIO
Please use the following to answer the next question:
You have just taken on the role of Data Governance Director at an energy corporation based in London, England. The company has been trading for over 25 years and you soon learn that so far, the company has done little to control the use of customer information.
During the first few weeks you establish that despite attempts by your predecessor, the company has held onto all customer records digitally in various systems, including their customer records management system, their invoicing system, their call recording system, their marketing database and within two different email clients.
There have been a fair number of minor data breaches in recent months and a couple of larger ones, which have meant that not only has the company’s reputation been damaged but they have also had to report some of the bigger breaches to the regulator. One of these breaches led to the credit risk scores of over 150,000 customers being deliberately leaked to the company’s largest competitor.
You also discover that some customers have asked for their data to be deleted following a number of marketing campaigns. Even though the company has told the customers that they have done what was asked, you learn that all the company did was remove these customers from their marketing lists – in other words, all their data is still in the various digital systems for marketing, invoicing and records management.
On top of all this, you learn that a customer service agent based in the energy corporation’s US call center cannot find the details of the specific customer they are talking to on the phone, the agent will just add notes of the telephone conversation in whichever customer record the agent can find. What this means is that some customer records are very inaccurate, and this causes delays in compensation payments, poor reviews on independent review sites and the energy regulator in the UK is thinking of suspending the company’s license.
As artificial intelligence is seen as the new energy future linking to the Internet of Things (loT), the company has partnered with another company specializing in ingesting huge amounts of data into cloud-based warehouses. This data is then used to profile customers, so they get an Idea of which ones are most likely to buy their new cutting-edge technology that is being offered via their new business partner. Many of the new devices on offer mean that both companies will be able to gather even more data about their customers, including geo-location, IP addresses, which electrical devices their customers use in their homes and when they use them the most.
The company is very excited for the future and how all this new tech can help them beat the competition but you have a big task ahead of you to get things right with their privacy program.
If you were to carry out a post incident review of the company’s breach preparedness, which of the following should be changed to improve the company’s incident response capabilities?
A. Preventing another leak to a competitor.
B. Supplying customers with the electrical devices.
C. Addressing the behaviors of the call center staff.
D. Using the new business partner as part of the technology roll out.
Correct Answer: C
QUESTION 80
A company recently faced a medium severity data breach that involved personal information of a few hundred customers. The privacy officer’s decision to evaluate the incident plan is part of which stage of breach response?
A. Planning.
B. Recovering.
C. Investigating.
D. Notifying Regulators.
Correct Answer: B
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.