QUESTION 81
In regards to the collection of personal data conducted by an organization, what must the data subject be allowed to do?
A. Evaluate the qualifications of a third-party processor before any data is transferred to that processor.
B. Set a time-limit as to how long the personal data may be stored by the organization.
C. Challenge the authenticity of the personal data and have it corrected if needed.
D. Obtain a guarantee of prompt notification in instances involving unauthorized access of the data.
Correct Answer: C
QUESTION 82
An organization’s privacy officer was just notified by the benefits manager that she accidentally sent out the retirement enrollment report of all employees to a wrong vendor. Which of the of following actions should the privacy officer take first?
A. Send firm-wide email notification to employees.
B. Report the incident to law enforcement.
C. Perform a risk of harm analysis.
D. Contact the recipient to delete the email.
Correct Answer: C
QUESTION 83
Which of the following forms of monitoring is best described as ‘auditing’ when measuring the effectiveness of the privacy program?
A. Evaluating operations, systems, and processes.
B. Tracking, reporting and documenting complaints from all sources.
C. Assessing appropriate security and privacy requirements with third parties.
D. Evaluating the privacy risks associated with processing personal information in relation to a project, product, or service.
Correct Answer: A
QUESTION 84
What is the main purpose in notifying data subjects of a data breach?
A. To avoid financial penalties and legal liability.
B. To enable regulators to understand trends and developments that may shape the law.
C. To ensure organizations have accountability for the sufficiency of their security measures.
D. To allow individuals to take any actions required to protect themselves from possible consequences.
Correct Answer: D
QUESTION 85
Which of the following company initiatives would automatically trigger the need for a DPIA under the GDPR?
A. Doing an international transfer to a company in a country without adequacy protection or appropriate safeguards.
B. Introducing an anonymous equality and diversity monitoring form as part of job application process.
C. Changing processors due to a data breach suffered by its previous processor.
D. Introducing finger print scans for employees to enter the premises.
Correct Answer: D
QUESTION 86
Under the General Data Protection Regulation (GDPR), when a would a data subject have the right to require the erasure of his or her data without undue delay?
A. When the data is no longer necessary for its original purpose.
B. When the processing is carried out by automated means.
C. When the data subject a is a public authority.
D. When the erasure is in the public interest.
Correct Answer: A
QUESTION 87
Under the General Data in Protection Regulation (GDPR), what must be included in a written agreement between the controller and processor in relation to
processing conducted on the controller’s behalf?
A. An obligation on (O the processor to report any personal data breach to the controller within 72 hours.
B. An obligation on both parties to report any serious personal data breach to the supervisory authority.
C. An obligation on both parties to agree to a termination of the agreement if the other party is responsible for personal data breach.
D. An obligation on the processor to assist the controller in complying with the controller’s obligations the supervisory authority about personal data breaches.
Correct Answer: A
QUESTION 88
While trying to e-mail her manager, an employee has e-mailed a list of all the company’s customers, including their bank details, to an employee with to the same name at a different company. Which of the following would be the first stage in the incident response plan under the General Data Protection Regulation (GDPR)?
A. Notification to data subjects.
B. Containment of impact of breach.
C. Remediation offers to data subjects.
D. Notification to the Information Commissioner’s Office (ICO).
Correct Answer: B
QUESTION 89
A systems audit uncovered a shared drive folder containing sensitive employee data with no access controls and therefore was available for all employees to view. What is the first step to mitigate further risks?
A. Notify all employees whose information was contained in the file.
B. Check access logs to see who accessed the folder.
C. Notify legal counsel of a privacy incident.
D. Restrict access to the folder.
Correct Answer: D
QUESTION 90
A “right to erasure” request could be rejected if the processing of personal data is for?
A. An outdated original purpose.
B. Compliance with legal obligation.
C. The offer of information society services.
D. The establishment of personal legal claims.
Correct Answer: B
QUESTION 91
Which of the following is the most likely way an independent privacy organization might work to promote sound privacy practices?
A. By developing principles for self-regulation.
B. By enacting new legislation.
C. By completing on-site audits.
D. By issuing penalties for violations of rules.
Correct Answer: A
QUESTION 92
Which ls the best first step in establishing a baseline regarding privacy in an organization?
A. Interviewing the organization’s top decision-makers.
B. Surveying shareholders on their knowledge of privacy.
C. Collecting information on the organization’s compliance with privacy regulations and standards.
D. Designating a person responsible for the development and implementation of the organization’s privacy program.
Correct Answer: C
QUESTION 93
What are the advantages for a company that a chooses a hybrid of centralized and decentralized management practices?
A. Clearly defined company goals that employees can pursue according to their specific roles.
B. Decisions made by experienced executives and delegated to lower-tier company officers.
C. Flexible departments with great diversity and little need for structure.
D. Controlled spending and a reduced need for employee training.
Correct Answer: A
QUESTION 94
Which of the following is least likely to address individual program needs and specific organizational goals identified in privacy framework development?
A. Through creation of the business case.
B. Through conversations with the privacy team.
C. By employing an industry-standard needs analysis.
D. By employing metrics to align privacy protection with objectives.
Correct Answer: C
QUESTION 95
Which is true about the scope and authority of data protection oversight authorities?
A. The Asia-Pacific Economic Cooperation (APEC) Privacy Frameworks require all member nations to designate national data protection authority.
B. The Office of the Privacy Commissioner (OPC) of Canada has the right to impose financial sanctions on violators.
C. No one agency officially oversees the enforcement of privacy regulations in the United States.
D. All authority in the European Union rests with the Data Protection Commission (DPC).
Correct Answer: C
QUESTION 96
Creating a privacy governance model for an organization that is required to appoint data protection officers under the GDPR poses what additional challenge?
A. They must respond immediately to employees.
B. They must report directly to top management.
C. They must reply personally to data subjects.
D. They must react without delay to suppliers.
Correct Answer: B
QUESTION 97
SCENARIO
Please use the following to answer the next question:
Liam is the newly appointed IT Compliance Manager at Mesa, a US-based outdoor clothing brand with a global E-commerce presence. During his second week, he is contacted by the company’s IT Audit Manager, who informs him that the auditing team will be conducting a review of Mesa’s privacy compliance risk in a month.
A bit nervous about the audit, Liam asks his boss what his predecessor had completed related to privacy compliance before leaving the company. Liam is told that a consent management tool had been added to the website and they commissioned a privacy risk evaluation from a small consulting firm last year that determined that their risk exposure was relatively low given their current control environment. After reading the consultant’s report, Liam realized that the scope of the assessment was limited to breach notification laws in the US and the Payment Card Industry’s Data Security Standard (PCI DSS).
Not wanting to let down his new team, Liam kept his concerns about the report to himself and figured he could try to put some additional controls into place before the audit. Having some privacy compliance experience in his last role, Liam thought he might start by having discussions with the E-commerce and marketing teams.
The E-commerce Director informed him that they were still using the cookie consent tool forcibly placed on the home screen by the Clo, but could not understand the point since their office was not located in California or Europe. The Marketing Director touted his department’s success with purchasing email lists and taking a shotgun approach to direct marketing. Both Directors highlighted their tracking tools on the website to enhance customer experience while learning more about where else the customer had shopped. The more people Liam met with, the more it became apparent that privacy awareness and the general control environment at Mesa needed help.
With three weeks before the audit, Liam updated Mesa’s Privacy Notice himself, which was taken and revised from a competitor’s website. He also wrote policies and procedures outlining the roles and responsibilities for privacy within Mesa and distributed the document to all departments he knew of with access to personal information.
During this time, Liam also filled the backlog of data subject requests for deletion that had been sent to him by the Customer Service Manager. Liam worked with application owners to remove these individual’s information and order history from the Customer Relationship Management (CRM) tool, the Enterprise Resource Planning (ERP), the data warehouse, and the email server.
At the audit kick-off meeting, Liam explained to his boss and her team that there may still be some room for improvement, but he thought the risk had been mitigated to an appropriate level based on the work he had done thus far.
After the audit had been completed, the Audit Manager and Liam met to discuss her team’s findings, and much to his dismay, Liam was told that none of the work he had completed prior to the audit followed best practices for governance and risk mitigation. In fact, his actions only opened the company up to additional risk and scrutiny. Based on these findings, Liam worked with external counsel and an established privacy consultant to develop a remediation plan.
All of the key phases of an audit have occurred in the scenario EXCEPT?
A. Prepare.
B. Audit.
C. Report.
D. Follow-up.
Correct Answer: B
QUESTION 98
SCENARIO
Please use the following to answer the next question:
Liam is the newly appointed IT Compliance Manager at Mesa, a US-based outdoor clothing brand with a global E-commerce presence. During his second week, he is contacted by the company’s IT Audit Manager, who informs him that the auditing team will be conducting a review of Mesa’s privacy compliance risk in a month.
A bit nervous about the audit, Liam asks his boss what his predecessor had completed related to privacy compliance before leaving the company. Liam is told that a consent management tool had been added to the website and they commissioned a privacy risk evaluation from a small consulting firm last year that determined that their risk exposure was relatively low given their current control environment. After reading the consultant’s report, Liam realized that the scope of the assessment was limited to breach notification laws in the US and the Payment Card Industry’s Data Security Standard (PCI DSS).
Not wanting to let down his new team, Liam kept his concerns about the report to himself and figured he could try to put some additional controls into place before the audit. Having some privacy compliance experience in his last role, Liam thought he might start by having discussions with the E-commerce and marketing teams.
The E-commerce Director informed him that they were still using the cookie consent tool forcibly placed on the home screen by the Clo, but could not understand the point since their office was not located in California or Europe. The Marketing Director touted his department’s success with purchasing email lists and taking a shotgun approach to direct marketing. Both Directors highlighted their tracking tools on the website to enhance customer experience while learning more about where else the customer had shopped. The more people Liam met with, the more it became apparent that privacy awareness and the general control environment at Mesa needed help.
With three weeks before the audit, Liam updated Mesa’s Privacy Notice himself, which was taken and revised from a competitor’s website. He also wrote policies and procedures outlining the roles and responsibilities for privacy within Mesa and distributed the document to all departments he knew of with access to personal information.
During this time, Liam also filled the backlog of data subject requests for deletion that had been sent to him by the Customer Service Manager. Liam worked with application owners to remove these individual’s information and order history from the Customer Relationship Management (CRM) tool, the Enterprise Resource Planning (ERP), the data warehouse, and the email server.
At the audit kick-off meeting, Liam explained to his boss and her team that there may still be some room for improvement, but he thought the risk had been mitigated to an appropriate level based on the work he had done thus far.
After the audit had been completed, the Audit Manager and Liam met to discuss her team’s findings, and much to his dismay, Liam was told that none of the work he had completed prior to the audit followed best practices for governance and risk mitigation. In fact, his actions only opened the company up to additional risk and scrutiny. Based on these findings, Liam worked with external counsel and an established privacy consultant to develop a remediation plan.
What maturity level should the internal audit assign to Mesa’s privacy policies and procedures if they use the Privacy Maturity Model (PMM)?
A. Repeatable.
B. Ad-hoc.
C. Defined.
D. Managed.
Correct Answer: B
QUESTION 99
SCENARIO
Please use the following to answer the next question:
Liam is the newly appointed IT Compliance Manager at Mesa, a US-based outdoor clothing brand with a global E-commerce presence. During his second week, he is contacted by the company’s IT Audit Manager, who informs him that the auditing team will be conducting a review of Mesa’s privacy compliance risk in a month.
A bit nervous about the audit, Liam asks his boss what his predecessor had completed related to privacy compliance before leaving the company. Liam is told that a consent management tool had been added to the website and they commissioned a privacy risk evaluation from a small consulting firm last year that determined that their risk exposure was relatively low given their current control environment. After reading the consultant’s report, Liam realized that the scope of the assessment was limited to breach notification laws in the US and the Payment Card Industry’s Data Security Standard (PCI DSS).
Not wanting to let down his new team, Liam kept his concerns about the report to himself and figured he could try to put some additional controls into place before the audit. Having some privacy compliance experience in his last role, Liam thought he might start by having discussions with the E-commerce and marketing teams.
The E-commerce Director informed him that they were still using the cookie consent tool forcibly placed on the home screen by the Clo, but could not understand the point since their office was not located in California or Europe. The Marketing Director touted his department’s success with purchasing email lists and taking a shotgun approach to direct marketing. Both Directors highlighted their tracking tools on the website to enhance customer experience while learning more about where else the customer had shopped. The more people Liam met with, the more it became apparent that privacy awareness and the general control environment at Mesa needed help.
With three weeks before the audit, Liam updated Mesa’s Privacy Notice himself, which was taken and revised from a competitor’s website. He also wrote policies and procedures outlining the roles and responsibilities for privacy within Mesa and distributed the document to all departments he knew of with access to personal information.
During this time, Liam also filled the backlog of data subject requests for deletion that had been sent to him by the Customer Service Manager. Liam worked with application owners to remove these individual’s information and order history from the Customer Relationship Management (CRM) tool, the Enterprise Resource Planning (ERP), the data warehouse, and the email server.
At the audit kick-off meeting, Liam explained to his boss and her team that there may still be some room for improvement, but he thought the risk had been mitigated to an appropriate level based on the work he had done thus far.
After the audit had been completed, the Audit Manager and Liam met to discuss her team’s findings, and much to his dismay, Liam was told that none of the work he had completed prior to the audit followed best practices for governance and risk mitigation. In fact, his actions only opened the company up to additional risk and scrutiny. Based on these findings, Liam worked with external counsel and an established privacy consultant to develop a remediation plan.
Why do Mesa’s E-commerce and marketing efforts need to be compliant with the GDPR?
A. Mesa is US-based.
B. Mesa uses mailing lists and engages in direct marketing.
C. Mesa uses automated systems and tools to process personal data.
D. Mesa has a global E-commerce presence and may have customers in Europe.
Correct Answer: D
QUESTION 100
SCENARIO
Please use the following to answer the next question:
Liam is the newly appointed IT Compliance Manager at Mesa, a US-based outdoor clothing brand with a global E-commerce presence. During his second week, he is contacted by the company’s IT Audit Manager, who informs him that the auditing team will be conducting a review of Mesa’s privacy compliance risk in a month.
A bit nervous about the audit, Liam asks his boss what his predecessor had completed related to privacy compliance before leaving the company. Liam is told that a consent management tool had been added to the website and they commissioned a privacy risk evaluation from a small consulting firm last year that determined that their risk exposure was relatively low given their current control environment. After reading the consultant’s report, Liam realized that the scope of the assessment was limited to breach notification laws in the US and the Payment Card Industry’s Data Security Standard (PCI DSS).
Not wanting to let down his new team, Liam kept his concerns about the report to himself and figured he could try to put some additional controls into place before the audit. Having some privacy compliance experience in his last role, Liam thought he might start by having discussions with the E-commerce and marketing teams.
The E-commerce Director informed him that they were still using the cookie consent tool forcibly placed on the home screen by the Clo, but could not understand the point since their office was not located in California or Europe. The Marketing Director touted his department’s success with purchasing email lists and taking a shotgun approach to direct marketing. Both Directors highlighted their tracking tools on the website to enhance customer experience while learning more about where else the customer had shopped. The more people Liam met with, the more it became apparent that privacy awareness and the general control environment at Mesa needed help.
With three weeks before the audit, Liam updated Mesa’s Privacy Notice himself, which was taken and revised from a competitor’s website. He also wrote policies and procedures outlining the roles and responsibilities for privacy within Mesa and distributed the document to all departments he knew of with access to personal information.
During this time, Liam also filled the backlog of data subject requests for deletion that had been sent to him by the Customer Service Manager. Liam worked with application owners to remove these individual’s information and order history from the Customer Relationship Management (CRM) tool, the Enterprise Resource Planning (ERP), the data warehouse, and the email server.
At the audit kick-off meeting, Liam explained to his boss and her team that there may still be some room for improvement, but he thought the risk had been mitigated to an appropriate level based on the work he had done thus far.
After the audit had been completed, the Audit Manager and Liam met to discuss her team’s findings, and much to his dismay, Liam was told that none of the work he had completed prior to the audit followed best practices for governance and risk mitigation. In fact, his actions only opened the company up to additional risk and scrutiny. Based on these findings, Liam worked with external counsel and an established privacy consultant to develop a remediation plan.
What key error related to program governance did Liam make prior to the audit kick-off meeting?
A. He did not properly escalate his concerns and develop a remediation plan with leadership support.
B. He met with stakeholders in marketing and E-commerce without the auditors.
C. He did not conduct a data inventory assessment prior to adopting the policy.
D. He asked stakeholders to delete customer data out of the CRM tool.
Correct Answer: A
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.