QUESTION 101
When developing a privacy program and selecting a program sponsor or ‘champion” the least important consideration should be that they?
A. Are a part of the organization’s top management.
B. Have the authority to approve policy and provide funding.
C. Will be an effective advocate and understand the importance of privacy.
D. Have accountability for the organization’s privacy and/or information security, risk, compliance, or legal decisions.
Correct Answer: D
QUESTION 102
Understanding the sensitivity of personal data that an organization holds IS a crucial step for a privacy professional attempting to do what?
A. Convince stakeholders to increase the funding for the privacy program.
B. Determine the maturity of the privacy program in relation to current laws.
C. Form a starting point for assessing the adequacy of the privacy program.
D. Decide how comprehensive oversight of its privacy program needs to be.
Correct Answer: C
QUESTION 103
Which of the following best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?
A. All employees are subject to the rules in their entirety, regardless of where the work is taking place.
B. Employees must sign an ad hoc contractual agreement each time personal data is exported.
C. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.
D. Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.
Correct Answer: A
QUESTION 104
The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following will be subject to administrative fines of up to 10 000 000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year?
A. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.
B. Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default.
C. Failure to process personal information in a manner compatible with its original purpose.
D. Failure to respond to data subject request to rectify inaccuracies in personal data.
Correct Answer: B
QUESTION 105
When devising effective employee policies to address a particular issue, which of the following should be included in the first draft?
A. Rationale for the policy.
B. Points of contact for the employee.
C. Roles and responsibilities of the different groups of individuals.
D. Explanation of how the policy is applied within the organization.
Correct Answer: A
QUESTION 106
All of the following are components of a data collection notice EXCEPT the identification of?
A. The potential uses of personal information in the future.
B. The length of time the personal information will be stored.
C. The meta-data which could be generated from collection of the information.
D. The lawful interests pursued by the responsible party collecting the information.
Correct Answer: C
QUESTION 107
SCENARIO
Please use the following to answer the next question:
You are the Privacy Manager within the Privacy Office at a National Forest Parks and Recreation Department. While having lunch with a colleague from the Information Technology (IT) division, you learn that the IT Director has put out a Request for Proposal (RFP) which calls for a system that collects the personal data of park attendees.
You consult with a few other colleagues in IT and learn that the RFP is worded such that it leaves it to the vendors to demonstrate what information they would collect from people who enter parks anywhere in the country, either in a vehicle or on foot. A partial list of the information collected includes:
personal identifiers such as name, address, age, gender; vehicle registration information;
facial images of park attendees;
health information (e.g., physical disabilities, use of mobility devices)
The stated purpose of the RFP is to:
“improve the National Forest, Parks, and Recreation Department’s ability to track and monitor service usage thereby increasing the robustness of our customer data and to improve service offerings.”
Companies have already started submitting proposals for software solutions that address these information gathering practices. There is only one week left before the RFP closes.
The IT department has put together an RFP evaluation team. No one from the Privacy Office has been a part of the RFP up to this point, this occurred despite the fact that your department has an already well- established policy for notifying the Privacy Office of any new projects that may affect the collection, retention, or use of personal information.
From a privacy management perspective, what is problematic about the “stated purpose” of the RFP?
A. It seeks to improve the robustness of customer data.
B. It seeks to track and monitor service usage by the customers.
C. It could improve customer service through unauthorized means.
D. It does not specify what information will be collected for improving customer data.
Correct Answer: D
QUESTION 108
SCENARIO
Please use the following to answer the next question:
You are the Privacy Manager within the Privacy Office at a National Forest Parks and Recreation Department. While having lunch with a colleague from the Information Technology (IT) division, you learn that the IT Director has put out a Request for Proposal (RFP) which calls for a system that collects the personal data of park attendees.
You consult with a few other colleagues in IT and learn that the RFP is worded such that it leaves it to the vendors to demonstrate what information they would collect from people who enter parks anywhere in the country, either in a vehicle or on foot. A partial list of the information collected includes:
personal identifiers such as name, address, age, gender; vehicle registration information;
facial images of park attendees;
health information (e.g., physical disabilities, use of mobility devices)
The stated purpose of the RFP is to:
“improve the National Forest, Parks, and Recreation Department’s ability to track and monitor service usage thereby increasing the robustness of our customer data and to improve service offerings.”
Companies have already started submitting proposals for software solutions that address these information gathering practices. There is only one week left before
the RFP closes.
The IT department has put together an RFP evaluation team. No one from the Privacy Office has been a part of the RFP up to this point, this occurred despite the fact that your department has an already well- established policy for notifying the Privacy Office of any new projects that may affect the collection, retention, or use of personal information.
Which of the following data protection actions has been implemented by the National Forest Parks and Recreation Department?
A. Policy creation.
B. Data minimization.
C. Sufficient engagement with the privacy team.
D. Identification of all of the sources, types, and uses of personal information (Pl).
Correct Answer: A
QUESTION 109
SCENARIO
Please use the following to answer the next question:
You are the Privacy Manager within the Privacy Office at a National Forest Parks and Recreation Department. While having lunch with a colleague from the Information Technology (IT) division, you learn that the IT Director has put out a Request for Proposal (RFP) which calls for a system that collects the personal data of park attendees.
You consult with a few other colleagues in IT and learn that the RFP is worded such that it leaves it to the vendors to demonstrate what information they would collect from people who enter parks anywhere in the country, either in a vehicle or on foot. A partial list of the information collected includes:
personal identifiers such as name, address, age, gender; vehicle registration information;
facial images of park attendees;
health information (e.g., physical disabilities, use of mobility devices)
The stated purpose of the RFP is to:
“improve the National Forest, Parks, and Recreation Department’s ability to track and monitor service usage thereby increasing the robustness of our customer data and to improve service offerings.”
Companies have already started submitting proposals for software solutions that address these information gathering practices. There is only one week left before the RFP closes.
The IT department has put together an RFP evaluation team. No one from the Privacy Office has been a part of the RFP up to this point, this occurred despite the fact that your department has an already well- established policy for notifying the Privacy Office of any new projects that may affect the collection, retention, or use of personal information.
All of the following are appropriate as next steps for the Privacy Office in developing a privacy assessment metric for the RFP EXCEPT?
A. Clarifying what information is to be collected and for what purpose.
B. Canceling this RFP and re-issuing it after thorough consultation with your office.
C. Obtaining a list of vendors and the services they are offering in response to the RFP requirements.
D. Extending the deadline for the RFP giving your office more time to assess the privacy needs of the program.
Correct Answer: B
QUESTION 110
SCENARIO
Please use the following to answer the next question:
You are the Privacy Manager within the Privacy Office at a National Forest Parks and Recreation Department. While having lunch with a colleague from the Information Technology (IT) division, you learn that the IT Director has put out a Request for Proposal (RFP) which calls for a system that collects the personal data of park attendees.
You consult with a few other colleagues in IT and learn that the RFP is worded such that it leaves it to the vendors to demonstrate what information they would collect from people who enter parks anywhere in the country, either in a vehicle or on foot. A partial list of the information collected includes:
personal identifiers such as name, address, age, gender; vehicle registration information;
facial images of park attendees;
health information (e.g., physical disabilities, use of mobility devices)
The stated purpose of the RFP is to:
“improve the National Forest, Parks, and Recreation Department’s ability to track and monitor service usage thereby increasing the robustness of our customer data and to improve service offerings.”
Companies have already started submitting proposals for software solutions that address these information gathering practices. There is only one week left before the RFP closes.
The IT department has put together an RFP evaluation team. No one from the Privacy Office has been a part of the RFP up to this point, this occurred despite the fact that your department has an already well- established policy for notifying the Privacy Office of any new projects that may affect the collection, retention, or use of personal information.
Which of the following is the least important privacy consideration associated with assessing data when implementing a large scale project like this?
A. Standardization of privacy safeguards on a national scale.
B. Classification of the types of personal information collected by the system.
C. Identifying operational risks associated with data storage, access, and disposal.
D. Third-party vendor assessment to determine how well privacy practices of vendors align with your organization’s practices.
Correct Answer: A
QUESTION 111
When implementing an organization’s privacy program, what right should be granted to the data subject?
A. To have their data amended or erased if errors are found.
B. To limit or refuse the disclosure of their data for any reason.
C. To provide feedback regarding an organization’s privacy policy.
D. To verify that an organization uses the highest level of privacy protection available.
Correct Answer: A
QUESTION 112
If your organization has a recurring issue with colleagues not reporting personal data breaches, all of the following are advisable to do EXCEPT?
A. Review reporting activity on breaches to understand when incidents are being reported and when they are not to improve communication and training.
B. Improve communication to reinforce to everyone that breaches must be reported and how they should be reported.
C. Provide role-specific training to areas where breaches are happening SO they are more aware.
D. Distribute a phishing exercise to all employees to test their ability to recognize a threat attempt.
Correct Answer: D
QUESTION 113
All of the following are environmental controls EXCEPT?
A. Fire alarm.
B. Leak detection.
C. Motion sensors.
D. Uninterruptable power supply.
Correct Answer: D
QUESTION 114
In addition to regulatory requirements and business practices, what important factors must a global privacy strategy consider?
A. Geographic features.
B. Monetary exchange.
C. Political history.
D. Cultural norms.
Correct Answer: D
QUESTION 115
Which of the following is an example of Privacy by Design (PbD)?
A. When HR develops a training program for employees to become certified in privacy policy.
B. When IT uses privacy considerations to inform the development of new networking software.
C. When a labor union insists that the details of employers’ data protection methods be documented in a new contract.
D. When a company hires a professional to structure a privacy program that anticipates the increasing demands of new laws.
Correct Answer: B
QUESTION 116
What is the function of the privacy operational life cycle?
A. It allows the organization to respond to ever-changing privacy demands.
B. It ensures that outdated privacy policies are retired on a set schedule.
C. It establishes initial plans for privacy protection and implementation.
D. It allows privacy policies to mature to a fixed form.
Correct Answer: A
QUESTION 117
All of the following changes will likely trigger a data Inventory update EXCEPT?
A. Onboarding of a new vendor.
B. Acquisition of a new subsidiary.
C. Passage of a new privacy regulation.
D. Outsourcing the Customer Relationship Management (CRM) function.
Correct Answer: C
QUESTION 118
What is the key privacy objective in undertaking an evaluation of technical controls?
A. To identify and mitigate privacy risks associated with technical systems and data processing activities.
B. To evaluate and mitigate third party risk associated with service provider relationships.
C. To determine if the current privacy framework is adequate for the company’s needs.
D. To review and evaluate gaps in targeted internal privacy awareness training.
Correct Answer: A
QUESTION 119
When vetting third-party processors of data protected by the General Data Protection Regulation (GDPR), why is it important to know the physical location of stored personal data from clients?
A. To determine their incidence response time.
B. To determine the country laws that would govern the contract.
C. To determine the likelihood of a security breach in the location.
D. To ensure the country has adequate protection or if safeguards are required.
Correct Answer: D
QUESTION 120
The purpose of a data flow map is to help an organization do all of the following EXCEPT?
A. Determine unidentified opportunities for information collection.
B. Assist compliance with privacy-related laws and regulations.
C. Identify any gaps in its ability to protect information.
D. Recognize who in the organization has access to what information.
Correct Answer: A
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.