QUESTION 121
What is least likely to be achieved by implementing a Data Lifecycle Management (DLM) program?
A. Reducing storage costs.
B. Ensuring data is kept for no longer than necessary.
C. Crafting policies which ensure minimal data is collected.
D. Increasing awareness of the importance of confidentiality.
Correct Answer: C
QUESTION 122
Which of the following is NOT a main technical data control area?
A. Obfuscation.
B. Tokenization.
C. Access controls.
D. Data minimization.
Correct Answer: D
QUESTION 123
Post-liquidation, a company that has acquired assets would require separate consent from a data subject if personally identifiable data were being retained for which purpose?
A. For tax purposes.
B. For analytical purposes.
C. To be able to ensure payment of pension funds.
D. To secure employment benefits for former employees.
Correct Answer: B
QUESTION 124
Which of the following is a physical control that can limit privacy risk?
A. Keypad or biometric access.
B. User access reviews.
C. Encryption.
D. Tokenization.
Correct Answer: A
QUESTION 125
Under the General Data Protection Regulation (GDPR), what are the obligations of a processor that engages a sub-processor?
A. The processor must give the controller prior written notice and perform a preliminary audit of the sub-processor.
B. The processor must obtain the controller’s specific written authorization and provide annual reports on the sub-processor’s performance.
C. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the
personal data concerned.
D. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.
Correct Answer: D
QUESTION 126
When conducting due diligence during an acquisition, what should a privacy professional avoid?
A. Discussing with the acquired company the type and scope of their data processing.
B. Allowing legal in both companies to handle the privacy laws and compliance.
C. Planning for impacts on the data processing operations post-acquisition.
D. Benchmarking the two companies’ privacy policies against one another.
Correct Answer: B
QUESTION 127
Protection from threats to facilities, systems that process and store electronic copies, and IT work/equipment locations best describes which category of security control?
A. Physical Control.
B. Technical Control.
C. Geographic Control.
D. Administrative Control.
Correct Answer: A
QUESTION 128
During a merger and acquisition, the most comprehensive review of privacy risks and gaps occurs when conducting what activity?
A. Transfer Impact Assessment (TIA).
B. Risk identification review.
C. Due diligence.
D. Integration.
Correct Answer: C
QUESTION 129
SCENARIO
Please use the following to answer the next question:
You were recently hired by InStyle Data Corp. as a privacy manager to help InStyle Data Corp. become compliant with a new data protection law.
The law mandates that businesses have reasonable and appropriate security measures in place to protect personal data. Violations of that mandate are heavily fined and the legislators have stated that they will aggressively pursue companies that don’t comply with the new law.
You are paired with a security manager and tasked with reviewing InStyle Data Corp’s current state and advising the business how it can meet the “reasonable and appropriate security requirement. InStyle
Data Corp. has grown rapidly and has not kept a data inventory or completed a data mapping. InStyle Data Corp. has also developed security-related polices ad hoc and many have never been implemented.
The various teams involved in the creation and testing of InStyle Data Corp.’s products experience significant turnover and do not have well defined roles. There’s little documentation addressing what personal data is processed by which product and for what purpose.
Work needs to begin on this project immediately so that InStyle Data Corp. can become compliant by the time the law goes into effect. You and your partner discover that InStyle Data Corp. regularly sends files containing sensitive personal data back to its customers through email, sometimes using InStyle Data Corp. employees’ personal email accounts. You also learn that InStyle Data Corp.’s privacy and information security teams are not informed of new personal data flows, new products developed by InStyle Data Corp. that process personal data, or updates to existing InStyle Data Corp. products that may change what or how the personal data is processed until after the product or update has gone live.
Through a review of InStyle Data Corp.’s test and development environment logs, you discover InStyle Data Corp. sometimes gives login credentials to any InStyle Data Corp. employee or contractor who requests them. The test environment only contains dummy data, but the development environment contains personal data, including Social Security Numbers, health information, and financial information. All credentialed InStyle Data Corp. employees and contractors have the ability to alter and delete personal data in both environments regardless of their role or what project they are working on.
You and your partner provide a gap assessment citing the issues you spotted, along with recommended remedial actions and a method to measure implementation. InStyle Data Corp. implements all of the recommended security controls. You review the processes, roles, controls, and measures taken to appropriately protect the personal data at every step. However, you realize there is no plan for monitoring and nothing in place addressing sanctions for violations of the updated policies and procedures. InStyle Data Corp. pushes back, stating they do not have the resources for such monitoring.
In order to mitigate the risk of new data flows, products, or updates that cause InStyle Data Corp. to be noncompliant with the new law, establishing which of the following processes would most completely address this risk?
A. A process whereby privacy and security would be consulted right before the go-live date for the new data flows, products, or updates.
B. Best practices that require employees to sign an attestation that they understand the sensitivity of new data flows, products, and updates.
C. Access controls based on a need-to-know basis for InStyle Data Corp. employees SO that not everyone has access to personal data in data flows, products, and updates.
D. Requirements for a Privacy Impact Assessment (PIA)/ Data Privacy Impact Assessment (DPIA) as part of the business’ standard process in developing new data flows, products, and updates.
Correct Answer: D
QUESTION 130
SCENARIO
Please use the following to answer the next question:
You were recently hired by InStyle Data Corp. as a privacy manager to help InStyle Data Corp. become compliant with a new data protection law.
The law mandates that businesses have reasonable and appropriate security measures in place to protect personal data. Violations of that mandate are heavily fined and the legislators have stated that they will aggressively pursue companies that don’t comply with the new law.
You are paired with a security manager and tasked with reviewing InStyle Data Corp’s current state and advising the business how it can meet the “reasonable and appropriate security requirement. InStyle
Data Corp. has grown rapidly and has not kept a data inventory or completed a data mapping. InStyle Data Corp. has also developed security-related polices ad hoc and many have never been implemented.
The various teams involved in the creation and testing of InStyle Data Corp.’s products experience significant turnover and do not have well defined roles. There’s little documentation addressing what personal data is processed by which product and for what purpose.
Work needs to begin on this project immediately so that InStyle Data Corp. can become compliant by the time the law goes into effect. You and your partner discover that InStyle Data Corp. regularly sends files containing sensitive personal data back to its customers through email, sometimes using InStyle Data Corp. employees’ personal email accounts. You also learn that InStyle Data Corp.’s privacy and information security teams are not informed of new personal data flows, new products developed by InStyle Data Corp. that process personal data, or updates to existing InStyle Data Corp. products that may change what or how the personal data is processed until after the product or update has gone live.
Through a review of InStyle Data Corp.’s test and development environment logs, you discover InStyle Data Corp. sometimes gives login credentials to any InStyle Data Corp. employee or contractor who requests them. The test environment only contains dummy data, but the development environment contains personal data, including Social Security Numbers, health information, and financial information. All credentialed InStyle Data Corp. employees and contractors have the ability to alter and delete personal data in both environments regardless of their role or what project they are working on.
You and your partner provide a gap assessment citing the issues you spotted, along with recommended remedial actions and a method to measure implementation. InStyle Data Corp. implements all of the recommended security controls. You review the processes, roles, controls, and measures taken to appropriately protect the personal data at every step. However, you realize there is no plan for monitoring and nothing in place addressing sanctions for violations of the updated policies and procedures. InStyle Data Corp. pushes back, stating they do not have the resources for such monitoring.
Having completed the gap assessment, you and your partner need to first undertake a thorough review of?
A. Data life cycle.
B. Security policies.
C. System development life cycle.
D. Privacy Impact Assessment (PIA).
Correct Answer: A
QUESTION 131
SCENARIO
Please use the following to answer the next question:
You were recently hired by InStyle Data Corp. as a privacy manager to help InStyle Data Corp. become compliant with a new data protection law.
The law mandates that businesses have reasonable and appropriate security measures in place to protect personal data. Violations of that mandate are heavily fined and the legislators have stated that they will aggressively pursue companies that don’t comply with the new law.
You are paired with a security manager and tasked with reviewing InStyle Data Corp’s current state and advising the business how it can meet the “reasonable and appropriate security requirement. InStyle
Data Corp. has grown rapidly and has not kept a data inventory or completed a data mapping. InStyle Data Corp. has also developed security-related polices ad hoc and many have never been implemented.
The various teams involved in the creation and testing of InStyle Data Corp.’s products experience significant turnover and do not have well defined roles. There’s little documentation addressing what personal data is processed by which product and for what purpose.
Work needs to begin on this project immediately so that InStyle Data Corp. can become compliant by the time the law goes into effect. You and your partner discover that InStyle Data Corp. regularly sends files containing sensitive personal data back to its customers through email, sometimes using InStyle Data Corp. employees’ personal email accounts. You also learn that InStyle Data Corp.’s privacy and information security teams are not informed of new personal data flows, new products developed by InStyle Data Corp. that process personal data, or updates to existing InStyle Data Corp. products that may change what or how the personal data is processed until after the product or update has gone live.
Through a review of InStyle Data Corp.’s test and development environment logs, you discover InStyle Data Corp. sometimes gives login credentials to any InStyle Data Corp. employee or contractor who requests them. The test environment only contains dummy data, but the development environment contains personal data, including Social Security Numbers, health information, and financial information. All credentialed InStyle Data Corp. employees and contractors have the ability to alter and delete personal data in both environments regardless of their role or what project they are working on.
You and your partner provide a gap assessment citing the issues you spotted, along with recommended remedial actions and a method to measure implementation. InStyle Data Corp. implements all of the recommended security controls. You review the processes, roles, controls, and measures taken to appropriately protect the personal data at every step. However, you realize there is no plan for monitoring and nothing in place addressing sanctions for violations of the updated policies and procedures. InStyle Data Corp. pushes back, stating they do not have the resources for such monitoring.
What aspect of the data management life cycle will still be unaddressed if you cannot find the resources to become compliant?
A. Auditability.
B. Enforcement.
C. Retrievability.
D. Access management.
Correct Answer: B
QUESTION 132
SCENARIO
Please use the following to answer the next question:
You were recently hired by InStyle Data Corp. as a privacy manager to help InStyle Data Corp. become compliant with a new data protection law.
The law mandates that businesses have reasonable and appropriate security measures in place to protect personal data. Violations of that mandate are heavily fined and the legislators have stated that they will aggressively pursue companies that don’t comply with the new law.
You are paired with a security manager and tasked with reviewing InStyle Data Corp’s current state and advising the business how it can meet the “reasonable and appropriate security requirement. InStyle
Data Corp. has grown rapidly and has not kept a data inventory or completed a data mapping. InStyle Data Corp. has also developed security-related polices ad hoc and many have never been implemented.
The various teams involved in the creation and testing of InStyle Data Corp.’s products experience significant turnover and do not have well defined roles. There’s little documentation addressing what personal data is processed by which product and for what purpose.
Work needs to begin on this project immediately so that InStyle Data Corp. can become compliant by the time the law goes into effect. You and your partner discover that InStyle Data Corp. regularly sends files containing sensitive personal data back to its customers through email, sometimes using InStyle Data Corp. employees’ personal email accounts. You also learn that InStyle Data Corp.’s privacy and information security teams are not informed of new personal data flows, new products developed by InStyle Data Corp. that process personal data, or updates to existing InStyle Data Corp. products that may change what or how the personal data is processed until after the product or update has gone live.
Through a review of InStyle Data Corp.’s test and development environment logs, you discover InStyle Data Corp. sometimes gives login credentials to any InStyle Data Corp. employee or contractor who requests them. The test environment only contains dummy data, but the development environment contains personal data, including Social Security Numbers, health information, and financial information. All credentialed InStyle Data Corp. employees and contractors have the ability to alter and delete personal data in both environments regardless of their role or what project they are working on.
You and your partner provide a gap assessment citing the issues you spotted, along with recommended remedial actions and a method to measure implementation. InStyle Data Corp. implements all of the recommended security controls. You review the processes, roles, controls, and measures taken to appropriately protect the personal data at every step. However, you realize there is no plan for monitoring and nothing in place addressing sanctions for violations of the updated policies and procedures. InStyle Data Corp. pushes back, stating they do not have the resources for such monitoring.
Based on your findings regarding how data is transferred to InStyle Data Corp.’s customers, what can you do from a control perspective that is most likely to mitigate risk from this data processing activity?
A. Require in the customer contract that the customer only allow an authorized end user to open the file.
B. Keep an audit log of files with sensitive personal data sent to the customer and the intended recipient
C. Allow InStyle Data Corp. employees to only use their personal email address to send files if it’s an emergency.
D. Implement a method of data transfer for the files containing sensitive personal information with end-to-end encryption.
Correct Answer: D
QUESTION 133
Integrating privacy requirements into functional areas across the organization happens at which stage of the privacy operational life cycle?
A. Assessing data.
B. Protecting personal data.
C. Sustaining program performance.
D. Responding to requests and incidents.
Correct Answer: B
QUESTION 134
The best way to help ensure that reasonable and appropriate security measures are in place to protect personal data is to establish?
A. A quarterly audit of both the test and development environments to validate alterations or deletions of any data by employees and contractors.
B. A physical security policy that prohibits contractors from bringing personal devices into any environment, but permits employees to do SO.
C. A privilege management process so that only certain employees or contractors have the ability to alter or delete personal data.
D. A stricter credentialing process so that only employees, and not contractors, have access to sensitive personal data.
Correct Answer: C
QUESTION 135
A marketing team regularly exports spreadsheets to use for analysis including customer name, birthdate and home address. These spreadsheets are routinely shared between members of various teams via email even with employees that do not need such granular data. What is the best way to lower overall risk?
A. Set up security measures in the company’s email client to prevent spreadsheets with customer information to accidentally being sent to external recipients.
B. Anonymize exportable data by creating categories of information, like age range and geographic region.
C. Allow the free exchange of information to continue but require spreadsheets be password protected.
D. Allow only certain users to export customer data from the database.
Correct Answer: B
QUESTION 136
The following are examples of Privacy by Design (PbD) EXCEPT?
A. Incorporating privacy consultations into technology procurement requests.
B. Assessing privacy risks in the architecture of a proposed customer-facing tool.
C. Integrating pre-defined privacy controls into standard product launch procedures.
D. Conducting a root cause analysis on privacy incidents to recommend response improvements.
Correct Answer: D
QUESTION 137
An organization’s internal audit team should do all of the following EXCEPT?
A. Implement processes to correct audit failures.
B. Verify that technical measures are in place.
C. Review how operations work in practice.
D. Ensure policies are being adhered to.
Correct Answer: A
QUESTION 138
Which of the following is a common disadvantage of a third-party audit?
A. It identifies weaknesses of internal controls.
B. It lends credibility to an internal audit program.
C. It requires a learning curve about the organization.
D. It provides a level of unbiased, expert recommendations.
Correct Answer: C
QUESTION 139
Under the GDPR, when the applicable lawful basis for the processing of personal data is a legal obligation with which the controller must comply, which right can the data subject exercise?
A. Right to withdraw consent.
B. Right to data portability.
C. Right to restriction.
D. Right to erasure.
Correct Answer: D
QUESTION 140
Which of the following controls are generally NOT part of a Privacy Impact Assessment (PIA) review?
A. Access.
B. Incident.
C. Retention.
D. Collection.
Correct Answer: B
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.