QUESTION 141
Under the European Data Protection Board, which processing operation would require a Data Protection Impact Assessment (DPIA)?
A. An online newspaper using its subscriber list to email a daily newsletter.
B. A healthcare clinic that processes personal data of its patients in its billing system.
C. A hospital processing patient’s genetic and health data in its hospital information system.
D. An online store displaying advertisements based on items viewed or purchased on its own website.
Correct Answer: C
QUESTION 142
Under Article 35 of the GDPR, a data controller must take a risk-based approach to determine whether to complete a?
A. Privacy program review.
B. Privacy threshold assessment.
C. Transfer Impact Assessment (TIA).
D. Data Protection Impact Assessment (DPIA).
Correct Answer: D
QUESTION 143
A Privacy Threshold Analysis (PTA), Privacy impact Assessment (PIA) and Data Protection Impact Assessment (DPIA) are conducted during what phase of a System Development Life Cycle (SDLC)?
A. Testing.
B. Design.
C. Deployment.
D. Maintenance.
Correct Answer: B
QUESTION 144
Training and awareness metrics in a privacy program are necessary to?
A. Identify data breaches.
B. Implement privacy policies.
C. Demonstrate compliance with regulations.
D. Educate customers on the organization’s data practices.
Correct Answer: C
QUESTION 145
As the Data Protection Officer (DPO) for the growing company, Vision 5946, what would be the most cost effective way to monitor changes in laws and regulations?
A. Regularly engage regulators.
B. Hire a well-known external law firm.
C. Attend workshops and interact with other professionals.
D. Subscribe to mailing lists that report on regulatory changes.
Correct Answer: D
QUESTION 146
After an incident, all of the following are potential objectives for improvements to the way an organization handles breach management, EXCEPT?
A. Contacting regulators.
B. Reviewing lessons learned.
C. Ensuring appropriate privacy/security funding.
D. Getting commitment from stakeholders related to any process updates.
Correct Answer: A
QUESTION 147
Your company wants to convert paper records that contain customer personal information into electronic form, upload the records into a new third-party marketing tool and then merge the customer personal information in the marketing tool with information from other applications. As the Privacy Officer, which of the following should you complete to effectively make these changes?
A. A record of authority.
B. A personal data inventory.
C. A Privacy Threshold Analysis (PTA).
D. A Privacy Impact Assessment (PIA).
Correct Answer: D
QUESTION 148
Your company provides a SaaS tool for B2B services and does not interact with individual consumers. A client’s current employee reaches out with right to delete request, what is the most appropriate response?
A. Forward the request to the contact on file for the client asking them how they would like you to proceed.
B. Redirect the individual back to their employer to understand their rights and how this might impact access to company tools.
C. Process the request assuming that the individual understands the implications to their organization if their information is deleted.
D. Explain you are unable to process the request because business contact information and associated data is not covered under privacy rights laws
Correct Answer: B
QUESTION 149
Your marketing team wants to know why they need a check box for their SMs opt-in. You explain it is part of the consumer’s right to?
A. Request correction.
B. Raise complaints.
C. Have access.
D. Be informed.
Correct Answer: D
QUESTION 150
Which of the following information is NOT required to be provided by the data controller when complying with GDPR “right to access” requirements?
A. The data subject request process.
B. The purpose of personal data processing.
C. The name of the Data Protection Officer (DPO).
D. The type of organizations with whom personal data was shared.
Correct Answer: A
QUESTION 151
You’re managing the internal privacy mailbox and are notified that a sales team member recently sent emails to their clients that included an excel spreadsheet of their client data. They just realized that the spreadsheet only hid the data of other clients and was not deleted. How do you respond?
A. Confirm they have deleted the spreadsheet and requested all clients to do the same.
B. Ask what type of data was included on the spreadsheet and trigger an incident notice.
C. Ask them to send you the spreadsheet and advise them to notify the clients’ cyber security team.
D. Confirm how many people received the spreadsheet and advise the employee to keep this issue to themselves.
Correct Answer: B
QUESTION 152
When a data breach incident has occurred, the first priority is to determine?
A. Who caused the breach.
B. How the breach occurred.
C. How to contain the breach.
D. When the breach occurred.
Correct Answer: C
QUESTION 153
An online retailer detects an incident involving customer shopping history but no keys have been compromised. The Privacy Office is most concerned when it also involves?
A. Internal unique personal identifiers.
B. Plain text personal identifiers.
C. Hashed mobile identifiers.
D. No personal identifiers.
Correct Answer: D
QUESTION 154
Under the General Data Protection Regulation (GDPR), what must be included in a written agreement between the controller and processor in relation to processing conducted on the controller’s behalf?
A. An obligation on the processor to report any personal data breach to the controller within 72 hours.
B. An obligation on both parties to report to any serious personal data breach to the supervisory authority.
C. An obligation on both parties to agree to termination of the agreement if the other party is responsible for a personal data breach.
D. An obligation on the processor to assist the controller in complying with the controller’s obligations to notify the supervisory authority about personal data breaches.
Correct Answer: D
QUESTION 155
You are the Privacy Officer at a University. Recently, the police have contacted you as they suspect that one of your students is using a library computer to commit financial fraud. The police would like your assistance in investigating this individual and are requesting computer logs and usage data of the student. What is your first step in responding to the request?
A. Refuse the request as the police do not have a warrant.
B. Provide the data to police and record for your own archives.
C. Contact the University’s legal counsel to determine if the request is lawful.
D. Review polices. procedures and legislation to determine the University’s obligation to co-operate with the police
Correct Answer: C
QUESTION 156
Which is the best way to think about an organization’s privacy framework?
A. As an industry benchmark that can apply to many organizations.
B. As a living structure that aligns to changes in the organization.
C. As a fixed structure that directs changes in the organization.
D. As an aspirational goal that improves the organization.
Correct Answer: B
QUESTION 157
What are the advantages for a company that chooses a hybrid governance model?
A. Clearly defined company goals that employees can pursue according to their specific roles.
B. Decisions made by experienced executives and delegated to lower-tier company officers.
C. Controlled spending and more efficient use of resources within the organization.
D. Flexible departments with great diversity and little need for structure.
Correct Answer: A
QUESTION 158
Your company’s lead applied scientist believes there’s an opportunity to proactively address customer issues using machine learning She requests access to all of the company’s customer data and several publicly available datasets.
All the following are appropriate next steps EXCEPT?
A. Understanding the geographic location of your customers.
B. Providing a public disclosure to all customers describing the purpose and nature of processing.
C. Checking your company’s public privacy notice to ensure this processing is in line with current disclosures.
D. Requesting further information from your scientist to understand the goal of the model and the eventual operational description.
Correct Answer: A
QUESTION 159
SCENARIO
Please use the following to answer the next question: Liam is the newly appointed information technology (IT) compliance manager at Mesa, a Us-based outdoor clothing brand with a global E-commerce presence. During his second week, he is contacted by the company’s IT audit manager, who informs him that the auditing team will be conducting a review of Mesa’s privacy compliance risk in a month.
A bit nervous about the audit, Liam asks his boss what his predecessor had completed related to privacy compliance before leaving the company. Liam is told that a consent management tool had been added to the website and they commissioned a privacy risk evaluation from a small consulting firm last year that determined that their risk exposure was relatively low given their current control environment. After reading the consultant’s report, Liam realized that the scope of the assessment was limited to breach notification laws in the Us and the Payment Card Industry’s Data Security Standard (PCI DSS).
Not wanting to let down his new team, Liam kept his concerns about the report to himself and figured he could try to put some additional controls into place before the audit. Having some privacy compliance experience in his last role, Liam thought he might start by having discussions with the E-commerce and marketing teams.
The E-commerce Director informed him that they were still using the cookie consent tool forcibly placed on the home screen by the CIO, but could not understand the point since their office was not located in California or Europe. The marketing director touted his department’s success with purchasing email lists and taking a shotgun approach to direct marketing. Both directors highlighted their tracking tools on the website to enhance customer experience while learning more about where else the customer had shopped. The more people Liam met with, the more it became apparent that privacy awareness and the general control environment at Mesa needed help.
All of the key phases of an audit have occurred with Liam’s involvement in the situation EXCEPT?
A. Prepare.
B. Audit.
C. Report.
D. Follow-up.
Correct Answer: D
QUESTION 160
SCENARIO
Please use the following to answer the next question: Liam is the newly appointed information technology (IT) compliance manager at Mesa, a Us-based outdoor clothing brand with a global E-commerce presence. During his second week, he is contacted by the company’s IT audit manager, who informs him that the auditing team will be conducting a review of Mesa’s privacy compliance risk in a month.
A bit nervous about the audit, Liam asks his boss what his predecessor had completed related to privacy compliance before leaving the company. Liam is told that
a consent management tool had been added to the website and they commissioned a privacy risk evaluation from a small consulting firm last year that determined that their risk exposure was relatively low given their current control environment. After reading the consultant’s report, Liam realized that the scope of the assessment was limited to breach notification laws in the Us and the Payment Card Industry’s Data Security Standard (PCI DSS).
Not wanting to let down his new team, Liam kept his concerns about the report to himself and figured he could try to put some additional controls into place before the audit. Having some privacy compliance experience in his last role, Liam thought he might start by having discussions with the E-commerce and marketing teams.
The E-commerce Director informed him that they were still using the cookie consent tool forcibly placed on the home screen by the CIO, but could not understand the point since their office was not located in California or Europe. The marketing director touted his department’s success with purchasing email lists and taking a shotgun approach to direct marketing. Both directors highlighted their tracking tools on the website to enhance customer experience while learning more about where else the customer had shopped. The more people Liam met with, the more it became apparent that privacy awareness and the general control environment at Mesa needed help.
The advantage of a differential backup compared to an incremental backup to secure personally identifiable information (P1l) is?
A. It creates no duplicate files.
B. Faster backup creation.
C. Faster restoration time.
D. It require less storage space.
Correct Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.