QUESTION 161
SCENARIO
Please use the following to answer the next question: Liam is the newly appointed information technology (IT) compliance manager at Mesa, a Us-based outdoor clothing brand with a global E-commerce presence. During his second week, he is contacted by the company’s IT audit manager, who informs him that the auditing team will be conducting a review of Mesa’s privacy compliance risk in a month.
A bit nervous about the audit, Liam asks his boss what his predecessor had completed related to privacy compliance before leaving the company. Liam is told that a consent management tool had been added to the website and they commissioned a privacy risk evaluation from a small consulting firm last year that determined that their risk exposure was relatively low given their current control environment. After reading the consultant’s report, Liam realized that the scope of the assessment was limited to breach notification laws in the Us and the Payment Card Industry’s Data Security Standard (PCI DSS).
Not wanting to let down his new team, Liam kept his concerns about the report to himself and figured he could try to put some additional controls into place before the audit. Having some privacy compliance experience in his last role, Liam thought he might start by having discussions with the E-commerce and marketing teams.
The E-commerce Director informed him that they were still using the cookie consent tool forcibly placed on the home screen by the CIO, but could not understand the point since their office was not located in California or Europe. The marketing director touted his department’s success with purchasing email lists and taking a shotgun approach to direct marketing. Both directors highlighted their tracking tools on the website to enhance customer experience while learning more about where else the customer had shopped. The more people Liam met with, the more it became apparent that privacy awareness and the general control environment at Mesa needed help.
What is the key privacy objective in undertaking an evaluation of technical controls?
A. To review and evaluate gaps in targeted internal privacy awareness training.
B. To determine if the current privacy framework is adequate for the company’s needs.
C. To evaluate and mitigate third-party risk associated with service provider relationships.
D. To identity and mitigate privacy risks associated with technical systems and data processing activities.
Correct Answer: D
QUESTION 162
SCENARIO
Please use the following to answer the next question: Liam is the newly appointed information technology (IT) compliance manager at Mesa, a Us-based outdoor clothing brand with a global E-commerce presence. During his second week, he is contacted by the company’s IT audit manager, who informs him that the auditing team will be conducting a review of Mesa’s privacy compliance risk in a month.
A bit nervous about the audit, Liam asks his boss what his predecessor had completed related to privacy compliance before leaving the company. Liam is told that a consent management tool had been added to the website and they commissioned a privacy risk evaluation from a small consulting firm last year that determined that their risk exposure was relatively low given their current control environment. After reading the consultant’s report, Liam realized that the scope of the assessment was limited to breach notification laws in the Us and the Payment Card Industry’s Data Security Standard (PCI DSS).
Not wanting to let down his new team, Liam kept his concerns about the report to himself and figured he could try to put some additional controls into place before the audit. Having some privacy compliance experience in his last role, Liam thought he might start by having discussions with the E-commerce and marketing teams.
The E-commerce Director informed him that they were still using the cookie consent tool forcibly placed on the home screen by the CIO, but could not understand the point since their office was not located in California or Europe. The marketing director touted his department’s success with purchasing email lists and taking a shotgun approach to direct marketing. Both directors highlighted their tracking tools on the website to enhance customer experience while learning more about where else the customer had shopped. The more people Liam met with, the more it became apparent that privacy awareness and the general control environment at Mesa needed help.
All of the following are physical controls EXCEPT?
A. Moisture detection.
B. Fire/smoke alarm.
C. Motion sensors.
D. Uninterruptable power supply.
Correct Answer: D
QUESTION 163
SCENARIO
Please use the following to answer the next question: Order(ly) is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. A family creates a single account and the primary user has access to all information about the other users. In order to be able to use the application, the primary user must check a box consenting to receive marketing emails from the developer and selected marketing partners.
After having had a successful launch in the United States, Orderdly) is about to be made available for purchase worldwide. The privacy officer for the potential
European distributor discovered that Orderly) collects and stores the sensitive medical information of its users for the medical appointment scheduler. In fact, all of the user’s information is stored by Orderdy) for the purpose of creating additional products and analyzing usage of the products. This data is stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all employees have access to user data with the additional hopes that at some point in the future the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence. At this time, however, this latter initiative is not well-defined and is considered a long-term goal.
What security controls are missing from the user data storage system?
A. Data access is not limited to those who “need to know” for their role
B. Storage of medical data in the cloud is not permissible under the GDPR.
C. Collection of data without a defined purpose might violate the famines principle.
D. Encryption of the data at rest prevents European users from having the right of access and the right of portability of their data.
Correct Answer: A
QUESTION 164
SCENARIO
Please use the following to answer the next question: Order(ly) is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. A family creates a single account and the primary user has access to all information about the other users. In order to be able to use the application, the primary user must check a box consenting to receive marketing emails from the developer and selected marketing partners.
After having had a successful launch in the United States, Orderdly) is about to be made available for purchase worldwide. The privacy officer for the potential European distributor discovered that Orderly) collects and stores the sensitive medical information of its users for the medical appointment scheduler. In fact, all of the user’s information is stored by Orderdy) for the purpose of creating additional products and analyzing usage of the products. This data is stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all employees have access to user data with the additional hopes that at some point in the future the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence. At this time, however, this latter initiative is not well-defined and is considered a long-term goal.
Under the GDPR, what are the obligations of a processor that engages a sub-processor?
A. The processor must give the controller prior written notice and perform a preliminary audit of the sub-processor.
B. The processor must obtain the controller’s specific written authorization and provide annual reports on the sub-processor’s performance.
C. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.
D. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.
Correct Answer: D
QUESTION 165
SCENARIO
Please use the following to answer the next question: Order(ly) is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. A family creates a single account and the primary user has access to all information about the other users. In order to be able to use the application, the primary user must check a box consenting to receive marketing emails from the developer and selected marketing partners.
After having had a successful launch in the United States, Orderdly) is about to be made available for purchase worldwide. The privacy officer for the potential European distributor discovered that Orderly) collects and stores the sensitive medical information of its users for the medical appointment scheduler. In fact, all of the user’s information is stored by Orderdy) for the purpose of creating additional products and analyzing usage of the products. This data is stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all employees have access to user data with the additional hopes that at some point in the future the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence. At this time, however, this latter initiative is not well-defined and is considered a long-term goal.
What is the purpose of data pseudonymization in data privacy?
A. To delete unused data and reduce data storage requirements.
B. To prevent sharing of sensitive personal data to unauthorized third parties.
C. To prevent monitoring of the usage of personal data within an organization.
D. To transform personal data into a format that cannot be directly linked back to the individual.
Correct Answer: D
QUESTION 166
SCENARIO
Please use the following to answer the next question: Order(ly) is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. A family creates a single account and the primary user has access to all information about the other users. In order to be able to use the application, the primary user must check a box consenting to receive marketing emails from the developer and selected marketing partners.
After having had a successful launch in the United States, Orderdly) is about to be made available for purchase worldwide. The privacy officer for the potential European distributor discovered that Orderly) collects and stores the sensitive medical information of its users for the medical appointment scheduler. In fact, all of the user’s information is stored by Orderdy) for the purpose of creating additional products and analyzing usage of the products. This data is stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all employees have access to user data with the additional hopes that at some point in the future the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence. At this time, however, this latter initiative is not well-defined and is considered a long-term goal.
An online retailer detects an incident involving customer shopping history, but no keys have been compromised. The privacy office is most concerned when it also involves?
A. No personal identifiers.
B. Hashed mobile identifiers.
C. Plain text personal identifiers.
D. Internal unique personal identifiers.
Correct Answer: C
QUESTION 167
SCENARIO
Please use the following to answer the next question: Order(ly) is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. A family creates a single account and the primary user has access to all information about the other users. In order to be able to use the application, the primary user must check a box consenting to receive marketing emails from the developer and selected marketing partners.
After having had a successful launch in the United States, Orderdly) is about to be made available for purchase worldwide. The privacy officer for the potential European distributor discovered that Orderly) collects and stores the sensitive medical information of its users for the medical appointment scheduler. In fact, all of the user’s information is stored by Orderdy) for the purpose of creating additional products and analyzing usage of the products. This data is stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all employees have access to user data with the additional hopes that at some point in the future the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence. At this time, however, this latter initiative is not well-defined and is considered a long-term goal.
All of the following are effective controls for mitigating risk and protecting personal data EXCEPT?
A. Implementing segregation of duty access controls.
B. Defining protocols for access rights.
C. Applying a schema to classify personal data.
D. Overwriting electronical records of personal data.
Correct Answer: D
QUESTION 168
SCENARIO
Please use the following to answer the next question: Order(ly) is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. A family creates a single account and the primary user has access to all information about the other users. In order to be able to use the application, the primary user must check a box consenting to receive marketing emails from the developer and selected marketing partners.
After having had a successful launch in the United States, Orderdly) is about to be made available for purchase worldwide. The privacy officer for the potential European distributor discovered that Orderly) collects and stores the sensitive medical information of its users for the medical appointment scheduler. In fact, all of the user’s information is stored by Orderdy) for the purpose of creating additional products and analyzing usage of the products. This data is stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all employees have access to user data with the additional hopes that at some point in the future the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence. At this time, however, this latter initiative is not well-defined and is considered a long-term goal.
What analysis can be used to evaluate the effective data governance of an organization?
A. A gap analysis.
B. A risk-benefit analysis.
C. A cost-benefit analysis.
D. A regulatory impact analysis.
Correct Answer: A
QUESTION 169
SCENARIO
Please use the following to answer the next question: Order(ly) is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. A family creates a single account and the primary user has access to all information about the other users. In order to be able to use the application, the primary user must check a box consenting to receive marketing emails from the developer and selected marketing partners.
After having had a successful launch in the United States, Orderdly) is about to be made available for purchase worldwide. The privacy officer for the potential European distributor discovered that Orderly) collects and stores the sensitive medical information of its users for the medical appointment scheduler. In fact, all of the user’s information is stored by Orderdy) for the purpose of creating additional products and analyzing usage of the products. This data is stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all employees have access to user data with the additional hopes that at some point in the future the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence. At this time, however, this latter initiative is not well-defined and is considered a long-term goal.
All of the following would be answered through the creation of a data inventory EXCEPT?
A. Where the data is located.
B. How the data is protected.
C. How the data is being used.
D. What the format of the data is.
Correct Answer: B
QUESTION 170
SCENARIO
Please use the following to answer the next question: Order(ly) is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. A family creates a single account and the primary user has access to all information about the other users. In order to be able to use the application, the primary user must check a box consenting to receive marketing emails from the developer and selected marketing partners.
After having had a successful launch in the United States, Orderdly) is about to be made available for purchase worldwide. The privacy officer for the potential European distributor discovered that Orderly) collects and stores the sensitive medical information of its users for the medical appointment scheduler. In fact, all of the user’s information is stored by Orderdy) for the purpose of creating additional products and analyzing usage of the products. This data is stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all employees have access to user data with the additional hopes that at some point in the future the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence. At this time,
however, this latter initiative is not well-defined and is considered a long-term goal.
All of the following are access control measures required by the Payment Card Industry Data Security Standard (PCI DSS) EXCEPT?
A. Restrict physical access to cardholder data.
B. Update antivirus software before granting access.
C. Assign a unique ID to each person with computer access.
D. Restrict access to cardholder data by business need-to-know.
Correct Answer: B
QUESTION 171
SCENARIO
Please use the following to answer the next question: Order(ly) is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. A family creates a single account and the primary user has access to all information about the other users. In order to be able to use the application, the primary user must check a box consenting to receive marketing emails from the developer and selected marketing partners.
After having had a successful launch in the United States, Orderdly) is about to be made available for purchase worldwide. The privacy officer for the potential European distributor discovered that Orderly) collects and stores the sensitive medical information of its users for the medical appointment scheduler. In fact, all of the user’s information is stored by Orderdy) for the purpose of creating additional products and analyzing usage of the products. This data is stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all employees have access to user data with the additional hopes that at some point in the future the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence. At this time, however, this latter initiative is not well-defined and is considered a long-term goal.
Which of the following is an appropriate technical control to limit the use of personal information?
A. Encrypt personal information at rest and in transit.
B. Conduct regular audits on high-risk vendors.
C. Implement role-based access to personal information.
D. Run simulation exercises on the data breach response plan.
Correct Answer: C
QUESTION 172
SCENARIO
Please use the following to answer the next question: Order(ly) is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. A family creates a single account and the primary user has access to all information about the other users. In order to be able to use the application, the primary user must check a box consenting to receive marketing emails from the developer and selected marketing partners.
After having had a successful launch in the United States, Orderdly) is about to be made available for purchase worldwide. The privacy officer for the potential European distributor discovered that Orderly) collects and stores the sensitive medical information of its users for the medical appointment scheduler. In fact, all of
the user’s information is stored by Orderdy) for the purpose of creating additional products and analyzing usage of the products. This data is stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all employees have access to user data with the additional hopes that at some point in the future the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence. At this time, however, this latter initiative is not well-defined and is considered a long-term goal.
Last year Ecosoft 9313 was hacked and a number of servers and programs were affected. Since the incident, the company started collecting metrics on data privacy and system outages to try to stop it from happening in the future.
What analysis would be most helpful based on the data they have collected?
A. Return on Investment (ROI).
B. Compliance analysis.
C. Business Resiliency.
D. Trend analysis.
Correct Answer: D
QUESTION 173
SCENARIO
Please use the following to answer the next question: Recently, a boutique fashion company headquartered in California, USA needed to fill a very large online order from one of their best customers located in Paris, France. The boutique did not have all the items needed to complete the order, so they asked one of their partners located in Vancouver, Canada to help fulfill the order. To save time, the boutique had the items shipped directly from the Vancouver partner’s store to the customer’s home address. The partner sent SMs messages to provide the customer with direct shipping updates.
The merchandise arrived to the customer and they were happy with the experience.
However, soon after, the customer started receiving telemarketing calls and emails from other fashion boutiques and stores. The customer contacted the boutique to complain that their opt-out preferences were being ignored.
What should the boutique have done to properly handle and govern the customer’s personal information?
A. Performed a sub-processor due diligence review of the partner store.
B. Ensured that standard contractual clauses were in place between the boutique and the partner store.
C. Ensured that the other store’s website was using encryption before providing them with the customer’s information.
D. Notified the customer that part of their order would be fulfilled by the partner and obtain the customer’s consent before sharing any data.
Correct Answer: D
QUESTION 174
SCENARIO
Please use the following to answer the next question:
Recently, a boutique fashion company headquartered in California, USA needed to fill a very large online order from one of their best customers located in Paris,
France. The boutique did not have all the items needed to complete the order, so they asked one of their partners located in Vancouver, Canada to help fulfill the order. To save time, the boutique had the items shipped directly from the Vancouver partner’s store to the customer’s home address. The partner sent SMs messages to provide the customer with direct shipping updates.
The merchandise arrived to the customer and they were happy with the experience.
However, soon after, the customer started receiving telemarketing calls and emails from other fashion boutiques and stores. The customer contacted the boutique to complain that their opt-out preferences were being ignored.
Which law is applicable to the customer’s right to opt out?
A. General Data Protection Regulation (GDPR).
B. UK Data Protection Act (DPA).
C. California Privacy Rights Act (CPRA).
D. Canada Personal Information Protection and Electronic Documents Act (PIPEDA).
Correct Answer: A
QUESTION 175
SCENARIO
Please use the following to answer the next question:
Recently, a boutique fashion company headquartered in California, USA needed to fill a very large online order from one of their best customers located in Paris, France. The boutique did not have all the items needed to complete the order, so they asked one of their partners located in Vancouver, Canada to help fulfill the order. To save time, the boutique had the items shipped directly from the Vancouver partner’s store to the customer’s home address. The partner sent SMs messages to provide the customer with direct shipping updates.
The merchandise arrived to the customer and they were happy with the experience.
However, soon after, the customer started receiving telemarketing calls and emails from other fashion boutiques and stores. The customer contacted the boutique to complain that their opt-out preferences were being ignored.
According to the GDPR, the requirements of a DPIA include that it?
A. Be reported to the corresponding supervisory authority.
B. Publish the report to demonstrate the transparency of the data processing.
C. Provide a description of the proposed processing operation and its purpose.
D. Is required if the processing activity entails risk to the rights and freedoms of an EU individual.
Correct Answer: C
QUESTION 176
SCENARIO
Please use the following to answer the next question:
Recently, a boutique fashion company headquartered in California, USA needed to fill a very large online order from one of their best customers located in Paris,
France. The boutique did not have all the items needed to complete the order, so they asked one of their partners located in Vancouver, Canada to help fulfill the order. To save time, the boutique had the items shipped directly from the Vancouver partner’s store to the customer’s home address. The partner sent SMs messages to provide the customer with direct shipping updates.
The merchandise arrived to the customer and they were happy with the experience.
However, soon after, the customer started receiving telemarketing calls and emails from other fashion boutiques and stores. The customer contacted the boutique to complain that their opt-out preferences were being ignored.
Your company provides business to business (B2B) services where the tool is not customer facing and an employee reaches out with a right to delete request. What is the most appropriate response?
A. Forward the request to the contact on file for the client asking them how they would like you to proceed.
B. Redirect the individual back to their employer to understand their rights and how this might impact access to company tools.
C. Process the request assuming that the individual understands the implications to their organization if their information is deleted
D. Explain you are unable to process the request because business contact information and associated data is not covered under privacy rights laws.
Correct Answer: B
QUESTION 177
The least important detail to include in your organization’s incident response plan is?
A. The specific team members to contact in case of an incident.
B. The methods of data collection used by your organization.
C. Your organization’s third-party relationships.
D. The laws applicable to your organization.
Correct Answer: B
QUESTION 178
An avionics company considering deploying an Al algorithm as part of an autopilot system should be primarily concerned with which attribute of the Al system?
A. Security.
B. Transparency.
C. Explainability.
D. Accountability.
Correct Answer: D
QUESTION 179
As the data protection officer for the growing company, Vision 2030, what would be the most cost-effective way to monitor changes in laws and regulations?
A. Regularly engage regulators.
B. Hire a well-known external law firm.
C. Attend workshops and interact with other professionals.
D. Subscribe to mailing lists that report on regulatory changes
Correct Answer: D
QUESTION 180
Which of the following would be least beneficial in integrating privacy requirements and representation into functional areas across an organization?
A. Creating a structure that provides a communication chain (formally and informally) that a privacy professional can use in performing key data protection activities.
B. Creating a governance structure composed of representatives from each business function and geographic region in which the organization has a presence.
C. Creating a program where the privacy officer (or privacy team) can lead on privacy matters by having exclusive responsibility to execute the privacy mission.
D. Creating a privacy committee or council composed of various stakeholders.
Correct Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.