
CIPM® Sample Questions

An IAPP Publication
v5.1
About the IAPP CIPM Sample Questions

The IAPP CIPM Sample Questions are designed to support your preparation for the
CIPM certification exam. Developed using IAPP study resources as well as subject
matter experts’ practical knowledge of the topics set forth in the IAPP’s CIPM Body
of Knowledge, the sample questions can help identify your relative strengths and
weaknesses in the major domains of the CIPM Body of Knowledge.

All items on the IAPP CIPM Sample Questions were reviewed for accuracy at the
time of publication.

The IAPP CIPM Sample Questions were developed independently of the CIPM
certification exam and are not intended to represent actual CIPM certification
exam content.

Your performance on the IAPP CIPM Sample Questions is not a predictor of your
performance on the CIPM certification exam.

Do you have questions or comments? Please contact us at training@iapp.org

The CIPM Sample Questions and references may not be reproduced in any manner other
than for use by the original purchaser.

CIPP, CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPM and CIPT are registered trademarks of the International
Association of Privacy Professionals, Inc. registered in the U.S. CIPP, CIPP/E, CIPM and CIPT are also
registered in the EU as Community Trademarks (CTM).

© 2021 by the International Association of Privacy Professionals (IAPP). All rights reserved. No part
of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by
any means, mechanical, photocopying, recording or otherwise, without the prior, written permission
of the publisher, International Association of Privacy Professionals, Pease International Tradeport,
75 Rochester Ave., Portsmouth, NH 03801, United States of America.
Instructions

1. Remove a copy of the Answer Sheet.

2. To simulate a timed test, set a timer for 40 minutes.

3. Complete the test without referring to the Answer Key or References.

4. Check your answers against the Answer Key.

5. For each correct response, write a “1” in the corresponding domain
column of the Answer Key.

6. Add up the number of correct answers under each domain column.

7. To compare how you did in each domain, calculate your scores as a
percent:

a. Divide the number of correct answers by the total number of
questions in that domain
b. Multiply that number by 100

8. Consult the References for detailed explanations of each answer and the
section of the Body of Knowledge to which the question relates.

Note that due to the nature of Privacy Management, some items may
align with more than one domain or subdomain. In these situations, we
have noted both for your information. For the purpose of score
calculation, we have selected the primary domain with which the items
align.

CIPM Sample Questions

1. All of the following are factors in determining whether an organization can craft a
common solution to the privacy requirements of multiple jurisdictions EXCEPT:

A. Effective date of most restrictive law.
B. Implementation complexity.
C. Legal regulations.
D. Expense considerations.

2. Under the FCRA, if inaccurate information is discovered in a consumer’s file, what is the
usual time period in which the credit reporting agency must examine the disputed
information?

A. In a timely manner.
B. Within 30 days of notification.
C. Within 45 days of notification.
D. Within 60 days of notification.

3. Which of the following is NOT a good reason to perform a privacy audit on a supplier?

A. The vendor management team is validating the supplier as part of a regular
onboarding process.
B. The finance team has concerns that their supplier is inflating their pass-through
expense costs.
C. The legal team received notification of a personal data breach caused by the supplier.
D. The IT team received a notice that the supplier is changing their cloud-storage
subprocessors.

4. A healthcare organization began integrating the concept of privacy into all facets of their
organization, to include targeted and specialized training for handling of sensitive
information, along with the adoption within the conceptual and design phases of new
business processes, IT systems, contractual agreements, devices and policies. What is this
concept of applying privacy solutions into early phases of development known as?

A. Pseudonymization.
B. Data minimization.
C. Privacy by design.
D. Security by design.

5. An example of media sanitization would be:

A. Installing a password on a laptop and requiring password to be changed on a scheduled
basis.
B. Restricting employees’ thumb drive access to locked drives provided by the
organization.
C. Performing a manufacturer’s reset to restore an office printer to its factory default
settings.
D. Implementing a blocker to limit the ability of connected devices to access specific
online sites.

6. What role would data loss prevention software have in a privacy program?

A. Prevention of all data breaches caused through human error by employees.
B. Protection from an external hacker trying to infiltrate an organization’s networks.
C. Training for staff on data governance and proper data classification procedures.
D. Monitoring of certain types of personal data disclosures to outside entities.

7. When should stakeholders be identified in the development of a privacy framework?

A. After the privacy team has established its agenda.
B. After the data inventory is complete.
C. During the business case development process.
D. During the review of written policies.

8. Which of the following is NOT one of the four principles an organization should consider
when aligning information privacy and information security technologies?

A. Prioritize the expense of the technology and supplement any shortfalls with alternate
programs (Cost-based priority).
B. Ensure privacy, information security and development teams work together to
evaluate controls (Teaming).
C. Ensure security risks are part of the privacy risk framework to include correctly
implemented controls (Stay aware).
D. Prioritize risks and allocate resources accordingly so higher risk concerns are
addressed first (Rank and prioritize).

9. Access to an organization’s information systems should be tied to an employee’s role
and is therefore governed by the basic security principles associated with role-based
access control (RBAC). Which of the following contains the correct role-based access
control principles?

A. Least privilege, segregation of duties, need-to-know access.
B. Right-to-access, need-to-know access, segregation of duties.
C. Functional role access, segregation of duties, least privilege.
D. Segregation of duties, need-to-know access, access privilege.

10. Where should an organization’s procedures for resolving consumer complaints about
privacy protection be found?

A. In the emergency response plan.
B. In memoranda from the CEO.
C. In written policies regarding privacy.
D. In the minutes of organizational board meetings.

11. Each of the following organizations could consider developing a highly centralized privacy
team structure EXCEPT:

A. Grape2Table, a small to medium-sized enterprise sourcing fine wines direct from
vineyards for its customers, with multiple offices throughout France.
B. SudsLow, a large franchise of tradespeople performing cleaning services across the
United States with all executive management based in the central HQ in Ohio.
C. DiverzityCorp, an industrial conglomerate with multiple product and service lines with
separate divisions based in the U.S., Brazil and China, each with its own management
team.
D. Hoopdehoop, an online retail company that sells children’s toys and games throughout
multiple countries in the EU, through a variety of different websites, but is based in
the Netherlands.

12. What is business resiliency?

A. How quickly a business accomplishes a merger.
B. How well a business responds to and adapts after a disaster.
C. How successful a business's auditing process is.
D. How well a business rewards and retains its employees.

13. Each of the following are actions an organization should take when developing a data
retention policy EXCEPT:

A. Work with legal advisors to determine applicable legal data retention requirements.
B. Instruct processors to keep information based on approved legal requirements.
C. Estimate what business impacts are of retaining versus destroying the data.
D. Brainstorm with appropriate personnel scenarios that would require data retention.

14. What is the value of a privacy workshop for an organization's stakeholders?

A. A workshop ensures compliance to policies at all levels of an organization.
B. A workshop ensures all stakeholders commit resources to the privacy program.
C. A workshop ensures common baseline understanding of the risks and challenges.
D. A workshop ensures there is a single privacy policy across the organization.

15. Acme Co. wants to develop a new mobile application that will allow users to find friends
by continuously tracking the locations of the devices on which the application is installed.
Which one of the following should Acme Co. do before developing the application to
minimize its privacy risks?

A. Determine how to communicate breach notifications.
B. Test the accuracy of the continuous location mechanism.
C. Calculate the return on investment.
D. Conduct a privacy (or data protection) impact assessment.

16. When conducting a baseline assessment of your privacy program, you should:

A. Ensure your documentation reflects the expected future state of the program.
B. Document areas of remediation that are currently in progress.
C. Quantify the costs of existing and needed technical controls.
D. Establish a system for implementing privacy by design.

SCENARIO I
Use the following to answer questions 17-21:

Country Fresh Sundries started in the kitchen of its founder, Margaret Holmes, as she
made soap following a traditional family recipe. It is a much different business today,
having grown first through product placement in health and beauty retail outlets, then
through a thriving catalog business. The company was slow to launch an online store, but
once it did so, the online business grew rapidly. Online sales now account for 65 percent
of business, which is increasingly international in scope. In fact, Country Fresh is now a
leading seller of luxury soaps in Europe and South America, as well as continuing its strong
record of growth in the United States. Despite its rapid ascent, Country Fresh prides itself
on maintaining its homey atmosphere, as symbolized by its company headquarters with a
farmhouse in front of a factory in a rural region of Maine, in the U.S. The company is
notably “employee friendly,” allowing, for instance, employees to use their personal
computers for conducting business and encouraging people to work at home to spend
more time with their families.

As the incoming Director of Privacy, you are the company’s first dedicated privacy
professional. During the interview process, you found that while the people you talked to,
including Shelly Holmes, CEO and daughter of the founder, and Jim Greene, Vice
President for Operations, meant well, they did not possess a sophisticated knowledge of
privacy practices and regulations and were unsure of exactly where the company stood in
relation to compliance and security. Jim candidly admitted, “We know there is a lot we
need to be thinking about and doing regarding privacy, but none of us know much about
it. We have put some safeguards in place, but we are not even sure they are effective. We
need someone to build a privacy program from the ground up.”

The final interview ended after the close of business. The cleaning crew had started its
nightly work. As you walked through the office, you noticed that computers had been left
on at employee workstations and the only shredder you saw was marked with a sign that
said, “Out of Order. Do Not Use.”

You have accepted the job offer and are about to report to work on Monday. You are now
on a plane headed toward your new office, considering your course of action in this
position and jotting down some notes.

17. How can you discover where personal data resides at Country Fresh?

A. By focusing solely on emerging technologies, as they present the greatest risks.
B. By checking all public interfaces for breaches of personal data.
C. By performing a gap analysis and creating a plan to bridge those gaps.
D. By conducting a data inventory and mapping data flows.

18. You need a master plan or roadmap to guide your choices in developing and refining
Country Fresh’s privacy program. What is the best action to take?

A. Adopt the privacy program mission statement as a guide to specific actions.
B. Modify industry best practices to fit the organization's needs.
C. Perform a mapping exercise that reveals where personal data resides.
D. Develop an overarching privacy program framework.

19. What step can best help you to identify the specific needs and objectives of Country Fresh
regarding privacy protection?

A. Assess Country Fresh’s privacy maturity.
B. Review privacy laws and standards.
C. Identify the key stakeholders.
D. Physical audit of the facility.

20. In analyzing Country Fresh’s existing privacy program, you find procedures that are
informal and incomplete. What stage does this represent in the AICPA/CICA Privacy
Maturity Model?

A. Early.
B. Ad hoc.
C. Nonrepeatable.
D. Pre-program.

21. Which of the following best describes who at Country Fresh needs to be trained on privacy
protection?

A. Members of the privacy team, exclusively.
B. Department heads and key supervisors who can then train their personnel.
C. New hires only, as experienced employees should be familiar with the procedures.
D. Personnel in all departments who have any contact with personal data.
(end of Scenario I questions)

SCENARIO II
Use the following to answer questions 22-25:

Bentley Gems, a high-end United States retail firm that specializes in custom-made
jewelry, creates an opt-in program to provide personalized attention to its customers. On
their first visit, customers are invited to use a kiosk in the retail store to enter their
shopping preferences, as well as personal data such as credit card numbers, banking
information, birthdays, anniversary dates, etc. In an effort to make the customer
experience even richer, the program also collects facial recognition data. This way, when
a customer enters the store, a staff member can call the customer by name and speak
knowledgeably about their preferences, and perhaps even direct them to a particular
item. All the customer preference data, including facial recognition data, is encrypted
and stored on a computer system within the store. This computer system is also secured
physically in a locked room.

Because the intent of this effort was benign, i.e., to enhance the overall customer
experience, Bentley Gems’ owners do not recognize that this collection of data has the
potential to become a data privacy issue. They do not develop policies or procedures to
address how this data is used or whether it can be resold; they simply assume that if a
customer does not want to participate, they won’t enter data into the kiosk.

One of Bentley’s employees, Matilda, has full access to the data because she is the most
computer-knowledgeable employee. Matilda has a friend, Jacob, who works for Investors,
Inc., a wealth management firm. Wishing to do Jacob a business favor, she copies an
unencrypted set of Bentley Gems’ customer names, preferences, and facial recognition
data onto a hard drive. She sends the data to her friend to use in marketing his wealth
management services to the customers. He intends to use the customer data in a way
similar to the jewelers: to provide highly personalized service. Since she is not selling the
data to him, Matilda does not think there is anything wrong with what she has done.

The owners of Investors, Inc. buy another list of customers’ data legitimately from an
outside vendor which includes some of Bentley Gems customers. This data includes
financial information, as well as names, addresses, and number and brand of automobiles
owned. The owners of Investors, Inc. are unaware the customer list from Bentley Gems
was given informally, and collate it with the list from the outside vendor. Now Investors, Inc.
has a very valuable list that contains a deep level of personal data about potential
customers and their buying preferences.

Jacob puts the combined list on an unencrypted public website so Matilda can copy it back
and enhance Bentley Gems’ original data set. Investors, Inc. becomes the victim of an
online attack and the combined collection of unencrypted customer data is stolen. The
owners of Investors, Inc. only find this out when several customers report that their
vehicles were stolen. Further investigation of the crimes by the police links the data
breach to home burglaries. The criminals used the stolen facial recognition data to
identify potential victims, then used address data to find their primary residences. The
owners of Bentley Gems have no knowledge any of this has happened until several months
later, when Matilda quits and informs them of the data breach.

22. All of the following would protect Bentley Gems’ owners from future employee misuse of
customer data EXCEPT:

A. An updated privacy notice that reflects how customer data may be used.
B. A notice to the customers of Investors, Inc. about customer data mingling.
C. An employment policy that calls for the removal of anyone who shares customer data.
D. A better, policy-driven process for limiting access to customer data.

23. After the breach is made known to Bentley Gems, which task should it accomplish first?

A. Coordinate with Investors, Inc. to limit the damage.
B. Sue Investors, Inc. for the breach.
C. Determine whether notification is legally required.
D. Update its privacy notices to allow customers to opt out of the data use.

24. After the data breach, what data can Investors, Inc. use legally?

A. The combined data from Bentley Gems and the outside vendor.
B. Only the purchased data from the outside vendor.
C. None of the data.
D. The original data from Bentley Gems.

25. What would be the best way for Investors, Inc. to respond to its customers’
complaints?

A. Assess the relative liabilities of all parties involved.
B. Develop a formal opt-out procedure.
C. Establish a formal complaint and resolution procedure.
D. Create an ombudsman and refer complaints there.

(end of Scenario II questions)

(end of sample questions)

References

1. The correct answer is A. Body of Knowledge Domain I(C) Develop a Privacy Program
(Establish a privacy program)
Determining the best approach for meeting the requirements of multiple
jurisdictions will depend upon a number of factors, including which laws your
organization is subject to, how complex the solution will be to develop, the
budgetary allowance, and what personal information is collected and how
that personal information is used and/or shared. There are various methods
of creating a common solution, such as using the strictest standard from each
law for all similar compliance requirements or having common requirements
that are materially aligned but setting up case-by-case solutions for outlying
ones. There is no one-size-fits-all solution; the chosen approach must align to
the organization’s objectives and goals.

2. The correct answer is B. Body of Knowledge Domain VI(A) Privacy Operational Life
Cycle: Respond (Data subject information requests and privacy rights)
Privacy laws typically provide specific rights to those whose data is being processed.
One of the rights the FCRA provides consumers is the right to correct or delete any
incorrect information that may be contained in their files by notifying the credit
reporting agency. If inaccurate information is discovered in the consumer file, the
credit reporting agency must examine the disputed information, usually within 30
days of notification.

3. The correct answer is B. Body of Knowledge Domain III(B) Privacy Operational
Life Cycle: Assess (Processors and third-party vendor assessment)
While financial irregularities are a good reason to perform a financial audit, they are
not a reason to perform a privacy audit. The purpose of a privacy audit is to
determine the degree to which technology, processes and people comply with
privacy policies and practices. Audits are evidence-based procedures to help
measure how well the programs put in place meet the organization’s goals; show
compliance with legal, regulatory and internal requirements; increase general
awareness; reveal gaps; and provide a basis for remediation planning.

4. The correct answer is C. Body of Knowledge Domain IV(B) Privacy Operational Life
Cycle: Protect (Privacy by Design)
“Privacy by Design” (“PbD”) is an approach to systems engineering originally
developed by Ann Cavoukian in the mid-1990s. PbD is a framework that dictates that
privacy and data protection are embedded throughout the entire lifecycle of
technologies, from the early design stage through deployment, use and ultimate
disposal or disposition.

PbD may incorporate security by design, data minimization and pseudonymization
techniques at various stages of data processing to facilitate privacy programs and
policies.

5. The correct answer is C. Body of Knowledge Domain III(C) Privacy Operational Life
Cycle: Assess (Physical Assessments)
Media sanitization is defined in NIST SP 800-88 as “a process that renders access to target
data on the media infeasible for a given level of effort.” To adequately sanitize
media, the data or the media must be either cleared, purged or destroyed. While
each of the other responses will conceivably provide some security protections,
none of them would meet the generally accepted criteria for media sanitization.

6. The correct answer is D. Body of Knowledge Domain V(A) Privacy Operational Life
Cycle: Sustain (Monitor)
Data loss prevention software can be a useful tool to monitor certain types of
disclosures outside of an organization, both authorized and nonauthorized. It can be
used to check the effectiveness of policies and controls. But it cannot prevent all
data breaches. Even if you have it configured so that it forbids the external
disclosure of personal data via email, for example, a determined person could still
circumvent this. It does not prevent a data thief from hacking into your network. It
is only one tool amongst many, not a panacea.
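To make the reference concrete, here is an added example, not code from the IAPP or from this publication, of the kind of outbound-mail check a DLP tool performs: it inspects only messages bound for external recipients and flags a US SSN pattern or a Luhn-valid payment card number. The mail domain, the addresses and the four sample messages are constructed for the example. The last message illustrates the caveat above: a disclosure written to dodge the pattern passes straight through.

```python
# Added example (not IAPP's code): a minimal DLP-style scanner for outbound mail.
# It flags messages to external recipients whose body carries a US SSN pattern or a
# Luhn-valid payment card number. The mail domain and the sample messages are
# constructed for this example.
import re
from typing import Dict, List

INTERNAL_DOMAIN = "countryfresh.example"  # assumption: the organization's own domain

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_personal_data(text: str) -> List[str]:
    """Return findings as 'type:identifier'; card numbers are masked to the last four."""
    hits = [f"ssn:{m.group()}" for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(f"card:****{digits[-4:]}")
    return hits


def is_external(address: str) -> bool:
    """Anything not addressed to the organization's own domain is an outside entity."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def scan_message(msg: Dict) -> Dict:
    """Verdict for one outbound message: only external disclosures are inspected."""
    external = [r for r in msg["to"] if is_external(r)]
    findings = find_personal_data(msg["body"]) if external else []
    return {
        "id": msg["id"],
        "external_recipients": external,
        "findings": findings,
        "action": "block" if findings else "allow",
    }


def scan_all(messages: List[Dict]) -> List[Dict]:
    return [scan_message(m) for m in messages]


# Constructed sample traffic, not real data.
SAMPLE_MESSAGES = [
    {"id": "m1", "to": ["hr@countryfresh.example"],
     "body": "Payroll correction for 123-45-6789 attached."},
    {"id": "m2", "to": ["jacob@investors.example"],
     "body": "VIP list as promised; card on file 4111 1111 1111 1111."},
    {"id": "m3", "to": ["carrier@shipping.example"],
     "body": "Tracking number 4111 1111 1111 1112 for the catalog pallet."},
    {"id": "m4", "to": ["jacob@investors.example"],
     "body": "His social is 123 45 6789, keep this between us."},
]

if __name__ == "__main__":
    for verdict in scan_all(SAMPLE_MESSAGES):
        print(verdict["id"], verdict["action"], verdict["findings"])
```

Running the block prints one verdict per message: m1 is allowed because the recipient is internal, m2 is blocked on a card number, m3 is allowed because the tracking number fails the Luhn check, and m4 is allowed even though it discloses an SSN, because spaces instead of dashes defeat the pattern. That last case is the point of the reference: the tool monitors the disclosures it is configured to recognize, and a determined insider can route around it.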

7. The correct answer is C. Body of Knowledge Domain I(C) Developing a Privacy
Program (Establish a privacy program)
Many organizations create a privacy committee or council composed of the
stakeholders (or representatives of functions) that were identified at the start of
the privacy program implementation process. These individuals and functions will
launch the privacy program, and their expertise and involvement will continue to be
tapped as remediation needs—some of which may sit within their areas of
responsibility—are identified. They will be instrumental in making strategic decisions
and driving them through their own departments.

8. The correct answer is A. Body of Knowledge Domain IV(A) Privacy Operational Life
Cycle: Protect (Information security practices)
To maximize efficiency and productivity while minimizing financial burden, privacy
and security teams must work together. Technology has adapted to fill this
organizational need. However, not all technology is created equal and organizations
must ensure the needs of both privacy and security are met. By working closely to
evaluate security controls, leveraging existing reviews and review processes,
ensuring security risks relevant to the organization are part of the privacy risk
framework, and agreeing upon how risk-factors are ranked, information privacy and
information technology teams can determine which technologies best meet their
aligned needs.

9. The correct answer is A. Body of Knowledge Domain IV(D) Privacy Operational Life
Cycle: Protect (Other Organizational Measures)
The privacy team should work with information security and IT, as well as HR, to
ensure effective access controls. Role-based access controls (RBAC) includes the
following:
• Least privilege: Grant access at the lowest possible level required to perform
the function.
• Segregation of duties: Ensure one person cannot exploit or gain access to
information inappropriately.
• Need-to-know access: Restrict access to only information that is critical to
the performance of an authorized, assigned mission.
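As an added example (not IAPP's code), the three principles can be turned into a small policy check: each role carries only the permissions and data categories its function needs, role pairs that would let one person both create and approve are refused at assignment time, and authorization defaults to deny. Role, permission, data-category and user names below are assumptions; the scenario names Matilda and Jacob are reused only to make the checks readable.

```python
# Added example (not IAPP's code): a toy policy engine that enforces the three
# RBAC principles above. Role, permission, data-category and user names are
# assumptions for this example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Role:
    permissions: FrozenSet[str]      # actions the role may perform (least privilege)
    data_categories: FrozenSet[str]  # record categories the role must see (need-to-know)


# Each role carries only what its function requires; nothing is granted by default.
ROLES: Dict[str, Role] = {
    "sales_clerk": Role(
        frozenset({"customer.read", "order.create"}),
        frozenset({"contact", "preferences"}),
    ),
    "finance_approver": Role(
        frozenset({"order.approve", "refund.approve"}),
        frozenset({"payment"}),
    ),
    "privacy_analyst": Role(
        frozenset({"customer.read", "dsar.handle"}),
        frozenset({"contact", "preferences", "payment", "biometric"}),
    ),
    "it_admin": Role(frozenset({"system.configure"}), frozenset()),
}

# Role pairs one person must never hold together (segregation of duties).
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"sales_clerk", "finance_approver"}),  # would create and approve own orders
    frozenset({"it_admin", "privacy_analyst"}),      # would configure and audit the same logs
}

USERS: Dict[str, Set[str]] = {}


def sod_violations(roles: Set[str]) -> List[FrozenSet[str]]:
    """Return every SoD pair that the proposed role set would combine."""
    return sorted((pair for pair in SOD_CONFLICTS if pair <= roles), key=sorted)


def assign_roles(user: str, roles: Set[str]) -> List[FrozenSet[str]]:
    """Assign roles only if no SoD rule is violated; return the violations found."""
    unknown = roles - set(ROLES)
    if unknown:
        raise KeyError(f"unknown roles: {sorted(unknown)}")
    violations = sod_violations(roles)
    if not violations:
        USERS[user] = set(roles)
    return violations


def authorize(user: str, action: str, category: Optional[str] = None) -> bool:
    """Default deny. Allow only when some held role grants the action and, if a
    data category is named, that same role's need-to-know covers it."""
    for name in USERS.get(user, set()):
        role = ROLES[name]
        if action in role.permissions and (category is None or category in role.data_categories):
            return True
    return False


if __name__ == "__main__":
    assign_roles("matilda", {"sales_clerk"})
    print(authorize("matilda", "customer.read", "preferences"))         # True
    print(authorize("matilda", "customer.read", "biometric"))           # False: not need-to-know
    print(authorize("matilda", "order.approve"))                        # False: least privilege
    print(assign_roles("jacob", {"sales_clerk", "finance_approver"}))  # SoD conflict, not assigned
```

Two design points are worth noticing. Need-to-know is checked against the same role that grants the action, so stacking roles on one person never widens the data they can see beyond what any single role needs. And segregation of duties is enforced at assignment time rather than at access time, which is where an auditor will look for it; the returned violation list is what you would log or surface to the approver.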

10. The correct answer is C. Body of Knowledge Domain II(A) Privacy Program
Framework (Develop the Privacy Program Framework)
A privacy policy is a high-level policy that supports documents such as standards and
guidelines that focus on technology and methodologies for meeting policy goals
through manuals, handbooks and/or directives. The privacy policy also supports a
variety of documents which are then communicated internally and externally, that
(a) explain to customers how the organization handles their personal information
(referred to as a privacy notice), (b) explain to employees how the organization
handles personal information, (c) describe steps for employees handling personal
information, and (d) outline how personal data will be processed.

11. The correct answer is C. Body of Knowledge Domain I Developing a Privacy
Program, subdomains (B) Establish a Data Governance Model and (D) Structure the
privacy team
The choice about how to structure the privacy team is individual to each different
company. Having a highly centralized team has a lot of advantages for creating
consistency and the efficient development of privacy policies and tools, but in some
companies the centralization can be a disadvantage. The centralization could be at
odds with the management structure of the company, making it difficult to get
decisions made across all divisions and departments. Alternatively, if the needs of
the various parts of the business are diverse, a one-size-fits-all approach may not
work.

For a smaller company, centralization is often the default because there are not
enough resources to have a large privacy team or representatives in multiple
departments. Even in larger global companies, if the business is focused on a core
activity, then a central privacy team can usually accommodate local variances in the
laws. It is important, though, that the privacy team can accommodate the cultural
and linguistic differences as well as the legal ones. Therefore, in a very diverse
organization, too much centralization may not be a good thing as employees may
feel more comfortable talking to someone who speaks the same language and is
more accessible for them in their time zone.

12. The correct answer is B. Body of Knowledge Domain II(C) Privacy Program
Framework (Develop Appropriate Metrics) and VI(B) Privacy Operational Life
Cycle (Privacy incident response)
To the privacy professional, business resiliency is measured through metrics
associated with data privacy, system outages and other factors as defined by the
business case and organization’s objectives. Focusing solely on disasters will lead an
organization to be defensive, but using a proactive approach enables the
organization to respond to an unexpected event more quickly and more cost
effectively. In addition to disaster situations, a strong business resilience program
can help your organization prepare for audits and demonstrate compliance with
regulatory requirements.

13. The correct answer is B. Body of Knowledge Domain IV(D) Privacy Operational Life
Cycle: Protect (Other Organizational Measures)
Data management requires answers to questions such as why we have the data, why
we are keeping it, and how long we need to keep it. During the building and review
of a data retention policy, the process begins with identifying all the data stored in
the organization and determining how it is used. Business unit needs regarding how
long information is retained must be considered but must be balanced against legal
requirements, to ensure information is not kept too long or dispositioned before
legally allowed. Instructing employees on approved processes occurs after the policy
has been created.

14. The correct answer is C. Body of Knowledge Domain I(C) Developing a Privacy
Program (Establish a privacy program)
Do not assume that all stakeholders have the same level of understanding about the
regulatory environment or the complexity of the undertaking—there will invariably
be different levels of privacy knowledge among the group. This is an opportunity to
ensure everyone has the same baseline understanding of the risks and challenges the
organization faces, the data privacy obligations that are imposed on it and the
increasing expectations in the marketplace regarding the protection of personal
information.

15. The correct answer is D. Body of Knowledge Domain I(B) Privacy Program
Governance (Develop the Privacy Program Framework)
A privacy impact assessment (PIA), also known as a data protection impact assessment, is an
analysis of the privacy risks associated with processing personal information in
relation to a project, product or service. To be an effective tool, a PIA also should
suggest or provide remedial actions or mitigations necessary to avoid, reduce or
minimize those risks. Requirements regarding PIAs emanate from industry codes,
organizational policy, laws, regulations and supervisory authorities.

When an organization collects, stores or uses personal data, the individuals whose
data is being processed are exposed to risks. These risks range from personal data
being stolen or inadvertently released and used by criminals to impersonate the
individual, to causing individuals to worry that their data will be used by the
organization for unknown purposes. A data protection impact assessment (DPIA)
describes a process designed to identify risks arising out of the processing of
personal data and to minimize these risks as much and as early as possible. DPIAs
are important tools for mitigating risk and for demonstrating compliance with the
GDPR.

16. The correct answer is B. Body of Knowledge Domain III(A) Privacy Operational Life
Cycle: Assess (Document current baseline of your privacy program)
It may be tempting to avoid creating a record of where there are deficiencies in
existing programs, especially if those deficiencies are being addressed. However, if
you fail to document deficiencies, you create an assessment based on hypotheticals
that may not prove true over time and will not provide a true baseline. In addition,
if ongoing remediations are not included, the new privacy program will appear to
have more deficiencies than actually exist and may result in resources being
diverted to solve problems that are already being resolved.

17. The correct answer is D. Body of Knowledge Domain III(A) Privacy Operational
Lifecycle: Assess (Document your current baseline of your privacy program) and
II(A) Privacy Program Framework (Develop the Privacy Program Framework)
The data inventory, also known as a data map, provides answers to these questions
by identifying the data as it moves across various systems, and thus indicating how it
is shared and organized and where it is located. That data is then categorized by
subject area, which identifies inconsistent data versions, enabling identification and
mitigation of data disparities, which in turn serves to identify the most and least
valuable data and reveal how it is accessed, used and stored.

18. The correct answer is D. Body of Knowledge Domain II(A) Privacy Program
Framework (Develop the privacy program framework)
Implementing and managing a program that addresses the various rights and
obligations of each privacy regulation on a one-off basis is a nearly impossible task.
Instead, using an appropriate privacy framework to build an effective privacy
program can: (a) help achieve material compliance with the various privacy laws and
regulations in-scope for your organization; (b) serve as a competitive advantage by
reflecting the value the organization places on the protection of personal
information, thereby generating trust; and (c) support business commitment and
objectives to stakeholders, customers, partners and vendors.

19. The correct answer is C. Body of Knowledge Domain I, Developing a Privacy
Program; subdomains (A) Create a company vision and (C) Establish a privacy
program
While many factors go into identifying specific needs and outlining
objectives, the most critical part is ensuring you have the appropriate
individuals identified and included in the process. Creating a privacy
committee or council of stakeholders who represent different functions and
perspectives within the organization will enable you to establish Country
Fresh’s objectives based on its privacy needs. These stakeholders can then
help maintain the privacy program, communicate the privacy policy to
employees, and adapt the program to the constantly changing privacy
landscape.

20. The correct answer is B. Body of Knowledge Domain II(C) Privacy Program
Governance (Develop Appropriate Metrics)
The Privacy Maturity Model (PMM) is a well-established model that sets out maturity
levels for privacy programs and operations. Maturity is a useful metric because it
focuses on a scale as opposed to an endpoint. PMM uses five maturity levels.
Maturity level one, “ad hoc,” describes a situation where the procedures or
processes are generally informal, incomplete and inconsistently applied.

21. The correct answer is D. Body of Knowledge Domain V(B) Privacy Operational
Lifecycle: Sustain (Audit) and II(A) Privacy Program Framework (Develop the privacy
program framework)
Everyone who handles personal information needs to be trained in privacy policies
and how to deploy them within their area to ensure compliance with all policy
requirements. This applies to employees, management, contractors and other
entities with which your organization might share personal information. Training
programs dealing with privacy policies should be based on clear policies and
standards and have ongoing mechanisms and processes to educate and guide
employees in implementation.

22. The correct answer is B. Body of Knowledge Domain IV(A) Privacy Operational Life
Cycle: Protect (Information security practices)
ISACA defines controls as “the means of managing risk, including policies,
procedures, guidelines, practices or organizational structures, which can be of an
administrative, technical, management, or legal nature.”

A privacy policy is a form of administrative control. It is an internal document
addressed to employees and data users. This document clearly states how personal
information will be handled, stored and transmitted to meet organizational needs as
well as any laws or regulations. It will define all aspects of data privacy for the
organization, including how the privacy notice will be formed, if necessary, and
what it will contain.

However, a privacy notice is an external communication to individuals, customers or
data subjects that describes how the organization collects, uses, shares, retains and
discloses its personal information based on the organization’s privacy policy. While
required under most privacy laws, an external privacy notice does not protect
against misuse of data.

23. The correct answer is C. Body of Knowledge Domain VI(B) Privacy Operational Life
Cycle: Respond (Privacy incident response)
Notification is the process of informing affected individuals that their personal data
has been breached. Many laws and regulations prescribe specific time frames for
providing notification, whether to impacted individuals, to relevant regulators or to
both. The legal requirements change regularly. For planning purposes, however, it is
enough to know that when investigating an incident, time is of the essence. Timing
is even more critical once the incident has been confirmed to be a breach. An
organization’s privacy professionals, and those charged with incident response
planning and notification, should be intimately familiar with the prevailing
notification requirements and guidelines and should work with qualified legal
counsel to assist in making the legal determination about the need to give notice.

24. The correct answer is B. Body of Knowledge Domain VI(B) Privacy Operational Life
Cycle: Respond (Privacy incident response)
Though Matilda is an employee of the company that is the data controller, it is
unlikely that she would have the authority to disclose the jewelry store’s customer
data merely because she is “the most computer-knowledgeable employee” and has
access to this information. As such, she would not be legally authorized to share this
information with Investors, Inc. In turn, this means that Investors, Inc. only has
authority to use the customer data legitimately purchased from the outside vendor.
Employee error or negligence is one of the biggest causes of privacy breaches.
Matilda’s decision to disclose personal information to Jacob constitutes a breach,
and therefore, Investors, Inc. has no legal right to keep this data.

25. The correct answer is C. Body of Knowledge Domain VI(B) Privacy Operational Life
Cycle: Respond (Data-subject information requests and privacy rights)
Complaints about how the organization manages data subject rights may come from
both internal sources, such as employees, and from external sources, such as
customers, consumers, competitors, patients, the public, regulators and vendors.
Complaints from data subjects should go through some centralized process. There
needs to be a central point of control that deals with data subject complaints.
Because you have limited time to respond, and may need cooperation from other
parties (e.g., other controllers, processors), having an efficient and consistent
process is critical.

ANSWER SHEET

 1 A B C D     2 A B C D     3 A B C D     4 A B C D

 5 A B C D     6 A B C D     7 A B C D     8 A B C D

 9 A B C D    10 A B C D    11 A B C D    12 A B C D

13 A B C D    14 A B C D    15 A B C D    16 A B C D

17 A B C D    18 A B C D    19 A B C D    20 A B C D

21 A B C D    22 A B C D    23 A B C D    24 A B C D

25 A B C D    END

This page may be reproduced.

Answer Key
Item Number | Correct Answer | Developing a Privacy Program | Privacy Program Framework | Privacy Operational Life Cycle: Assess | Privacy Operational Life Cycle: Protect | Privacy Operational Life Cycle: Sustain | Privacy Operational Life Cycle: Respond
1  | A
2  | B
3  | B
4  | C
5  | C
6  | D
7  | C
8  | A
9  | A
10 | C
11 | C
12 | B
13 | B
14 | C
15 | D
16 | B
17 | D
18 | D
19 | C
20 | B
21 | D
22 | B
23 | C
24 | B
25 | C
SUMMARY | | ___ of 5 correct | ___ of 4 correct | ___ of 5 correct | ___ of 5 correct | ___ of 2 correct | ___ of 4 correct
PERCENTAGE (# correct / # total) x 100

This page may be reproduced.
