CIPM Exam Reviewer
Q1)
What is NOT included in privacy vision and mission statements?
1. The value the organization places on privacy.
2. Desired sales and marketing objectives.
3. Strategies to drive the tactics used to achieve the intended outcomes
4. Clarification of roles and responsibilities
Q2)
Q3)
Q4)
Q5)
Q6)
Q7)
In defining program scope and Charter, what must you pay attention to?
1. Monitoring of regulatory activities and multiple jurisdictions
2. writing vision statement
3. your business flow
4. Stakeholders training
Your answer is 2
Explanation
ANSWER [Monitoring of regulatory activities and multiple jurisdictions]. Companies that span the globe will
need to develop a global privacy strategy relevant to markets, cultures and geographical locations. Generally
speaking, the privacy organization must understand the global perspective in order to meet legal, cultural and
personal expectations, customize privacy approaches from both global and local perspectives, be aware of
privacy challenges that include translations of laws and regulations, enforcement activities and processes, and
monitor all legal compliance factors for both local and global markets.
For example: Your organization may provide health services and be subject to regulations governing the
handling of personal health information. You may also handle financial transactions and therefore be subject to
financial reporting regulations. This example showcases the need for active monitoring of regulatory activities
in multiple jurisdictions.
Q8)
What are EXCEPTIONS to some things management can do to ensure the organization succeeds in the
establishment of a successful privacy program?
1. Support Initiatives
2. Approve funding for resources and technologies
3. Hold employees accountable
4. Secure business contact data and respect customer choices
Your answer is 1
Explanation
ANSWER [Secure business contact data and respect customer choices]. A successful privacy program
requires that management approve funding to resource and equip your privacy team, fund important privacy
enhancing resources and technologies by ensuring privacy requirements are part of every project during budget
discussions, support privacy initiatives such as training and awareness by actively participating in these
initiatives, and hold employees accountable for following privacy policies including notifying direct reports of
the results of enforcement actions.
Q9)
The following statements about technical controls as part of the data governance strategy are correct except
which statement?
1. All security controls can be applied across legislations as they have the same categories and solutions
2. Most legislations do not enumerate the types of specific controls that must be implemented
3. Technical controls deployed in one jurisdiction may typically satisfy another jurisdiction
4. When implementing technical controls, be aware of local requirements and prohibitions
Your answer is 2
Explanation
ANSWER: [All security controls can be applied across legislations as they have the same categories and
solutions].
Not true. They are similar but NOT the same across legislations. Technical security controls are part of the data
governance strategy:
o Most legislations do not enumerate the types of specific controls that must be implemented
o Most security controls have similar categories and solutions – those deployed in one jurisdiction may
typically satisfy another jurisdiction
However, be aware of local requirements and/or local prohibitions
• China does not permit the use of encryption
• Most EU countries limit the use of DLP technology because they interpret it to be employee monitoring
Q10)
Which is an example of a rationalised approach to a data governance strategy from a geographical perspective?
1. Allow individual functions and regions to each implement their own solutions
2. Implementing a solution that materially addresses the various requirements of the majority of laws and
regulations
3. Implement solutions at the HQ level and have each region adopt them based on their laws and
regulations
4. Use the country with the strictest laws and regulations as a guideline for the rest to follow
Your answer is 2
Explanation
ANSWER [Implementing a solution that materially addresses the various requirements of the majority of laws
and regulations].
“Rationalising” the various privacy legal requirements means:
1) implementing a solution that materially addresses the various requirements of the majority of laws and
regulations, e.g. notice, choice, consent, purpose limitation, data retention limitation, individual rights to
access, correction and deletion of data, obligation to safeguard data
2) addressing those requirements that fall outside the common solution to see whether there is risk in leaving
them out, or the effort to include them is trivial
3) using customisation (if necessary) to meet local requirements for granting individuals access to their
personal data and for the timeframes within which the data must be provided to them
Q11)
Q12)
Q13)
Q14)
Q15)
What is the next step after developing a business case for a privacy program framework?
1. Develop a business case
2. Perform a gap analysis
3. Do an inventory analysis
4. Communicate the framework
Your answer is 2
Explanation
ANSWER [Perform a gap analysis]. First, we must develop a business case. The business case is the starting
point for assessing the needs of the privacy organization. It defines the individual program needs and the ways
to meet specific business goals. This allows for the understanding of the role of privacy in the context of
business requirements and identification of business benefits and risks. This should be completed at a high
level and can be done when establishing a new privacy program or when evaluating a privacy program that is
currently in place. Following the development of the business case, a gap analysis is performed. We will
review the gap analysis in more detail in unit 2A. The third step in developing the privacy program framework
is reviewing and monitoring the program. This step will be covered in Unit 2C, as will the final step,
communicate the framework.
Q16)
What is meant by "establish the baseline" when defining privacy for the organisation?
1. Define the privacy mission statement
2. Gather information on the organisation’s current compliance policies related to privacy, regulations,
standards and security
3. Perform a gap analysis
4. Create a privacy framework
Your answer is 3
Explanation
ANSWER. “Establish the current baseline” means gathering information on the organisation’s current compliance
policies related to privacy, regulations, standards and security, which include:
o Collection limitation
o Data quality
o Purpose specification
o Use limitation
o Security safeguards
o Openness
o Individual participation
o Accountability
This comes after you define the terms privacy/personal data/personal information for the organisation and use the
privacy definition as the starting point.
Q17)
All of the following are technical and physical controls that ISO 27002 addresses in a security policy except:
1. Personnel security
2. Asset classification and control regulations, standards and security
3. implementation of an information security system
4. System development and maintenance
Your answer is 2
Explanation
ANSWER: [implementation of an information security system]. Implementation of an information security
system is included in ISO 27001. ISO 27002 is aligned to security policies that address both technical and
physical controls:
o Security organisation
o Asset classification and control
o Personnel security
o Physical and environmental security
o Communications and operations management
o Access control
o System development and maintenance
o Business continuity management
o Compliance
Q18)
Q19)
Q20)
Q21)
HIPAA security officials would be considered what kind of intended audience for metrics?
1. Secondary Audience
2. Primary Audience
3. Tertiary Audience
4. Stakeholders
Your answer is 2
Explanation
ANSWER [Secondary Audience]. HIPAA security officials are classified as a secondary audience.
The Intended Audience for Metrics
• Primary audience
o Legal and privacy officers
o Senior leadership, chief information officer (CIO)
o Chief security officer (CSO)
o Program manager (PM)
o Information system owner (ISO)
o Information security officer (ISO)
o Other considered users and managers
• Secondary audience
o Chief financial officer (CFO)
o Training organisations
o Human resources (HR)
o Inspectors-general (IG)
o HIPAA security officials
• Tertiary audience
o External watchdog groups
o Sponsors
o Stockholders
Q22)
Q23)
The following are examples of privacy metrics except:
1. Training
2. Recovered data
3. Incident recovery time
4. Compliance to privacy guidelines
Your answer is 2
Explanation
ANSWER [Compliance to privacy guidelines].
This is not a metric. Examples of metrics are:
o Recovered data – quality of restored/recovered/reconstituted data
o Data lost percent – percentage of data irrevocably lost
o Data lost records – number of records lost
o Training – percentage of information system security and privacy personnel that have received training
o Average incident time – average length of time between cyber and privacy incidents
o Incident recovery time – average length of time to recover from incidents
o Systems compliance – percentage of systems in compliance with organisationally mandated configuration
guidance
o Number of privacy incidents – percentage of privacy incidents reported within required timeframe per
applicable incident category
o Average time between incidents – average length of time between cyber and privacy incidents
o Average time to recover – average length of time for the organisation to recover from damage caused by a
privacy incident
o Percent plans exist – percentage of critical incident types for which pre-planned responses exist
o Time mission impacted – length of time a mission is negatively affected after an attack
Q24)
Q25)
Trends viewed in an upward or downward tendency when looking for data patterns are called:
1. Cyclical component
2. Time series
3. Irregular component or noise
4. All of the answers
Your answer is 2
Explanation
ANSWER [Time series]. Looking for data patterns involves:
o Time series – trends are viewed in an upward or downward tendency, e.g. number of privacy breaches over
time
o Cyclical component – weekly, monthly or yearly data describing any regular fluctuations, e.g. number of
privacy breaches in the month after you rollout your new data protection training, and then every three months
to see if the number steadily increases as distance from training increases
o Irregular component or noise – what is left over when the other components have been accounted for
Q26)
What is the formula for the privacy program return on investment (ROI)?
1. (Risks – Costs) / Costs
2. (Benefits – Costs) / Costs
3. Threat x Vulnerability x Expected loss
4. Threat x Expected Loss / Costs
Your answer is 2
Explanation
ANSWER [(Benefits – Costs) / Costs].
ROI = (Benefits – Costs) / Costs
o Privacy ROI defines metrics to measure the effectiveness of investments to protect:
• Physical assets
• Personnel assets
• IT assets
• Operational management assets
Q27)
Which of the following is the correct definition of the acronym SMART in privacy program management?
1. Specific/Simple, Manageable, Actionable, Results-Oriented, Timely
2. Specific/Simple, Measurable, Actionable, Results-Oriented, Timely
3. Specific/Simple, Manageable, Achievable, Results-Oriented, Timely
4. Specific/Simple, Measurable, Achievable, Realistic, Timely
Your answer is 2
Explanation
ANSWER [Specific/Simple, Manageable, Actionable, Results-Oriented, Timely]
Q28)
The following statements are descriptive of the privacy maturity model except which statement?
1. It provides a standardised reference for companies to assess the level of maturity of their privacy
programs
2. It provides methods by which organisations can measure progress against established benchmarks and
measurements
3. It provides the means to report the overall status for the ROI to the organisation as well as benchmarks to
determine next steps to achieve a higher level of maturity
4. It provides a process to assess the maturity of the privacy professional and the level of competence
Your answer is 4
Explanation
ANSWER [It provides a process to assess the maturity of the privacy professional and the level of
competence].
• Maturity models are recognised methods by which organisations can measure progress against established benchmarks and measurements
• A maturity model provides a standardised reference for companies to assess the level of maturity of their privacy programs
o Becoming compliant is a journey, and progress along the way strengthens the organisation, whether or not the organisation has achieved all the requirements
o In certain cases, such as security-focused maturity models, not every organisation or every security application needs to be at the maximum for the organisation to achieve an acceptable level of security
o Creation of values or benefits may be possible if they achieve a higher maturity level
• Assessing the maturity of the privacy program provides the means to report the overall status for the ROI to the organisation as well as benchmarks to determine next steps to achieve a higher level of maturity
• An initial assessment can identify strengths and reveal weaknesses and gaps in your program, e.g.
o Deficiencies in technical controls
o Lack of training for employees
o Privacy requirements have not been fully integrated throughout all areas of the organisation
• When a baseline assessment has been established, your organisation can then decide at which level of maturity it ultimately wants or needs to operate
Q30)
Q31)
Q32)
Q34)
Q35)
What is the step after forming an oversight committee in the AICPA/CICA Privacy Maturity Model?
1. Assemble a team to assess maturity model.
2. Identify a sponsor
3. Identify desired maturity level for benchmarking
4. Meet and assess status
Your answer is 3
Explanation
ANSWER [Assemble a team to assess maturity model]. The AICPA/CICA Privacy Maturity Model provides a
structure to assist and identify where to start and what to document, along with key start-up activities that
include:
• Identifying a project sponsor
• Forming an oversight committee
• Assembling a team to perform the initial assessment of the maturity level
• Providing status reports and the opportunity to meet and assess overall progress
• Providing a means to ensure that identifiable risk and compliance issues are escalated
• Ensuring the project sponsor and senior management are aware of all findings
• Identifying the desired maturity level for benchmarking purposes
• Assessing the maturity of the program provides the means to report the overall status for the program to the organization, as well as benchmarks to determine next steps to achieve a higher level of maturity
Q36)
Q38)
What is NOT part of what is done to mitigate the risks of third-party vendors and data processors?
1. review contract language
2. Vet and monitor vendors
3. using questionnaires, assessments and checklists to review vendors
4. Talk to vendors and conduct an audit of their business practices
Your answer is 1
Explanation
ANSWER [Talk to vendors and conduct an audit of their business practices]. Organizations should carefully
vet vendors prior to selection and continue to monitor and audit them through the life of the contract to ensure
proper practices. Contract language should be written to call out privacy protections and regulatory
requirements within the statement of work and mapped to service agreements. Privacy/security questionnaires,
privacy impact assessments and other checklists can be used to assess the vendor risk and should include
consideration for the vendor’s privacy and information security policies and access controls, where the
personal information will be held along with who has access to it.
Q39)
What are MNCs required to pay attention to in the area of their employees' privacy?
1. They are required to meet local regulations and privacy expectations of their employees in all countries in
which they operate
2. They need only meet the regulations of their holding company
3. They are required to meet local customs and laws of the countries they sell their products or services
4. They are required to follow their privacy policies and practices
Your answer is 2
Explanation
ANSWER [They are required to meet local regulations and privacy expectations of their employees in all
countries in which they operate]. Multinational organizations are required to meet local regulations and the
privacy expectations of their employees in all countries in which they operate. Specifically, cross border data
transfers should be monitored to regulate the export of personal data to ensure regulatory compliance and data
privacy.
Q40)
Q41)
What is NOT a potential problem when technical risks and controls are not well understood?
1. Failure to achieve consensus
2. Lack of unified response
3. Insufficient plans for communicating
4. Disagreement on who does the risk assessment
Your answer is 1
Explanation
ANSWER [Disagreement on who does the risk assessment]. Business continuity and disaster recovery
planning is sometimes pursued by the IT group and can be considered a high-cost insurance policy that is
never used; thus privacy professionals should understand the key role played by this crucial function and how
it impacts the organization. What problems may arise when technical risks and controls are not well
understood? Lack of unified incident response across the organization, failure to achieve consensus on
standardized recovery processes, incomplete or nonexistent risk assessments, assumptions and objectives,
insufficient communication plans to coordinate recovery/continuity efforts and inability to recover are all
potential issues when technical risks and controls are not well understood.
Q42)
Q43)
Which of the following statements about Data Life-cycle Management is incorrect?
1. It provides a holistic approach to the processes, roles, controls and measures necessary to organise and
maintain the data
2. It is a policy-based approach to manage flow of information through a life-cycle from creation to
disposal
3. It is considered a mitigation that is aimed at lowering the risk of data breaches by reducing the volume and
type of data stored
4. It is mainly about understanding how data is collected, used, stored, and disclosed pertaining to an
organisation's business activities
Your answer is 2
Explanation
ANSWER [It is mainly about understanding how data is collected, used, stored, and disclosed pertaining to an
organisation's business activities]. It is much more than an inventory analysis.
The following defines DLM.
• Data life cycle management is a policy-based approach to manage flow of information through a life-cycle
from creation to disposal
• DLM provides a holistic approach to the processes, roles, controls and measures necessary to organise and
maintain the data
• DLM can also be considered a mitigation that is aimed at lowering the risk of data breaches by reducing the
volume and type of data stored
Q44)
Q45)
Q46)
Once the risk management framework is determined, information security provides management, technical and
operational controls to achieve which of the following?
1. Provide a means of determining who collects, uses and discloses personal data
2. Reduce probable damage, loss, modification or unauthorised data access
3. Enable a way to assess, protect, sustain and respond
4. Perform gap analysis and privacy audit management
Your answer is 2
Explanation
ANSWER [Reduce probable damage, loss, modification or unauthorised data access].
Once the risk management framework is determined, information security provides management, technical and
operational controls to reduce probable damage, loss, modification or unauthorised data access.
Q47)
The following statements are true about digital forensics except which statement?
1. It is used as a means to reconstruct events related to security incidents
2. The investigative process has four phases - Prepare, Acquire, Analyze, & Report
3. It requires a digital knowledge base for it to be effective
4. It is a tool for proactive privacy management
Your answer is 1
Explanation
ANSWER [It is a tool for proactive privacy management]. Not true. It is more of a reactive tool when a
privacy incident or data breach occurs.
Digital Forensics includes the following:
• Knowledge and understanding of digital investigation and analysis techniques used for acquiring, validating
and analysing electronic data to reconstruct events related to security incidents
• Requires building a digital knowledge base
• Investigative process has four phases:
o Prepare
o Acquire
o Analyse
o Report
Q48)
Q49)
What is the difference between a Privacy Audit and a Privacy Impact Assessment (PIA)?
1. A privacy audit looks at whether policies are being followed while PIA looks at privacy risks within a
business activity
2. A PIA must be conducted first followed by a privacy audit
3. A privacy audit looks at privacy risks within a business activity while PIA looks at whether policies are
being followed
4. Both terms can be used interchangeably
Your answer is 1
Explanation
ANSWER [A privacy audit looks at whether policies are being followed while PIA looks at privacy risks
within a business activity].
Privacy Impact Assessment
Methodology or process for assessing the privacy-related risks associated with business activities that involve
processing of personal data, e.g.
o Projects
o Initiatives
o Systems
o Business processes
o Services
o Products
As a form of risk assessment, the PIA assesses existing controls and also suggests or provides remedial actions or
mitigations necessary to avoid or reduce/minimise those risks
Privacy Audit
Purpose of privacy audit is to determine the degree to which systems, operations, processes and people comply
with privacy policies and practices – Do the privacy operations do what they were designed to do, and are data
privacy controls correctly managed?
Q50)
Privacy Impact Assessment is a legal requirement in which country?
1. All EU countries
2. UK and Canada
3. USA
4. All of the above
Your answer is 1
Explanation
ANSWER [UK and Canada].
• In some regions, PIAs are based on legal requirements
o In the UK, Canada, etc., PIAs are based on legal requirements
o PIAs may also be performed pursuant to sector-specific regulations or requirements
o In Australia, the PIA is considered as a fundamental component of broader risk management processes
Q51)
Q52)
Which is an example of monitoring threats through internal vulnerabilities?
1. Outsourcing of operations to vendors
2. Physical monitoring of building access, visitors and data centre activity
3. Outsource information to a cloud computing provider
4. Protection of information contained in mobile devices
Your answer is 2
Explanation
ANSWER [Physical monitoring of building access, visitors and data centre activity]
Examples of monitoring threats posed by internal vulnerabilities:
o Physical monitoring of building access, visitors and data centre activity
o Data access and authentication
o Lack of awareness/training so that people do not know how they are to handle personal information
o Insider threat from current or former employee, contractor or other business partner:
• “Low-tech” attacks such as modifying or stealing confidential or sensitive information for personal gain
• Theft of trade secrets or customer information to be used for business advantage or to give to a foreign
government or organisation
• Technically sophisticated crimes that sabotage the organisation’s data, systems or network
Q53)
Q54)
Q55)
Q56)
When auditing compliance with privacy policies and standards, which of the following measures is not
relevant or applicable?
1. Training and awareness attendance
2. Information system logs
3. Complaints received
4. Number of management sign-offs
Your answer is 4
Explanation
ANSWER [Number of management sign-offs.]
• The audit measures how closely the organisation’s practices align with its legal obligations and stated
practices and may rely on:
o Subjective information
• Employee interviews/questionnaires
• Complaints received
o Objective standards
• Information system logs
• Training and awareness attendance
• Test scores
Q57)
Q58)
Q59)
What is NOT a reason for updating and changing privacy policies and requirements?
1. Changing regulatory environment
2. Development of new products and services
3. Responding to changes in business environment
4. Every time there is a change in CEO or senior management
Your answer is 4
Explanation
ANSWER [Every time there is a change in CEO or senior management]
• Reasons for updating and changing privacy policies and requirements:
o Identifying opportunities for continuous improvement
o Changing regulatory environment
o Responding to changes in business environment
o Development of new products and services
Q60)
Which of the following statements about responding to general questions versus handling complaints is
incorrect?
1. There should be an escalation process to ensure the proper handling of sensitive issues, including possible
engagement of key executives if the situation warrants
2. There should be a centralised intake process by which complaints are routed to the privacy team as quickly
as possible
3. The reporting and the complaint process respecting data privacy may intersect with an ethics reporting and
complaint process
4. Both processes should be identical as long as they relate to privacy matters
Your answer is 4
Explanation
ANSWER [Both processes should be identical as long as they relate to privacy matters]
Complaint handling requires more formality than just responding to questions and inquiries
o Centralised intake process by which complaints are routed to the privacy team as quickly as possible
o Escalation process to ensure the proper handling of sensitive issues, including possible engagement of key
executives if the situation warrants
o Create and document procedures that track the intake, management and resolution of the complaint
Occasionally, the reporting and the complaint process respecting data privacy may intersect with an ethics
reporting and complaint process, e.g.
o An incident may involve the use or misuse of personal information by the supervisor and the complainant is
the employee
o People managing the compliance hotline must be trained to recognise a data privacy issue and to
immediately connect with the chief privacy officer or the privacy team
Q62)
Q63)
When it comes to providing access to individuals' personal data when requested, which one of the following is
correct?
1. The organisation should ensure that adequate verification takes place before access to data is provided
2. The organisation should immediately provide access to whatever personal data is in its care through any
medium of communication
3. The personnel in charge of providing access can discretionally give reasons for providing or denying
access
4. The personnel in charge should first consult the privacy team, who will advise accordingly
Your answer is 4
Explanation
ANSWER [The organisation should ensure that adequate verification takes place before access to data is
provided]
Organisations should have a written procedure for responding to access requests that:
o Ensures that adequate verification takes place before access to data is provided
o Ensures that the organisation is consistent in its reasoning for providing or denying access
Q64)
What should the primary focus be when it comes to governing a privacy incident or data breach?
1. Determining the root cause of the incident so as to rectify any issues
2. Harm prevention and/or minimisation as a priority
3. Reporting to the law enforcement authorities as soon as possible
4. Conducting proper investigations and post-mortem reviews
Your answer is 4
Explanation
ANSWER [Harm prevention and/or minimisation as a priority]
It is about preventing harm.
• Fundamental principle that governs a privacy incident is to allow an affected person the opportunity to
protect himself from identity theft or other harm (e.g. financial loss, reputation damage, embarrassment)
• Primary focus when managing any privacy incident is harm prevention and/or minimisation
Q65)
The following are ways in which an organisation can demonstrate accountability as it relates to privacy
management except:
1. Demonstrating effective compliance using privacy controls
2. Implementing appropriate privacy controls
3. Third-party or internal self-attestation audit activity
4. Immediately notifying all parties affected should there be any privacy incident
Your answer is 3
Explanation
ANSWER [Immediately notifying all parties affected should there be any privacy incident]
• Privacy accountability in an organisation may be demonstrated through:
o Implementing appropriate privacy controls
o Demonstrating effective compliance using these controls
o Documenting risk mitigation
• Organisation may demonstrate accountability through:
o Validation by an external regulator
o Third-party or internal self-attestation audit activity
Q66)
Upon investigation by a regulator in the event of a major data breach, which one is NOT likely evidence of
accountability?
1. Dedicated privacy team with breach protocols
2. Existence of privacy awareness program
3. Archived internal messages & actions communicating regulatory requirements to staff
4. Full co-operation with the investigators when contacted by regulators
Your answer is 3
Explanation
ANSWER [Full co-operation with the investigators when contacted by regulators]
• Accountability to a regulator usually occurs following a significant event that is poorly handled
o Investigation by regulators will be in the form of “who knew what and when” and a demonstration that the
organisation takes privacy seriously, e.g.
• Existence of privacy awareness program
• Dedicated privacy team
• Breach protocols
• Appropriate command media-enforcing regulatory requirements
Q67)
In the event of a data breach, who should get in touch with the responsible data protection authorities or
regulators to discuss the incident and assure them that the breach is being handled?
1. The privacy team
2. The public relations team
3. CEO
4. Team leader of the incident response team
Your answer is 3
Explanation
ANSWER [CEO]
President, CEO
• Role in incident-response planning
o Through actions taken (or not) and training funded (or not), employees can discern the value their leaders
place on preventing breaches
o Once data is compromised and the shortcomings of an organisation’s security practices become public, it is
the top executive who will ultimately bear the blame
• Role during a data breach
o Promptly allocate funds and manpower needed to resolve the breach – this is one of the first and most critical
steps taken by the top executive
o Publicly comment on the breach’s cause or status – accuracy, authenticity and transparency are absolutely
essential
o Get in touch with the responsible data protection authorities or regulators to discuss the incident and assure
them that the breach is being handled from the top management
Q68)
In incident response planning, which of the roles and recommended actions are not relevant in terms of
ensuring organisation readiness?
1. HR to address topics such as employee data-handling, security awareness training and/or incident
recognition and response
2. Legal to provide guidance on legal precedents and requirements for handling data and reporting a breach
3. Information Security Team to provide technical expertise and authority in monitoring access, inventory,
storage and destruction of data
4. Customer Service Team to proactively dedicate a hotline to handle any reports or complaints relating to a
privacy incident
Your answer is 3
Explanation
ANSWER [Customer Service Team to proactively dedicate a hotline to handle any reports or complaints
relating to a privacy incident]
Customer Care
• Role in incident-response planning
o Be aware of social engineering at call centres as criminals may call to probe and test how security procedures
are applied and how often they are enforced
o Recognise unusual employee or caller behaviours, or notice trends in certain types of calls
o Equip and prepare call centre staff, should they be enlisted for response support
• Role during a data breach
o Handle breach-related call traffic, as customer care reps are trained to remain calm when confronted and to
defuse potentially volatile encounters before they escalate
Q69)
Which of the following breach notification statements is a recommended action to take if there are no legal
requirements?
1. Organisations should consider whether notification will assist in preventing or limiting harm - or whether it
could simply result in unnecessary distress
2. Organisation should always notify affected customers as best practice even if not required by law
3. Organisation should consider notifying regulators as best practice even if not required by law
4. If there is no need for a breach notification, then reporting to law enforcement authorities is required
Your answer is 1
Explanation
ANSWER [Organisations should consider whether notification will assist in preventing or limiting harm - or
whether it could simply result in unnecessary distress]
If there are no legal requirements for breach notification, organisations should consider whether notification will
assist in preventing or limiting harm, or whether it could simply result in unnecessary distress.
Q70)
According to a Ponemon Institute study, while a large majority of respondents were unable to determine the root
cause of their breach, which root cause was cited most often by those who could?
1. Negligent insider
2. Outsourcing data to third party
3. Systems glitch
4. Failure to shred confidential documents
Your answer is 1
Explanation
ANSWER [Negligent insider]
• How breaches occur (Ponemon Institute study of 584 IT professionals):
o 44% unable to determine root cause of breach
o Remaining respondents cited the following root causes of breach:
• Negligent insider – 34%
• Outsourcing data to third party – 19%
• Malicious insider – 16%
• Systems glitch – 11%
• Cyber attack – 7%
• Failure to shred confidential documents – 6%
Q71)
The EU General Data Protection Regulation will replace the Data Protection Directive 95/46/EC and introduces
the following key changes: 1) increased fines of up to 5% of global turnover / 100 million euros; 2) data breaches
reported without delay; 3) data protection officers appointed where more than 5,000 records are processed; 4) Data
Protection Impact Assessments (Article 33) conducted annually in consultation with the DPA/supervisory authority;
5) Privacy by Design and by Default, which requires that data protection is designed into the development of business
processes for products and services; etc. What is the approach the new regulation takes to addressing issues of
data protection?
1. Openness
2. Proactive and preventative
3. Data Quality
4. Collection limitation
Your answer is 2
Explanation
ANSWER [Proactive and preventative]. The GDPR requires privacy by design and by default.
Proactive, not Reactive; Preventative, not Remedial. Anticipate and prevent privacy-invasive events before
they happen, rather than waiting for privacy risks to materialize.
Privacy as the Default Setting. No action is required by individuals to maintain their privacy; it is built into the
system by default.
This concept has been introduced in the European Commission’s draft regulation to reform data protection.
Privacy Embedded into Design. Privacy is an essential component of the core functionality being designed and
delivered.
The FTC has adopted this principle in its proposed consumer privacy framework, calling for companies to
promote consumer privacy throughout the organization and at every stage of product development.
Full Functionality—Positive-Sum, not Zero-Sum. Seeks to accommodate all legitimate interests and
objectives, rather than making unnecessary trade-offs.
End-to-End Security—Full Life Cycle Protection. Strong security measures are essential to privacy, from start
to finish of the life cycle of data.
Visibility and Transparency. Component parts and operations remain visible and transparent, to users and
providers. Essential to establishing accountability and trust.
Respect for User Privacy. Keeping the interests of the individual uppermost by offering such measures as
strong privacy defaults, appropriate notice, and empowering user-friendly options.
Openness, data quality and collection limitation are principles under the OECD Guidelines.
Q72)
Scenario 1. You have been headhunted into ABC Ltd to head the privacy program. The company has no
privacy program in place. You are the Data Protection Officer brought into ABC Ltd to build a privacy
program. Management now supports the program. You have worked hard to get them to set up a privacy
committee. The staff are trained and the privacy framework has been communicated to all staff. Based on
Scenario 1, at which phase of the operational life cycle are you?
1. Assess
2. Protect
3. Sustain
4. Respond
Your answer is 1
Explanation
ANSWER [Sustain]. The sustain phase involves monitoring, auditing and communicating an organization's privacy
program. Since controls are implemented and operational, the privacy program is monitored. First-party and
second-party audits have taken place to evaluate the effectiveness of the program and improvements have been made.
Training and communication to the staff have taken place.
Q73)
Scenario 1. You have been headhunted into ABC Ltd to head the privacy program. The company has no
privacy program in place. You are the Data Protection Officer brought into ABC Ltd to build a privacy
program. Management now supports the program. You have worked hard to get them to set up a privacy
committee. The staff are trained and the privacy framework has been communicated to all staff. Based on
Scenario 1, which phase of the operational life cycle do you look at next?
1. Assess
2. Protect
3. Sustain
4. Respond
Your answer is 3
Explanation
ANSWER [Respond]. When the sustain phase of the privacy operational life cycle is reached, the next phase to
look at is respond. It includes the respond principles of information requests, legal compliance,
incident-response planning and incident handling.
The “respond” phase of the privacy operational life cycle aims to reduce organizational risk and bolster
compliance to regulations. An organization needs to be prepared to respond to its internal and external
stakeholders—including regulators.
Q74)
The sales director has implemented a new BYOD policy for the sales team. Unfortunately no Privacy Impact
assessments were done. As the DPO, what should you do?
1. Develop a business case
2. Meet the sales director to understand his objectives
3. Conduct a gap analysis
4. Review the current program
Your answer is 3
Explanation
ANSWER [Meet the sales director to understand his objectives].
1.2.1 Stakeholders and Internal Partnerships
• The first step is to conduct informal one-on-one conversations with executives who have accountability for
information management and/or security, risk, compliance or legal decisions
• Internal partners, such as HR, legal, security, marketing, risk management and IT, should also be included
• Out of these communications, identify which executive can serve as program sponsor or champion for the privacy
program
o Someone who understands the importance of privacy and will act as an advocate
o Has experience with the organisation, the respect of colleagues, and access to or ownership of budget
• Best practices for developing internal partnerships:
o Become aware of how others treat and view personal information
o Understand the use of data in a business context
o Assist with building privacy requirements into their ongoing projects to help reduce risk
o Offer to help staff meet their objectives while offering solutions to reduce the risk of personal information
exposure
o Invite staff to be a part of the privacy advocate group to further privacy best practices
Q75)
As the company is involved in making consumer products, it needs to adhere to FTC principles. The FTC
holds the dual mission of protecting consumers and promoting competition. Which privacy principle does
the FTC follow with regard to consumers' privacy?
1. Minimalism
2. Privacy embedded into design
3. Authenticity and accuracy of records
4. Retrievability
Your answer is 2
Explanation
ANSWER [Privacy embedded into design]. Privacy Embedded into Design. Privacy is an essential component
of the core functionality being designed and delivered. The FTC has adopted this principle in its proposed
consumer privacy framework, calling for companies to promote consumer privacy throughout the organization
and at every stage of product development. The other answers are part of the Data Life Cycle principles.
Q76)
As the appointed DPO, how do you build awareness with customers regarding your privacy?
1. Provide training
2. communicate the changes
3. Branding campaigns of your commitment to security
4. Privacy policy
Your answer is 1
Explanation
ANSWER [Branding campaigns of your commitment to security]. Externally: external awareness is directed
toward building consumer confidence in your brand by creating awareness of your corporation’s commitment
to security (or to fulfil a legal requirement), and through your privacy notice. Internally: build an awareness
program through inter-departmental cooperation to work toward privacy protection, reviewing the various
awareness programs already in place throughout the organization, by 1) communicating changes and
2) providing training.
Q85)
Privacy metrics are used in the analysis and reporting of which of the following areas?
1. Privacy program maturity level
2. Business resiliency metrics
3. Resource utilization
4. All of the answers
Your answer is 1
Explanation
ANSWER [All of the answers]. Metrics must be described in and used with clear language and easy-to-understand
terms; otherwise they may not represent similar value throughout an organization. For example, generic privacy
metrics should be developed to enable analyses of the following processes:
• Collection (notice)
• Responses to data subject inquiries
• Use
• Retention
• Disclosure to third parties
• Incidents (breaches, complaints, inquiries)
• Employee training
• Privacy Impact Assessments (PIAs)
• Privacy risk indicators
• Percent of organization functions represented by governance mechanisms
Use of that data for analysis and reporting includes:
• Trending
• Privacy program return on investment (ROI)
• Business resiliency metrics
• Privacy program maturity level
• Resource utilization
The selection of the proper metrics is difficult, and special consideration must be used during the process for
selection, use and updates. More metrics do not necessarily translate into more value. The old adage “You can never
have enough” is incorrect regarding the use of metrics: data collection, storage and analysis are expensive business
functions and are thus more costly when collecting unnecessary data or an extreme number of metrics that provide
no value.