
CIPM 2

Q1)
What is NOT included in privacy vision and mission statements?
1. The value the organization places on privacy.
2. Desired sales and marketing objectives.
3. Strategies to drive the tactics used to achieve the intended outcomes
4. Clarification of roles and responsibilities

Q2)

Who should be involved in drafting the mission and vision statement?


1. Stakeholders involved in ensuring information security
2. The management team
3. CEO and CIO
4. Finance and HR departments

Q3)

What is the first step in establishing a privacy program?


1. Developing a privacy strategy
2. Defining the program's scope and charter
3. Structuring a privacy team
4. Mapping a data inventory

Q4)

Which one is NOT a consideration in developing a privacy strategy?


1. Develop a data-governance strategy for personal information
2. Identify stakeholders and internal partnerships
3. Create a Privacy Mission Statement
4. Leverage key functions
Your answer is 4
Explanation
ANSWER [Create a Privacy Mission Statement].

Q5)

What is meant by "framework" in the context of privacy program management?


1. It describes best practices of the industry
2. It is an implementation roadmap that provides the structure or checklists
3. It is a structure for supporting compliance with regulations
4. It is a structure to perform gap analysis
Your answer is 3
Explanation
ANSWER [It is an implementation roadmap that provides the structure or checklists].
• Privacy program framework – an implementation roadmap that provides the structure or checklists (documented privacy
procedures and processes) to guide the privacy professional through privacy management and prompts them
for the details needed to determine all privacy-relevant decisions for the organisation.

Q6)

Which of the following is NOT one of the areas an organization must address in establishing a privacy program?


1. Cultures and Language
2. Laws
3. Customers' feedback
4. Business Methods
Your answer is 3
Explanation
ANSWER [Customers' feedback]. It is important to remember that the creation of a privacy program presents
challenges around the globe. Regardless of geographic location, an organization must comply with laws,
cultures, languages and business methods relevant to its objectives and the objectives of its stakeholders.

Q7)

In defining program scope and charter, what must you pay attention to?
1. Monitoring of regulatory activities and multiple jurisdictions
2. Writing a vision statement
3. Your business flow
4. Stakeholder training
Your answer is 2
Explanation
ANSWER [Monitoring of regulatory activities and multiple jurisdictions]. Companies that span the globe will
need to develop a global privacy strategy relevant to markets, cultures and geographical locations. Generally
speaking, the privacy organization must understand the global perspective in order to meet legal, cultural and
personal expectations, customize privacy approaches from both global and local perspectives, be aware of
privacy challenges that include translations of laws and regulations, enforcement activities and processes, and
monitor all legal compliance factors for both local and global markets.
For example: Your organization may provide health services and be subject to regulations governing the
handling of personal health information. You may also handle financial transactions and therefore be subject to
financial reporting regulations. This example showcases the need for active monitoring of regulatory activities
in multiple jurisdictions.

Q8)

Which of the following is NOT something management can do to ensure the organization succeeds in
establishing a successful privacy program?
1. Support Initiatives
2. Approve funding for resources and technologies
3. Hold employees accountable
4. Secure business contact data and respect customer choices
Your answer is 1
Explanation
ANSWER [Secure business contact data and respect customer choices]. A successful privacy program
requires that management approve funding to resource and equip your privacy team, fund important privacy
enhancing resources and technologies by ensuring privacy requirements are part of every project during budget
discussions, support privacy initiatives such as training and awareness by actively participating in these
initiatives, and hold employees accountable for following privacy policies including notifying direct reports of
the results of enforcement actions.

Q9)

The following statements about technical controls as part of the data governance strategy are correct except
which statement?
1. All security controls can be applied across legislations as they have the same categories and solutions
2. Most legislations do not enumerate the types of specific controls that must be implemented
3. Technical controls deployed in one jurisdiction may typically satisfy another jurisdiction
4. When implementing technical controls, be aware of local requirements and prohibitions
Your answer is 2
Explanation
ANSWER: [All security controls can be applied across legislations as they have the same categories and
solutions].
Not true. They are similar but NOT the same across legislations. Technical security controls are part of the data
governance strategy:
o Most legislations do not enumerate the types of specific controls that must be implemented
o Most security controls have similar categories and solutions – those deployed in one jurisdiction may
typically satisfy another jurisdiction
However, be aware of local requirements and/or local prohibitions:
• China does not permit the use of encryption
• Most EU countries limit the use of DLP technology because they interpret it to be employee monitoring

Q10)

Which is an example of a rationalised approach to a data governance strategy from a geographical perspective?
1. Allow each individual function and region to implement its own solutions
2. Implementing a solution that materially addresses the various requirements of the majority of laws and
regulations
3. Implementing solutions at the HQ level, with each region adopting them based on its own laws and
regulations
4. Use the country with the strictest laws and regulations as a guideline for the rest to follow
Your answer is 2
Explanation
ANSWER [Implementing a solution that materially addresses the various requirements of the majority of laws
and regulations].
“Rationalising” the various privacy legal requirements means:
1) implementing a solution that materially addresses the various requirements of the majority of laws and
regulations, e.g. notice, choice, consent, purpose limitation, data retention limitation, individual rights to
access, correction and deletion of data, obligation to safeguard data
2) addressing those requirements that fall outside the common solution to see whether there is risk in leaving
them out, or whether the effort to include them is trivial
3) using customisation (if necessary) to meet local requirements for granting individuals access to their
personal data and the timeframes for providing the data to them

Q11)

What is the hybrid model in data governance?


1. Centralised team issues policies & directives to the rest of the organisation; local entities fulfil/support policies
through their own privacy manager
2. One team or person (Chief Privacy Officer/office) responsible for all privacy affairs
3. Decision-making authority is delegated down to the lowest levels in the organisation
4. All of the above
Your answer is 1
Explanation
ANSWER [Centralised team issues policies & directives to the rest of the organisation; local entities fulfil/support
policies through their own privacy manager].
Definition of the Hybrid Model
o When a large organisation assigns a main individual (or organisation) responsibility for privacy-related
affairs and for issuing policies and directives to the rest of the organisation
o Local entities fulfil and support the policies and directives from the central governing body
o In large multinationals, each region may have a privacy manager who reports to local management and/or the
chief privacy officer at the global level

Q12)

What is the first step in developing a privacy program framework?


1. Develop a business case
2. Perform a gap analysis
3. Review and monitor
4. Communicate the framework
Your answer is 1
Explanation
ANSWER [Develop a business case]. First, we must develop a business case. The business case is the starting
point for assessing the needs of the privacy organization. It defines the individual program needs and the ways
to meet specific business goals. This allows for the understanding of the role of privacy in the context of
business requirements and identification of business benefits and risks. This should be completed at a high
level and can be done when establishing a new privacy program or when evaluating a privacy program that is
currently in place. Following the development of the business case, a gap analysis is performed. We will
review the gap analysis in more detail in unit 2A. The third step in developing the privacy program framework
is reviewing and monitoring the program. This step will be covered in Unit 2C, as will the final step,
communicate the framework.

Q13)

Which one of the following is an example found in a data inventory analysis?


1. All of the answers
2. International transfers
3. The nature of a repository of privacy-related information
4. Owner of the repository
Your answer is 2
Explanation
ANSWER [All of the answers]. The elements involved in a data inventory are:
o The nature of a repository of privacy-related information
o Owner of the repository
o Location of the repository
o Volume of information in the repository
o Format of the information
o Use of the information
o Types of privacy-related information in the repository
o Where the data is stored
o Where the data is accessed
o International transfers

Q14)

Which of the following best describes CobiT?


1. It is a privacy programming language
2. It provides a reference model for aligning business needs under one “umbrella” of control
3. It is a tool used in information security
4. It is an example of privacy enhancing technologies (PET)
Your answer is 2
Explanation
ANSWER [It provides a reference model for aligning business needs under one “umbrella” of control].
It is used in privacy and audit management.
• Control Objectives for Information and Related Technology (CobiT) provides a reference model for aligning
business needs under one “umbrella” of control.
• It is a standardized audit framework, a reference model for good controls that allows business needs to be
aligned under one umbrella.

Q15)

What is the next step after developing a business case for a privacy program framework?
1. Develop a business case
2. Perform a gap analysis
3. Do an inventory analysis
4. Communicate the framework
Your answer is 2
Explanation
ANSWER [Perform a gap analysis]. First, we must develop a business case. The business case is the starting
point for assessing the needs of the privacy organization. It defines the individual program needs and the ways
to meet specific business goals. This allows for the understanding of the role of privacy in the context of
business requirements and identification of business benefits and risks. This should be completed at a high
level and can be done when establishing a new privacy program or when evaluating a privacy program that is
currently in place. Following the development of the business case, a gap analysis is performed. We will
review the gap analysis in more detail in unit 2A. The third step in developing the privacy program framework
is reviewing and monitoring the program. This step will be covered in Unit 2C, as will the final step,
communicate the framework.

Q16)

What is meant by "establish the baseline" when defining privacy for the organisation?
1. Define the privacy mission statement
2. Gather information on the organisation’s current compliance policies related to privacy, regulations,
standards and security
3. Perform a gap analysis
4. Create a privacy framework
Your answer is 3
Explanation
ANSWER. Establishing the current baseline means gathering information on the organisation’s current compliance
policies related to privacy, regulations, standards and security, which include:
o Collection limitation
o Data quality
o Purpose specification
o Use limitation
o Security safeguards
o Openness
o Individual participation
o Accountability
This is done after you define the term privacy/personal data/personal information for the organisation and use that
privacy definition as the starting point.

Q17)

All of the following are technical and physical controls that ISO 27002 addresses in a security policy except:
1. Personnel security
2. Asset classification and control
3. Implementation of an information security system
4. System development and maintenance
Your answer is 2
Explanation
ANSWER: [Implementation of an information security system]. Implementation of an information security
system is included in ISO 27001. ISO 27002 is aligned to security policies that address both technical and
physical controls:
o Security organisation
o Asset classification and control
o Personnel security
o Physical and environmental security
o Communications and operations management
o Access control
o System development and maintenance
o Business continuity management
o Compliance

Q18)

Which of the following is NOT true of the privacy life cycle?


1. It includes assess, protect, sustain and respond
2. It is a continuous model
3. There is no definite entry or exit point
4. Cost must be taken into consideration
Your answer is 4
Explanation
ANSWER [Cost must be taken into consideration]. Now that we have reviewed the concept of privacy
program governance models we can move to the understanding of the privacy operational life cycle. As
indicated by the circular diagram, the privacy operational life cycle is not a one-time effort. Instead, it focuses
on continuous improvement prompting privacy professionals to assess, protect, sustain, and respond to data
privacy and the many management aspects necessary to protect that data. As with all life cycle models, there is
no particular entry point or exit point but instead a continuous cycle of improvement events related to the
privacy program operational management.

Q19)

Which of the following is NOT a key point of the privacy life cycle?


1. It includes assess, protect, sustain and respond
2. It is a continuous model
3. There is no definite entry or exit point
4. Cost must be taken into consideration
Your answer is 2
Explanation
ANSWER [Cost must be taken into consideration]. As indicated by the circular diagram, the privacy
operational life cycle is not a one-time effort. Instead, it focuses on continuous improvement prompting
privacy professionals to assess, protect, sustain, and respond to data privacy and the many management aspects
necessary to protect that data. As with all life cycle models, there is no particular entry point or exit point but
instead a continuous cycle of improvement events related to the privacy program operational management.

Q20)

What is the correct process of the metric life cycle?


1. Select privacy metric, identify intended audience, collect data, analyse data & provide feedback
2. Identify intended audience, select privacy metric, collect data, analyse data & provide feedback
3. Collect data, select privacy metric, identify intended audience, analyse data & provide feedback
4. Identify intended audience, collect data, select privacy metric, analyse data & provide feedback
You did not answer this question.
Explanation
ANSWER [Identify intended audience, select privacy metric, collect data, analyse data & provide feedback].
What is the metric life cycle?
o Identification of the intended audience – who will use the data?
o Definition of data sources – who is the data owner and how is that data accessed?
o Selection of privacy metrics – what metrics to use based on the audience, reporting resources and final
selection of the best metric?
o Collection and refinement of systems/application collection points – where will the data come from to
finalise the metric collection report? When will the data be collected? Why is that data important?
o Analyse the data/metrics to provide value to the organisation and provide a feedback quality mechanism

Q21)

HIPAA security officials would be considered what kind of intended audience for metrics?
1. Secondary Audience
2. Primary Audience
3. Tertiary Audience
4. Stakeholders
Your answer is 2
Explanation
ANSWER [Secondary Audience]. HIPAA security officials would be classified as a secondary audience.
The Intended Audience for Metrics
• Primary audience
o Legal and privacy officers
o Senior leadership, chief information officer (CIO)
o Chief security officer (CSO)
o Program manager (PM)
o Information system owner (ISO)
o Information security officer (ISO)
o Other considered users and managers
• Secondary audience
o Chief financial officer (CFO)
o Training organisations
o Human resources (HR)
o Inspectors-general (IG)
o HIPAA security officials
• Tertiary audience
o External watchdog groups
o Sponsors
o Stockholders

Q22)

Who should be involved in selection and management of any metric?


1. Privacy professional
2. Functional managers
3. Senior management
4. Stakeholders at all levels
Your answer is 3
Explanation
ANSWER [Stakeholders at all levels]. Stakeholders at all levels should be involved in the selection and management of any metric to
ensure buy-in and a sense of ownership; otherwise metrics may be seen as negative, costly and adding no value.

Q23)
The following are examples of privacy metrics except:
1. Training
2. Recovered data
3. Incident recovery time
4. Compliance to privacy guidelines
Your answer is 2
Explanation
ANSWER [Compliance to privacy guidelines].
This is not a metric. Examples of metrics are:
o Recovered data – quality of restored/recovered/reconstituted data
o Data lost percent – percentage of data irrevocably lost
o Data lost records – number of records lost
o Training – percentage of information system security and privacy personnel that have received training
o Average incident time – average length of time between cyber and privacy incidents
o Incident recovery time – average length of time to recover from incidents
o Systems compliance – percentage of systems in compliance with organisationally mandated configuration
guidance
o Number of privacy incidents – percentage of privacy incidents reported within required timeframe per
applicable incident category
o Average time between incidents – average length of time between cyber and privacy incidents
o Average time to recover – average length of time for the organisation to recover from damage caused by a
privacy incident
o Percent plans exist – percentage of critical incident types for which pre-planned responses exist
o Time mission impacted – length of time a mission is negatively affected after an attack

Q24)

All of the following statements relate to business resilience except:


1. It is the ability to rapidly adapt and respond to business disruptions
2. It involves metrics associated with data privacy, system outages and other factors as defined by the
business case and organisational objectives
3. It is the ability to maintain continuous business operations despite a disaster
4. It involves the continuous improvement towards optimisation of the given process
Your answer is 1
Explanation
ANSWER [It involves the continuous improvement towards optimisation of the given process]. This defines
the "Optimised" level in the privacy maturity model.
o Business resilience is the ability to rapidly adapt and respond to business disruptions and maintain
continuous business operations, be a more trusted partner, and enable growth (IBM)
o Measured through metrics associated with data privacy, system outages and other factors as defined by the
business case and organisational objectives

Q25)

Trends viewed in an upward or downward tendency when looking for data patterns are called:
1. Cyclical component
2. Time series
3. Irregular component or noise
4. All of the answers
Your answer is 2
Explanation
ANSWER [Time series]. Looking for data patterns involves:
o Time series – trends are viewed in an upward or downward tendency, e.g. number of privacy breaches over
time
o Cyclical component – weekly, monthly or yearly data describing any regular fluctuations, e.g. number of
privacy breaches in the month after you roll out your new data protection training, and then every three months
to see if the number steadily increases as distance from training increases
o Irregular component or noise – what is left over when the other components have been accounted for

Q26)

What is the formula for the privacy program return on investment (ROI)?
1. (Risks – Costs) / Costs
2. (Benefits – Costs) / Costs
3. Threat x Vulnerability x Expected loss
4. Threat x Expected Loss / Costs
Your answer is 2
Explanation
ANSWER [(Benefits – Costs) / Costs].
ROI = (Benefits – Costs) / Costs
o Privacy ROI defines metrics to measure the effectiveness of investments to protect:
• Physical assets
• Personnel assets
• IT assets
• Operational management assets

Q27)

Which of the following is the correct definition of the acronym SMART in privacy program management?
1. Specific/Simple, Manageable, Actionable, Results-Oriented, Timely
2. Specific/Simple, Measurable, Actionable, Results-Oriented, Timely
3. Specific/Simple, Manageable, Achievable, Results-Oriented, Timely
4. Specific/Simple, Measurable, Achievable, Realistic, Timely
Your answer is 2
Explanation
ANSWER [Specific/Simple, Manageable, Actionable, Results-Oriented, Timely]

Q28)

Which of the following statements about the privacy operational life cycle is correct?


1. Assess is to Evaluate
2. Respond means to improve
3. Protect is to improve
4. Sustain means to support
Your answer is 3
Explanation
ANSWER: [Protect is to improve].
Measure (Assess)
Improve (Protect)
Evaluate (Sustain)
Support (Respond)

Q29)

The following statements are descriptive of the privacy maturity model except which statement?
1. It provides a standardised reference for companies to assess the level of maturity of their privacy
programs
2. It provides methods by which organisations can measure progress against established benchmarks and
measurements
3. It provides the means to report the overall status for the ROI to the organisation as well as benchmarks to
determine next steps to achieve a higher level of maturity
4. It provides a process to assess the maturity of the privacy professional and the level of competence
Your answer is 4
Explanation
ANSWER [It provides a process to assess the maturity of the privacy professional and the level of
competence].
• Maturity models are recognised methods by which organisations can measure progress against established
benchmarks and measurements
• A maturity model provides a standardised reference for companies to assess the level of maturity of their
privacy programs
o Becoming compliant is a journey, and progress along the way strengthens the organisation,
whether or not the organisation has achieved all the requirements
o In certain cases, such as security-focused maturity models, not every organisation or every
security application needs to be at the maximum for the organisation to achieve an acceptable
level of security
o Creation of values or benefits may be possible if they achieve a higher maturity level
• Assessing the maturity of the privacy program provides the means to report the overall status for the ROI to
the organisation as well as benchmarks to determine next steps to achieve a higher level of maturity
• An initial assessment can identify strengths and reveal weaknesses and gaps in your program, e.g.
o Deficiencies in technical controls
o Lack of training for employees
o Privacy requirements have not been fully integrated throughout all areas of the organisation
• When a baseline assessment has been established your organisation can then decide at which level of
maturity it ultimately wants or needs to operate

Q30)

Which is NOT descriptive of the Ad hoc privacy maturity level?


1. Incomplete
2. Informal
3. Inconsistently applied
4. Reliable to some extent
Your answer is 2
Explanation
ANSWER [Reliable to some extent]. At the ad hoc level, procedures and processes are generally informal,
incomplete and inconsistently applied.

Q31)

What is not descriptive of the Repeatable Model?


1. Processes not fully documented
2. Procedures are present
3. Procedures do not cover all relevant aspects
4. The model can be repeated
Your answer is 4
Explanation
ANSWER [The model can be repeated]. At the repeatable level, procedures or processes exist; however, they
are not fully documented and do not cover all relevant aspects.

Q32)

What is descriptive of the defined model?


1. Processes are informal
2. Procedures inconsistently applied
3. Procedures and processes are fully documented and cover all relevant aspects
4. Procedures are fully documented but applied to only some aspects
Your answer is 1
Explanation
ANSWER [Procedures and processes are fully documented and cover all relevant aspects]. As we move to the
defined level, procedures and processes are fully documented and implemented and cover all relevant aspects.

Q33)

What is descriptive of the managed model?


1. Reviews are conducted to assess the effectiveness of controls in place
2. Procedures inconsistently applied
3. Processes are informal
4. Procedures and processes are fully documented and cover all relevant aspects
Your answer is 2
Explanation
ANSWER [Reviews are conducted to assess the effectiveness of controls in place]. The managed level indicates
that reviews are conducted to assess the effectiveness of the controls in place.

Q34)

What is NOT descriptive of the Optimized model?


1. Continuous improvement is sought toward optimization of process
2. Regular feedback and review conducted
3. Procedures and processes are fully documented and cover all relevant aspects
4. There is one champion for the privacy model
Your answer is 3
Explanation
ANSWER [There is one champion for the privacy model]. At the optimized level, regular review and feedback
are used to ensure continuous improvement towards optimization of the given process.

Q35)

What is the step after forming an oversight committee in the AICPA/CICA Privacy Maturity Model?
1. Assemble a team to assess maturity model.
2. Identify a sponsor
3. Identify desired maturity level for benchmarking
4. Meet and assess status
Your answer is 3
Explanation
ANSWER [Assemble a team to assess maturity model]. The AICPA/CICA Privacy Maturity Model provides a
structure to assist and identify where to start and what to document, along with key start-up activities that
include:
• Identifying a project sponsor
• Forming an oversight committee
• Assembling a team to perform the initial assessment of the maturity level
• Providing status reports and the opportunity to meet and assess overall progress
• Providing a means to ensure that identifiable risk and compliance issues are escalated
• Ensuring the project sponsor and senior management are aware of all findings
• Identifying the desired maturity level for benchmarking purposes
• Assessing the maturity of the program provides the means to report the overall status
for the program to the organization, as well as benchmarks to determine next steps to
achieve a higher level of maturity

Q36)

The following are foundational principles relating to privacy by design except:


1. Privacy as the Default Setting & Embedded into Design
2. Proactive, not Reactive that respects User Privacy
3. Full Functionality with End to End Security
4. Provides Technical and Physical Controls
Your answer is 3
Explanation
ANSWER [Provides Technical and Physical Controls].
What does Privacy by Design Encompass?
P – Proactive not reactive
D – Privacy by Default – no need to do anything
E – Embedded – in core functionality
F – Full functionality – no unnecessary trade-offs
E – End to End Security – full life cycle protection
VT – Visibility / Transparency –
R – Respect for privacy – appropriate notices, user friendly options

Q37)

Which is not descriptive or examples of the Privacy by Design Concept?


1. It dictates that privacy and data protection are embedded throughout the entire lifecycle of technologies,
from the early design stage to their deployment, use and ultimate disposal
2. It refers to the philosophy and approach of embedding privacy into the design of technology, business
practices and physical design
3. The Federal Trade Commission and IBM are examples of companies which have implemented privacy by
design principles
4. It determines the degree to which systems, operations, processes and people comply with privacy policies
and practices
Your answer is 4
Explanation
ANSWER [It determines the degree to which systems, operations, processes and people comply with privacy
policies and practices].
The wrong answer refers to the purpose of a privacy audit.
Privacy by Design (PbD)
• PbD refers to the philosophy and approach of embedding privacy into the design of
technology, business practices and physical design
• PbD framework dictates that privacy and data protection are embedded throughout the entire
lifecycle of technologies, from the early design stage to their deployment, use and ultimate
disposal
o Areas where the FTC is active in promoting privacy by design:
• Do not track
• Mobile
• Data brokers
• Large platform providers
• Promoting enforceable self-regulatory codes
o IBM Corporation – developed a web-based Privacy Self-Assessment Tool that may be applied to any process
or IT application within the organisation

Q38)

What is NOT part of what is done to mitigate risks of third party vendors and data processors?
1. Review contract language
2. Vet and monitor vendors
3. Use questionnaires, assessments and checklists to review vendors
4. Talk to vendors and conduct an audit of their business practices
Your answer is 1
Explanation
ANSWER [Talk to vendors and conduct an audit of their business practices]. Organizations should carefully
vet vendors prior to selection and continue to monitor and audit them through the life of the contract to ensure
proper practices. Contract language should be written to call out privacy protections and regulatory
requirements within the statement of work and mapped to service agreements. Privacy/security questionnaires,
privacy impact assessments and other checklists can be used to assess the vendor risk and should include
consideration for the vendor’s privacy and information security policies and access controls, where the
personal information will be held along with who has access to it.

Q39)

What are MNCs required to pay attention to in the area of their employees' privacy?
1. They are required to meet local regulations and privacy expectations of their employees in all countries in
which they operate
2. They need only meet the regulations of their holding company
3. They are required to meet local customs and laws of the countries they sell their products or services
4. They are required to follow their privacy policies and practices
Your answer is 2
Explanation
ANSWER [They are required to meet local regulations and privacy expectations of their employees in all
countries in which they operate]. Multinational organizations are required to meet local regulations and the
privacy expectations of their employees in all countries in which they operate. Specifically, cross border data
transfers should be monitored to regulate the export of personal data to ensure regulatory compliance and data
privacy.

Q40)

Which of the following is NOT an employee privacy consideration for the HR department?


1. Compliance with workplace safety
2. Investigating fraud and criminal activities
3. Handling and protection of trade secrets
4. Ensuring proper resolution of employee conflicts
Your answer is 3
Explanation
ANSWER [Ensuring proper resolution of employees conflicts]. Employee privacy considerations are also top
of mind for the human resource function and can include; investigations of fraud and criminal activities;
handling of organization trade secrets for the protection of that information; prevention of discrimination,
sexual harassment and other human rights concerns; compliance with workplace safety; and system integrity
with compliance of security and privacy practices.

Q41)

What is NOT a potential problem when technical risks and controls are not well understood?
1. Failure to achieve consensus
2. Lack of unified response
3. Insufficient plans for communicating
4. Disagreement on who does the risk assessment
Your answer is 1
Explanation
ANSWER [Disagreement on who does the risk assessment]. Business continuity and disaster recovery
planning is sometimes pursued by the IT group and can be considered a high-cost insurance policy that is
never used; thus privacy professionals should understand the key role played by this crucial function and how
it impacts the organization. What problems may arise when technical risks and controls are not well
understood? Lack of unified incident response across the organization, failure to achieve consensus on
standardized recovery processes, incomplete or nonexistent risk assessments, assumptions and objectives,
insufficient communication plans to coordinate recovery/continuity efforts and inability to recover are all
potential issues when technical risks and controls are not well understood.

Q42)

What is not a key area Internal Audit is responsible for?


1. Focus on value-add activities beyond financial controls
2. Ensure an independent perspective
3. Use of enterprise risk management (ERM) processes
4. Identification of risk factors after they have happened
Your answer is 2
Explanation
ANSWER [Identification of risk factors after they have happened]. This group is responsible for many
positive contributions including:
• The focus on value-add activities beyond financial controls.
• The use of enterprise risk management (ERM) processes making risk a priority.
• The hiring of auditors and risk managers with different skill sets (e.g. HR, IT, IA).
• The proactive identification of risk factors before they become incidents.
• The ensuring of an independent perspective using audit committees and third parties on the governance, risk
management, and control processes, and
• The identification and use of best practices for recommendations to improve controls, performance, and
reporting throughout the entire organization

Q43)

Which of the following statements about the Data Life-cycle Management is incorrect?
1. It provides a holistic approach to the processes, roles, controls and measures necessary to organise and
maintain the data
2. It is a policy-based approach to manage flow of information through a life-cycle from creation to
disposal
3. It is considered a mitigation that is aimed at lowering the risk of data breaches by reducing the volume and
type of data stored
4. It is mainly about understanding how data is collected, used, stored, and disclosed pertaining to an
organisation's business activities
Your answer is 2
Explanation
ANSWER [It is mainly about understanding how data is collected, used, stored, and disclosed pertaining to an
organisation's business activities]. It is much more than an inventory analysis.
The following defines DLM.
• Data life cycle management is a policy-based approach to manage flow of information through a life-cycle
from creation to disposal
• DLM provides a holistic approach to the processes, roles, controls and measures necessary to organise and
maintain the data
• DLM can also be considered a mitigation that is aimed at lowering the risk of data breaches by reducing the
volume and type of data stored

Q44)

"Minimalism" is one of the principles found in which privacy model or process?


1. Privacy Maturity Model
2. Data Life Cycle Management
3. Privacy By Design
4. Privacy Impact Assessment
Your answer is 4
Explanation
ANSWER [Data Life Cycle Management]

Q45)

What are the objectives of information security?


1. Confidentiality, Integrity & Authorisation
2. Confidentiality, Integrity & Availability
3. Confidentiality, Integrity & Access
4. Availability, Accountability, Assurance
Your answer is 2
Explanation
ANSWER [Confidentiality, Integrity & Availability]
What are the objectives of information security?
It includes the following: Confidentiality, Integrity & Availability of data as it is stored, transmitted or used,
plus Accountability & Assurance (that all four objectives are achieved).

Q46)

Once the risk management framework is determined, information security provides management, technical and
operational controls to achieve which of the following?
1. Provide a means as to who collects, uses and discloses personal data
2. Reduce probable damage, loss, modification or unauthorised data access
3. Enable a way to assess, protect, sustain and respond
4. Perform gap analysis and privacy audit management
Your answer is 2
Explanation
ANSWER [Reduce probable damage, loss, modification or unauthorised data access].
Once the risk management framework is determined, information security provides management, technical and
operational controls to reduce probable damage, loss, modification or unauthorised data access.

Q47)

The following statements are true about digital forensics except which statement?
1. It is used as a means to reconstruct events related to security incidents
2. The investigative process has four phases - Prepare, Acquire, Analyze, & Report
3. It requires a digital knowledge base for it to be effective
4. It is a tool for proactive privacy management
Your answer is 1
Explanation
ANSWER [It is a tool for proactive privacy management]. Not true. It is more of a reactive tool when a
privacy incident or data breach occurs.
Digital Forensics includes the following:
• Knowledge and understanding of digital investigation and analysis techniques used for acquiring, validating
and analysing electronic data to reconstruct events related to security incidents
• Requires building a digital knowledge base
• Investigative process has four phases:
o Prepare
o Acquire
o Analyse
o Report

Q48)

What is a Privacy Threshold Assessment?


1. It is a tool to determine if a PIA should be conducted
2. It determines the threshold of a privacy breach
3. It is an assessment tool to determine information security
4. It assesses the organisation's ability to respond to risks and threats
Your answer is 1
Explanation
ANSWER [It is a tool to determine if a PIA should be conducted].
It is a tool used to determine whether a privacy impact assessment (PIA) should be conducted as a proactive
approach to privacy assessment.

Q49)

What is the difference between a Privacy Audit vs a Privacy Impact Assessment (PIA)?
1. A privacy audit looks at whether policies are being followed while PIA looks at privacy risks within a
business activity
2. A PIA must be conducted first followed by a privacy audit
3. A privacy audit looks at privacy risks within a business activity while PIA looks at whether policies are
being followed
4. Both terms can be used interchangeably
Your answer is 1
Explanation
ANSWER [A privacy audit looks at whether policies are being followed while PIA looks at privacy risks
within a business activity].
Privacy Impact Assessment
• Methodology or process for assessing the privacy-related risks associated with business activities that involve
processing of personal data, e.g.
o Projects
o Initiatives
o Systems
o Business processes
o Services
o Products
• As a form of risk assessment, the PIA assesses existing controls and also suggests or provides remedial actions or
mitigations necessary to avoid or reduce/minimise those risks
Privacy Audit
• Purpose of privacy audit is to determine the degree to which systems, operations, processes and people comply
with privacy policies and practices – Do the privacy operations do what they were designed to do, and are data
privacy controls correctly managed?

Q50)
Privacy Impact Assessment is a legal requirement in which country?
1. All EU countries
2. UK and Canada
3. USA
4. All of the above
Your answer is 1
Explanation
ANSWER [UK and Canada].
• In some regions, PIAs are based on legal requirements
o In the UK, Canada, etc., PIAs are based on legal requirements
o PIAs may also be performed pursuant to sector-specific regulations or requirements
o In Australia, the PIA is considered as a fundamental component of broader risk management processes

Q51)

The following are outcomes of "monitoring" in privacy management except:


1. Awareness & transparency
2. Compliance
3. Credibility & Validity
4. Justify business case
Your answer is 2
Explanation
ANSWER [Justify business case].
• Typical outcomes of practical and consistent monitoring programs include organisational:
o Compliance
o Awareness
o Transparency
o Credibility
o Validity

Q52)
Which is an example of monitoring threats through internal vulnerabilities?
1. Outsourcing of operations to vendors
2. Physical monitoring of building access, visitors and data centre activity
3. Outsource information to a cloud computing provider
4. Protection of information contained in mobile devices
Your answer is 2
Explanation
ANSWER [Physical monitoring of building access, visitors and data centre activity]
Examples of monitoring threats posed by internal vulnerabilities:
o Physical monitoring of building access, visitors and data centre activity
o Data access and authentication
o Lack of awareness/training so that people do not know how they are to handle personal information
o Insider threat from current or former employee, contractor or other business partner:
• “Low-tech” attacks such as modifying or stealing confidential or sensitive information for personal gain
• Theft of trade secrets or customer information to be used for business advantage or to give to a foreign
government or organisation
• Technically sophisticated crimes that sabotage the organisation’s data, systems or network

Q53)

A privacy audit is best done for the following reasons:


1. After a security or privacy incident
2. As requested to meet regulatory requirements, industry standards or internal business objectives
3. When there is a business function deterioration
4. All of the answers
Your answer is 2
Explanation
ANSWER [All of the answers].
• When to conduct an audit:
o Regularly scheduled basis
o Ad hoc
o As requested to meet regulatory requirements, industry standards or internal business objectives
o After a security or privacy incident, or business function deterioration, based on several factors:
• Unclear, dated or changing policies
• Normal change management activities such as system updates and maintenance
• User errors or accidents
• Hackers or security events
• Providing employees with insufficient training or use of the system
• Changes in the business such as new categories of customers or operations
• Triggered events such as VIP request, government request or media reports
o Other non-deterioration factors that may drive the need for audit:
• Indications of an insider threat
• Staffing, cutbacks and changes to priorities
• New subcontractors or third parties
• Unusual changes such as higher numbers of privacy breaches, complaints or incidents
• New portfolio or industry base

Q54)

The following are examples of privacy audits except:


1. Supplier Audit
2. Self Certification
3. Independent external assessment
4. Incident response evaluation
Your answer is 1
Explanation
ANSWER [Incident response evaluation].
There are three types of audit categories:
o First-party/internal audits
• Performed with employees
• A form of self-evaluation in which the organisation takes responsibility for monitoring and
reviewing itself to assure:
• Continuous compliance
• Proactive privacy management
• Use of best practices
• Self-certification is a form of internal audit that does not exempt an organisation from
fulfilling obligations under applicable laws or regulations, e.g. US-EU Safe Harbour
Framework
• Audit workplan:
• Identify areas to be audited
• Notify those offices of the plans
• Perform meetings and reviews
• Provide all communications
• Draft reports and presentations
• Lead all management communications
• Close all audit matters
• Formalise reports and final meetings
• Perform follow-ups
o Second-party audits
• Audits for existing suppliers or subcontractors – typically used in EU but not US
• Commonly known as Supplier Audits
o Third-party/external audits
• Independent outside sources such as data protection commissioner, government officials or
independent external assessment by subcontractors

Q55)

Which is NOT a reason why you use an external privacy auditor?


1. When management is not concerned about confidentiality
2. Lend credibility to an internal audit program
3. When expert recommendations are needed
4. When there is a very tight deadline
Your answer is 1
Explanation
ANSWER [When there is a very tight deadline].
• Advantages of using external auditors:
o Identify weaknesses of internal controls
o Lend credibility to internal audit program
o Provide a level of unbiased, expert recommendations
• Disadvantages of using external auditors:
o Cost/budget
o Time or schedule
o Learning curve about the organisation
o Confidentiality

Q56)

When auditing compliance with privacy policies and standards, which of the following measures is not
relevant or applicable?
1. Training and awareness attendance
2. Information system logs
3. Complaints received
4. Number of management sign-offs
Your answer is 4
Explanation
ANSWER [Number of management sign-offs].
• The audit measures how closely the organisation’s practices align with its legal obligations and stated
practices and may rely on:
o Subjective information
• Employee interviews/questionnaires
• Complaints received
o Objective standards
• Information system logs
• Training and awareness attendance
• Test scores

Q57)

Putting up privacy notices and reminders is an example of which of the following?


1. Awareness Activity
2. Education Effort
3. Breach Notification
4. All of the answers
Your answer is 1
Explanation
ANSWER [Awareness Activity].
It is important to note that education and awareness are not one and the same.
Education allows for communication and socialization of the privacy policy and supporting processes that may
be recorded in the employee records while an organization’s privacy awareness program reinforces the privacy
message.

Q58)

What is the commonality between a Privacy Notice & a Privacy Policy?


1. Technically, they are the same documents and have identical contents
2. Both are about educating its audiences & maintaining organisational accountability
3. They involve privacy messages to the same audiences
4. Both are about educating the consumer or customer
Your answer is 3
Explanation
ANSWER [Both are about educating its audiences & maintaining organisational accountability].
• Two primary types of privacy policy documents:
o Privacy policy – internal document addressed to employees
o Privacy notice – external communication of privacy policy to customers about how their personal data is
handled
• Every organisation is held accountable for what it says it will do and will not do with personal information

Q59)

What is NOT a reason for updating and changing privacy policies and requirements?
1. Changing regulatory environment
2. Development of new products and services
3. Responding to changes in business environment
4. Every time there is a change in CEO or senior management
Your answer is 4
Explanation
ANSWER [Every time there is a change in CEO or senior management]
• Reasons for updating and changing privacy policies and requirements:
o Identifying opportunities for continuous improvement
o Changing regulatory environment
o Responding to changes in business environment
o Development of new products and services

Q60)

As a rule, who should answer and manage every privacy question?


1. Customer service
2. A designated privacy professional
3. Any trained resource or personnel
4. The privacy team
Your answer is 4
Explanation
ANSWER [Any trained resource or personnel]
• In managing privacy questions, trained resources or personnel should serve as the first tier. If first-tier
privacy resources do not have the answers or do not feel equipped to adequately respond to the issues
presented, then the privacy team or the chief privacy officer should be consulted
o These first-tier responders should be strongly supported by the privacy team and the chief privacy officer
with informational material, FAQs and direct personal interaction
o Channels for asking and answering questions should not be too strict or formal, as long as local privacy
resources and the privacy team are communicating with one another to ensure consistency, coverage and
timely responsiveness
o When first-tier responders do not have the answers, they must promptly involve the privacy team so that it
has insight into the types and quantities of inquiries

Q61)

Which of the following statements about responding to general questions and complaint handling is
incorrect?
1. There should be an escalation process to ensure the proper handling of sensitive issues, including possible
engagement of key executives if the situation warrants
2. There should be a centralised intake process by which complaints are routed to the privacy team as quickly
as possible
3. The reporting and the complaint process respecting data privacy may intersect with an ethics reporting and
complaint process
4. Both processes should be identical as long as they relate to privacy matters
Your answer is 4
Explanation
ANSWER [Both processes should be identical as long as they relate to privacy matters]
• Complaint handling requires more formality than just responding to questions and inquiries
o Centralised intake process by which complaints are routed to the privacy team as quickly as possible
o Escalation process to ensure the proper handling of sensitive issues, including possible engagement of key
executives if the situation warrants
o Create and document procedures that track the intake, management and resolution of the complaint
• Occasionally, the reporting and the complaint process respecting data privacy may intersect with an ethics
reporting and complaint process, e.g.
o An incident may involve the use or misuse of personal information by the supervisor and the complainant is
the employee
o People managing the compliance hotline must be trained to recognise a data privacy issue and to
immediately connect with the chief privacy officer or the privacy team

Q62)

Data integrity is more often compromised by all of the following except:


1. Systemic errors
2. Negligent staff
3. Untrained staff
4. External hackers
Your answer is 4
Explanation
ANSWER [External hackers]
Data integrity issues are often caused by:
• Human failure
o Have a process to resolve and handle these types of data integrity issues
o Provide strong training and awareness to educate employees on the importance of proper and accurate
handling of personal data
• Systemic error

Q63)

When it comes to providing access to individuals' personal data when requested, which one of the following is
correct?
1. The organisation should ensure that adequate verification takes place before access to data is provided
2. The organisation should immediately provide access to whatever personal data is in its care through any
medium of communication
3. The personnel in charge of providing access can discretionally give reasons for providing or denying
access
4. The personnel in charge should first consult the privacy team, who will advise accordingly
Your answer is 4
Explanation
ANSWER [The organisation should ensure that adequate verification takes place before access to data is
provided]
Organisations should have written procedures for responding to access requests:
o Ensures that adequate verification takes place before access to data is provided
o Ensures that the organisation is consistent in its reasoning for providing or denying access

Q64)

What should the primary focus be when it comes to governing a privacy incident or data breach?
1. Determining the root cause of the incident so as to rectify any issues
2. Harm prevention and/or minimisation as a priority
3. Reporting to the law enforcement authorities as soon as possible
4. Conducting proper investigations and post-mortem reviews
Your answer is 4
Explanation
ANSWER [Harm prevention and/or minimisation as a priority]
It is about preventing Harm
• Fundamental principle that governs a privacy incident is to allow an affected person the opportunity to
protect himself from identity theft or other harm (e.g. financial loss, reputation damage, embarrassment)
• Primary focus when managing any privacy incident is harm prevention and/or minimisation

Q65)

The following are ways in which an organisation can demonstrate accountability as it relates to privacy
management except:
1. Demonstrating effective compliance using privacy controls
2. Implementing appropriate privacy controls
3. Third-party or internal self-attestation audit activity
4. Immediately notifying all parties affected should there be any privacy incident
Your answer is 3
Explanation
ANSWER [Immediately notifying all parties affected should there be any privacy incident]
• Privacy accountability in an organisation may be demonstrated through:
o Implementing appropriate privacy controls
o Demonstrating effective compliance using these controls
o Documenting risk mitigation
• Organisation may demonstrate accountability through:
o Validation by an external regulator
o Third-party or internal self-attestation audit activity

Q66)

Upon investigation by a regulator in the event of a major data breach, which one is NOT likely evidence of
accountability?
1. Dedicated privacy team with breach protocols
2. Existence of privacy awareness program
3. Archived internal messages & actions communicating regulatory requirements to staff
4. Full co-operation with the investigators when contacted by regulators
Your answer is 3
Explanation
ANSWER [Full co-operation with the investigators when contacted by regulators]
• Accountability to a regulator usually occurs following a significant event that is poorly handled
o Investigation by regulators will be in the form of “who knew what and when” and a demonstration that the
organisation takes privacy seriously, e.g.
• Existence of privacy awareness program
• Dedicated privacy team
• Breach protocols
• Appropriate command media enforcing regulatory requirements

Q67)

In the event of a data breach, who should get in touch with the responsible data protection authorities or
regulators to discuss the incident and assure them that the breach is being handled?
1. The privacy team
2. The public relations team
3. CEO
4. Team leader of the incident response team
Your answer is 3
Explanation
ANSWER [CEO]
President, CEO
• Role in incident-response planning
o Through actions taken (or not) and training funded (or not), employees can discern the value their leaders
place on preventing breaches
o Once data is compromised and the shortcomings of an organisation’s security practices become public, it is
the top executive who will ultimately bear the blame
• Role during a data breach
o Promptly allocate funds and manpower needed to resolve the breach – this is one of the first and most critical
steps taken by the top executive
o Publicly comment on the breach’s cause or status – accuracy, authenticity and transparency are absolutely
essential
o Get in touch with the responsible data protection authorities or regulators to discuss the incident and assure
them that the breach is being handled from the top management

Q68)

In incident response planning, which of the roles and recommended actions are not relevant in terms of
ensuring organisation readiness?
1. HR to address topics such as employee data-handling, security awareness training and/or incident
recognition and response
2. Legal to provide guidance on legal precedents and requirements for handling data and reporting a breach
3. Information Security Team to provide technical expertise and authority in monitoring access, inventory,
storage and destruction of data
4. Customer Service Team to proactively dedicate a hotline to handle any reports or complaints relating to a
privacy incident
Your answer is 3
Explanation
ANSWER [Customer Service Team to proactively dedicate a hotline to handle any reports or complaints
relating to a privacy incident]
Customer Care
• Role in incident-response planning
o Be aware of social engineering at call centres as criminals may call to probe and test how security procedures
are applied and how often they are enforced
o Recognise unusual employee or caller behaviours, or notice trends in certain types of calls
o Equip and prepare call centre staff, should they be enlisted for response support
• Role during a data breach
o Handle breach-related call traffic as customer care reps are trained to remain calm when confronted and to
defuse potentially volatile encounters before they escalate

Q69)

Which of the following breach notification statements is a recommended action to take if there are no legal
requirements?
1. Organisations should consider whether notification will assist in preventing or limiting harm - or whether it
could simply result in unnecessary distress
2. Organisation should always notify affected customers as best practice even if not required by law
3. Organisation should consider notifying regulators as best practice even if not required by law
4. If there is no need for a breach notification, then reporting to law enforcement authorities is required
Your answer is 1
Explanation
ANSWER [Organisations should consider whether notification will assist in preventing or limiting harm - or
whether it could simply result in unnecessary distress]
If there are no legal requirements for breach notification, organisations should consider whether notification will
assist in preventing or limiting harm - or whether it could simply result in unnecessary distress.

Q70)

According to a Ponemon Institute study, while a large majority of respondents were unable to determine the root
cause, which root cause was cited most often by those who could?
1. Negligent insider
2. Outsourcing data to third party
3. Systems glitch
4. Failure to shred confidential documents
Your answer is 1
Explanation
ANSWER [Negligent insider]
• How breaches occur (Ponemon Institute study of 584 IT professionals):
o 44% unable to determine root cause of breach
o Remaining respondents cited the following root causes of breach:
• Negligent insider – 34%
• Outsourcing data to third party – 19%
• Malicious insider – 16%
• Systems glitch – 11%
• Cyber attack – 7%
• Failure to shred confidential documents – 6%

Q71)

The EU General Data Protection Regulation will replace the Data Protection Directive 95/46/EC and introduces
the following key changes: 1) Increased fines of up to 5% of global turnover/100 million Euros. 2) Data breaches
reported without delay. 3) Data Protection Officers appointed where data processed >5000 records. 4) Data
Protection Impact Assessments (Article 33) conducted annually in consultation with DPA/supervisory authority.
5) Privacy by Design and by Default requires that data protection is designed into the development of business
processes for products and services, etc. What approach does the new regulation take to addressing issues of
data protection?
1. Openness
2. Proactive and preventative
3. Data Quality
4. Collection limitation
Your answer is 2
Explanation
ANSWER [Proactive and preventative]. The GDPR requires privacy by design and by default.
Proactive, not Reactive; Preventative, not Remedial. Anticipate and prevent privacy invasive events before
they happen, rather than waiting for privacy risks to materialize.
Privacy as the Default Setting. No action is required by individuals to maintain their privacy; it is built into the
system by default.
This concept has been introduced in the European Commission’s draft regulation to reform data protection.
Privacy Embedded into Design. Privacy is an essential component of the core functionality being designed and
delivered.
The FTC has adopted this principle in its proposed consumer privacy framework, calling for companies to
promote consumer privacy throughout the organization and at every stage of product development.
Full Functionality—Positive-Sum, not Zero-Sum. Seeks to accommodate all legitimate interests and
objectives, rather than making unnecessary trade-offs.
End-to-End Security—Full Life Cycle Protection. Strong security measures are essential to privacy, from start
to finish of the life cycle of data.
Visibility and Transparency. Component parts and operations remain visible and transparent, to users and
providers. Essential to establishing accountability and trust.
Respect for User Privacy. Keeping the interests of the individual uppermost by offering such measures as
strong privacy defaults, appropriate notice, and empowering user-friendly options.
Openness, data quality and collection limitation are principles under the OECD guidelines.

Q72)

Scenario 1. You have been headhunted into ABC Ltd to head the privacy program. The company has no
privacy program in place. You are the Data Protection Officer brought into ABC Ltd to build a privacy
program. Management now supports the program. You have worked hard to get them to set up a privacy
committee. The staff are trained and the privacy framework has been communicated to all staff. Based on
Scenario 1, at which phase of the operational life cycle are you?
1. Assess
2. Protect
3. Sustain
4. Respond
Your answer is 1
Explanation
ANSWER [Sustain] involves Monitoring, Auditing and Communicating of an organization's privacy program.
Since controls are implemented and operational, the privacy program is monitored. 1st party and 2nd party
audits have taken place to evaluate the effectiveness of the program and improvements made. Training and
communicating to the staff has taken place.

Q73)

Scenario 1. You have been headhunted into ABC Ltd to head the privacy program. The company has no
privacy program in place. You are the Data Protection Officer brought into ABC Ltd to build a privacy
program. Management now supports the program. You have worked hard to get them to set up a privacy
committee. The staff are trained and the privacy framework has been communicated to all staff. Based on
Scenario 1, which phase of the operational life cycle do you look at next?
1. Assess
2. Protect
3. Sustain
4. Respond
Your answer is 3
Explanation
ANSWER [Respond]. When the sustain phase of the privacy operational life cycle is reached, the next phase to
look at is respond. It includes the respond principles of information requests, legal compliance, incident-
response planning and incident handling.
The “respond” phase of the privacy operational life cycle aims to reduce organizational risk and bolster
compliance to regulations. An organization needs to be prepared to respond to its internal and external
stakeholders—including regulators.

Q74)

The sales director has implemented a new BYOD policy for the sales team. Unfortunately no Privacy Impact
Assessments were done. As the DPO, what should you do?
1. Develop a business case
2. Meet the sales director to understand his objectives
3. Conduct a gap analysis
4. Review the current program
Your answer is 3
Explanation
ANSWER [Meet the sales director to understand his objectives].
1.2.1 Stakeholders and Internal Partnerships
• First step is to conduct informal one-on-one conversations with executives who have accountability for
information management and/or security, risk, compliance or legal decisions
• Internal partners, such as HR, legal, security, marketing, risk management and IT, should also be included
• Out of these communications, identify which executive can serve as program sponsor or champion for the
privacy program:
o Someone who understands the importance of privacy and will act as an advocate
o Has experience with the organisation, the respect of colleagues, and access to or ownership of budget
• Best practices for developing internal partnerships:
o Become aware of how others treat and view personal information
o Understand the use of data in a business context
o Assist with building privacy requirements into their ongoing projects to help reduce risk
o Offer to help staff meet their objectives while offering solutions to reduce risk of personal information
exposure
o Invite staff to be a part of the privacy advocate group to further privacy best practices

Q75)

As the company is involved in making consumer products, it needs to adhere to FTC principles. The FTC
holds the dual mission of protecting consumers and promoting competition. Which principle in privacy does
the FTC follow with regard to consumers' privacy?
1. Minimalism
2. Privacy embedded into design
3. Authenticity and accuracy of records
4. Retrievability
Your answer is 2
Explanation
ANSWER [Privacy embedded into design]. Privacy Embedded into Design. Privacy is an essential component
of the core functionality being designed and delivered. The FTC has adopted this principle in its proposed
consumer privacy framework, calling for companies to promote consumer privacy throughout the organization
and at every stage of product development. The other answers are part of the Data Life Cycle principles.

Q76)

As the appointed DPO, how do you build awareness with customers regarding your privacy?
1. Provide training
2. Communicate the changes
3. Branding campaigns of your commitment to security
4. Privacy policy
Your answer is 1
Explanation
ANSWER [Branding campaigns of your commitment to security]. Externally - External awareness is directed
toward building consumer confidence in your brand by creating awareness of your corporation's commitment
to security, to fulfill a legal requirement, and through your privacy notice. Internally - Build an awareness
program internally through inter-departmental cooperation to work toward privacy protection through the
process of looking at the various awareness programs in place throughout the organization by 1) communicating
changes and 2) providing training.

Q77)

Which of the following is an exception of the primary audience of metrics?
1. Information security officer
2. Program managers
3. Human Resource
4. Senior leadership
Your answer is 3
Explanation
ANSWER [Human Resource]. HR does not have privacy as its primary task. The primary audience may
include:
• Legal and privacy officers
• Senior leadership; chief information officer (CIO), chief security officer (CSO)
• Program managers (PM)
• Information system owner (ISO)
• Information security officer (ISO)
• Others considered users and managers
The secondary audience includes those who may not have privacy as a primary task, such as:
• Chief financial officer (CFO)
• Training organizations
• Human resources (HR)
• Inspectors general (IG)
• HIPAA security officials
Tertiary audiences may be considered, based on the organization's specific or unique requirements, such as:
• External watchdog groups
• Sponsors
• Stockholders

Q78)

Which reason or purpose is an exception when conducting a Privacy Impact Assessment?
1. As a privacy threshold analysis tool (PTA)
2. As mandated by industry, organization policy or compliance to laws and regulations.
3. As a reactive risk management tool
4. When determining the feasibility of a business strategy
Your answer is 4
Explanation
ANSWER [As a privacy threshold analysis tool (PTA)].
The privacy professional will determine where and when analyses and assessments should be completed as
mandated by industry, organization policy or compliance with laws and regulations. Sometimes the need to
perform such assessments arises from a data breach or other event, and in that case the PIA is a reactive risk
management tool. Other times, the organisation may need to assess privacy risks as a part of determining the
feasibility of a business strategy or overall organizational goal, a more proactive approach. One tool used to
determine whether a PIA should be conducted is called a privacy threshold analysis (PTA).

Q79)

Which is an exception of the PCI DSS requirements?
1. Develop and maintain secure systems and applications.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Restrict access to cardholder data by business need to know.
4. Allow access to cardholder data only by roles
Your answer is 3
Explanation
ANSWER [Allow access to cardholder data only by roles].
The following are requirements of PCI DSS.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Requirement 7: Restrict access to cardholder data by business need to know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Requirement 12: Maintain a policy that addresses information security.

Q80)

What is not an exception of privacy enhancing technologies?
1. It is the use of newer or unregulated technology, such as social networking and the Internet web cookie
policy, for eGov 2.0.
2. An extension to technical controls for improving the quality of information and privacy choice control
mechanisms available
3. It is setting strong security measures are essential to privacy, from start to finish of the life cycle of data.
4. Sharepoint, eRooms and network folders.
Your answer is 1
Explanation
ANSWER [An extension to technical controls for improving the quality of information and privacy choice
control mechanisms available]. Privacy-Enhancing Technologies (PETs) could be considered a technical
control, but instead they should be thought of as an extension to technical controls for improving the quality of
information and privacy choice control mechanisms available. As an example, the U.S. government has
required agencies to offer machine-readable privacy policies using the Platform for Privacy Preferences (P3P)
system.
"It is the use of newer or unregulated technology, such as social networking and the Internet web cookie
policy, for eGov 2.0." is part of Information technology cutting edge or innovation solutions, which is part of
the considerations to monitoring compliance with established privacy policies.(pg 128)
"It is setting strong security measures are essential to privacy, from start to finish of the life cycle of data." is
one of Privacy by Design principles.(pg 121)
"Sharepoint, eRooms and network folders." are examples of Monitoring collaborative technologies (pg 131)

Q81)

Which of the following are considerations as part of a metrics template?
1. Threshold for satisfactory rating
2. Unique identifiers
3. Implementation evidence
4. All of the answers
Your answer is 4
Explanation
ANSWER [All of the answers]. (p71)
• Metric Name/ID - States the unique identifier that uses an organization-specific naming convention or
can directly reference another source.
• Target - Threshold for a satisfactory rating for the measure.
• Implementation Evidence - Implementation evidence is used to compute the measure, validate that the
activity is performed and identify probable causes of unsatisfactory results for a specific measure.

Q82)

What is the purpose of ROI or an ROI metric?
1. To measure the effectiveness of investments to protect investments
2. As an indicator used to measure the gain/loss (or “value”) of a project in relation to its cost
3. to address the specific risk that control or feature is supposed to mitigate
4. All of the answers
Your answer is 4
Explanation
ANSWER [All of the answers]

Q83)

Which of the following statements is true of audits?
1. The audit measures how closely the organization’s practices align with its legal obligations and stated
practices
2. Audits evaluate the organization to verify and prove that the organization is in compliance with the stated
privacy policies and standards.
3. Audits provide corrective action as necessary when gaps are found.
4. All of the answers
Your answer is 4
Explanation
ANSWER [All of the answers].
Audits evaluate the organization to verify and prove that the organization is in compliance with the stated
privacy policies and standards and to provide corrective action as necessary when gaps are found.
The audit measures how closely the organization's practices align with its legal obligations and stated
practices and may rely on subjective information, such as employee interviews/questionnaires and complaints
received, or objective standards, such as information system logs or training and awareness attendance and
test scores.

Q84)

What is an exception of the objective standards of audits?
1. Complaints received
2. Information system logs
3. Training and awareness attendance
4. Test scores
Your answer is 4
Explanation
ANSWER [Complaints received]. The audit measures how closely the organization's practices align with its
legal obligations and stated practices and may rely on subjective information, such as employee
interviews/questionnaires and complaints received, or objective standards, such as information system logs or
training and awareness attendance and test scores. (Privacy Program Management, p. 142)

Q85)

Privacy metrics are used in the analysis and reporting of which of the following areas?
1. Privacy program maturity level
2. Business resiliency metrics
3. Resource utilization
4. All of the answers
Your answer is 1
Explanation
ANSWER [All of the answers]. Metrics must be described in and used with clear language and
easy-to-understand terms; otherwise they may not represent similar value throughout an organization. For
example, generic privacy metrics should be developed to enable analyses of the following processes:
• Collection (notice)
• Responses to data subject inquiries
• Use
• Retention
• Disclosure to third parties
• Incidents (breaches, complaints, inquiries)
• Employee training
• Privacy Impact Assessments (PIAs)
• Privacy risk indicators
• Percent of organization functions represented by governance mechanisms
Use of that data for analysis and reporting includes:
• Trending
• Privacy program return on investment (ROI)
• Business resiliency metrics
• Privacy program maturity level
• Resource utilization
The selection of the proper metrics is difficult, and special consideration must be used during the process for
selection, use and updates. More metrics do not necessarily translate into more value. The old adage "You can
never have enough" is incorrect regarding using metrics; data collection, storage and analysis are expensive
business functions and are thus more costly when collecting unnecessary data or an extreme number of
metrics that provide no value.

Q86)

What is not an example of privacy enhancing technologies?
1. Enterprise Privacy Authorization Language (EPAL)
2. Platform for Privacy Preferences (P3P)
3. Extensible Access Control Markup Language (XACML) 1.0
4. Extensible Markup Language (XML)
Your answer is 4
Explanation
ANSWER [Extensible Markup Language (XML)]

Q87)

Which is not an exception of the benefits of internal audit contributions to privacy efforts?
1. Prepare an incident response plan
2. Use enterprise risk management (ERM) processes making risk a priority
3. Plan for business continuity and disaster recovery (BCDR)
4. Consider the various technical, administrative and physical controls
Your answer is 2
Explanation
ANSWER [Use enterprise risk management (ERM) processes making risk a priority]
