CIPM Exam - Page 6 (ExamTopics)


Question #251 Topic 1

All of the following are environmental controls EXCEPT?

A. Fire alarm.

B. Leak detection.

C. Motion sensors.

D. Uninterruptible power supply.

Correct Answer: D

Community vote distribution: C (100%)

Question #252 Topic 1

Which of the following is an example of Privacy by Design (PbD)?

A. When HR develops a training program for employees to become certified in privacy policy.

B. When IT uses privacy considerations to inform the development of new networking software.

C. When a labor union insists that the details of employers' data protection methods be documented in a new contract.

D. When a company hires a professional to structure a privacy program that anticipates the increasing demands of new laws.

Correct Answer: B

Question #253 Topic 1

What is the key privacy objective in undertaking an evaluation of technical controls?

A. To identify and mitigate privacy risks associated with technical systems and data processing activities.

B. To evaluate and mitigate third party risk associated with service provider relationships.

C. To determine if the current privacy framework is adequate for the company's needs.

D. To review and evaluate gaps in targeted internal privacy awareness training.

Correct Answer: A

Question #254 Topic 1

The purpose of a data flow map is to help an organization do all of the following EXCEPT?

A. Determine unidentified opportunities for information collection.

B. Assist compliance with privacy-related laws and regulations.

C. Identify any gaps in its ability to protect information.

D. Recognize who in the organization has access to what information.

Correct Answer: A

Question #255 Topic 1

Which of the following is NOT recommended for effective Identity and Access Management (IAM)?

A. User responsibility.

B. Demographics.

C. Biometrics.

D. Credentials.

Correct Answer: B

Question #256 Topic 1

Which of the following is NOT a main technical data control area?

A. Obfuscation.

B. Tokenization.

C. Access controls.

D. Data minimization.

Correct Answer: D
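The three control areas named in the options above (obfuscation, tokenization, access controls) are often conflated, so here is an added example showing how they differ in practice. It is not taken from the exam page or from any vendor product: the vault, the roles, the masking rules and the sample record are all constructed for illustration. Tokenization replaces the value with a random surrogate and keeps the mapping in a separate store, so it is reversible only through that store; obfuscation (masking) discards information and is not reversible; access control decides who may cross the boundary between the two.

```python
"""Tokenization, masking and role-gated detokenization side by side.
Added example; the vault, roles and sample record are constructed, not real."""
import re
import secrets


class TokenVault:
    """Maps random tokens to original values. A token carries no information
    about the value; recovering the value requires access to this vault,
    which in a real deployment lives in a separately secured system."""

    def __init__(self) -> None:
        self._forward: dict[str, str] = {}  # value -> token (same value, same token)
        self._reverse: dict[str, str] = {}  # token -> value

    def tokenize(self, value: str) -> str:
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)   # random, not derived from value
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenize(self, token: str) -> str:
        return self._reverse[token]


def mask_pan(pan: str) -> str:
    """Obfuscation: keep only the last four digits of a card number."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 4:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(email: str) -> str:
    """Obfuscation: keep first character of the local part and the domain."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


# Access control: which hypothetical roles may cross back from token to value.
ROLE_PERMISSIONS = {
    "support": {"read_masked"},
    "billing": {"read_masked", "detokenize"},
}


class AccessDenied(Exception):
    pass


def process_record(record: dict, vault: TokenVault) -> dict:
    """Store-side transformation applied at ingestion: the card number is
    tokenized (reversible via the vault) and masked (irreversible)."""
    return {
        "name": record["name"],
        "pan_token": vault.tokenize(record["pan"]),
        "pan_masked": mask_pan(record["pan"]),
        "email_masked": mask_email(record["email"]),
    }


def reveal_pan(stored: dict, vault: TokenVault, role: str) -> str:
    """Only roles granted 'detokenize' may turn the token back into the PAN."""
    if "detokenize" not in ROLE_PERMISSIONS.get(role, set()):
        raise AccessDenied(f"role {role!r} may not detokenize")
    return vault.detokenize(stored["pan_token"])


if __name__ == "__main__":
    # Constructed sample record (a well-known test card number, not a real customer).
    vault = TokenVault()
    rec = {"name": "Ada", "pan": "4111 1111 1111 1111", "email": "ada@example.com"}
    stored = process_record(rec, vault)
    print(stored)
    print("billing sees:", reveal_pan(stored, vault, "billing"))
    try:
        reveal_pan(stored, vault, "support")
    except AccessDenied as e:
        print("support blocked:", e)
```

Note what is absent: data minimization does not appear as a function, because it is a design decision about what to collect in the first place (here, whether `pan` is stored at all), not a transformation applied to data already held. That is the distinction the question is drawing.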

Question #257 Topic 1

Which of the following is a physical control that can limit privacy risk?

A. Keypad or biometric access.

B. User access reviews.

C. Encryption.

D. Tokenization.

Correct Answer: A

Question #258 Topic 1

SCENARIO -

Please use the following to answer the next question:

Liam is the newly appointed IT Compliance Manager at Mesa, a US-based outdoor clothing brand with a global e-commerce presence. During his second week, he is contacted by the company's IT Audit Manager, who informs him that the auditing team will be conducting a review of Mesa's privacy compliance risk in a month.

A bit nervous about the audit, Liam asks his boss what his predecessor had completed related to privacy compliance before leaving the company. Liam is told that a consent management tool had been added to the website and that they had commissioned a privacy risk evaluation from a small consulting firm last year, which determined that their risk exposure was relatively low given their current control environment. After reading the consultant's report, Liam realized that the scope of the assessment was limited to breach notification laws in the US and the Payment Card Industry Data Security Standard (PCI DSS).

Not wanting to let down his new team, Liam kept his concerns about the report to himself and figured he could try to put some additional controls into place before the audit. Having some privacy compliance experience from his last role, Liam thought he might start by having discussions with the e-commerce and marketing teams.

The E-commerce Director informed him that they were still using the cookie consent tool forcibly placed on the home screen by the CIO, but could not understand the point since their office was not located in California or Europe. The Marketing Director touted his department's success with purchasing email lists and taking a shotgun approach to direct marketing. Both Directors highlighted their tracking tools on the website, used to enhance customer experience while learning more about where else the customer had shopped. The more people Liam met with, the more it became apparent that privacy awareness and the general control environment at Mesa needed help.

With three weeks before the audit, Liam updated Mesa's Privacy Notice himself, taking and revising it from a competitor's website. He also wrote policies and procedures outlining the roles and responsibilities for privacy within Mesa and distributed the document to all departments he knew of with access to personal information.

During this time, Liam also cleared the backlog of data subject requests for deletion that had been sent to him by the Customer Service Manager. Liam worked with application owners to remove these individuals' information and order history from the Customer Relationship Management (CRM) tool, the Enterprise Resource Planning (ERP) system, the data warehouse, and the email server.

At the audit kick-off meeting, Liam explained to his boss and her team that there might still be some room for improvement, but he thought the risk had been mitigated to an appropriate level based on the work he had done thus far.

After the audit had been completed, the Audit Manager and Liam met to discuss her team's findings, and much to his dismay, Liam was told that none of the work he had completed prior to the audit followed best practices for governance and risk mitigation. In fact, his actions had only opened the company up to additional risk and scrutiny. Based on these findings, Liam worked with external counsel and an established privacy consultant to develop a remediation plan.

All of the key phases of an audit have occurred in the scenario EXCEPT?

A. Prepare

B. Audit

C. Report

D. Follow-up

Correct Answer: D

Question #259 Topic 1

Under the General Data Protection Regulation (GDPR), what are the obligations of a processor that engages a sub-processor?

A. The processor must give the controller prior written notice and perform a preliminary audit of the sub-processor.

B. The processor must obtain the controller's specific written authorization and provide annual reports on the sub-processor's performance.

C. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.

D. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor. Most Voted

Correct Answer: D

Community vote distribution: D (100%)

Question #260 Topic 1

When conducting due diligence during an acquisition, what should a privacy professional avoid?

A. Discussing with the acquired company the type and scope of their data processing.

B. Allowing legal in both companies to handle the privacy laws and compliance.

C. Planning for impacts on the data processing operations post-acquisition.

D. Benchmarking the two companies’ privacy policies against one another.

Correct Answer: B

Question #261 Topic 1

SCENARIO -

Please use the following to answer the next question:

You were recently hired by InStyle Data Corp. as a privacy manager to help InStyle Data Corp. become compliant with a new data protection law. The law mandates that businesses have reasonable and appropriate security measures in place to protect personal data. Violations of that mandate are heavily fined, and the legislators have stated that they will aggressively pursue companies that don't comply with the new law.

You are paired with a security manager and tasked with reviewing InStyle Data Corp.'s current state and advising the business on how it can meet the "reasonable and appropriate security" requirement. InStyle Data Corp. has grown rapidly and has not kept a data inventory or completed a data mapping. InStyle Data Corp. has also developed security-related policies ad hoc, and many have never been implemented. The various teams involved in the creation and testing of InStyle Data Corp.'s products experience significant turnover and do not have well-defined roles. There is little documentation addressing what personal data is processed by which product and for what purpose.

Work needs to begin on this project immediately so that InStyle Data Corp. can become compliant by the time the law goes into effect. You and your partner discover that InStyle Data Corp. regularly sends files containing sensitive personal data back to its customers through email, sometimes using InStyle Data Corp. employees' personal email accounts. You also learn that InStyle Data Corp.'s privacy and information security teams are not informed of new personal data flows, new products developed by InStyle Data Corp. that process personal data, or updates to existing InStyle Data Corp. products that may change what or how personal data is processed, until after the product or update has gone live.

Through a review of InStyle Data Corp.'s test and development environment logs, you discover that InStyle Data Corp. sometimes gives login credentials to any InStyle Data Corp. employee or contractor who requests them. The test environment only contains dummy data, but the development environment contains personal data, including Social Security Numbers, health information, and financial information. All credentialed InStyle Data Corp. employees and contractors have the ability to alter and delete personal data in both environments regardless of their role or what project they are working on.

You and your partner provide a gap assessment citing the issues you spotted, along with recommended remedial actions and a method to measure implementation. InStyle Data Corp. implements all of the recommended security controls. You review the processes, roles, controls, and measures taken to appropriately protect the personal data at every step. However, you realize there is no plan for monitoring and nothing in place addressing sanctions for violations of the updated policies and procedures. InStyle Data Corp. pushes back, stating they do not have the resources for such monitoring.

Having completed the gap assessment, you and your partner need to first undertake a thorough review of?

A. Data life cycle.

B. Security policies.

C. System development life cycle.

D. Privacy Impact Assessment (PIA).

Correct Answer: A

Question #262 Topic 1

SCENARIO -

Please use the InStyle Data Corp. scenario given under Question #261 above to answer the next question.

What aspect of the data management life cycle will still be unaddressed if you cannot find the resources to become compliant?

A. Auditability.

B. Enforcement.

C. Retrievability.

D. Access management.

Correct Answer: B

Question #263 Topic 1

Integrating privacy requirements into functional areas across the organization happens at which stage of the privacy operational life cycle?

A. Assessing data.

B. Protecting personal data.

C. Sustaining program performance.

D. Responding to requests and incidents.

Correct Answer: B

Question #264 Topic 1

Under the GDPR, when the applicable lawful basis for the processing of personal data is a legal obligation with which the controller must comply, which right can the data subject exercise?

A. Right to withdraw consent.

B. Right to data portability.

C. Right to restriction.

D. Right to erasure.

Correct Answer: C

Question #265 Topic 1

According to European Data Protection Board (EDPB) guidelines, which processing operation would require a Data Protection Impact Assessment (DPIA)?

A. An online newspaper using its subscriber list to email a daily newsletter.

B. A healthcare clinic that processes personal data of its patients in its billing system.

C. A hospital processing patients' genetic and health data in its hospital information system.

D. An online store displaying advertisements based on items viewed or purchased on its own website.

Correct Answer: C

Question #266 Topic 1

Under Article 35 of the GDPR, a data controller must take a risk-based approach to determine whether to complete?

A. Privacy program review.

B. Privacy threshold assessment.

C. Transfer Impact Assessment (TIA).

D. Data Protection Impact Assessment (DPIA).

Correct Answer: D

Question #267 Topic 1

As the Data Protection Officer (DPO) for the growing company Vision 7165, what would be the most cost-effective way to monitor changes in laws and regulations?

A. Engage an external lawyer.

B. Hire a well-known external law firm.

C. Attend workshops and interact with other professionals.

D. Subscribe to mailing lists that report on regulatory changes.

Correct Answer: D

Question #268 Topic 1

After an incident, all of the following are potential objectives for improvements to the way an organization handles breach management, EXCEPT?

A. Contacting regulators.

B. Reviewing lessons learned.

C. Ensuring appropriate privacy/security funding.

D. Getting commitment from stakeholders related to any process updates.

Correct Answer: A

Question #269 Topic 1

Your company provides a SaaS tool for B2B services and does not interact with individual consumers. A client's current employee reaches out with a right-to-delete request. What is the most appropriate response?

A. Forward the request to the contact on file for the client asking them how they would like you to proceed.

B. Redirect the individual back to their employer to understand their rights and how this might impact access to company tools.

C. Process the request assuming that the individual understands the implications to their organization if their information is deleted.

D. Explain you are unable to process the request because business contact information and associated data is not covered under privacy rights laws.

Correct Answer: B

Question #270 Topic 1

With regard to the collection of personal data conducted by an organization, what must the data subject be allowed to do?

A. Evaluate the qualifications of a third-party processor before any data is transferred to that processor.

B. Set a time-limit as to how long the personal data may be stored by the organization.

C. Challenge the authenticity of the personal data and have it corrected if needed.

D. Obtain a guarantee of prompt notification in instances involving unauthorized access of the data.

Correct Answer: C

Question #271 Topic 1

Your marketing team wants to know why they need a check box for their SMS opt-in. You explain it is part of the consumer's right to?

A. Request correction.

B. Raise complaints.

C. Have access.

D. Be informed.

Correct Answer: D

Question #272 Topic 1

Which of the following information is NOT required to be provided by the data controller when complying with GDPR "right to access" requirements?

A. The data subject request process.

B. The purpose of personal data processing.

C. The name of the Data Protection Officer (DPO).

D. The type of organizations with whom personal data was shared.

Correct Answer: A

Question #273 Topic 1

You're managing the internal privacy mailbox and are notified that a sales team member recently sent emails to their clients that included an Excel spreadsheet of their client data. They just realized that the spreadsheet only hid the data of other clients; it was not deleted. How do you respond?

A. Confirm they have deleted the spreadsheet and requested all clients to do the same. Most Voted

B. Ask what type of data was included on the spreadsheet and trigger an incident notice.

C. Ask them to send you the spreadsheet and advise them to notify the clients' cyber security team.

D. Confirm how many people received the spreadsheet and advise the employee to keep this issue to themselves.

Correct Answer: B

Community vote distribution: A (100%)

Question #274 Topic 1

When a data breach incident has occurred, the first priority is to determine?

A. Who caused the breach.

B. How the breach occurred.

C. How to contain the breach.

D. When the breach occurred.

Correct Answer: C

Question #275 Topic 1

An online retailer detects an incident involving customer shopping history, but no keys have been compromised. The Privacy Office is most concerned when it also involves?

A. Internal unique personal identifiers.

B. Plain text personal identifiers.

C. Hashed mobile identifiers.

D. No personal identifiers.

Correct Answer: B
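The answer turns on the difference between identifiers that are plainly readable and identifiers that have been transformed, and on the clause "no keys have been compromised". The practitioner's caveat is that a hashed identifier is only as protective as the secret behind it: an unkeyed hash of a value drawn from a small space (mobile numbers, e-mail addresses) can be reversed by enumerating the space, so it is closer to plain text than the option list suggests, whereas a keyed hash (HMAC) with an uncompromised key cannot. The following added example, written for this page and not taken from it, demonstrates both cases on a constructed four-digit number range so that it runs in well under a second; real mobile number spaces are around ten billion values, which is still feasible offline for an attacker.

```python
"""Why 'hashed mobile identifiers' are only as safe as the key that hashed them.
Added example; the number range, records and key are constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Optional


def plain_hash(msisdn: str) -> str:
    """Unkeyed SHA-256 of a phone number: deterministic, so enumerable."""
    return hashlib.sha256(msisdn.encode()).hexdigest()


def keyed_hash(msisdn: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret pseudonymization key held outside the dataset."""
    return hmac.new(key, msisdn.encode(), hashlib.sha256).hexdigest()


def reverse_by_enumeration(target_hex: str, prefix: str, width: int,
                           key: Optional[bytes] = None) -> Optional[str]:
    """Attacker's view: try every number <prefix><width digits> and compare
    digests. With key=None the attacker assumes an unkeyed hash; with a key
    the attacker is assumed to have obtained the pseudonymization key."""
    for n in range(10 ** width):
        candidate = f"{prefix}{n:0{width}d}"
        digest = keyed_hash(candidate, key) if key is not None else plain_hash(candidate)
        if hmac.compare_digest(digest, target_hex):
            return candidate
    return None


def build_leaked_records(numbers: list[str], key: bytes) -> list[dict]:
    """Constructed 'shopping history' rows as a retailer might store them:
    one column hashed without a key, one column keyed. No real customers."""
    return [
        {"order": f"o-{i}", "sku": "jacket-42",
         "mobile_sha256": plain_hash(m),
         "mobile_hmac": keyed_hash(m, key)}
        for i, m in enumerate(numbers)
    ]


def recovered_identifiers(records: list[dict], column: str, prefix: str, width: int,
                          key: Optional[bytes] = None) -> list[Optional[str]]:
    """Run the enumeration attack over one column of the leaked records."""
    return [reverse_by_enumeration(r[column], prefix, width, key) for r in records]


if __name__ == "__main__":
    # Constructed toy number space: "+1555" followed by four digits (10,000 values).
    PREFIX, WIDTH = "+1555", 4
    pseudonymization_key = secrets.token_bytes(32)      # held by the retailer, not leaked
    leaked = build_leaked_records(["+15551234", "+15559876"], pseudonymization_key)

    print("unkeyed column:", recovered_identifiers(leaked, "mobile_sha256", PREFIX, WIDTH))
    print("HMAC column, key not compromised:",
          recovered_identifiers(leaked, "mobile_hmac", PREFIX, WIDTH))
    print("HMAC column, key compromised:",
          recovered_identifiers(leaked, "mobile_hmac", PREFIX, WIDTH, pseudonymization_key))
```

The unkeyed column is fully recovered; the HMAC column is recovered only when the key is also in the attacker's hands. That is why incident triage asks both "was the identifier transformed?" and "was the key compromised?", and why plain-text identifiers (option B) remain the worst case regardless.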
