CIPM Exam Dumps - Certified Information Privacy Manager (CIPM)

Go to page:

<< First
Prev
1
2
3
4
5
6
7
Next
Last >>

Question # 17

In which situation would a Privacy Impact Assessment (PIA) be the least likely to be required?

If a company created a credit-scoring platform five years ago.

If a health-care professional or lawyer processed personal data from a patient's file.

If a social media company created a new product compiling personal data to generate user profiles.

If an after-school club processed children's data to determine which children might have food allergies.

Full Access

Question # 18

Which statement is FALSE regarding the use of technical security controls?

Technical security controls are part of a data governance strategy.

Technical security controls deployed for one jurisdiction often satisfy another jurisdiction.

Most privacy legislation lists the types of technical security controls that must be implemented.

A person with security knowledge should be involved with the deployment of technical security controls.

Full Access

Question # 19

What is the main purpose of a privacy program audit?

To mitigate the effects of a privacy breach.

To justify a privacy department budget increase.

To make decisions on privacy staff roles and responsibilities.

To ensure the adequacy of data protection procedures.

Full Access

Question # 20

While trying to e-mail her manager, an employee has e-mailed a list of all the company's customers, including their bank details, to an employee with the same name at a different company. Which of the following would be the first stage in the incident response plan under the General Data Protection Regulation (GDPR)?

Notification to data subjects.

Containment of impact of breach.

Remediation offers to data subjects.

Notification to the Information Commissioner's Office (ICO).

Full Access

Question # 21

SCENARIO

Please use the following to answer the next QUESTION:

Paul Daniels, with years of experience as a CEO, is worried about his son Carlton's successful venture, Gadgo. A technological innovator in the communication industry that quickly became profitable, Gadgo has moved beyond its startup phase. While it has retained its vibrant energy, Paul fears that under Carlton's direction, the company may not be taking its risks or obligations as seriously as it needs to. Paul has hired you, a Privacy Consultant, to assess the company and report to both father and son. "Carlton won't listen to me," Paul says, "but he may pay attention to an expert."

Gadgo's workplace is a clubhouse for innovation, with games, toys, snacks. espresso machines, giant fish tanks and even an iguana who regards you with little interest. Carlton, too, seems bored as he describes to you the company's procedures and technologies for data protection. It's a loose assemblage of controls, lacking consistency and with plenty of weaknesses. "This is a technology company," Carlton says. "We create. We innovate. I don't want unnecessary measures that will only slow people down and clutter their thoughts."

The meeting lasts until early evening. Upon leaving, you walk through the office it looks as if a strong windstorm has recently blown through, with papers scattered across desks and tables and even the floor. A "cleaning crew" of one teenager is emptying the trash bins. A few computers have been left on for the night, others are missing. Carlton takes note of your attention to this: "Most of my people take their laptops home with them, or use their own tablets or phones. I want them to use whatever helps them to think and be ready day or night for that great insight. It may only come once!"

What would be the best kind of audit to recommend for Gadgo?

A supplier audit.

An internal audit.

A third-party audit.

A self-certification.

Full Access

Question # 22

SCENARIO

Please use the following to answer the next QUESTION:

Penny has recently joined Ace Space, a company that sells homeware accessories online, as its new privacy officer. The company is based in California but thanks to some great publicity from a social media influencer last year, the company has received an influx of sales from the EU and has set up a regional office in Ireland to support this expansion. To become familiar with Ace Spaceâ€™s practices and assess what her privacy priorities will be, Penny has set up meetings with a number of colleagues to hear about the work that they have been doing and their compliance efforts.

Pennyâ€™s colleague in Marketing is excited by the new sales and the companyâ€™s plans, but is also concerned that Penny may curtail some of the growth opportunities he has planned. He tells her â€œI heard someone in the breakroom talking about some new privacy laws but I really donâ€™t think it affects us. Weâ€™re just a small company. I mean we just sell accessories online, so whatâ€™s the real risk?â€ He has also told her that he works with a number of small companies that help him get projects completed in a hurry. â€œWeâ€™ve got to meet our deadlines otherwise we lose money. I just sign the contracts and get Jim in finance to push through the payment. Reviewing the contracts takes time that we just donâ€™t have.â€

In her meeting with a member of the IT team, Penny has learned that although Ace Space has taken a number of precautions to protect its website from malicious activity, it has not taken the same level of care of its physical files or internal infrastructure. Pennyâ€™s colleague in IT has told her that a former employee lost an encrypted USB key with financial data on it when he left. The company nearly lost access to their customer database last year after they fell victim to a phishing attack. Penny is told by her IT colleague that the IT team â€œdidnâ€™t know what to do or who should do what. We hadnâ€™t been trained on it but weâ€™re a small team though, so it worked out OK in the end.â€ Penny is concerned that these issues will compromise Ace Spaceâ€™s privacy and data protection.

Penny is aware that the company has solid plans to grow its international sales and will be working closely with the CEO to give the organization a data â€œshake upâ€. Her mission is to cultivate a strong privacy culture within the company.

Penny has a meeting with Ace Spaceâ€™s CEO today and has been asked to give her first impressions and an overview of her next steps.

What information will be LEAST crucial from a privacy perspective in Pennyâ€™s review of vendor contracts?

Audit rights

Liability for a data breach

Pricing for data security protections

The data a vendor will have access to

Full Access

Answer:

Explanation:

The information that will be least crucial from a privacy perspective in Pennyâ€™s review of vendor contracts is the pricing for data security protections Â©. This is because the pricing for data security protections is a business decision that does not directly affect the privacy rights and obligations of Ace Space and its customers. The pricing for data security protections may be relevant for budgeting and negotiating purposes, but it does not determine the level or adequacy of data security measures that the vendor must provide to protect personal data.

The other options are more crucial from a privacy perspective in Pennyâ€™s review of vendor contracts. Audit rights (A) are important to ensure that Ace Space can monitor and verify the vendorâ€™s compliance with the contract terms and the applicable privacy laws and regulations. Audit rights allow Ace Space to access the vendorâ€™s records, systems, policies and procedures related to personal data processing and to conduct inspections or assessments as needed. Liability for a data breach (B) is important to allocate the responsibility and consequences of a data breach involving personal data that the vendor processes on behalf of Ace Space. Liability for a data breach may include indemnification, compensation, notification, remediation and termination clauses that protect Ace Spaceâ€™s interests and obligations in the event of a data breach. The data a vendor will have access to (D) is important to define the scope, purpose, duration and conditions of the personal data processing that the vendor will perform for Ace Space. The data a vendor will have access to may include the categories, types, sources, recipients and retention periods of personal data that the vendor will collect, store, use or share on behalf of Ace Space.

References:

CIPM Body of Knowledge Domain II: Privacy Program Operational Life Cycle - Task 3: Implement privacy program components - Subtask 3: Establish third-party processor management program
CIPM Study Guide - Chapter 4: Privacy Program Operational Life Cycle - Section 4.3: Third-Party Processor Management

Question # 23

SCENARIO

Please use the following to answer the next QUESTION:

It's just what you were afraid of. Without consulting you, the information technology director at your organization launched a new initiative to encourage employees to use personal devices for conducting business. The initiative made purchasing a new, high-specification laptop computer an attractive option, with discounted laptops paid for as a payroll deduction spread over a year of paychecks. The organization is also paying the sales taxes. It's a great deal, and after a month, more than half the organization's employees have signed on and acquired new laptops. Walking through the facility, you see them happily customizing and comparing notes on their new computers, and at the end of the day, most take their laptops with them, potentially carrying personal data to their homes or other unknown locations. It's enough to give you data- protection nightmares, and you've pointed out to the information technology Director and many others in the organization the potential hazards of this new practice, including the inevitability of eventual data loss or theft.

Today you have in your office a representative of the organization's marketing department who shares with you, reluctantly, a story with potentially serious consequences. The night before, straight from work, with laptop in hand, he went to the Bull and Horn Pub to play billiards with his friends. A fine night of sport and socializing began, with the laptop "safely" tucked on a bench, beneath his jacket. Later that night, when it was time to depart, he retrieved the jacket, but the laptop was gone. It was not beneath the bench or on another bench nearby. The waitstaff had not seen it. His friends were not playing a joke on him. After a sleepless night, he confirmed it this morning, stopping by the pub to talk to the cleanup crew. They had not found it. The laptop was missing. Stolen, it seems. He looks at you, embarrassed and upset.

You ask him if the laptop contains any personal data from clients, and, sadly, he nods his head, yes. He believes it contains files on about 100 clients, including names, addresses and governmental identification numbers. He sighs and places his head in his hands in despair.

Which is the best way to ensure that data on personal equipment is protected?

User risk training.

Biometric security.

Encryption of the data.

Frequent data backups.

Full Access

Question # 24

Formosa International operates in 20 different countries including the United States and France. What organizational approach would make complying with a number of different regulations easier?

Data mapping.

Fair Information Practices.

Rationalizing requirements.

Decentralized privacy management.

Full Access