• support@dumpspool.com
SPECIAL LIMITED TIME DISCOUNT OFFER. USE DISCOUNT CODE TO GET 20% OFF DP2021

PDF Only

$35.00 Free Updates Upto 90 Days

  • CIPM Dumps PDF
  • 180 Questions
  • Updated On July 04, 2024

PDF + Test Engine

$60.00 Free Updates Upto 90 Days

  • CIPM Question Answers
  • 180 Questions
  • Updated On July 04, 2024

Test Engine

$50.00 Free Updates Upto 90 Days

  • CIPM Practice Questions
  • 180 Questions
  • Updated On July 04, 2024
Check Our Free IAPP CIPM Online Test Engine Demo.

How to pass IAPP CIPM exam with the help of dumps?

DumpsPool provides you the finest quality resources you’ve been looking for to no avail. So, it's due time you stop stressing and get ready for the exam. Our Online Test Engine provides you with the guidance you need to pass the certification exam. We guarantee top-grade results because we know we’ve covered each topic in a precise and understandable manner. Our expert team prepared the latest IAPP CIPM Dumps to satisfy your need for training. Plus, they are in two different formats: Dumps PDF and Online Test Engine.

How Do I Know IAPP CIPM Dumps are Worth it?

Did we mention our latest CIPM Dumps PDF is also available as Online Test Engine? And that’s just the point where things start to take root. Of all the amazing features you are offered here at DumpsPool, the money-back guarantee has to be the best one. Now that you know you don’t have to worry about the payments. Let us explore all other reasons you would want to buy from us. Other than affordable Real Exam Dumps, you are offered three-month free updates.

You can easily scroll through our large catalog of certification exams. And, pick any exam to start your training. That’s right, DumpsPool isn’t limited to just IAPP Exams. We trust our customers need the support of an authentic and reliable resource. So, we made sure there is never any outdated content in our study resources. Our expert team makes sure everything is up to the mark by keeping an eye on every single update. Our main concern and focus are that you understand the real exam format. So, you can pass the exam in an easier way!

IT Students Are Using our Certified Information Privacy Manager (CIPM) Dumps Worldwide!

It is a well-established fact that certification exams can’t be conquered without some help from experts. The point of using Certified Information Privacy Manager (CIPM) Practice Question Answers is exactly that. You are constantly surrounded by IT experts who’ve been through you are about to and know better. The 24/7 customer service of DumpsPool ensures you are in touch with these experts whenever needed. Our 100% success rate and validity around the world, make us the most trusted resource candidates use. The updated Dumps PDF helps you pass the exam on the first attempt. And, with the money-back guarantee, you feel safe buying from us. You can claim your return on not passing the exam.

How to Get CIPM Real Exam Dumps?

Getting access to the real exam dumps is as easy as pressing a button, literally! There are various resources available online, but the majority of them sell scams or copied content. So, if you are going to attempt the CIPM exam, you need to be sure you are buying the right kind of Dumps. All the Dumps PDF available on DumpsPool are as unique and the latest as they can be. Plus, our Practice Question Answers are tested and approved by professionals. Making it the top authentic resource available on the internet. Our expert has made sure the Online Test Engine is free from outdated & fake content, repeated questions, and false plus indefinite information, etc. We make every penny count, and you leave our platform fully satisfied!

Frequently Asked Questions

IAPP CIPM Sample Question Answers

Question # 1

SCENARIOPlease use the following to answer the next QUESTION:Martin Briseño is the director of human resources at the Canyon City location of the U.S.hotel chain Pacific Suites. In 1998, Briseño decided to change the hotel’s on-the-jobmentoring model to a standardized training program for employees who were progressingfrom line positions into supervisory positions. He developed a curriculum comprising aseries of lessons, scenarios, and assessments, which was delivered in-person to smallgroups. Interest in the training increased, leading Briseño to work with corporate HRspecialists and software engineers to offer the program in an online format. The onlineprogram saved the cost of a trainer and allowed participants to work through the material attheir own pace.Upon hearing about the success of Briseño’s program, Pacific Suites corporate VicePresident Maryanne Silva-Hayes expanded the training and offered it company-wide.Employees who completed the program received certification as a Pacific Suites HospitalitySupervisor. By 2001, the program had grown to provide industry-wide training. Personnelat hotels across the country could sign up and pay to take the course online. As theprogram became increasingly profitable, Pacific Suites developed an offshoot business,Pacific Hospitality Training (PHT). The sole focus of PHT was developing and marketing avariety of online courses and course progressions providing a number of professionalcertifications in the hospitality industry.By setting up a user account with PHT, course participants could access an informationlibrary, sign up for courses, and take end-of-course certification tests. When a user openeda new account, all information was saved by default, including the user’s name, date ofbirth, contact information, credit card information, employer, and job title. The registrationpage offered an opt-out choice that users could click to not have their credit card numberssaved. Once a user name and password were established, users could return to checktheir course status, review and reprint their certifications, and sign up and pay for newcourses. Between 2002 and 2008, PHT issued more than 700,000 professionalcertifications.PHT’s profits declined in 2009 and 2010, the victim of industry downsizing and increasedcompetition from e- learning providers. By 2011, Pacific Suites was out of the onlinecertification business and PHT was dissolved. The training program’s systems and recordsremained in Pacific Suites’ digital archives, un-accessed and unused. Briseño and SilvaHayes moved on to work for other companies, and there was no plan for handling thearchived data after the program ended. After PHT was dissolved, Pacific Suites executivesturned their attention to crucial day-to-day operations. They planned to deal with the PHTmaterials once resources allowed.In 2012, the Pacific Suites computer network was hacked. Malware installed on the onlinereservation system exposed the credit card information of hundreds of hotel guests. Whiletargeting the financial data on the reservation site, hackers also discovered the archivedtraining course data and registration accounts of Pacific Hospitality Training’s customers.The result of the hack was the exfiltration of the credit card numbers of recent hotel guestsand the exfiltration of the PHT database with all its contents.A Pacific Suites systems analyst discovered the information security breach in a routinescan of activity reports. Pacific Suites quickly notified credit card companies and recenthotel guests of the breach, attempting to prevent serious harm. Technical securityengineers faced a challenge in dealing with the PHT data.PHT course administrators and the IT engineers did not have a system for tracking,cataloguing, and storing information. Pacific Suites has procedures in place for data accessand storage, but those procedures were not implemented when PHT was formed. Whenthe PHT database was acquired by Pacific Suites, it had no owner or oversight. By the timetechnical security engineers determined what private information was compromised, atleast 8,000 credit card holders were potential victims of fraudulent activity.How was Pacific Suites responsible for protecting the sensitive information of its offshoot,PHT?

A. As the parent company, it should have transferred personnel to oversee the secure handling of PHT’s data. 
B. As the parent company, it should have performed an assessment of PHT’s infrastructure and confirmed complete separation of the two networks. 
C. As the parent company, it should have ensured its existing data access and storage procedures were integrated into PHT’s system. 
D. As the parent company, it should have replaced PHT’s electronic files with hard-copy documents stored securely on site. 

Question # 2

What are you doing if you succumb to "overgeneralization" when analyzing data frommetrics?

A. Using data that is too broad to capture specific meanings. 
B. Possessing too many types of data to perform a valid analysis. 
C. Using limited data in an attempt to support broad conclusions. 
D. Trying to use several measurements to gauge one aspect of a program. 

Question # 3

How do privacy audits differ from privacy assessments?

A. They are non-binding. 
B. They are evidence-based. 
C. They are based on standards. 
D. They are conducted by external parties. 

Question # 4

What is the main reason to begin with 3-5 key metrics during the program developmentprocess?

A. To avoid undue financial costs. 
B. To keep the focus on the main organizational objectives. 
C. To minimize selective data use. 
D. To keep the process limited to as few people as possible. 

Question # 5

SCENARIOPlease use the following to answer the next QUESTION:It's just what you were afraid of. Without consulting you, the information technology directorat your organization launched a new initiative to encourage employees to use personaldevices for conducting business. The initiative made purchasing a new, high-specificationlaptop computer an attractive option, with discounted laptops paid for as a payrolldeduction spread over a year of paychecks. The organization is also paying the salestaxes. It's a great deal, and after a month, more than half the organization's employeeshave signed on and acquired new laptops. Walking through the facility, you see themhappily customizing and comparing notes on their new computers, and at the end of theday, most take their laptops with them, potentially carrying personal data to their homes orother unknown locations. It's enough to give you data- protection nightmares, and you'vepointed out to the information technology Director and many others in the organization thepotential hazards of this new practice, including the inevitability of eventual data loss ortheft.Today you have in your office a representative of the organization's marketing departmentwho shares with you, reluctantly, a story with potentially serious consequences. The nightbefore, straight from work, with laptop in hand, he went to the Bull and Horn Pub to playbilliards with his friends. A fine night of sport and socializing began, with the laptop "safely"tucked on a bench, beneath his jacket. Later that night, when it was time to depart, heretrieved the jacket, but the laptop was gone. It was not beneath the bench or on anotherbench nearby. The waitstaff had not seen it. His friends were not playing a joke on him.After a sleepless night, he confirmed it this morning, stopping by the pub to talk to thecleanup crew. They had not found it. The laptop was missing. Stolen, it seems. He looks atyou, embarrassed and upset.You ask him if the laptop contains any personal data from clients, and, sadly, he nods hishead, yes. He believes it contains files on about 100 clients, including names, addressesand governmental identification numbers. He sighs and places his head in his hands indespair.What should you do first to ascertain additional information about the loss of data?

A. Interview the person reporting the incident following a standard protocol. 
B. Call the police to investigate even if you are unsure a crime occurred. 
C. Investigate the background of the person reporting the incident. 
D. Check company records of the latest backups to see what data may be recoverable. 

Question # 6

Which is NOT an influence on the privacy environment external to an organization?

A. Management team priorities. 
B. Regulations. 
C. Consumer demand. 
D. Technological advances. 

Question # 7

SCENARIOPlease use the following to answer the next QUESTION:Manasa is a product manager at Omnipresent Omnimedia, where she is responsible forleading the development of the company's flagship product, the Handy Helper. The HandyHelper is an application that can be used in the home to manage family calendars, doonline shopping, and schedule doctor appointments. After having had a successful launchin the United States, the Handy Helper is about to be made available for purchaseworldwide.The packaging and user guide for the Handy Helper indicate that it is a "privacy friendly"product suitable for the whole family, including children, but does not provide any furtherdetail or privacy notice. In order to use the application, a family creates a single account,and the primary user has access to all information about the other users. Upon start up, theprimary user must check a box consenting to receive marketing emails from OmnipresentOmnimedia and selected marketing partners in order to be able to use the application.Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreementwith a European distributor of Handy Helper when he fielded many Questions about theproduct from the distributor. Sanjay needed to look more closely at the product in order tobe able to answer the Questions as he was not involved in the product developmentprocess.In speaking with the product team, he learned that the Handy Helper collected and storedall of a user's sensitive medical information for the medical appointment scheduler. In fact,all of the user's information is stored by Handy Helper for the additional purpose of creatingadditional products and to analyze usage of the product. This data is all stored in the cloudand is encrypted both during transmission and at rest.Consistent with the CEO's philosophy that great new product ideas can come from anyone,all Omnipresent Omnimedia employees have access to user data under a program calledEureka. Omnipresent Omnimedia is hoping that at some point in the future, the data willreveal insights that could be used to create a fully automated application that runs onartificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-termgoal.What step in the system development process did Manasa skip?

A. Obtain express written consent from users of the Handy Helper regarding marketing. 
B. Work with Sanjay to review any necessary privacy requirements to be built into the product. 
C. Certify that the Handy Helper meets the requirements of the EU-US Privacy Shield Framework. 
D. Build the artificial intelligence feature so that users would not have to input sensitiveinformation into the Handy Helper. 

Question # 8

SCENARIOPlease use the following to answer the next QUESTION:Amira is thrilled about the sudden expansion of NatGen. As the joint Chief ExecutiveOfficer (CEO) with her long-time business partner Sadie, Amira has watched the companygrow into a major competitor in the green energy market. The current line of productsincludes wind turbines, solar energy panels, and equipment for geothermal systems. Atalented team of developers means that NatGen's line of products will only continue togrow.With the expansion, Amira and Sadie have received advice from new senior staff membersbrought on to help manage the company's growth. One recent suggestion has been tocombine the legal and security functions of the company to ensure observance of privacylaws and the company's own privacy policy. This sounds overly complicated to Amira, whowants departments to be able to use, collect, store, and dispose of customer data in waysthat will best suit their needs. She does not want administrative oversight and complexstructuring to get in the way of people doing innovative work.Sadie has a similar outlook. The new Chief Information Officer (CIO) has proposed whatSadie believes is an unnecessarily long timetable for designing a new privacy program.She has assured him that NatGen will use the best possible equipment for electronicstorage of customer and employee data. She simply needs a list of equipment and anestimate of its cost. But the CIO insists that many issues are necessary to consider beforethe company gets to that stage.Regardless, Sadie and Amira insist on giving employees space to do their jobs. Both CEOswant to entrust the monitoring of employee policy compliance to low-level managers. Amiraand Sadie believe these managers can adjust the company privacy policy according towhat works best for their particular departments. NatGen's CEOs know that flexibleinterpretations of the privacy policy in the name of promoting green energy would be highlyunlikely to raise any concerns with their customer base, as long as the data is always usedin course of normal business activities.Perhaps what has been most perplexing to Sadie and Amira has been the CIO'srecommendation to institute a privacy compliance hotline. Sadie and Amira have relentedon this point, but they hope to compromise by allowing employees to take turns handlingreports of privacy policy violations. The implementation will be easybecause the employees need no special preparation. They will simply have to documentany concerns they hear.Sadie and Amira are aware that it will be challenging to stay true to their principles andguard against corporate culture strangling creativity and employee morale. They hope thatall senior staff will see the benefit of trying a unique approach.Based on the scenario, what additional change will increase the effectiveness of theprivacy compliance hotline?

A. Outsourcing the hotline. 
B. A system for staff education. 
C. Strict communication channels. 
D. An ethics complaint department. 

Question # 9

SCENARIOPlease use the following to answer the next QUESTION:Martin Briseño is the director of human resources at the Canyon City location of the U.S.hotel chain Pacific Suites. In 1998, Briseño decided to change the hotel’s on-the-jobmentoring model to a standardized training program for employees who were progressingfrom line positions into supervisory positions. He developed a curriculum comprising aseries of lessons, scenarios, and assessments, which was delivered in-person to smallgroups. Interest in the training increased, leading Briseño to work with corporate HRspecialists and software engineers to offer the program in an online format. The onlineprogram saved the cost of a trainer and allowed participants to work through the material attheir own pace.Upon hearing about the success of Briseño’s program, Pacific Suites corporate VicePresident Maryanne Silva-Hayes expanded the training and offered it company-wide.Employees who completed the program received certification as a Pacific Suites HospitalitySupervisor. By 2001, the program had grown to provide industry-wide training. Personnelat hotels across the country could sign up and pay to take the course online. As theprogram became increasingly profitable, Pacific Suites developed an offshoot business,Pacific Hospitality Training (PHT). The sole focus of PHT was developing and marketing avariety of online courses and course progressions providing a number of professionalcertifications in the hospitality industry.By setting up a user account with PHT, course participants could access an informationlibrary, sign up for courses, and take end-of-course certification tests. When a user openeda new account, all information was saved by default, including the user’s name, date ofbirth, contact information, credit card information, employer, and job title. The registrationpage offered an opt-out choice that users could click to not have their credit card numberssaved. Once a user name and password were established, users could return to checktheir course status, review and reprint their certifications, and sign up and pay for newcourses. Between 2002 and 2008, PHT issued more than 700,000 professionalcertifications.PHT’s profits declined in 2009 and 2010, the victim of industry downsizing and increasedcompetition from e- learning providers. By 2011, Pacific Suites was out of the onlinecertification business and PHT was dissolved. The training program’s systems and recordsremained in Pacific Suites’ digital archives, un-accessed and unused. Briseño and SilvaHayes moved on to work for other companies, and there was no plan for handling thearchived data after the program ended. After PHT was dissolved, Pacific Suites executivesturned their attention to crucial day-to-day operations. They planned to deal with the PHTmaterials once resources allowed.In 2012, the Pacific Suites computer network was hacked. Malware installed on the onlinereservation system exposed the credit card information of hundreds of hotel guests. Whiletargeting the financial data on the reservation site, hackers also discovered the archivedtraining course data and registration accounts of Pacific Hospitality Training’s customers.The result of the hack was the exfiltration of the credit card numbers of recent hotel guestsand the exfiltration of the PHT database with all its contents.A Pacific Suites systems analyst discovered the information security breach in a routinescan of activity reports. Pacific Suites quickly notified credit card companies and recenthotel guests of the breach, attempting to prevent serious harm. Technical securityengineers faced a challenge in dealing with the PHT data.PHT course administrators and the IT engineers did not have a system for tracking,cataloguing, and storing information. Pacific Suites has procedures in place for data accessand storage, but those procedures were not implemented when PHT was formed. Whenthe PHT database was acquired by Pacific Suites, it had no owner or oversight. By the timetechnical security engineers determined what private information was compromised, atleast 8,000 credit card holders were potential victims of fraudulent activity.In the Information Technology engineers had originally set the default for customer creditcard information to “Do Not Save,” this action would have been in line with what concept?

A. Use limitation 
B. Privacy by Design 
C. Harm minimization 
D. Reactive risk management 

Question # 10

What should be the first major goal of a company developing a new privacy program?

A. To survey potential funding sources for privacy team resources. 
B. To schedule conversations with executives of affected departments. 
C. To identify potential third-party processors of the organization's information. 
D. To create Data Lifecycle Management policies and procedures to limit data collection. 

Question # 11

What is the main purpose in notifying data subjects of a data breach?

A. To avoid financial penalties and legal liability 
B. To enable regulators to understand trends and developments that may shape the law 
C. To ensure organizations have accountability for the sufficiency of their security measures 
D. To allow individuals to take any actions required to protect themselves from possible consequences 

Question # 12

In regards to the collection of personal data conducted by an organization, what must thedata subject be allowed to do?

A. Evaluate the qualifications of a third-party processor before any data is transferred tothat processor. 
B. Obtain a guarantee of prompt notification in instances involving unauthorized access ofthe data. 
C. Set a time-limit as to how long the personal data may be stored by the organization. 
D. Challenge the authenticity of the personal data and have it corrected if needed. 

Question # 13

SCENARIOPlease use the following to answer the next QUESTION:You lead the privacy office for a company that handles information from individuals living inseveral countriesthroughout Europe and the Americas. You begin that morning’s privacy review when acontracts officer sends you a message asking for a phone call. The message lacks clarityand detail, but you presume that data was lost.When you contact the contracts officer, he tells you that he received a letter in the mailfrom a vendor stating that the vendor improperly shared information about your customers.He called the vendor and confirmed that your company recently surveyed exactly 2000 individuals about their most recent healthcare experience and sent those surveys to thevendor to transcribe it into a database, but the vendor forgot to encrypt the database aspromised in the contract. As a result, the vendor has lost control of the data.The vendor is extremely apologetic and offers to take responsibility for sending out thenotifications. They tell you they set aside 2000 stamped postcards because that shouldreduce the time it takes to get the notice in the mail. One side is limited to their logo, but theother side is blank and they will accept whatever you want to write. You put their offer onhold and begin to develop the text around the space constraints. You are content to let thevendor’s logo be associated with the notification.The notification explains that your company recently hired a vendor to store informationabout their most recent experience at St. Sebastian Hospital’s Clinic for InfectiousDiseases. The vendor did not encrypt the information and no longer has control of it. All2000 affected individuals are invited to sign-up for email notifications about theirinformation. They simply need to go to your company’s website and watch a quickadvertisement, then provide their name, email address, and month and year of birth.You email the incident-response council for their buy-in before 9 a.m. If anything goeswrong in this situation, you want to diffuse the blame across your colleagues. Over the nexteight hours, everyone emails their comments back and forth. The consultant who leads theincident-response team notes that it is his first day with the company, but he has been inother industries for 45 years and will do his best. One of the three lawyers on the councilcauses the conversation to veer off course, but it eventually gets back on track. At the endof the day, they vote to proceed with the notification you wrote and use the vendor’spostcards.Shortly after the vendor mails the postcards, you learn the data was on a server that wasstolen, and make the decision to have your company offer credit monitoring services. Aquick internet search finds a credit monitoring company with a convincing name: CreditUnder Lock and Key (CRUDLOK). Your sales rep has never handled a contract for 2000people, but develops a proposal in about a day which says CRUDLOK will:1.Send an enrollment invitation to everyone the day after the contract is signed.2.Enroll someone with just their first name and the last-4 of their national identifier.3.Monitor each enrollee’s credit for two years from the date of enrollment.4.Send a monthly email with their credit rating and offers for credit-related services atmarket rates.5.Charge your company 20% of the cost of any credit restoration.You execute the contract and the enrollment invitations are emailed to the 2000 individuals.Three days later you sit down and document all that went well and all that could have gonebetter. You put it in a file to reference the next time an incident occurs.Which of the following was done CORRECTLY during the above incident?

A. The process by which affected individuals sign up for email notifications 
B. Your assessment of which credit monitoring company you should hire 
C. The speed at which you sat down to reflect and document the incident 
D. Finding a vendor who will offer the affected individuals additional services 

Question # 14

Under which circumstances would people who work in human resources be considered asecondary audience for privacy metrics?

A. They do not receive training on privacy issues 
B. They do not interface with the financial office 
C. They do not have privacy policy as their main task 
D. They do not have frequent interactions with the public 

Question # 15

SCENARIOPlease use the following to answer the next QUESTION:You lead the privacy office for a company that handles information from individuals living inseveral countries throughout Europe and the Americas. You begin that morning’s privacyreview when a contracts officer sends you a message asking for a phone call. Themessage lacks clarity and detail, but you presume that data was lost.When you contact the contracts officer, he tells you that he received a letter in the mailfrom a vendor stating that the vendor improperly shared information about your customers. He called the vendorand confirmed that your company recently surveyed exactly 2000 individuals about theirmost recent healthcare experience and sent those surveys to the vendor to transcribe itinto a database, but the vendor forgot to encrypt the database as promised in the contract.As a result, the vendor has lost control of the data.The vendor is extremely apologetic and offers to take responsibility for sending out thenotifications. They tell you they set aside 2000 stamped postcards because that shouldreduce the time it takes to get the notice in the mail. One side is limited to their logo, but theother side is blank and they will accept whatever you want to write. You put their offer onhold and begin to develop the text around the space constraints. You are content to let thevendor’s logo be associated with the notification.The notification explains that your company recently hired a vendor to store informationabout their most recent experience at St. Sebastian Hospital’s Clinic for InfectiousDiseases. The vendor did not encrypt the information and no longer has control of it. All2000 affected individuals are invited to sign-up for email notifications about theirinformation. They simply need to go to your company’s website and watch a quickadvertisement, then provide their name, email address, and month and year of birth.You email the incident-response council for their buy-in before 9 a.m. If anything goeswrong in this situation, you want to diffuse the blame across your colleagues. Over the nexteight hours, everyone emails their comments back and forth. The consultant who leads theincident-response team notes that it is his first day with the company, but he has been inother industries for 45 years and will do his best. One of the three lawyers on the councilcauses the conversation to veer off course, but it eventually gets back on track. At the endof the day, they vote to proceed with the notification you wrote and use the vendor’spostcards.Shortly after the vendor mails the postcards, you learn the data was on a server that wasstolen, and make the decision to have your company offer credit monitoring services. Aquick internet search finds a credit monitoring company with a convincing name: CreditUnder Lock and Key (CRUDLOK). Your sales rep has never handled a contract for 2000people, but develops a proposal in about a day which says CRUDLOK will:1.Send an enrollment invitation to everyone the day after the contract is signed.2.Enroll someone with just their first name and the last-4 of their national identifier.3.Monitor each enrollee’s credit for two years from the date of enrollment.4.Send a monthly email with their credit rating and offers for credit-related services atmarket rates.5.Charge your company 20% of the cost of any credit restoration.You execute the contract and the enrollment invitations are emailed to the 2000 individuals.Three days later you sit down and document all that went well and all that could have gonebetter. You put it in a file to reference the next time an incident occurs.Regarding the credit monitoring, which of the following would be the greatest concern?

A. The vendor’s representative does not have enough experience 
B. Signing a contract with CRUDLOK which lasts longer than one year 
C. The company did not collect enough identifiers to monitor one’s credit 
D. You are going to notify affected individuals via a letter followed by an email 

Question # 16

Which of the following is NOT typically a function of a Privacy Officer?

A. Managing an organization's information security infrastructure. 
B. Serving as an interdepartmental liaison for privacy concerns. 
C. Monitoring an organization's compliance with privacy laws. 
D. Responding to information access requests from the public. 

Question # 17

SCENARIOPlease use the following to answer the next QUESTION:Amira is thrilled about the sudden expansion of NatGen. As the joint Chief ExecutiveOfficer (CEO) with her long-time business partner Sadie, Amira has watched the companygrow into a major competitor in the green energy market. The current line of productsincludes wind turbines, solar energy panels, and equipment for geothermal systems. Atalented team of developers means that NatGen's line of products will only continue togrow.With the expansion, Amira and Sadie have received advice from new senior staff membersbrought on to help manage the company's growth. One recent suggestion has been tocombine the legal and security functions of the company to ensure observance of privacylaws and the company's own privacy policy. This sounds overly complicated to Amira, whowants departments to be able to use, collect, store, and dispose of customer data in waysthat will best suit their needs. She does not want administrative oversight and complexstructuring to get in the way of people doing innovative work.Sadie has a similar outlook. The new Chief Information Officer (CIO) has proposed whatSadie believes is an unnecessarily long timetable for designing a new privacy program.She has assured him that NatGen will use the best possible equipment for electronicstorage of customer and employee data. She simply needs a list of equipment and anestimate of its cost. But the CIO insists that many issues are necessary to consider beforethe company gets to that stage.Regardless, Sadie and Amira insist on giving employees space to do their jobs. Both CEOswant to entrust the monitoring of employee policy compliance to low-level managers. Amiraand Sadie believe these managers can adjust the company privacy policy according towhat works best for their particular departments. NatGen's CEOs know that flexibleinterpretations of the privacy policy in the name of promoting green energy would be highlyunlikely to raise any concerns with their customer base, as long as the data is always usedin course of normal business activities.Perhaps what has been most perplexing to Sadie and Amira has been the CIO'srecommendation to institute aprivacy compliance hotline. Sadie and Amira have relented on this point, but they hope tocompromise by allowing employees to take turns handling reports of privacy policyviolations. The implementation will be easy because the employees need no specialpreparation. They will simply have to document any concerns they hear.Sadie and Amira are aware that it will be challenging to stay true to their principles andguard against corporate culture strangling creativity and employee morale. They hope thatall senior staff will see the benefit of trying a unique approach.If Amira and Sadie's ideas about adherence to the company's privacy policy go unchecked,the Federal Communications Commission (FCC) could potentially take action againstNatGen for what?

A. Deceptive practices. 
B. Failing to institute the hotline. 
C. Failure to notify of processing. 
D. Negligence in consistent training.

Question # 18

Which of the following best describes proper compliance for an international organizationusing Binding Corporate Rules (BCRs) as a controller or processor?

A. Employees must sign an ad hoc contractual agreement each time personal data isexported. 
B. All employees are subject to the rules in their entirety, regardless of where the work istaking place. 
C. All employees must follow the privacy regulations of the jurisdictions where the currentscope of their work is established. 
D. Employees who control personal data must complete a rigorous certification procedure,as they are exempt from legal enforcement. 

Question # 19

SCENARIOPlease use the following to answer the next QUESTION:Ben works in the IT department of IgNight, Inc., a company that designs lighting solutionsfor its clients. Although IgNight's customer base consists primarily of offices in the US,some individuals have been so impressed by the unique aesthetic and energy-savingdesign of the light fixtures that they have requested IgNight's installations in their homesacross the globe.One Sunday morning, while using his work laptop to purchase tickets for an upcomingmusic festival, Ben happens to notice some unusual user activity on company files. From acursory review, all the data still appears to be where it is meant to be but he can't shake offthe feeling that something is not right. He knows that it is a possibility that this could be acolleague performing unscheduled maintenance, but he recalls an email from hiscompany's security team reminding employees to be on alert for attacks from a knowngroup of malicious actors specifically targeting the industry.Ben is a diligent employee and wants to make sure that he protects the company but hedoes not want to bother his hard-working colleagues on the weekend. He is going todiscuss the matter with this manager first thing in the morning but wants to be prepared sohe can demonstrate his knowledge in this area and plead his case for a promotion.If this were a data breach, how is it likely to be categorized?

A. Availability Breach. 
B. Authenticity Breach. 
C. Confidentiality Breach. 
D. Integrity Breach. 

Question # 20

SCENARIOPlease use the following to answer the next QUESTION:As they company’s new chief executive officer, Thomas Goddard wants to be known as aleader in data protection. Goddard recently served as the chief financial officer ofHoopy.com, a pioneer in online video viewing with millions of users around the world.Unfortunately, Hoopy is infamous within privacy protection circles for its ethicallyquestionable practices, including unauthorized sales of personal data to marketers. Hoopyalso was the target of credit card data theft that made headlines around the world, as atleast two million credit card numbers were thought to have been pilfered despite thecompany’s claims that “appropriate” data protection safeguards were in place. The scandalaffected the company’s business as competitors were quick to market an increased level ofprotection while offering similar entertainment and media content. Within three weeks afterthe scandal broke, Hoopy founder and CEO Maxwell Martin, Goddard’s mentor, was forcedto step down.Goddard, however, seems to have landed on his feet, securing the CEO position at yourcompany, Medialite, which is just emerging from its start-up phase. He sold the company’sboard and investors on his vision of Medialite building its brand partly on the basis ofindustry-leading data protection standards and procedures. He may have been a key partof a lapsed or even rogue organization in matters of privacy but now he claims to bereformed and a true believer in privacy protection. In his first week on the job, he calls youinto his office and explains that your primary work responsibility is to bring his vision forprivacy to life. But you also detect some reservations. “We want Medialite to haveabsolutely the highest standards,” he says. “In fact, I want us to be able to say that we arethe clear industry leader in privacy and data protection. However, I also need to be aresponsible steward of the company’s finances. So, while I want the best solutions acrossthe board, they also need to be cost effective.”You are told to report back in a week’s time with your recommendations. Charged with thisambiguous mission, you depart the executive suite, already considering your next steps.You are charged with making sure that privacy safeguards are in place for new productsand initiatives. What is the best way to do this?

A. Hold a meeting with stakeholders to create an interdepartmental protocol for newinitiatives 
B. Institute Privacy by Design principles and practices across the organization 
C. Develop a plan for introducing privacy protections into the product development stage 
D. Conduct a gap analysis after deployment of new products, then mend any gaps that arerevealed 

Question # 21

SCENARIOPlease use the following to answer the next QUESTION:You lead the privacy office for a company that handles information from individuals living inseveral countries throughout Europe and the Americas. You begin that morning’s privacyreview when a contracts officer sends you a message asking for a phone call. Themessage lacks clarity and detail, but you presume that data was lost.When you contact the contracts officer, he tells you that he received a letter in the mailfrom a vendor stating that the vendor improperly shared information about your customers.He called the vendor and confirmed that your company recently surveyed exactly 2000individuals about their most recent healthcare experience and sent those surveys to thevendor to transcribe it into a database, but the vendor forgot to encrypt the database aspromised in the contract. As a result, the vendor has lost control of the data. The vendor is extremely apologetic and offers to take responsibility for sending out thenotifications. They tell you they set aside 2000 stamped postcards because that shouldreduce the time it takes to get the notice in the mail. One side is limited to their logo, but theother side is blank and they will accept whatever you want to write. You put their offer onhold and begin to develop the text around the space constraints. You are content to let thevendor’s logo be associated with the notification.The notification explains that your company recently hired a vendor to store informationabout their most recent experience at St. Sebastian Hospital’s Clinic for InfectiousDiseases. The vendor did not encrypt the information and no longer has control of it. All2000 affected individuals are invited to sign-up for email notifications about theirinformation. They simply need to go to your company’s website and watch a quickadvertisement, then provide their name, email address, and month and year of birth.You email the incident-response council for their buy-in before 9 a.m. If anything goeswrong in this situation, you want to diffuse the blame across your colleagues. Over the nexteight hours, everyone emails their comments back and forth. The consultant who leads theincident-response team notes that it is his first day with the company, but he has been inother industries for 45 years and will do his best. One of the three lawyers on the councilcauses the conversation to veer off course, but it eventually gets back on track. At the endof the day, they vote to proceed with the notification you wrote and use the vendor’spostcards.Shortly after the vendor mails the postcards, you learn the data was on a server that wasstolen, and make the decision to have your company offer credit monitoring services. Aquick internet search finds a credit monitoring company with a convincing name: CreditUnder Lock and Key (CRUDLOK). Your sales rep has never handled a contract for 2000people, but develops a proposal in about a day which says CRUDLOK will:1.Send an enrollment invitation to everyone the day after the contract is signed.2.Enroll someone with just their first name and the last-4 of their national identifier.3.Monitor each enrollee’s credit for two years from the date of enrollment.4.Send a monthly email with their credit rating and offers for credit-related services atmarket rates.5.Charge your company 20% of the cost of any credit restoration.You execute the contract and the enrollment invitations are emailed to the 2000 individuals.Three days later you sit down and document all that went well and all that could have gonebetter. You put it in a file to reference the next time an incident occurs. What is the most concerning limitation of the incident-response council?

A. You convened it to diffuse blame 
B. The council has an overabundance of attorneys 
C. It takes eight hours of emails to come to a decision 
D. The leader just joined the company as a consultant 

Question # 22

SCENARIOPlease use the following to answer the next QUESTION:Martin Briseño is the director of human resources at the Canyon City location of the U.S.hotel chain Pacific Suites. In 1998, Briseño decided to change the hotel’s on-the-jobmentoring model to a standardized training program for employees who were progressingfrom line positions into supervisory positions. He developed a curriculum comprising aseries of lessons, scenarios, and assessments, which was delivered in-person to smallgroups. Interest in the training increased, leading Briseño to work with corporate HRspecialists and software engineers to offer the program in an online format. The onlineprogram saved the cost of a trainer and allowed participants to work through the material attheir own pace.Upon hearing about the success of Briseño’s program, Pacific Suites corporate VicePresident Maryanne Silva-Hayes expanded the training and offered it company-wide.Employees who completed the program received certification as a Pacific Suites HospitalitySupervisor. By 2001, the program had grown to provideindustry-wide training. Personnel at hotels across the country could sign up and pay to takethe course online. As the program became increasingly profitable, Pacific Suites developedan offshoot business, Pacific Hospitality Training (PHT). The sole focus of PHT wasdeveloping and marketing a variety of online courses and course progressions providing anumber of professional certifications in the hospitality industry.By setting up a user account with PHT, course participants could access an informationlibrary, sign up for courses, and take end-of-course certification tests. When a user openeda new account, all information was saved by default, including the user’s name, date ofbirth, contact information, credit card information, employer, and job title. The registrationpage offered an opt-out choice that users could click to not have their credit card numberssaved. Once a user name and password were established, users could return to checktheir course status, review and reprint their certifications, and sign up and pay for newcourses. Between 2002 and 2008, PHT issued more than 700,000 professionalcertifications.PHT’s profits declined in 2009 and 2010, the victim of industry downsizing and increasedcompetition from e- learning providers. By 2011, Pacific Suites was out of the onlinecertification business and PHT was dissolved. The training program’s systems and recordsremained in Pacific Suites’ digital archives, un-accessed and unused. Briseño and SilvaHayes moved on to work for other companies, and there was no plan for handling thearchived data after the program ended. After PHT was dissolved, Pacific Suites executivesturned their attention to crucial day-to-day operations. They planned to deal with the PHTmaterials once resources allowed.In 2012, the Pacific Suites computer network was hacked. Malware installed on the onlinereservation system exposed the credit card information of hundreds of hotel guests. Whiletargeting the financial data on the reservation site, hackers also discovered the archivedtraining course data and registration accounts of Pacific Hospitality Training’s customers.The result of the hack was the exfiltration of the credit card numbers of recent hotel guestsand the exfiltration of the PHT database with all its contents.A Pacific Suites systems analyst discovered the information security breach in a routinescan of activity reports. Pacific Suites quickly notified credit card companies and recenthotel guests of the breach, attempting to prevent serious harm. Technical securityengineers faced a challenge in dealing with the PHT data.PHT course administrators and the IT engineers did not have a system for tracking,cataloguing, and storing information. Pacific Suites has procedures in place for data accessand storage, but those procedures were not implemented when PHT was formed. Whenthe PHT database was acquired by Pacific Suites, it had no owner or oversight. By the timetechnical security engineers determined what private information was compromised, atleast 8,000 credit card holders were potential victims of fraudulent activity.What must Pacific Suite’s primary focus be as it manages this security breach?

A. Minimizing the amount of harm to the affected individuals 
B. Investigating the cause and assigning responsibility 
C. Determining whether the affected individuals should be notified 
D. Maintaining operations and preventing publicity 

Question # 23

SCENARIOPlease use the following to answer the next QUESTION:Amira is thrilled about the sudden expansion of NatGen. As the joint Chief ExecutiveOfficer (CEO) with her long-time business partner Sadie, Amira has watched the companygrow into a major competitor in the green energy market. The current line of productsincludes wind turbines, solar energy panels, and equipment for geothermal systems. Atalented team of developers means that NatGen's line of products will only continue togrow.With the expansion, Amira and Sadie have received advice from new senior staff membersbrought on to help manage the company's growth. One recent suggestion has been tocombine the legal and security functions of the company to ensure observance of privacylaws and the company's own privacy policy. This sounds overly complicated to Amira, whowants departments to be able to use, collect, store, and dispose of customer data in waysthat will best suit their needs. She does not want administrative oversight and complexstructuring to get in the way of people doing innovative work.Sadie has a similar outlook. The new Chief Information Officer (CIO) has proposed whatSadie believes is an unnecessarily long timetable for designing a new privacy program.She has assured him that NatGen will use the best possible equipment for electronicstorage of customer and employee data. She simply needs a list of equipment and anestimate of its cost. But the CIO insists that many issues are necessary to consider beforethe company gets to that stage.Regardless, Sadie and Amira insist on giving employees space to do their jobs. Both CEOswant to entrust the monitoring of employee policy compliance to low-level managers. Amiraand Sadie believe these managers can adjust the company privacy policy according towhat works best for their particular departments. NatGen's CEOs know that flexibleinterpretations of the privacy policy in the name of promoting green energy would be highlyunlikely to raise any concerns with their customer base, as long as the data is always usedin course of normal business activities.Perhaps what has been most perplexing to Sadie and Amira has been the CIO'srecommendation to institute aprivacy compliance hotline. Sadie and Amira have relented on this point, but they hope tocompromise by allowing employees to take turns handling reports of privacy policyviolations. The implementation will be easy because the employees need no specialpreparation. They will simply have to document any concerns they hear.Sadie and Amira are aware that it will be challenging to stay true to their principles andguard against corporate culture strangling creativity and employee morale. They hope thatall senior staff will see the benefit of trying a unique approach.What is the most likely reason the Chief Information Officer (CIO) believes that generatinga list of needed IT equipment is NOT adequate?

A. The company needs to have policies and procedures in place to guide the purchasing decisions. 
B. The privacy notice for customers and the Business Continuity Plan (BCP) still need to be reviewed. 
C. Staff members across departments need time to review technical information concerning any new databases. 
D. Senior staff members need to first commit to adopting a minimum number of PrivacyEnhancing Technologies (PETs). 

Question # 24

SCENARIOPlease use the following to answer the next QUESTION:Henry Home Furnishings has built high-end furniture for nearly forty years. However, thenew owner, Anton, has found some degree of disorganization after touring the companyheadquarters. His uncle Henry had always focused on production – not data processing –and Anton is concerned. In several storage rooms, he has found paper files, disks, and oldcomputers that appear to contain the personal data of current and former employees andcustomers. Anton knows that a single break-in could irrevocably damage the company'srelationship with its loyal customers. He intends to set a goal of guaranteed zero loss ofpersonal information.To this end, Anton originally planned to place restrictions on who was admitted to thephysical premises of the company. However, Kenneth – his uncle's vice president andlongtime confidante – wants to hold off on Anton's idea in favor of converting any paperrecords held at the company to electronic storage. Kenneth believes this process wouldonly take one or two years. Anton likes this idea; he envisions a password- protectedsystem that only he and Kenneth can access.Anton also plans to divest the company of most of its subsidiaries. Not only will this makehis job easier, but it will simplify the management of the stored data. The heads ofsubsidiaries like the art gallery and kitchenware store down the street will be responsiblefor their own information management. Then, any unneeded subsidiary data still in Anton'spossession can be destroyed within the next few years.After learning of a recent security incident, Anton realizes that another crucial step will benotifying customers. Kenneth insists that two lost hard drives in Question are not cause forconcern; all of the data was encrypted and not sensitive in nature. Anton does not want totake any chances, however. He intends on sending notice letters to all employees andcustomers to be safe.Anton must also check for compliance with all legislative, regulatory, and marketrequirements related to privacy protection. Kenneth oversaw the development of thecompany's online presence about ten years ago, but Anton is not confident about hisunderstanding of recent online marketing laws. Anton is assigning another trustedemployee with a law background the task of the compliance assessment. After a thoroughanalysis, Anton knows the company should be safe for another five years, at which time hecan order another check.Documentation of this analysis will show auditors due diligence.Anton has started down a long road toward improved management of the company, but heknows the effort is worth it. Anton wants his uncle's legacy to continue for many years tocome.To improve the facility's system of data security, Anton should consider following throughwith the plan for which of the following?

A. Customer communication. 
B. Employee access to electronic storage. 
C. Employee advisement regarding legal matters. 
D. Controlled access at the company headquarters. 

Question # 25

Which of the following controls does the PCI DSS framework NOT require?

A. Implement strong asset control protocols. 
B. Implement strong access control measures. 
C. Maintain an information security policy. 
D. Maintain a vulnerability management program. 

Question # 26

SCENARIOPlease use the following to answer the next QUESTION:For 15 years, Albert has worked at Treasure Box – a mail order company in the UnitedStates (U.S.) that used to sell decorative candles around the world, but has recentlydecided to limit its shipments to customers in the 48 contiguous states. Despite his years ofexperience, Albert is often overlooked for managerial positions. His frustration about notbeing promoted, coupled with his recent interest in issues of privacy protection, havemotivated Albert to be an agent of positive change.He will soon interview for a newly advertised position, and during the interview, Albert planson making executives aware of lapses in the company’s privacy program. He feels certainhe will be rewarded with a promotion for preventing negative consequences resulting fromthe company’s outdated policies and procedures.For example, Albert has learned about the AICPA (American Institute of Certified PublicAccountans)/CICA (Canadian Institute of Chartered Accountants) Privacy Maturity Model(PMM). Albert thinks the model is a useful way to measure Treasure Box’s ability to protectpersonal data. Albert has noticed that Treasure Box fails to meet the requirements of thehighest level of maturity of this model; at his interview, Albert will pledge to assist thecompany with meeting this level in order to provide customers with the most rigoroussecurity available.Albert does want to show a positive outlook during his interview. He intends to praise thecompany’s commitment to the security of customer and employee personal data againstexternal threats. However, Albert worries about the high turnover rate within the company,particularly in the area of direct phone marketing. He sees many unfamiliar faces every daywho are hired to do the marketing, and he often hears complaints in the lunch roomregarding long hours and low pay, as well as what seems to be flagrant disregard forcompany procedures. In addition, Treasure Box has had two recent security incidents. The company hasresponded to the incidents with internal audits and updates to security safeguards.However, profits still seem to be affected and anecdotal evidence indicates that manypeople still harbor mistrust. Albert wants to help the company recover. He knows there is atleast one incident the public in unaware of, although Albert does not know the details. Hebelieves the company’s insistence on keeping the incident a secret could be a furtherdetriment to its reputation. One further way that Albert wants to help Treasure Box regainits stature is by creating a toll-free number for customers, as well as a more efficientprocedure for responding to customer concerns by postal mail.In addition to his suggestions for improvement, Albert believes that his knowledge of thecompany’s recent business maneuvers will also impress the interviewers. For example,Albert is aware of the company’s intention to acquire a medical supply company in thecoming weeks.With his forward thinking, Albert hopes to convince the managers who will be interviewinghim that he is right for the job.Based on Albert’s observations regarding recent security incidents, which of the followingshould he suggest as a priority for Treasure Box?

A. Appointing an internal ombudsman to address employee complaints regarding hoursand pay. 
B. Using a third-party auditor to address privacy protection issues not recognized by theprior internal audits. 
C. Working with the Human Resources department to make screening procedures forpotential employees more rigorous. 
D. Evaluating the company’s ability to handle personal health information if the plan toacquire the medical supply company goes forward 

Question # 27

SCENARIOPlease use the following to answer the next QUESTION:Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executivesso anxious. Last week, a data processing firm used by the company reported that itssystem may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful,the scare has prompted several Nationwide Grill executives to Question the company'sprivacy program at today's meeting.Alice, a vice president, said that the incident could have opened the door to lawsuits,potentially damagingNationwide Grill's market position. The Chief Information Officer (CIO), Brendan, tried toassure her that even if there had been an actual breach, the chances of a successful suitagainst the company were slim. But Alice remained unconvinced.Spencer – a former CEO and currently a senior advisor – said that he had always warnedagainst the use of contractors for data processing. At the very least, he argued, they shouldbe held contractually liable for telling customers about any security incidents. In his view,Nationwide Grill should not be forced to soil the company name for a problem it did notcause.One of the business development (BD) executives, Haley, then spoke, imploring everyoneto see reason. "Breaches can happen, despite organizations' best efforts," she remarked."Reasonable preparedness is key." She reminded everyone of the incident seven yearsago when the large grocery chain Tinkerton's had its financial information compromisedafter a large order of Nationwide Grill frozen dinners. As a long-time BD executive with asolid understanding of Tinkerton's's corporate culture, built up through many years ofcultivating relationships, Haley was able to successfully manage the company's incidentresponse.Spencer replied that acting with reason means allowing security to be handled by thesecurity functions within the company – not BD staff. In a similar way, he said, HumanResources (HR) needs to do a better job training employees to prevent incidents. Hepointed out that Nationwide Grill employees are overwhelmed with posters, emails, andmemos from both HR and the ethics department related to the company's privacy program.Both the volume and the duplication of information means that it is often ignored altogether.Spencer said, "The company needs to dedicate itself to its privacy program and set regularin-person trainings for all staff once a month."Alice responded that the suggestion, while well-meaning, is not practical. With manylocations, local HR departments need to have flexibility with their training schedules.Silently, Natalia agreed.What is the most realistic step the organization can take to help diminish liability in the event of another incident?

A. Requiring the vendor to perform periodic internal audits. 
B. Specifying mandatory data protection practices in vendor contracts. 
C. Keeping the majority of processing activities within the organization. 
D. Obtaining customer consent for any third-party processing of personal data. 

Question # 28

SCENARIOPlease use the following to answer the next QUESTION:Richard McAdams recently graduated law school and decided to return to the small town ofLexington, Virginia to help run his aging grandfather's law practice. The elder McAdamsdesired a limited, lighter role in thepractice, with the hope that his grandson would eventually take over when he fully retires.In addition to hiring Richard, Mr. McAdams employs two paralegals, an administrativeassistant, and a part-time IT specialist who handles all of their basic networking needs. Heplans to hire more employees once Richard gets settled and assesses the office'sstrategies for growth.Immediately upon arrival, Richard was amazed at the amount of work that needed to donein order to modernize the office, mostly in regard to the handling of clients' personal data.His first goal is to digitize all the records kept in file cabinets, as many of the documentscontain personally identifiable financial and medical data. Also, Richard has noticed themassive amount of copying by the administrative assistant throughout the day, a practicethat not only adds daily to the number of files in the file cabinets, but may create securityissues unless a formal policy is firmly in place Richard is also concerned with the overuseof the communal copier/ printer located in plain view of clients who frequent the building.Yet another area of concern is the use of the same fax machine by all of the employees.Richard hopes to reduce its use dramatically in order to ensure that personal data receivesthe utmost security and protection, and eventually move toward a strict Internet faxingpolicy by the year's end.Richard expressed his concerns to his grandfather, who agreed, that updating datastorage, data security, and an overall approach to increasing the protection of personaldata in all facets is necessary Mr. McAdams granted him the freedom and authority to doso. Now Richard is not only beginning a career as an attorney, but also functioning as theprivacy officer of the small firm. Richard plans to meet with the IT employee the followingday, to get insight into how the office computer system is currently set-up and managed.Richard needs to closely monitor the vendor in charge of creating the firm's databasemainly because of what?

A. The vendor will be required to report any privacy violations to the appropriate authorities. 
B. The vendor may not be aware of the privacy implications involved in the project. 
C. The vendor may not be forthcoming about the vulnerabilities of the database. 
D. The vendor will be in direct contact with all of the law firm's personal data. 

Question # 29

SCENARIOPlease use the following to answer the next QUESTION:Penny has recently joined Ace Space, a company that sells homeware accessories online,as its new privacy officer. The company is based in California but thanks to some greatpublicity from a social media influencer last year, the company has received an influx ofsales from the EU and has set up a regional office in Ireland to support this expansion. Tobecome familiar with Ace Space’s practices and assess what her privacy priorities will be,Penny has set up meetings with a number of colleagues to hear about the work that theyhave been doing and their compliance efforts.Penny’s colleague in Marketing is excited by the new sales and the company’s plans, but isalso concerned that Penny may curtail some of the growth opportunities he has planned.He tells her “I heard someone in the breakroom talking about some new privacy laws but Ireally don’t think it affects us. We’re just a small company. I mean we just sell accessoriesonline, so what’s the real risk?” He has also told her that he works with a number of smallcompanies that help him get projects completed in a hurry. “We’ve got to meet ourdeadlines otherwise we lose money. I just sign the contracts and get Jim in finance to pushthrough the payment. Reviewing the contracts takes time that we just don’t have.”In her meeting with a member of the IT team, Penny has learned that although Ace Spacehas taken a number of precautions to protect its website from malicious activity, it has nottaken the same level of care of its physical files or internal infrastructure. Penny’s colleaguein IT has told her that a former employee lost an encrypted USB key with financial data onit when he left. The company nearly lost access to their customer database last year afterthey fell victim to a phishing attack. Penny is told by her IT colleague that the IT team“didn’t know what to do or who should do what. We hadn’t been trained on it but we’re asmall team though, so it worked out OK in the end.” Penny is concerned that these issueswill compromise Ace Space’s privacy and data protection.Penny is aware that the company has solid plans to grow its international sales and will beworking closely with the CEO to give the organization a data “shake up”. Her mission is tocultivate a strong privacy culture within the company.Penny has a meeting with Ace Space’s CEO today and has been asked to give her firstimpressions and an overview of her next steps.To help Penny and her CEO with their objectives, what would be the most helpful approachto address her IT concerns?

A. Roll out an encryption policy 
B. Undertake a tabletop exercise 
C. Ensure inventory of IT assets is maintained 
D. Host a town hall discussion for all IT employees 

Question # 30

SCENARIOPlease use the following to answer the next QUESTION:Your organization, the Chicago (U.S.)-based Society for Urban Greenspace, has used thesame vendor to operate all aspects of an online store for several years. As a smallnonprofit, the Society cannot afford the higher-priced options, but you have been relativelysatisfied with this budget vendor, Shopping Cart Saver (SCS). Yes, there have been someissues. Twice, people who purchased items from the store have had their credit cardinformation used fraudulently subsequent to transactions on your site, but in neither casedid the investigation reveal with certainty that the Society’s store had been hacked. Thethefts could have been employee-related.Just as disconcerting was an incident where the organization discovered that SCS had soldinformation it had collected from customers to third parties. However, as Jason Roland, your SCS account representative, pointsout, it took only a phone call from you to clarify expectations and the “misunderstanding”has not occurred again.As an information-technology program manager with the Society, the role of the privacyprofessional is only one of many you play. In all matters, however, you must consider thefinancial bottom line. While these problems with privacy protection have been significant,the additional revenues of sales of items such as shirts and coffee cups from the storehave been significant. The Society’s operating budget is slim, and all sources of revenueare essential.Now a new challenge has arisen. Jason called to say that starting in two weeks, thecustomer data from the store would now be stored on a data cloud. “The good news,” hesays, “is that we have found a low-cost provider in Finland, where the data would also beheld. So, while there may be a small charge to pass through to you, it won’t be exorbitant,especially considering the advantages of a cloud.”Lately, you have been hearing about cloud computing and you know it’s fast becoming thenew paradigm for various applications. However, you have heard mixed reviews about thepotential impacts on privacy protection. You begin to research and discover that a numberof the leading cloud service providers have signed a letter of intent to work together onshared conventions and technologies for privacy protection. You make a note to find out ifJason’s Finnish provider is signing on.What is the best way for your vendor to be clear about the Society’s breach notificationexpectations?

A. Include notification provisions in the vendor contract 
B. Arrange regular telephone check-ins reviewing expectations 
C. Send a memorandum of understanding on breach notification 
D. Email the regulations that require breach notifications 

Question # 31

Which of the documents below assists the Privacy Manager in identifying and respondingto a request from an individual about what personal information the organization holdsabout then with whom the information is shared?

A. Risk register 
B. Privacy policy 
C. Records retention schedule 
D. Personal information inventory 

Question # 32

How are individual program needs and specific organizational goals identified in privacyframework development?

A. By employing metrics to align privacy protection with objectives. 
B. Through conversations with the privacy team. 
C. By employing an industry-standard needs analysis. 
D. Through creation of the business case. 

Question # 33

What is one obligation that the General Data Protection Regulation (GDPR) imposes ondata processors?

A. To honor all data access requests from data subjects. 
B. To inform data subjects about the identity and contact details of the controller. 
C. To implement appropriate technical and organizational measures that ensure anappropriate level of security. 
D. To carry out data protection impact assessments in cases where processing is likely toresult in high risk to the rights and freedoms of individuals. 

Question # 34

Which of the following indicates you have developed the right privacy framework for yourorganization?

A. It includes a privacy assessment of each major system. 
B. It improves the consistency of the privacy program. 
C. It works at a different type of organization. 
D. It identifies all key stakeholders by name. 

Question # 35

When building a data privacy program, what is a good starting point to understand thescope of privacy program needs?

A. Perform Data Protection Impact Assessments (DPIAs). 
B. Perform Risk Assessments 
C. Complete a Data Inventory. 
D. Review Audits. 

Question # 36

SCENARIOPlease use the following to answer the next QUESTION:Henry Home Furnishings has built high-end furniture for nearly forty years. However, thenew owner, Anton, has found some degree of disorganization after touring the companyheadquarters. His uncle Henry had always focused on production – not data processing –and Anton is concerned. In several storage rooms, he has found paper files, disks, and oldcomputers that appear to contain the personal data of current and former employees andcustomers. Anton knows that a single break-in could irrevocably damage the company'srelationship with its loyal customers. He intends to set a goal of guaranteed zero loss ofpersonal information.To this end, Anton originally planned to place restrictions on who was admitted to the physical premises of the company. However, Kenneth – his uncle's vice president andlongtime confidante – wants to hold off on Anton's idea in favor of converting any paperrecords held at the company to electronic storage. Kenneth believes this process wouldonly take one or two years. Anton likes this idea; he envisions a password- protectedsystem that only he and Kenneth can access.Anton also plans to divest the company of most of its subsidiaries. Not only will this makehis job easier, but it will simplify the management of the stored data. The heads ofsubsidiaries like the art gallery and kitchenware store down the street will be responsiblefor their own information management. Then, any unneeded subsidiary data still in Anton'spossession can be destroyed within the next few years.After learning of a recent security incident, Anton realizes that another crucial step will benotifying customers. Kenneth insists that two lost hard drives in Question are not cause forconcern; all of the data was encrypted and not sensitive in nature. Anton does not want totake any chances, however. He intends on sending notice letters to all employees andcustomers to be safe.Anton must also check for compliance with all legislative, regulatory, and marketrequirements related to privacy protection. Kenneth oversaw the development of thecompany's online presence about ten years ago, but Anton is not confident about hisunderstanding of recent online marketing laws. Anton is assigning another trustedemployee with a law background the task of the compliance assessment. After a thoroughanalysis, Anton knows the company should be safe for another five years, at which time hecan order another check.Documentation of this analysis will show auditors due diligence.Anton has started down a long road toward improved management of the company, but heknows the effort is worth it. Anton wants his uncle's legacy to continue for many years tocome.Which important principle of Data Lifecycle Management (DLM) will most likely becompromised if Anton executes his plan to limit data access to himself and Kenneth?

A. Practicing data minimalism. 
B. Ensuring data retrievability. 
C. Implementing clear policies. 
D. Ensuring adequacy of infrastructure.