CDPSE Practice Exam Free – 50 Questions to Simulate the Real Exam
Are you getting ready for the CDPSE certification? Take your preparation to the next level with our CDPSE Practice Exam Free – a carefully designed set of 50 realistic exam-style questions to help you evaluate your knowledge and boost your confidence.
Using a free CDPSE practice exam is one of the best ways to:
- Experience the format and difficulty of the real exam
- Identify your strengths and focus on weak areas
- Improve your test-taking speed and accuracy
Below you will find 50 realistic free CDPSE practice exam questions covering key exam topics. Each question reflects the structure and challenge of the actual exam.
An organization decides to outsource its customer personal data analytics to a third party to understand spending habits. Which of the following is the MOST important contractual consideration?
A. Platform architecture used to process the data
B. Terms for continuous monitoring of the vendor
C. Clearly defined data responsibilities of all parties
D. The vendor’s vulnerability management program
Which of the following processes BEST enables an organization to maintain the quality of personal data?
A. Implementing routine automatic validation
B. Maintaining hashes to detect changes in data
C. Encrypting personal data at rest
D. Updating the data quality standard through periodic review
Which of the following is the MOST critical action for an organization prior to tracking user activity in its applications?
A. Providing notification to users of the organization’s privacy policies
B. Establishing a data classification scheme
C. Identifying and validating users’ countries of residence
D. Requesting users to read and accept the organization’s privacy notice
Which of the following is the BEST control to detect potential internal breaches of personal data?
A. Data loss prevention (DLP) systems
B. Classification of data
C. Employee background checks
D. User behavior analytics tools
How can an organization BEST ensure its vendors are complying with data privacy requirements defined in their contracts?
A. Review self-attestations of compliance provided by vendor management.
B. Obtain independent assessments of the vendors’ data management processes.
C. Perform penetration tests of the vendors’ data security.
D. Compare contract requirements against vendor deliverables.
Which of the following is the PRIMARY reason for an organization to use hash functions when hardening application systems involved in biometric data processing?
A. To ensure technical security measures are effective
B. To prevent possible identity theft
C. To meet the organization’s security baseline
D. To reduce the risk of sensitive data breaches
An organization is designing a new human resources (HR) system. Which of the following should be implemented to BEST enable detection of unauthorized access to personal data?
A. Data loss prevention (DLP) solution
B. Security information and event management (SIEM) solution
C. Vulnerability scanning and management software
D. Web application firewall (WAF)
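The two questions above on detecting internal breaches and unauthorized access to personal data in an HR system both hinge on the same idea: a control that merely protects data (classification, DLP, WAF, patching) does not tell you that someone with valid credentials read records they had no business reading. That takes an audit trail fed to a SIEM or user behavior analytics (UBA) engine and rules written against it. The following is an added example, not part of the original page or of any real HR product: it runs three such rules (out-of-role access, bulk or off-hours export, and record enumeration) over a handful of constructed, syslog-style HR application log lines. The log format, field names, department list and thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines for the illustration (fictional users and format;
# not taken from any real HR system). One line is deliberately malformed.
LOG_LINES = """
2024-03-04T09:12:03Z hrapp user=jsmith dept=HR action=VIEW_RECORD subject=emp-1042 count=1
2024-03-04T09:13:41Z hrapp user=jsmith dept=HR action=VIEW_RECORD subject=emp-1043 count=1
2024-03-04T02:17:09Z hrapp user=tlee dept=HR action=EXPORT subject=ALL count=4800
2024-03-04T11:05:22Z hrapp user=mchan dept=SALES action=VIEW_RECORD subject=emp-1042 count=1
2024-03-04T11:05:30Z hrapp user=mchan dept=SALES action=VIEW_RECORD subject=emp-1043 count=1
2024-03-04T11:05:37Z hrapp user=mchan dept=SALES action=VIEW_RECORD subject=emp-1044 count=1
2024-03-04T11:05:44Z hrapp user=mchan dept=SALES action=VIEW_RECORD subject=emp-1045 count=1
2024-03-04T14:20:00Z hrapp user=pwong dept=PAYROLL action=EXPORT subject=payroll-run count=50
this line is garbage and should be skipped
"""

# Assumed log grammar: ISO-8601 UTC timestamp, app name, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) hrapp user=(?P<user>\S+) dept=(?P<dept>\S+) "
    r"action=(?P<action>\S+) subject=(?P<subject>\S+) count=(?P<count>\d+)$"
)

AUTHORIZED_DEPTS = {"HR", "PAYROLL"}   # assumed: only these roles need employee records
EXPORT_ROW_LIMIT = 100                 # assumed: larger exports need a ticket
ENUMERATION_LIMIT = 3                  # assumed: distinct subjects per user per day
BUSINESS_HOURS = range(7, 20)          # assumed: 07:00-19:59 UTC


def parse(text):
    """Turn raw lines into event dicts; unparseable lines are skipped
    (a production pipeline should count and alert on those too)."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        e["count"] = int(e["count"])
        events.append(e)
    return events


def detect(events):
    """Return (rule, user, evidence) tuples. Events must be in time order."""
    alerts = []
    subjects_seen = defaultdict(set)
    for e in events:
        # Rule 1: a department with no business need touched a personnel record.
        if e["dept"] not in AUTHORIZED_DEPTS:
            alerts.append(("OUT_OF_ROLE_ACCESS", e["user"], e["subject"]))
        # Rule 2: bulk export, or any export outside business hours.
        if e["action"] == "EXPORT" and (
            e["count"] > EXPORT_ROW_LIMIT or e["ts"].hour not in BUSINESS_HOURS
        ):
            alerts.append(("BULK_OR_OFFHOURS_EXPORT", e["user"],
                           f"count={e['count']} hour={e['ts'].hour:02d}"))
        # Rule 3: one user walking through many distinct records (fires once).
        subjects_seen[e["user"]].add(e["subject"])
        if len(subjects_seen[e["user"]]) == ENUMERATION_LIMIT + 1:
            alerts.append(("RECORD_ENUMERATION", e["user"],
                           f"more than {ENUMERATION_LIMIT} distinct subjects"))
    return alerts


if __name__ == "__main__":
    for rule, user, evidence in detect(parse(LOG_LINES)):
        print(f"{rule:24} {user:8} {evidence}")
```

Note what each rule needs from the HR system's design: rule 1 needs the department (or role) recorded on every access event, rule 2 needs row counts on exports, and rule 3 needs the subject identifier, not just "a record was viewed". If the application does not log those fields, the SIEM has nothing to correlate, which is why the logging schema belongs in the design phase rather than being bolted on afterwards.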
It is MOST important to consider privacy by design principles during which phase of the software development life cycle (SDLC)?
A. Application design
B. Requirements definition
C. Implementation
D. Testing
Which of the following BEST facilitates an organization’s ability to achieve data privacy-related goals?
A. Implementing a data quality governance process
B. Implementing a detailed system of records process
C. Developing a clear data forensics process
D. Designing a robust data loss prevention (DLP) process
Which method BEST reduces the risk related to sharing of personal data between a software as a service (SaaS) customer and the third party storing it?
A. Data hashing
B. Data encryption
C. Data pseudonymization
D. Data anonymization
A retail company handles payroll accounting for its employees through a Software as a Service (SaaS) provider that uses a data center operator as a subcontractor. Who is responsible for the protection of the employees’ personal data?
A. The SaaS provider
B. The external auditing firm
C. The retail company
D. The data center operator
Which of the following BEST represents privacy threat modeling methodology?
A. Mitigating inherent risks and threats associated with privacy control weaknesses
B. Systematically eliciting and mitigating privacy threats in a software architecture
C. Reliably estimating a threat actor’s ability to exploit privacy vulnerabilities
D. Replicating privacy scenarios that reflect representative software usage
An online business posts its customer data protection notice that includes a statement indicating information is collected on how products are used, the content viewed, and the time and duration of online activities. Which data protection principle is applied?
A. Data integrity and confidentiality
B. System use requirements
C. Data use limitation
D. Lawfulness and fairness
When using anonymization techniques to prevent unauthorized access to personal data, which of the following is the MOST important consideration to ensure the data is adequately protected?
A. The key must be kept separate and distinct from the data it protects.
B. The data must be protected by multi-factor authentication.
C. The key must be a combination of alpha and numeric characters.
D. The data must be stored in locations protected by data loss prevention (DLP) technology.
Which of the following techniques mitigates design flaws in the application development process that may contribute to potential leakage of personal data?
A. User acceptance testing (UAT)
B. Patch management
C. Software hardening
D. Web application firewall (WAF)
Which of the following is an IT privacy practitioner’s BEST recommendation to reduce privacy risk before an organization provides personal data to a third party?
A. Tokenization
B. Aggregation
C. Anonymization
D. Encryption
Which of the following is MOST important to include when defining an organization’s privacy requirements as part of a privacy program plan?
A. Data classification process
B. Privacy management governance
C. Privacy protection infrastructure
D. Lessons learned documentation
Which of the following is a PRIMARY objective of performing a privacy impact assessment (PIA) prior to onboarding a new Software as a Service (SaaS) provider for a customer relationship management (CRM) system?
A. To identify controls to mitigate data privacy risks
B. To classify personal data according to the data classification scheme
C. To assess the risk associated with personal data usage
D. To determine the service provider’s ability to maintain data protection controls
An organization wants to ensure that endpoints are protected in line with the privacy policy. Which of the following should be the FIRST consideration?
A. Detecting malicious access through endpoints
B. Implementing network traffic filtering on endpoint devices
C. Managing remote access and control
D. Hardening the operating systems of endpoint devices
Which of the following is the BEST way to convert personal information to non-personal information?
A. Encryption
B. Pseudonymization
C. Hashing
D. Anonymization
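Several questions above turn on the difference between hashing, pseudonymization and anonymization: sharing data with a SaaS provider or another third party, keeping the key separate from the data it protects, and converting personal information into non-personal information. The distinction is easier to see in code than in a one-line option. The following is an added example, not part of the original page: it shows (1) that an unkeyed hash of an identifier is trivially reversed by anyone who can guess the inputs, so it is neither pseudonymization nor anonymization in any meaningful sense; (2) keyed pseudonymization with HMAC, where the data is re-identifiable only by whoever holds the separately stored key; and (3) anonymization by generalizing quasi-identifiers and suppressing small groups (k-anonymity), which discards the identifiers entirely. The records, field names and thresholds are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed records for the illustration (fictional people).
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "zip": "94110", "age": 34, "spend": 120.0},
    {"name": "Bob Example",   "email": "bob@example.com",   "zip": "94112", "age": 37, "spend": 80.0},
    {"name": "Carol Example", "email": "carol@example.com", "zip": "94117", "age": 41, "spend": 310.0},
    {"name": "Dan Example",   "email": "dan@example.com",   "zip": "10001", "age": 29, "spend": 45.0},
    {"name": "Eve Example",   "email": "eve@example.com",   "zip": "10002", "age": 25, "spend": 60.0},
    {"name": "Frank Example", "email": "frank@example.com", "zip": "10003", "age": 33, "spend": 95.0},
]


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256 of an identifier. Deterministic and public, so anyone with
    a list of candidate e-mail addresses can recompute and match it."""
    return hashlib.sha256(value.encode()).hexdigest()


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Linking back to the person requires the key,
    which must be stored apart from the pseudonymized data set."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def pseudonymize_records(records, key):
    """What you might hand to an analytics provider: identifiers replaced by
    pseudonyms, the key kept in-house. Still personal data under most regimes."""
    return [
        {"subject_id": pseudonymize(r["email"], key),
         "zip": r["zip"], "age": r["age"], "spend": r["spend"]}
        for r in records
    ]


def generalize(record):
    """Coarsen the quasi-identifiers (ZIP, age) and drop direct identifiers."""
    decade = (record["age"] // 10) * 10
    return {
        "zip_prefix": record["zip"][:3] + "**",
        "age_band": f"{decade}-{decade + 9}",
        "spend": record["spend"],
    }


def anonymize_records(records, k):
    """k-anonymity: after generalizing, suppress every equivalence class of
    quasi-identifiers with fewer than k members, so no row is unique."""
    generalized = [generalize(r) for r in records]
    classes = Counter((g["zip_prefix"], g["age_band"]) for g in generalized)
    return [g for g in generalized if classes[(g["zip_prefix"], g["age_band"])] >= k]


def linkage_attack(ids, candidate_emails):
    """Dictionary attack: recompute unkeyed hashes of guessed inputs and match."""
    table = {naive_hash(e): e for e in candidate_emails}
    return [table[i] for i in ids if i in table]


if __name__ == "__main__":
    emails = [r["email"] for r in RECORDS]
    print("hashed ids recovered by attacker:",
          len(linkage_attack([naive_hash(e) for e in emails], emails)))
    key = secrets.token_bytes(32)            # stays with the controller
    shared = pseudonymize_records(RECORDS, key)
    print("pseudonyms recovered by attacker:",
          len(linkage_attack([r["subject_id"] for r in shared], emails)))
    print("anonymized rows surviving k=2:", len(anonymize_records(RECORDS, 2)))
```

Two practical points the output makes concrete: the pseudonymized set is useless to an attacker without the key, but the controller can still re-identify it, so it remains personal data and the key must be held separately from wherever the data goes; the anonymized set loses rows (here two of six are suppressed because their ZIP/age combination is unique), which is the price of making the data genuinely non-personal.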
Which of the following is MOST important when developing an organizational data privacy program?
A. Obtaining approval from process owners
B. Profiling current data use
C. Following an established privacy framework
D. Performing an inventory of all data
Which of the following is the PRIMARY reason to complete a privacy impact assessment (PIA)?
A. To comply with consumer regulatory requirements
B. To establish privacy breach response procedures
C. To classify personal data
D. To understand privacy risks
Which of the following should an IT privacy practitioner review FIRST to understand where personal data is coming from and how it is used within the organization?
A. Data process flow diagrams
B. Data classification
C. Data collection standards
D. Data inventory
A project manager for a new data collection system had a privacy impact assessment (PIA) completed before the solution was designed. Once the system was released into production, an audit revealed personal data was being collected that was not part of the PIA. What is the BEST way to avoid this situation in the future?
A. Conduct a privacy post-implementation review.
B. Document personal data workflows in the product life cycle.
C. Incorporate privacy checkpoints into the secure development life cycle.
D. Require management approval of changes to system architecture design.
An employee accidentally sends an email with personal data to the wrong person. Which of the following should the employee do FIRST upon becoming aware of the issue?
A. Notify the privacy regulator and the impacted data subjects.
B. Send the recipient another email requesting deletion of the email that was accidentally sent.
C. Document and file the details of what happened in anticipation of further questioning.
D. Report the situation to the data privacy officer as it could be a privacy breach.
Which of the following vulnerabilities would have the GREATEST impact on the privacy of information?
A. Private key exposure
B. Poor patch management
C. Lack of password complexity
D. Out-of-date antivirus signatures
Which of the following BEST facilitates a privacy impact assessment (PIA)?
A. Creating an information flow and repository to identify personal data being collected
B. Providing privacy and awareness training for project managers and system owners
C. Comparing current privacy policies and procedures to industry benchmarks
D. Identifying key systems used for processing and storing personal data
The identification of all data recipients in a privacy notice to website visitors reflects which privacy principle?
A. Accuracy
B. Consent
C. Integrity
D. Transparency
Which of the following should be the PRIMARY consideration when evaluating transaction-based cloud solutions?
A. Service level agreements (SLAs)
B. Joint data protection responsibilities
C. Data protection capabilities
D. Elasticity of the service offerings
Which of the following is the BEST way to explain the difference between data privacy and data security?
A. Data privacy protects users from unauthorized disclosure, while data security prevents compromise.
B. Data privacy protects the data subjects, while data security is about protecting critical assets.
C. Data privacy is about data segmentation, while data security prevents unauthorized access.
D. Data privacy stems from regulatory requirements, while data security focuses on consumer rights.
A migration of personal data involving a data source with outdated documentation has been approved by senior management. Which of the following should be done NEXT?
A. Review data flow post migration.
B. Ensure appropriate data classification.
C. Engage an external auditor to review the source data.
D. Check the documentation version history for anomalies.
Which of the following is MOST important to address in a privacy policy with respect to big data repositories of sales information?
A. Overall data management strategy
B. Encryption of data at rest
C. Transparency with customers
D. Retention of archived information
To increase productivity, an organization is planning to implement movement tracking devices in the vehicles of field employees. Which of the following MUST be in place before installing the devices?
A. Bring your own device (BYOD) policy
B. Mobile device management (MDM)
C. Location accuracy mechanisms
D. End user agreements
Which of the following is the BEST way to address threats to mobile device privacy when using beacons as a tracking technology?
A. Disable location services.
B. Enable Trojan scanners.
C. Enable antivirus for mobile devices.
D. Disable Bluetooth services.
Which of the following is MOST useful for understanding an organization’s approach towards privacy compliance?
A. Data classifications
B. Data privacy policies
C. Privacy awareness training
D. Privacy audit reports
Which of the following is the BEST course of action to manage privacy risk when a significant vulnerability is identified in the operating system (OS) that supports an organization’s customer relationship management (CRM) system?
A. Apply OS patching to fix the vulnerability immediately.
B. Manage system permissions and access more strictly.
C. Enable comprehensive logging of activities at the OS level.
D. Perform a vulnerability assessment to determine the impact.
Which of the following helps define data retention time in a stream-fed data lake that includes personal data?
A. Information security assessments
B. Privacy impact assessments (PIAs)
C. Data privacy standards
D. Data lake configuration
Which of the following is the BEST way to validate that privacy practices align to the published enterprise privacy management program?
A. Conduct an audit.
B. Report performance metrics.
C. Perform a control self-assessment (CSA).
D. Conduct a benchmarking analysis.
What type of personal information can be collected by a mobile application without consent?
A. Full name
B. Geolocation
C. Phone number
D. Accelerometer data
An online retail company is trying to determine how to handle users’ data if they unsubscribe from marketing emails generated from the website. Which of the following is the BEST approach for handling personal data that has been restricted?
A. Encrypt users’ information so it is inaccessible to the marketing department.
B. Reference the privacy policy to see if the data is truly restricted.
C. Remove users’ information and accounts from the system.
D. Flag users’ email addresses to make sure they do not receive promotional information.
Which of the following should trigger a review of an organization's privacy policy?
A. Backup procedures for customer data are changed.
B. Data loss prevention (DLP) incidents increase.
C. An emerging technology will be implemented.
D. The privacy steering committee adopts a new charter.
Which of the following is the BEST way to ensure third-party providers that process an organization's personal data are addressed as part of the data privacy strategy?
A. Require service level agreements (SLAs) to ensure data integrity while safeguarding confidentiality.
B. Require data dictionaries from service providers that handle the organization’s personal data.
C. Outsource personal data processing to the same third party.
D. Require independent audits of the providers’ data privacy controls.
Which of the following needs to be identified FIRST to define the privacy requirements to use when assessing the selection of IT systems?
A. Type of data being processed
B. Applicable control frameworks
C. Applicable privacy legislation
D. Available technology platforms
Which of the following is the BEST method of data sanitization when there is a need to balance the destruction of data and the ability to recycle IT assets?
A. Factory reset
B. Degaussing
C. Cryptographic erasure
D. Data deletion
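The data sanitization question above contrasts options that destroy the asset (degaussing), options that leave the data in place (logical deletion, and a factory reset that may only reinitialize metadata), and cryptographic erasure, which keeps the hardware reusable by destroying the key under which the data was written rather than the data itself. The following is an added example, not part of the original page or of any real drive firmware: a toy model of a self-encrypting disk whose sectors are always written through a data-encryption key (DEK). It shows that after the DEK is destroyed the media still holds every byte, yet nothing recovers, and that the one thing that defeats cryptographic erasure is a surviving copy of the key. The cipher is a counter-mode keystream built from HMAC-SHA256 so that the example runs on the Python standard library; real drives use AES-XTS, and this stand-in does not handle repeated writes to the same sector securely. The class, its method names and the sector size are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets


class SelfEncryptingDisk:
    """Toy model of a self-encrypting drive (assumed API, not a real product).
    Every sector is encrypted under the drive's DEK before it touches the media."""

    SECTOR = 16  # bytes per sector; tiny so the example stays readable

    def __init__(self, sectors: int):
        self.dek = secrets.token_bytes(32)            # held in the drive's key store
        self.media = bytearray(sectors * self.SECTOR)  # what a recycler could image

    @staticmethod
    def _keystream(key: bytes, sector: int) -> bytes:
        # HMAC-SHA256 as a PRF keyed per sector; stand-in for AES-XTS.
        msg = b"sector:" + sector.to_bytes(8, "big")
        return hmac.new(key, msg, hashlib.sha256).digest()[:SelfEncryptingDisk.SECTOR]

    def _xor(self, data: bytes, ks: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(data, ks))

    def write(self, sector: int, plaintext: bytes) -> None:
        if len(plaintext) != self.SECTOR:
            raise ValueError("plaintext must fill exactly one sector")
        off = sector * self.SECTOR
        self.media[off:off + self.SECTOR] = self._xor(plaintext, self._keystream(self.dek, sector))

    def read(self, sector: int) -> bytes:
        off = sector * self.SECTOR
        return self._xor(bytes(self.media[off:off + self.SECTOR]), self._keystream(self.dek, sector))

    def logical_delete(self, sector: int) -> None:
        """Filesystem-style deletion: only metadata changes; the ciphertext (and the
        key that decrypts it) remain, so a forensic read still recovers the data."""
        pass  # nothing happens to self.media or self.dek

    def crypto_erase(self) -> None:
        """Sanitize by destroying the DEK and provisioning a fresh one. The media is
        untouched and immediately reusable, but old sectors are now unrecoverable."""
        self.dek = secrets.token_bytes(32)


def recover_with_key(disk: SelfEncryptingDisk, key: bytes, sector: int) -> bytes:
    """The caveat: an escrowed or backed-up copy of the old DEK undoes the erasure.
    Cryptographic erasure is only as strong as the assurance that no copy survives."""
    off = sector * disk.SECTOR
    return disk._xor(bytes(disk.media[off:off + disk.SECTOR]), disk._keystream(key, sector))


if __name__ == "__main__":
    disk = SelfEncryptingDisk(sectors=4)
    disk.write(0, b"PII: alice@x.org")            # constructed 16-byte record
    print("before erase:", disk.read(0))
    disk.logical_delete(0)
    print("after logical delete:", disk.read(0))  # still readable
    leaked_backup = disk.dek                      # pretend a key backup exists
    disk.crypto_erase()
    print("after crypto erase:", disk.read(0))    # garbage
    print("with leaked key:", recover_with_key(disk, leaked_backup, 0))
    disk.write(1, b"fresh tenant dat")            # asset redeployed under new DEK
    print("new tenant reads:", disk.read(1))
```

The practical checklist this models: confirm the asset really encrypted everything from first use (data written before encryption was enabled is not covered), confirm the key destruction is verifiable (not just a firmware promise), and inventory every place a copy of the key could exist (escrow, backups, key-management servers) before declaring the media sanitized.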
Which of the following poses the GREATEST privacy risk for client-side application processing?
A. Failure of a firewall protecting the company network
B. An employee loading personal information on a company laptop
C. A remote employee placing communication software on a company server
D. A distributed denial of service attack (DDoS) on the company network
Which party should a data subject contact FIRST if they believe their personal information has been collected and used without consent?
A. Privacy rights advocate
B. Outside privacy counsel
C. Data protection authorities
D. The organization’s chief privacy officer (CPO)
Which of the following is the BEST indication of a highly effective privacy training program?
A. Members of the workforce understand their roles in protecting data privacy.
B. HR has made privacy training an annual mandate for the organization.
C. Recent audits have no findings or recommendations related to data privacy.
D. No privacy incidents have been reported in the last year.
Which of the following is the MOST effective way to support organizational privacy awareness objectives?
A. Funding in-depth training and awareness education for data privacy staff
B. Implementing an annual training certification process
C. Including mandatory awareness training as part of performance evaluations
D. Customizing awareness training by business unit function
Which of the following BEST supports an organization’s efforts to create and maintain desired privacy protection practices among employees?
A. Skills training programs
B. Awareness campaigns
C. Performance evaluations
D. Code of conduct principles
Which of the following would MOST effectively reduce the impact of a successful breach through a remote access solution?
A. Compartmentalizing resource access
B. Regular testing of system backups
C. Monitoring and reviewing remote access logs
D. Regular physical and remote testing of the incident response plan
Free Access to the Full CDPSE Practice Exam
Looking for additional practice? A full set of free CDPSE practice exam questions is available to help you continue building your skills across all exam domains.
Our question sets are updated regularly to ensure they stay aligned with the latest exam objectives—so be sure to visit often!
Good luck with your CDPSE certification journey!