CDPSE Dump Free – 50 Practice Questions to Sharpen Your Exam Readiness.
Looking for a reliable way to prepare for your CDPSE certification? Our CDPSE Dump Free includes 50 exam-style practice questions designed to reflect real test scenarios—helping you study smarter and pass with confidence.
Using a CDPSE dump free set of questions can give you an edge in your exam prep by helping you:
- Understand the format and types of questions you’ll face
- Pinpoint weak areas and focus your study efforts
- Boost your confidence with realistic question practice
Below, you will find 50 free questions from our CDPSE Dump Free collection. These cover key topics and are structured to simulate the difficulty level of the real exam, making them a valuable tool for review or final prep.
Which of the following is the PRIMARY reason to complete a privacy impact assessment (PIA)?
A. To comply with consumer regulatory requirements
B. To establish privacy breach response procedures
C. To classify personal data
D. To understand privacy risks
Which of the following deployed at an enterprise level will MOST effectively block malicious tracking of user Internet browsing?
A. Web application firewall (WAF)
B. Website URL blacklisting
C. Domain name system (DNS) sinkhole
D. Desktop antivirus software
An organization wants to ensure that endpoints are protected in line with the privacy policy. Which of the following should be the FIRST consideration?
A. Detecting malicious access through endpoints
B. Implementing network traffic filtering on endpoint devices
C. Managing remote access and control
D. Hardening the operating systems of endpoint devices
Which of the following is MOST important to ensure when developing a business case for the procurement of a new IT system that will process and store personal information?
A. The system architecture is clearly defined.
B. A risk assessment has been completed.
C. Security controls are clearly defined.
D. Data protection requirements are included.
The identification of all data recipients in a privacy notice to website visitors reflects which privacy principle?
A. Accuracy
B. Consent
C. Integrity
D. Transparency
Which of the following BEST prevents users from sending out customers’ personal data without encryption?
A. Data loss prevention (DLP) tools
B. De-identification of data
C. Automatic email blocking
D. User behavior monitoring
Which of the following is the BEST way to address threats to mobile device privacy when using beacons as a tracking technology?
A. Disable location services.
B. Enable Trojan scanners.
C. Enable antivirus for mobile devices.
D. Disable Bluetooth services.
Which of the following is a PRIMARY consideration to protect against privacy violations when utilizing artificial intelligence (AI) driven business decisions?
A. De-identifying the data to be analyzed
B. Verifying the data subjects have consented to the processing
C. Defining the intended objectives
D. Ensuring proper data sets are used to train the models
Which of the following is the MOST important consideration when using advanced data sanitization methods to ensure privacy data will be unrecoverable?
A. Subject matter expertise
B. Type of media
C. Regulatory compliance requirements
D. Location of data
Which of the following should trigger a review of an organization's privacy policy?
A. Backup procedures for customer data are changed.
B. Data loss prevention (DLP) incidents increase.
C. An emerging technology will be implemented.
D. The privacy steering committee adopts a new charter.
An organization wants to change the originally specified purpose of collected personal data. What must be done NEXT?
A. Notify data protection authorities.
B. Obtain consent from data subjects.
C. Update the enterprise data architecture.
D. Revise the privacy notice.
Which of the following is the BEST way to hide sensitive personal data that is in use in a data lake?
A. Data masking
B. Data truncation
C. Data encryption
D. Data minimization
Which of the following is the PRIMARY privacy concern with the use of a data lake containing transaction data, including personal data?
A. The data lake retains all the organization’s data.
B. The data lake supports all operational users.
C. The data lake receives data from all data sources.
D. The data lake supports all types of data structures.
Which of the following is the BEST indication of a highly effective privacy training program?
A. Members of the workforce understand their roles in protecting data privacy.
B. HR has made privacy training an annual mandate for the organization.
C. Recent audits have no findings or recommendations related to data privacy.
D. No privacy incidents have been reported in the last year.
When choosing data sources to be used within a big data architecture, which of the following data attributes MUST be considered to ensure data is not aggregated?
A. Accuracy
B. Granularity
C. Consistency
D. Reliability
A debt collection agency is attempting to locate a debtor and collects information on several people with similar names. During the inquiry, some of these people are discounted. How should the agency decide what data is adequate, relevant, and limited?
A. The agency should keep only the minimum data needed to form a basic record of people removed from the search.
B. The agency should delete all personal data collected after the debtor is found.
C. The agency should keep the data collected but store it in an anonymized format.
D. The agency should keep the data collected and mark an indication on the people removed from the search.
A retail company handles payroll accounting for its employees through a Software as a Service (SaaS) provider that uses a data center operator as a subcontractor. Who is responsible for the protection of the employees’ personal data?
A. The SaaS provider
B. The external auditing firm
C. The retail company
D. The data center operator
During which stage of the software development life cycle (SDLC) is it MOST critical to conduct a privacy impact assessment (PIA)?
A. Development
B. Implementation
C. Testing
D. Planning
Which of the following is MOST important to include when defining an organization’s privacy requirements as part of a privacy program plan?
A. Data classification process
B. Privacy management governance
C. Privacy protection infrastructure
D. Lessons learned documentation
Which of the following is the BEST way to validate that privacy practices align to the published enterprise privacy management program?
A. Conduct an audit.
B. Report performance metrics.
C. Perform a control self-assessment (CSA).
D. Conduct a benchmarking analysis.
Which of the following is the MOST critical action for an organization prior to tracking user activity in its applications?
A. Providing notification to users of the organization’s privacy policies
B. Establishing a data classification scheme
C. Identifying and validating users’ countries of residence
D. Requesting users to read and accept the organization’s privacy notice
Which of the following is the PRIMARY reason for an organization to use hash functions when hardening application systems involved in biometric data processing?
A. To ensure technical security measures are effective
B. To prevent possible identity theft
C. To meet the organization’s security baseline
D. To reduce the risk of sensitive data breaches
Which of the following describes a user’s “right to be forgotten”?
A. The data is being used to comply with legal obligations or the public interest.
B. The data is no longer required for the purpose originally collected.
C. The individual objects despite legitimate grounds for processing.
D. The individual’s legal residence status has recently changed.
Which of the following is MOST important to consider when managing changes to the provision of services by a third party that processes personal data?
A. Changes to current information architecture
B. Updates to data life cycle policy
C. Business impact due to the changes
D. Modifications to data quality standards
Which of the following would BEST enable an organization to account for unstructured data?
A. Data dictionary
B. Data library
C. Data classification
D. Data flow map
Which of the following is an IT privacy practitioner’s BEST recommendation to reduce privacy risk before an organization provides personal data to a third party?
A. Tokenization
B. Aggregation
C. Anonymization
D. Encryption
Which of the following is the BEST control to detect potential internal breaches of personal data?
A. Data loss prevention (DLP) systems
B. Classification of data
C. Employee background checks
D. User behavior analytics tools
In a contract for cloud services, whom should a cloud provider agree to notify in the event of a personal data breach?
A. Its client’s end users
B. Its client’s insurance carrier
C. Its client’s regulatory authority
D. Its client
Which of the following should be the FIRST consideration when conducting a privacy impact assessment (PIA)?
A. The applicable privacy legislation
B. The quantity of information within the scope of the assessment
C. The systems in which privacy-related data is stored
D. The organizational security risk profile
Which of the following is a responsibility of the audit function in helping an organization address privacy compliance requirements?
A. Approving privacy impact assessments (PIAs)
B. Validating the privacy framework
C. Managing privacy notices provided to customers
D. Establishing employee privacy rights and consent
A technology company has just launched a mobile application for tracking health symptoms. This application is built on a mobile device technology stack that allows users to share their location and details of their symptoms. Which of the following is the GREATEST privacy concern with collecting this data via mobile devices?
A. Client-side device ID
B. Data storage requirements
C. Encryption of key data elements
D. Data usage without consent
Which of the following BEST demonstrates that security considerations are embedded in DevOps operations for application development?
A. The compliance team is involved in both pre-implementation and post-implementation stages.
B. Application hardening is performed before rollout of the application.
C. Code review is conducted during the software development life cycle (SDLC).
D. The engineering team has been trained on security and privacy policies.
Which of the following is the MOST important topic to cover in privacy awareness training customized for an organization's IT security staff?
A. Sanctions for misuse of personal information
B. Roles and responsibilities in responding to privacy-related incidents
C. Requirements for usage and distribution of personal information
D. Applicable privacy laws, regulations, and policies
It is MOST important to consider privacy by design principles during which phase of the software development life cycle (SDLC)?
A. Application design
B. Requirements definition
C. Implementation
D. Testing
Which of the following MUST be available to facilitate a robust data breach management response?
A. Lessons learned from prior data breach responses
B. Best practices to obfuscate data for processing and storage
C. An inventory of previously impacted individuals
D. An inventory of affected individuals and systems
Which of the following should be the PRIMARY consideration when evaluating transaction-based cloud solutions?
A. Service level agreements (SLAs)
B. Joint data protection responsibilities
C. Data protection capabilities
D. Elasticity of the service offerings
Which of the following zones within a data lake requires sensitive data to be encrypted or tokenized?
A. Trusted zone
B. Clean zone
C. Raw zone
D. Temporal zone
Which of the following is the MOST important consideration when determining retention periods for personal data?
A. Sectoral best practices for the industry
B. Notice provided to customers during data collection
C. Data classification standards
D. Storage capacity available for retained data
Which of the following is the MOST effective way to support organizational privacy awareness objectives?
A. Funding in-depth training and awareness education for data privacy staff
B. Implementing an annual training certification process
C. Including mandatory awareness training as part of performance evaluations
D. Customizing awareness training by business unit function
Which of the following is the GREATEST benefit of adopting data minimization practices?
A. Storage and encryption costs are reduced.
B. Data retention efficiency is enhanced.
C. The associated threat surface is reduced.
D. Compliance requirements are met.
An employee accidentally sends an email with personal data to the wrong person. Which of the following should the employee do FIRST upon becoming aware of the issue?
A. Notify the privacy regulator and the impacted data subjects.
B. Send the recipient another email requesting deletion of the email that was accidentally sent.
C. Document and file the details of what happened in anticipation of further questioning.
D. Report the situation to the data privacy officer as it could be a privacy breach.
Of the following, who should be PRIMARILY accountable for creating an organization’s privacy management strategy?
A. Chief data officer (CDO)
B. Privacy steering committee
C. Information security steering committee
D. Chief privacy officer (CPO)
An organization is designing a new human resources (HR) system. Which of the following should be implemented to BEST enable detection of unauthorized access to personal data?
A. Data loss prevention (DLP) solution
B. Security information and event management (SIEM) solution
C. Vulnerability scanning and management software
D. Web application firewall (WAF)
A migration of personal data involving a data source with outdated documentation has been approved by senior management. Which of the following should be done NEXT?
A. Review data flow post migration.
B. Ensure appropriate data classification.
C. Engage an external auditor to review the source data.
D. Check the documentation version history for anomalies.
What is the BEST method for protecting data transmissions to devices in the field?
A. Multi-factor authentication
B. Transport Layer Security (TLS)
C. Application level authentication
D. Hypertext Transfer Protocol Secure (HTTPS)
When using pseudonymization to prevent unauthorized access to personal data, which of the following is the MOST important consideration to ensure the data is adequately protected?
A. The data must be protected by multi-factor authentication.
B. The identifier must be kept separate and distinct from the data it protects.
C. The key must be a combination of alpha and numeric characters.
D. The data must be stored in locations protected by data loss prevention (DLP) technology.
Before executive leadership approves a new data privacy policy, it is MOST important to ensure:
A. a training program is developed.
B. a privacy committee is established.
C. a distribution methodology is identified.
D. a legal review is conducted.
Which of the following is the MOST important consideration when choosing a method for data destruction?
A. Granularity of data to be destroyed
B. Time required for the chosen method of data destruction
C. Validation and certification of data destruction
D. Level and strength of current data encryption
Which of the following should be done FIRST to establish privacy by design when developing a contact-tracing application?
A. Conduct a privacy impact assessment (PIA).
B. Conduct a development environment review.
C. Identify privacy controls for the application.
D. Identify differential privacy techniques.
An online retail company is trying to determine how to handle users’ data if they unsubscribe from marketing emails generated from the website. Which of the following is the BEST approach for handling personal data that has been restricted?
A. Encrypt users’ information so it is inaccessible to the marketing department.
B. Reference the privacy policy to see if the data is truly restricted.
C. Remove users’ information and accounts from the system.
D. Flag users’ email addresses to make sure they do not receive promotional information.
We regularly update our content to ensure accuracy and relevance—so be sure to check back for new material.
Begin your certification journey today with our CDPSE dump free questions — and get one step closer to exam success!