CDPSE Exam Prep Free – 50 Practice Questions to Get You Ready for Exam Day
Getting ready for the CDPSE certification? Our CDPSE Exam Prep Free resource includes 50 exam-style questions designed to help you practice effectively and feel confident on test day.
Effective exam preparation is the key to success. With our free practice questions, you can:
- Get familiar with exam format and question style
- Identify which topics you’ve mastered—and which need more review
- Boost your confidence and reduce exam anxiety
Below you will find 50 realistic CDPSE practice questions covering key exam topics. They are designed to reflect the structure and difficulty level of the actual exam, making them a good fit for your study routine.
Which of the following is a responsibility of the audit function in helping an organization address privacy compliance requirements?
A. Approving privacy impact assessments (PIAs)
B. Validating the privacy framework
C. Managing privacy notices provided to customers
D. Establishing employee privacy rights and consent
Which of the following is MOST important to ensure when reviewing processes associated with the destruction of data?
A. The destruction of data is performed on site.
B. The destruction of data is witnessed.
C. The destruction is performed by a certified provider.
D. The destruction method is approved by the data owner.
Which of the following should be of GREATEST concern when an organization wants to store personal data in the cloud?
A. The organization’s potential legal liabilities related to the data
B. The data recovery capabilities of the storage provider
C. The data security policies and practices of the storage provider
D. Any vulnerabilities identified in the cloud system
Which of the following is the BEST way to manage privacy risk associated with outsourcing to a third party?
A. Utilize a variable sourcing strategy.
B. Review and approve the vendor’s privacy policies.
C. Require specific controls as part of the contract.
D. Perform privacy audits of the vendor.
A retail company handles payroll accounting for its employees through a Software as a Service (SaaS) provider that uses a data center operator as a subcontractor. Who is responsible for the protection of the employees’ personal data?
A. The SaaS provider
B. The external auditing firm
C. The retail company
D. The data center operator
A project manager for a new data collection system had a privacy impact assessment (PIA) completed before the solution was designed. Once the system was released into production, an audit revealed personal data was being collected that was not part of the PIA. What is the BEST way to avoid this situation in the future?
A. Conduct a privacy post-implementation review.
B. Document personal data workflows in the product life cycle.
C. Incorporate privacy checkpoints into the secure development life cycle.
D. Require management approval of changes to system architecture design.
Which of the following is the BEST way to ensure third-party providers that process an organization's personal data are addressed as part of the data privacy strategy?
A. Require service level agreements (SLAs) to ensure data integrity while safeguarding confidentiality.
B. Require data dictionaries from service providers that handle the organization’s personal data.
C. Outsource personal data processing to the same third party.
D. Require independent audits of the providers’ data privacy controls.
Which of the following is an IT privacy practitioner’s BEST recommendation to reduce privacy risk before an organization provides personal data to a third party?
A. Tokenization
B. Aggregation
C. Anonymization
D. Encryption
A migration of personal data involving a data source with outdated documentation has been approved by senior management. Which of the following should be done NEXT?
A. Review data flow post migration.
B. Ensure appropriate data classification.
C. Engage an external auditor to review the source data.
D. Check the documentation version history for anomalies.
Which of the following scenarios poses the GREATEST risk to an organization from a privacy perspective?
A. The organization lacks a hardware disposal policy.
B. Emails are not consistently encrypted when sent internally.
C. Privacy training is carried out by a service provider.
D. The organization’s privacy policy has not been reviewed in over a year.
Which of the following should be the FIRST consideration when selecting a data sanitization method?
A. Risk tolerance
B. Implementation cost
C. Industry standards
D. Storage type
Which of the following is the BEST control to detect potential internal breaches of personal data?
A. Data loss prevention (DLP) systems
B. Classification of data
C. Employee background checks
D. User behavior analytics tools
Which of the following is the BEST course of action to manage privacy risk when a significant vulnerability is identified in the operating system (OS) that supports an organization’s customer relationship management (CRM) system?
A. Apply OS patching to fix the vulnerability immediately.
B. Manage system permissions and access more strictly.
C. Enable comprehensive logging of activities at the OS level.
D. Perform a vulnerability assessment to determine the impact.
Which of the following BEST facilitates a privacy impact assessment (PIA)?
A. Creating an information flow and repository to identify personal data being collected
B. Providing privacy and awareness training for project managers and system owners
C. Comparing current privacy policies and procedures to industry benchmarks
D. Identifying key systems used for processing and storing personal data
As part of a major data discovery initiative to identify personal data across the organization, the project team has identified the proliferation of personal data held as unstructured data as a major risk. What should be done FIRST to address this situation?
A. Identify sensitive unstructured data at the point of creation.
B. Classify sensitive unstructured data.
C. Identify who has access to sensitive unstructured data.
D. Assign an owner to sensitive unstructured data.
Which of the following is MOST important to consider when managing changes to the provision of services by a third party that processes personal data?
A. Changes to current information architecture
B. Updates to data life cycle policy
C. Business impact due to the changes
D. Modifications to data quality standards
When choosing data sources to be used within a big data architecture, which of the following data attributes MUST be considered to ensure data is not aggregated?
A. Accuracy
B. Granularity
C. Consistency
D. Reliability
Which of the following is MOST important to ensure when developing a business case for the procurement of a new IT system that will process and store personal information?
A. The system architecture is clearly defined.
B. A risk assessment has been completed.
C. Security controls are clearly defined.
D. Data protection requirements are included.
Which of the following should FIRST be established before a privacy office starts to develop a data protection and privacy awareness campaign?
A. Detailed documentation of data privacy processes
B. Strategic goals of the organization
C. Contract requirements for independent oversight
D. Business objectives of senior leaders
To ensure effective management of an organization’s data privacy policy, senior leadership MUST define:
A. training and testing requirements for employees handling personal data.
B. roles and responsibilities of the person with oversight.
C. metrics and outcomes recommended by external agencies.
D. the scope and responsibilities of the data owner.
What is the BEST method for protecting data transmissions to devices in the field?
A. Multi-factor authentication
B. Transport Layer Security (TLS)
C. Application level authentication
D. Hypertext Transfer Protocol Secure (HTTPS)
Which of the following is the BEST way to address threats to mobile device privacy when using beacons as a tracking technology?
A. Disable location services.
B. Enable Trojan scanners.
C. Enable antivirus for mobile devices.
D. Disable Bluetooth services.
Before executive leadership approves a new data privacy policy, it is MOST important to ensure:
A. a training program is developed.
B. a privacy committee is established.
C. a distribution methodology is identified.
D. a legal review is conducted.
Which of the following is the BEST method of data sanitization when there is a need to balance the destruction of data and the ability to recycle IT assets?
A. Factory reset
B. Degaussing
C. Cryptographic erasure
D. Data deletion
Within a business continuity plan (BCP), which of the following is the MOST important consideration to ensure the ability to restore availability and access to personal data in the event of a data privacy incident?
A. Offline backup availability
B. Recovery time objective (RTO)
C. Recovery point objective (RPO)
D. Online backup frequency
Which of the following BEST demonstrates that security considerations are embedded in DevOps operations for application development?
A. The compliance team is involved in both pre-implementation and post-implementation stages.
B. Application hardening is performed before rollout of the application.
C. Code review is conducted during the software development life cycle (SDLC).
D. The engineering team has been trained on security and privacy policies.
In a contract for cloud services, whom should a cloud provider agree to notify in the event of a personal data breach?
A. Its client’s end users
B. Its client’s insurance carrier
C. Its client’s regulatory authority
D. Its client
Which of the following is the PRIMARY privacy concern with the use of a data lake containing transaction data, including personal data?
A. The data lake retains all the organization’s data.
B. The data lake supports all operational users.
C. The data lake receives data from all data sources.
D. The data lake supports all types of data structures.
Which of the following is the MOST important topic to cover in privacy awareness training customized for an organization's IT security staff?
A. Sanctions for misuse of personal information
B. Roles and responsibilities in responding to privacy-related incidents
C. Requirements for usage and distribution of personal information
D. Applicable privacy laws, regulations, and policies
Which of the following would MOST effectively reduce the impact of a successful breach through a remote access solution?
A. Compartmentalizing resource access
B. Regular testing of system backups
C. Monitoring and reviewing remote access logs
D. Regular physical and remote testing of the incident response plan
When evaluating cloud-based services for backup, which of the following is MOST important to consider from a privacy regulation standpoint?
A. Data classification labeling
B. Data residing in another country
C. Volume of data stored
D. Privacy training for backup users
Which of the following is the BEST way for an organization to gain visibility into its exposure to privacy-related vulnerabilities?
A. Review historical privacy incidents in the organization.
B. Monitor inbound and outbound communications.
C. Perform an analysis of known threats.
D. Implement a data loss prevention (DLP) solution.
Of the following, who should be PRIMARILY accountable for creating an organization’s privacy management strategy?
A. Chief data officer (CDO)
B. Privacy steering committee
C. Information security steering committee
D. Chief privacy officer (CPO)
Which of the following is the BEST way to validate that privacy practices align to the published enterprise privacy management program?
A. Conduct an audit.
B. Report performance metrics.
C. Perform a control self-assessment (CSA).
D. Conduct a benchmarking analysis.
Which of the following needs to be identified FIRST to define the privacy requirements to use when assessing the selection of IT systems?
A. Type of data being processed
B. Applicable control frameworks
C. Applicable privacy legislation
D. Available technology platforms
Which authentication practice is being used when an organization requires a photo on a government-issued identification card to validate an in-person credit card purchase?
A. Possession factor authentication
B. Knowledge-based credential authentication
C. Multi-factor authentication
D. Biometric authentication
Which of the following is the BEST indication of a highly effective privacy training program?
A. Members of the workforce understand their roles in protecting data privacy.
B. HR has made privacy training an annual mandate for the organization.
C. Recent audits have no findings or recommendations related to data privacy.
D. No privacy incidents have been reported in the last year.
Which of the following is the MOST effective remote access model for reducing the likelihood of attacks originating from connecting devices?
A. Remote wide area network (WAN) links
B. Thin client remote desktop protocol (RDP)
C. Site-to-site virtual private network (VPN)
D. Thick client desktop with virtual private network (VPN) connection
A material finding related to the integrity of personal data was discovered during a privacy audit. Which of the following should the IT privacy practitioner do FIRST?
A. Discuss the matter with the board.
B. Determine the impact to data subjects.
C. Draft a corrective plan for management.
D. Update the associated data privacy policy.
Which of the following is the BEST way to convert personal information to non-personal information?
A. Encryption
B. Pseudonymization
C. Hashing
D. Anonymization
Which of the following is MOST important to review before using an application programming interface (API) to help mitigate related privacy risk?
A. Data taxonomy
B. Data classification
C. Data flows
D. Data collection
Which of the following BEST facilitates an organization’s ability to achieve data privacy-related goals?
A. Implementing a data quality governance process
B. Implementing a detailed system of records process
C. Developing a clear data forensics process
D. Designing a robust data loss prevention (DLP) process
Which of the following is the PRIMARY reason to complete a privacy impact assessment (PIA)?
A. To comply with consumer regulatory requirements
B. To establish privacy breach response procedures
C. To classify personal data
D. To understand privacy risks
Which of the following BEST ensures data confidentiality across databases?
A. Logical data model
B. Data normalization
C. Data catalog vocabulary
D. Data anonymization
Which of the following should be established FIRST before authorizing remote access to a data store containing personal data?
A. Privacy policy
B. Network security standard
C. Multi-factor authentication
D. Virtual private network (VPN)
Which of the following is the MOST important consideration when using advanced data sanitization methods to ensure privacy data will be unrecoverable?
A. Subject matter expertise
B. Type of media
C. Regulatory compliance requirements
D. Location of data
Which of the following is the MOST important consideration when determining retention periods for personal data?
A. Sectoral best practices for the industry
B. Notice provided to customers during data collection
C. Data classification standards
D. Storage capacity available for retained data
An employee accidentally sends an email with personal data to the wrong person. Which of the following should the employee do FIRST upon becoming aware of the issue?
A. Notify the privacy regulator and the impacted data subjects.
B. Send the recipient another email requesting deletion of the email that was accidentally sent.
C. Document and file the details of what happened in anticipation of further questioning.
D. Report the situation to the data privacy officer as it could be a privacy breach.
Which method BEST reduces the risk related to sharing of personal data between a software as a service (SaaS) customer and the third party storing it?
A. Data hashing
B. Data encryption
C. Data pseudonymization
D. Data anonymization
It is MOST important to consider privacy by design principles during which phase of the software development life cycle (SDLC)?
A. Application design
B. Requirements definition
C. Implementation
D. Testing
We continuously update our content to ensure you have the most current and effective prep materials.
Good luck with your CDPSE certification journey!