CDPSE Practice Questions Free – 50 Exam-Style Questions to Sharpen Your Skills
Are you preparing for the CDPSE certification exam? Kickstart your success with our CDPSE Practice Questions Free – a carefully selected set of 50 real exam-style questions to help you test your knowledge and identify areas for improvement.
Practicing with these free CDPSE questions gives you a powerful edge by allowing you to:
- Understand the exam structure and question formats
- Discover your strong and weak areas
- Build the confidence you need for test day success
Below, you will find 50 free CDPSE practice questions designed to match the real exam in both difficulty and topic coverage. They are ideal for self-assessment or final review.
Of the following, who should be PRIMARILY accountable for creating an organization’s privacy management strategy?
A. Chief data officer (CDO)
B. Privacy steering committee
C. Information security steering committee
D. Chief privacy officer (CPO)
Which of the following is the PRIMARY reason to complete a privacy impact assessment (PIA)?
A. To comply with consumer regulatory requirements
B. To establish privacy breach response procedures
C. To classify personal data
D. To understand privacy risks
What is the BEST method to protect customers’ personal data that is forwarded to a central system for analysis?
A. Pseudonymization
B. Deletion
C. Encryption
D. Anonymization
Which of the following is the GREATEST benefit of adopting data minimization practices?
A. Storage and encryption costs are reduced.
B. Data retention efficiency is enhanced.
C. The associated threat surface is reduced.
D. Compliance requirements are met.
Which key stakeholder within an organization should be responsible for approving the outcomes of a privacy impact assessment (PIA)?
A. Data custodian
B. Privacy data analyst
C. Data processor
D. Data owner
Which of the following scenarios poses the GREATEST risk to an organization from a privacy perspective?
A. The organization lacks a hardware disposal policy.
B. Emails are not consistently encrypted when sent internally.
C. Privacy training is carried out by a service provider.
D. The organization’s privacy policy has not been reviewed in over a year.
Which of the following is the BEST indication of a highly effective privacy training program?
A. Members of the workforce understand their roles in protecting data privacy.
B. HR has made privacy training an annual mandate for the organization.
C. Recent audits have no findings or recommendations related to data privacy.
D. No privacy incidents have been reported in the last year.
How can an organization BEST ensure its vendors are complying with data privacy requirements defined in their contracts?
A. Review self-attestations of compliance provided by vendor management.
B. Obtain independent assessments of the vendors’ data management processes.
C. Perform penetration tests of the vendors’ data security.
D. Compare contract requirements against vendor deliverables.
When using anonymization techniques to prevent unauthorized access to personal data, which of the following is the MOST important consideration to ensure the data is adequately protected?
A. The key must be kept separate and distinct from the data it protects.
B. The data must be protected by multi-factor authentication.
C. The key must be a combination of alpha and numeric characters.
D. The data must be stored in locations protected by data loss prevention (DLP) technology.
Which of the following is the MOST effective remote access model for reducing the likelihood of attacks originating from connecting devices?
A. Remote wide area network (WAN) links
B. Thin client remote desktop protocol (RDP)
C. Site-to-site virtual private network (VPN)
D. Thick client desktop with virtual private network (VPN) connection
Which of the following vulnerabilities would have the GREATEST impact on the privacy of information?
A. Private key exposure
B. Poor patch management
C. Lack of password complexity
D. Out-of-date antivirus signatures
An organization has a policy requiring the encryption of personal data if transmitted through email. Which of the following is the BEST control to ensure the effectiveness of this policy?
A. Provide periodic user awareness training on data encryption.
B. Implement a data loss prevention (DLP) tool.
C. Conduct regular control self-assessments (CSAs).
D. Enforce annual attestation to policy compliance.
Which of the following should an IT privacy practitioner review FIRST to understand where personal data is coming from and how it is used within the organization?
A. Data process flow diagrams
B. Data classification
C. Data collection standards
D. Data inventory
Which of the following is the BEST way to limit the organization’s potential exposure in the event of consumer data loss while maintaining the traceability of the data?
A. Encrypt the data at rest.
B. De-identify the data.
C. Use a unique hashing algorithm.
D. Require a digital signature.
A project manager for a new data collection system had a privacy impact assessment (PIA) completed before the solution was designed. Once the system was released into production, an audit revealed personal data was being collected that was not part of the PIA. What is the BEST way to avoid this situation in the future?
A. Conduct a privacy post-implementation review.
B. Document personal data workflows in the product life cycle.
C. Incorporate privacy checkpoints into the secure development life cycle.
D. Require management approval of changes to system architecture design.
Which of the following BEST represents privacy threat modeling methodology?
A. Mitigating inherent risks and threats associated with privacy control weaknesses
B. Systematically eliciting and mitigating privacy threats in a software architecture
C. Reliably estimating a threat actor’s ability to exploit privacy vulnerabilities
D. Replicating privacy scenarios that reflect representative software usage
Which of the following is the BEST way to protect personal data in the custody of a third party?
A. Have corporate counsel monitor privacy compliance.
B. Require the third party to provide periodic documentation of its privacy management program.
C. Include requirements to comply with the organization’s privacy policies in the contract.
D. Add privacy-related controls to the vendor audit plan.
Which of the following should be the FIRST consideration when selecting a data sanitization method?
A. Risk tolerance
B. Implementation cost
C. Industry standards
D. Storage type
Which method BEST reduces the risk related to sharing of personal data between a software as a service (SaaS) customer and the third party storing it?
A. Data hashing
B. Data encryption
C. Data pseudonymization
D. Data anonymization
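Several of the questions above (protecting customer data forwarded for analysis, keeping a key separate from the data it protects, hashing for traceability, and sharing data with a SaaS provider) turn on one distinction: a pseudonym produced with a secret key can be reversed only by whoever holds the key, an unkeyed hash of a guessable identifier such as an email address can be reversed by anyone who can enumerate candidates, and anonymization removes the link to the person altogether. The following Python example is added here to illustrate that distinction; it is not part of the question set. The customer records and the key are constructed for the demonstration, and the function names are my own.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real customers). They stand in for the
# customer data that is forwarded to a central analysis system.
CUSTOMERS = [
    {"email": "alice@example.com", "zip": "94110", "birth_year": 1985, "purchases": 7},
    {"email": "bob@example.com", "zip": "94110", "birth_year": 1991, "purchases": 2},
    {"email": "alice@example.com", "zip": "94110", "birth_year": 1985, "purchases": 1},
]


def unkeyed_pseudonym(email: str) -> str:
    """Plain SHA-256 of the identifier. Deterministic, but anyone who can
    enumerate candidate emails can confirm a guess (see dictionary_attack)."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Without the key a guess cannot be confirmed, so
    the key must live somewhere the pseudonymized data set does not."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Replace the direct identifier with a keyed pseudonym and return a
    re-identification table that stays with the key holder. The same email
    always maps to the same pseudonym, so per-customer joins and counts still
    work downstream (traceability is preserved for the key holder only)."""
    lookup = {}
    out = []
    for r in records:
        p = keyed_pseudonym(r["email"], key)
        lookup[p] = r["email"]
        out.append({"subject_id": p, "zip": r["zip"],
                    "birth_year": r["birth_year"], "purchases": r["purchases"]})
    return out, lookup


def reidentify(pseudonym: str, lookup: dict):
    """Only the holder of the lookup table (and key) can do this."""
    return lookup.get(pseudonym)


def anonymize(records):
    """Drop the identifier and coarsen the quasi-identifiers (ZIP prefix,
    decade of birth). Nothing retained links a row back to a person, so
    traceability is gone by design; the trade-off is reduced data utility."""
    return [
        {"zip3": r["zip"][:3],
         "age_band": (r["birth_year"] // 10) * 10,
         "purchases": r["purchases"]}
        for r in records
    ]


def dictionary_attack(target: str, candidates):
    """Attacker without the key: hash each candidate and compare. Recovers an
    unkeyed pseudonym; cannot match a keyed one."""
    for c in candidates:
        if hmac.compare_digest(unkeyed_pseudonym(c), target):
            return c
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # kept by the data owner, not shipped with the data
    rows, table = pseudonymize(CUSTOMERS, key)
    print("pseudonymized:", rows[0]["subject_id"][:16], "...")
    print("re-identified:", reidentify(rows[0]["subject_id"], table))
    print("unkeyed hash recovered:",
          dictionary_attack(unkeyed_pseudonym("bob@example.com"), ["alice@example.com", "bob@example.com"]))
    print("keyed hash recovered:",
          dictionary_attack(rows[1]["subject_id"], ["alice@example.com", "bob@example.com"]))
    print("anonymized:", anonymize(CUSTOMERS)[0])
```

The point a practitioner should take away: "hashing" an identifier only protects it when the hash is keyed and the key is stored apart from the data, and the re-identification table is what distinguishes pseudonymized data (traceable by the controller) from anonymized data (not traceable by anyone).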
Which of the following is the MOST important consideration when determining retention periods for personal data?
A. Sectoral best practices for the industry
B. Notice provided to customers during data collection
C. Data classification standards
D. Storage capacity available for retained data
An organization is developing a wellness smartwatch application and is considering what information should be collected from the application users. Which of the following is the MOST legitimate information to collect for business reasons in this situation?
A. Height, weight, and activities
B. Sleep schedule and calorie intake
C. Education and profession
D. Race, age, and gender
A migration of personal data involving a data source with outdated documentation has been approved by senior management. Which of the following should be done NEXT?
A. Review data flow post migration.
B. Ensure appropriate data classification.
C. Engage an external auditor to review the source data.
D. Check the documentation version history for anomalies.
Which of the following is the MOST important topic to cover in privacy awareness training customized for an organization's IT security staff?
A. Sanctions for misuse of personal information
B. Roles and responsibilities in responding to privacy-related incidents
C. Requirements for usage and distribution of personal information
D. Applicable privacy laws, regulations, and policies
Which of the following processes BEST enables an organization to maintain the quality of personal data?
A. Implementing routine automatic validation
B. Maintaining hashes to detect changes in data
C. Encrypting personal data at rest
D. Updating the data quality standard through periodic review
Which of the following should be done FIRST to establish privacy by design when developing a contact-tracing application?
A. Conduct a privacy impact assessment (PIA).
B. Conduct a development environment review.
C. Identify privacy controls for the application.
D. Identify differential privacy techniques.
Which of the following is the BEST reason for a health organization to use desktop virtualization to implement stronger access control to systems containing patient records?
A. Limited functions and capabilities of a secured operating environment
B. Monitored network activities for unauthorized use
C. Improved data integrity and reduced effort for privacy audits
D. Unlimited functionalities and highly secured applications
Which of the following should be done FIRST when developing an organization-wide strategy to address data privacy risk?
A. Obtain executive support.
B. Develop a data privacy policy.
C. Gather privacy requirements from legal counsel.
D. Create a comprehensive data inventory.
When evaluating cloud-based services for backup, which of the following is MOST important to consider from a privacy regulation standpoint?
A. Data classification labeling
B. Data residing in another country
C. Volume of data stored
D. Privacy training for backup users
Which of the following is the PRIMARY benefit of implementing policies and procedures for system hardening?
A. It increases system resiliency.
B. It reduces external threats to data.
C. It reduces exposure of data.
D. It eliminates attack motivation for data.
Which of the following needs to be identified FIRST to define the privacy requirements to use when assessing the selection of IT systems?
A. Type of data being processed
B. Applicable control frameworks
C. Applicable privacy legislation
D. Available technology platforms
Which of the following is defined and implemented to ensure organizational data privacy protection arrangements are maintained and enforced regardless of jurisdiction?
A. Rules for data subject requests
B. Binding corporate rules
C. Privacy notice and consent rules
D. Rules for managing complaints
Which of the following techniques mitigates design flaws in the application development process that may contribute to potential leakage of personal data?
A. User acceptance testing (UAT)
B. Patch management
C. Software hardening
D. Web application firewall (WAF)
A debt collection agency is attempting to locate a debtor and collects information on several people with similar names. During the inquiry, some of these people are discounted. How should the agency decide what data is adequate, relevant, and limited?
A. The agency should keep only the minimum data needed to form a basic record of people removed from the search.
B. The agency should delete all personal data collected after the debtor is found.
C. The agency should keep the data collected but store in an anonymized format.
D. The agency should keep the data collected and mark an indication on the people removed from the search.
Which of the following should trigger a review of an organization's privacy policy?
A. Backup procedures for customer data are changed.
B. Data loss prevention (DLP) incidents increase.
C. An emerging technology will be implemented.
D. The privacy steering committee adopts a new charter.
Which of the following should be of GREATEST concern when an organization wants to store personal data in the cloud?
A. The organization’s potential legal liabilities related to the data
B. The data recovery capabilities of the storage provider
C. The data security policies and practices of the storage provider
D. Any vulnerabilities identified in the cloud system
It is MOST important to consider privacy by design principles during which phase of the software development life cycle (SDLC)?
A. Application design
B. Requirements definition
C. Implementation
D. Testing
Which of the following BEST facilitates an organization’s ability to achieve data privacy-related goals?
A. Implementing a data quality governance process
B. Implementing a detailed system of records process
C. Developing a clear data forensics process
D. Designing a robust data loss prevention (DLP) process
Which of the following is the PRIMARY privacy concern with the use of a data lake containing transaction data, including personal data?
A. The data lake retains all the organization’s data.
B. The data lake supports all operational users.
C. The data lake receives data from all data sources.
D. The data lake supports all types of data structures.
Which of the following would BEST enable an organization to account for unstructured data?
A. Data dictionary
B. Data library
C. Data classification
D. Data flow map
Which of the following is the BEST way for an organization to gain visibility into its exposure to privacy-related vulnerabilities?
A. Review historical privacy incidents in the organization.
B. Monitor inbound and outbound communications.
C. Perform an analysis of known threats.
D. Implement a data loss prevention (DLP) solution.
A material finding related to the integrity of personal data was discovered during a privacy audit. Which of the following should the IT privacy practitioner do FIRST?
A. Discuss the matter with the board.
B. Determine the impact to data subjects.
C. Draft a corrective plan for management.
D. Update the associated data privacy policy.
An organization wants to ensure that endpoints are protected in line with the privacy policy. Which of the following should be the FIRST consideration?
A. Detecting malicious access through endpoints
B. Implementing network traffic filtering on endpoint devices
C. Managing remote access and control
D. Hardening the operating systems of endpoint devices
Which of the following provides the BEST assurance that a potential vendor is able to comply with privacy regulations and the organization's data privacy policy?
A. Including mandatory compliance language in the request for proposal (RFP)
B. Conducting a risk assessment of all candidate vendors
C. Requiring candidate vendors to provide documentation of privacy processes
D. Obtaining self-attestations from all candidate vendors
A global financial institution is implementing data masking technology to protect personal data used for testing purposes in non-production environments. Which of the following is the GREATEST challenge in this situation?
A. Access to personal data is not strictly controlled in development and testing environments.
B. Complex relationships within and across systems must be retained for testing.
C. Personal data across the various interconnected systems cannot be easily identified.
D. Data masking tools are complex and difficult to implement.
As part of a major data discovery initiative to identify personal data across the organization, the project team has identified the proliferation of personal data held as unstructured data as a major risk. What should be done FIRST to address this situation?
A. Identify sensitive unstructured data at the point of creation.
B. Classify sensitive unstructured data.
C. Identify who has access to sensitive unstructured data.
D. Assign an owner to sensitive unstructured data.
An organization wants to change the originally specified purpose of collected personal data. What must be done NEXT?
A. Notify data protection authorities.
B. Obtain consent from data subjects.
C. Update the enterprise data architecture.
D. Revise the privacy notice.
Which of the following is the MOST important consideration when choosing a method for data destruction?
A. Granularity of data to be destroyed
B. Time required for the chosen method of data destruction
C. Validation and certification of data destruction
D. Level and strength of current data encryption
An online retail company is trying to determine how to handle users’ data if they unsubscribe from marketing emails generated from the website. Which of the following is the BEST approach for handling personal data that has been restricted?
A. Encrypt users’ information so it is inaccessible to the marketing department.
B. Reference the privacy policy to see if the data is truly restricted.
C. Remove users’ information and accounts from the system.
D. Flag users’ email addresses to make sure they do not receive promotional information.
Which of the following BEST prevents users from sending out customers’ personal data without encryption?
A. Data loss prevention (DLP) tools
B. De-identification of data
C. Automatic email blocking
D. User behavior monitoring
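Two questions above (enforcing a policy that personal data sent by email must be encrypted, and preventing users from sending customers' personal data without encryption) describe what an outbound email DLP rule does in practice: inspect each message, detect personal data, check whether the message is encrypted, and block it if it is not. The following Python example is added here to show that logic end to end; it is not part of the question set. The three messages are constructed for the demonstration (the card number is the standard 4111 test number), the internal domain is assumed, and the detection patterns are deliberately minimal.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

INTERNAL_DOMAIN = "corp.example"          # assumed for the example

# Constructed outbound messages (not from any real mail system).
PLAINTEXT_WITH_PAN = """From: agent@corp.example
To: partner@outside.example
Subject: order follow-up
Content-Type: text/plain

Customer Jane Roe, card 4111 1111 1111 1111, SSN 123-45-6789.
"""

PGP_ENCRYPTED = """From: agent@corp.example
To: partner@outside.example
Subject: order follow-up
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----
hQEMA...
-----END PGP MESSAGE-----
"""

INTERNAL_PLAIN = """From: agent@corp.example
To: billing@corp.example
Subject: order follow-up
Content-Type: text/plain

Customer Jane Roe, card 4111 1111 1111 1111.
"""

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # digit runs with optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and phone numbers that merely
    look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Never write the full number into the DLP log itself."""
    return "*" * (len(digits) - 4) + digits[-4:]


def is_encrypted(msg: Message) -> bool:
    """S/MIME and PGP/MIME announce themselves in the content type; inline
    PGP shows up as an armored block in the body."""
    if msg.get_content_type() in ("multipart/encrypted", "application/pkcs7-mime"):
        return True
    body = msg.get_payload(decode=True) or b""
    return b"-----BEGIN PGP MESSAGE-----" in body


def leaves_org(msg: Message, internal_domain: str) -> bool:
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return any(a.rsplit("@", 1)[-1].lower() != internal_domain for _, a in addrs if a)


def evaluate_message(raw: str) -> dict:
    """Policy: personal data in email must be encrypted. Unencrypted messages
    carrying card numbers or SSNs are blocked; the external flag is recorded
    so the incident can be triaged by severity."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True)
    text = body.decode(errors="replace") if isinstance(body, bytes) else ""
    cards = find_card_numbers(text)
    ssns = SSN_RE.findall(text)
    encrypted = is_encrypted(msg)
    has_personal_data = bool(cards or ssns)
    verdict = "BLOCK" if has_personal_data and not encrypted else "ALLOW"
    return {"verdict": verdict, "cards": [mask_pan(c) for c in cards],
            "ssns": len(ssns), "encrypted": encrypted,
            "external": leaves_org(msg, INTERNAL_DOMAIN)}


if __name__ == "__main__":
    for name, raw in [("plaintext", PLAINTEXT_WITH_PAN), ("pgp", PGP_ENCRYPTED), ("internal", INTERNAL_PLAIN)]:
        print(name, evaluate_message(raw))
```

A real DLP product adds document fingerprinting, OCR of attachments and exact-data matching, but the decision structure is the same: content detection plus an encryption check at the egress point, which is why it enforces the policy rather than relying on the user to remember it.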
Which of the following describes a user’s “right to be forgotten”?
A. The data is being used to comply with legal obligations or the public interest.
B. The data is no longer required for the purpose originally collected.
C. The individual objects despite legitimate grounds for processing.
D. The individual’s legal residence status has recently changed.
Free Access to the Full CDPSE Practice Question Bank
Want more hands-on practice? The full bank of free CDPSE practice questions covers all exam objectives and will help you reinforce your understanding.
We update our question sets regularly, so check back often for new and relevant content.
Good luck with your CDPSE certification journey!