CDPSE Practice Test Free – 50 Real Exam Questions to Boost Your Confidence
Preparing for the CDPSE exam? Start with our CDPSE Practice Test Free – a set of 50 high-quality, exam-style questions crafted to help you assess your knowledge and improve your chances of passing on the first try.
Taking a CDPSE practice test free is one of the smartest ways to:
- Get familiar with the real exam format and question types
- Evaluate your strengths and spot knowledge gaps
- Gain the confidence you need to succeed on exam day
Below, you will find 50 free CDPSE practice questions to help you prepare for the exam. These questions are designed to reflect the real exam structure and difficulty level.
Which of the following system architectures BEST supports anonymity for data transmission?
A. Client-server
B. Plug-in-based
C. Front-end
D. Peer-to-peer
A migration of personal data involving a data source with outdated documentation has been approved by senior management. Which of the following should be done NEXT?
A. Review data flow post migration.
B. Ensure appropriate data classification.
C. Engage an external auditor to review the source data.
D. Check the documentation version history for anomalies.
Which of the following processes BEST enables an organization to maintain the quality of personal data?
A. Implementing routine automatic validation
B. Maintaining hashes to detect changes in data
C. Encrypting personal data at rest
D. Updating the data quality standard through periodic review
Which of the following is the MOST important consideration when determining retention periods for personal data?
A. Sectoral best practices for the industry
B. Notice provided to customers during data collection
C. Data classification standards
D. Storage capacity available for retained data
An organization wants to change the originally specified purpose of collected personal data. What must be done NEXT?
A. Notify data protection authorities.
B. Obtain consent from data subjects.
C. Update the enterprise data architecture.
D. Revise the privacy notice.
Which of the following should be done FIRST to establish privacy by design when developing a contact-tracing application?
A. Conduct a privacy impact assessment (PIA).
B. Conduct a development environment review.
C. Identify privacy controls for the application.
D. Identify differential privacy techniques.
During which stage of the software development life cycle (SDLC) is it MOST critical to conduct a privacy impact assessment (PIA)?
A. Development
B. Implementation
C. Testing
D. Planning
A global financial institution is implementing data masking technology to protect personal data used for testing purposes in non-production environments. Which of the following is the GREATEST challenge in this situation?
A. Access to personal data is not strictly controlled in development and testing environments.
B. Complex relationships within and across systems must be retained for testing.
C. Personal data across the various interconnected systems cannot be easily identified.
D. Data masking tools are complex and difficult to implement.
Which of the following should be established FIRST before authorizing remote access to a data store containing personal data?
A. Privacy policy
B. Network security standard
C. Multi-factor authentication
D. Virtual private network (VPN)
Which of the following BEST demonstrates that security considerations are embedded in DevOps operations for application development?
A. The compliance team is involved in both pre-implementation and post-implementation stages.
B. Application hardening is performed before rollout of the application.
C. Code review is conducted during the software development life cycle (SDLC).
D. The engineering team has been trained on security and privacy policies.
Which of the following is a responsibility of the audit function in helping an organization address privacy compliance requirements?
A. Approving privacy impact assessments (PIAs)
B. Validating the privacy framework
C. Managing privacy notices provided to customers
D. Establishing employee privacy rights and consent
Which of the following BEST represents privacy threat modeling methodology?
A. Mitigating inherent risks and threats associated with privacy control weaknesses
B. Systematically eliciting and mitigating privacy threats in a software architecture
C. Reliably estimating a threat actor’s ability to exploit privacy vulnerabilities
D. Replicating privacy scenarios that reflect representative software usage
What is the BEST way for an organization to maintain the effectiveness of its privacy breach incident response plan?
A. Require security management to validate data privacy security practices.
B. Involve the privacy office in an organizational review of the incident response plan.
C. Hire a third party to perform a review of data privacy processes.
D. Conduct annual data privacy tabletop exercises.
Which of the following should trigger a review of an organization's privacy policy?
A. Backup procedures for customer data are changed.
B. Data loss prevention (DLP) incidents increase.
C. An emerging technology will be implemented.
D. The privacy steering committee adopts a new charter.
When evaluating cloud-based services for backup, which of the following is MOST important to consider from a privacy regulation standpoint?
A. Data classification labeling
B. Data residing in another country
C. Volume of data stored
D. Privacy training for backup users
Which of the following vulnerabilities would have the GREATEST impact on the privacy of information?
A. Private key exposure
B. Poor patch management
C. Lack of password complexity
D. Out-of-date antivirus signatures
Which of the following is the BEST way for an organization to gain visibility into its exposure to privacy-related vulnerabilities?
A. Review historical privacy incidents in the organization.
B. Monitor inbound and outbound communications.
C. Perform an analysis of known threats.
D. Implement a data loss prevention (DLP) solution.
Which of the following is the BEST way to protect personal data in the custody of a third party?
A. Have corporate counsel monitor privacy compliance.
B. Require the third party to provide periodic documentation of its privacy management program.
C. Include requirements to comply with the organization’s privacy policies in the contract.
D. Add privacy-related controls to the vendor audit plan.
A technology company has just launched a mobile application for tracking health symptoms. This application is built on a mobile device technology stack that allows users to share their location and details of their symptoms. Which of the following is the GREATEST privacy concern with collecting this data via mobile devices?
A. Client-side device ID
B. Data storage requirements
C. Encryption of key data elements
D. Data usage without consent
Which of the following is the BEST way to explain the difference between data privacy and data security?
A. Data privacy protects users from unauthorized disclosure, while data security prevents compromise.
B. Data privacy protects the data subjects, while data security is about protecting critical assets.
C. Data privacy is about data segmentation, while data security prevents unauthorized access.
D. Data privacy stems from regulatory requirements, while data security focuses on consumer rights.
As part of a major data discovery initiative to identify personal data across the organization, the project team has identified the proliferation of personal data held as unstructured data as a major risk. What should be done FIRST to address this situation?
A. Identify sensitive unstructured data at the point of creation.
B. Classify sensitive unstructured data.
C. Identify who has access to sensitive unstructured data.
D. Assign an owner to sensitive unstructured data.
Which of the following BEST facilitates a privacy impact assessment (PIA)?
A. Creating an information flow and repository to identify personal data being collected
B. Providing privacy and awareness training for project managers and system owners
C. Comparing current privacy policies and procedures to industry benchmarks
D. Identifying key systems used for processing and storing personal data
Which of the following is an IT privacy practitioner’s BEST recommendation to reduce privacy risk before an organization provides personal data to a third party?
A. Tokenization
B. Aggregation
C. Anonymization
D. Encryption
Which of the following is a PRIMARY objective of performing a privacy impact assessment (PIA) prior to onboarding a new Software as a Service (SaaS) provider for a customer relationship management (CRM) system?
A. To identify controls to mitigate data privacy risks
B. To classify personal data according to the data classification scheme
C. To assess the risk associated with personal data usage
D. To determine the service provider’s ability to maintain data protection controls
Which of the following is the GREATEST privacy concern for an organization implementing endpoint detection and response (EDR) tools on employee laptops?
A. Lack of an acknowledged user acceptance policy
B. Unclear monitoring scope
C. Poor controls on privileged access to EDR tools
D. Lack of up-to-date EDR capability on employee laptops
Which of the following would MOST effectively reduce the impact of a successful breach through a remote access solution?
A. Compartmentalizing resource access
B. Regular testing of system backups
C. Monitoring and reviewing remote access logs
D. Regular physical and remote testing of the incident response plan
Which of the following is MOST important to consider when setting priorities for privacy data management objectives?
A. IT portfolios
B. Industry benchmarks
C. Business strategies
D. Technical vulnerabilities
Which of the following is the BEST way to hide sensitive personal data that is in use in a data lake?
A. Data masking
B. Data truncation
C. Data encryption
D. Data minimization
An organization wants to ensure that endpoints are protected in line with the privacy policy. Which of the following should be the FIRST consideration?
A. Detecting malicious access through endpoints
B. Implementing network traffic filtering on endpoint devices
C. Managing remote access and control
D. Hardening the operating systems of endpoint devices
It is MOST important to consider privacy by design principles during which phase of the software development life cycle (SDLC)?
A. Application design
B. Requirements definition
C. Implementation
D. Testing
Which of the following should FIRST be established before a privacy office starts to develop a data protection and privacy awareness campaign?
A. Detailed documentation of data privacy processes
B. Strategic goals of the organization
C. Contract requirements for independent oversight
D. Business objectives of senior leaders
Of the following, who should be PRIMARILY accountable for creating an organization’s privacy management strategy?
A. Chief data officer (CDO)
B. Privacy steering committee
C. Information security steering committee
D. Chief privacy officer (CPO)
A debt collection agency is attempting to locate a debtor and collects information on several people with similar names. During the inquiry, some of these people are discounted. How should the agency decide what data is adequate, relevant, and limited?
A. The agency should keep only the minimum data needed to form a basic record of people removed from the search.
B. The agency should delete all personal data collected after the debtor is found.
C. The agency should keep the data collected but store it in an anonymized format.
D. The agency should keep the data collected and mark an indication on the people removed from the search.
Which of the following should be the FIRST consideration prior to implementing an audit trail of access to personal data?
A. Vulnerability and threat assessments
B. Service level agreements (SLAs)
C. Cost-benefit analysis
D. Sensitivity and regulatory requirements
Which of the following would BEST enable a data warehouse to limit access to individual database objects?
A. Private storage volumes
B. Virtual private database
C. Database privacy firewall
D. Data control dictionary
Which of the following is the PRIMARY reason for an organization to use hash functions when hardening application systems involved in biometric data processing?
A. To ensure technical security measures are effective
B. To prevent possible identity theft
C. To meet the organization’s security baseline
D. To reduce the risk of sensitive data breaches
Which of the following is the BEST control to detect potential internal breaches of personal data?
A. Data loss prevention (DLP) systems
B. Classification of data
C. Employee background checks
D. User behavior analytics tools
What type of personal information can be collected by a mobile application without consent?
A. Full name
B. Geolocation
C. Phone number
D. Accelerometer data
Which of the following is the MOST important consideration when using advanced data sanitization methods to ensure privacy data will be unrecoverable?
A. Subject matter expertise
B. Type of media
C. Regulatory compliance requirements
D. Location of data
To increase productivity, an organization is planning to implement movement tracking devices in the vehicles of field employees. Which of the following MUST be in place before installing the devices?
A. Bring your own device (BYOD) policy
B. Mobile device management (MDM)
C. Location accuracy mechanisms
D. End user agreements
What is the BEST method to protect customers’ personal data that is forwarded to a central system for analysis?
A. Pseudonymization
B. Deletion
C. Encryption
D. Anonymization
Which of the following would BEST enable an organization to account for unstructured data?
A. Data dictionary
B. Data library
C. Data classification
D. Data flow map
An organization is designing a new human resources (HR) system. Which of the following should be implemented to BEST enable detection of unauthorized access to personal data?
A. Data loss prevention (DLP) solution
B. Security information and event management (SIEM) solution
C. Vulnerability scanning and management software
D. Web application firewall (WAF)
Within a business continuity plan (BCP), which of the following is the MOST important consideration to ensure the ability to restore availability and access to personal data in the event of a data privacy incident?
A. Offline backup availability
B. Recovery time objective (RTO)
C. Recovery point objective (RPO)
D. Online backup frequency
A retail company handles payroll accounting for its employees through a Software as a Service (SaaS) provider that uses a data center operator as a subcontractor. Who is responsible for the protection of the employees’ personal data?
A. The SaaS provider
B. The external auditing firm
C. The retail company
D. The data center operator
Which of the following BEST supports an organization’s efforts to create and maintain desired privacy protection practices among employees?
A. Skills training programs
B. Awareness campaigns
C. Performance evaluations
D. Code of conduct principles
Which of the following is the BEST reason for a health organization to use desktop virtualization to implement stronger access control to systems containing patient records?
A. Limited functions and capabilities of a secured operating environment
B. Monitored network activities for unauthorized use
C. Improved data integrity and reduced effort for privacy audits
D. Unlimited functionalities and highly secured applications
Which of the following is MOST important to include when defining an organization’s privacy requirements as part of a privacy program plan?
A. Data classification process
B. Privacy management governance
C. Privacy protection infrastructure
D. Lessons learned documentation
Which of the following is the MOST important consideration when choosing a method for data destruction?
A. Granularity of data to be destroyed
B. Time required for the chosen method of data destruction
C. Validation and certification of data destruction
D. Level and strength of current data encryption
Which of the following is the GREATEST benefit of adopting data minimization practices?
A. Storage and encryption costs are reduced.
B. Data retention efficiency is enhanced.
C. The associated threat surface is reduced.
D. Compliance requirements are met.
We regularly update this page with new practice questions, so be sure to check back frequently.
Good luck with your CDPSE certification journey!