This multiple choice assessment focuses on the new General Data Protection Regulation (GDPR).

The purpose of the assessment is to enable you to assess the extent and depth of your knowledge of the Data Protection Law in preparation for the CIPM.

Format: Multiple Choice

Time: 90 minutes

The result will be provided immediately, with details on all questions.

3) Please use the following to answer the next question:

SCENARIO

You lead the privacy office for a company that handles information from individuals living in several countries throughout Europe and the Americas. You begin that morning's privacy review when a contracts officer sends you a message asking for a phone call. The message lacks clarity and detail, but you presume that data was lost.

When you contact the contracts officer, he tells you that he received a letter in the mail from a vendor stating that the vendor improperly shared information about your customers. He called the vendor and confirmed that your company recently surveyed exactly 2000 individuals about their most recent healthcare experience and sent those surveys to the vendor to transcribe it into a database, but the vendor forgot to encrypt the database as promised in the contract. As a result, the vendor has lost control of the data-

The vendor is extremely apologetic and offers to take responsibility for sending out the notifications. They tell you they set aside 2000 stamped postcards because that should reduce the time it takes to get the notice in the mail. One side is limited to their logo, but the other side is blank, and they will accept whatever you want to write. You put their offer on hold and begin to develop the text around the space constraints. You are content to let the vendor's logo be associated with the notification.

The notification explains that your company recently hired a vendor to store information about their most recent experience at St. Sebastian Hospital's Clinic for Infectious Diseases. The vendor did not encrypt the information and no longer has control of it. All 2000 affected individuals are invited to sign-up for email notifications about their information. They simply need to go to your company/s website and watch a quick advertisement, then provide their name, email address, and month and year of birth.

You email the incident-response council for their buy-in before 9 a.m. If anything goes wrong in this situation, you want to diffuse the blame across your colleagues. Over the next eight hours, everyone emails their comments back and forth- The consultant who leads the incident-response team notes that it is his first day with the company, but he has been in other industries for 45 years and will do his best. One of the three lawyers on the council causes the conversation to veer off course, but it eventually gets back on track. At the end of the day, they vote to proceed with the notification you wrote and use the vendor's postcards.

Shortly after the vendor mails the postcards, you leam the data was on a server that was stolen and make the decision to have your company offer credit monitoring services. A quick internet search finds a credit monitoring company with a convincing name:

Credit Under Lock and Key (CRUDLOK). Your sales rep has never handled a contract for 2000 people, but develops a proposal in about a day which says CRUDLOK will:

  1. Send an enrolment invitation to everyone the day after the contract is signed

      2. Enrol someone with just their first name and the last4 of their national identifier.

  1. Monitor each enrolee’s credit for two years from the date of enrolment.
  2. Send a monthly email with their credit rating and offers for credit-related services at market rates.
  3. Charge your company 20% of the cost of any credit restoration.

You execute the contract, and the enrolment invitations are emailed to the 2000 individuals. Three days later you sit down and document all that went well and all that could have gone better. You put it in a file to reference the next time an incident occurs.


Which of the following elements of the incident did you adequately determine?

2) What is the key factor that lays the foundation for all other elements of a privacy program?

3) Please use the following to answer the next question:

SCENARIO

You lead the privacy office for a company that handles information from individuals living in several countries throughout Europe and the Americas. You begin that morning's privacy review when a contracts officer sends you a message asking for a phone call. The message lacks clarity and detail, but you presume that data was lost.

When you contact the contracts officer, he tells you that he received a letter in the mail from a vendor stating that the vendor improperly shared information about your customers. He called the vendor and confirmed that your company recently surveyed exactly 2000 individuals about their most recent healthcare experience and sent those surveys to the vendor to transcribe it into a database, but the vendor forgot to encrypt the database as promised in the contract. As a result, the vendor has lost control of the data-

The vendor is extremely apologetic and offers to take responsibility for sending out the notifications. They tell you they set aside 2000 stamped postcards because that should reduce the time it takes to get the notice in the mail. One side is limited to their logo, but the other side is blank, and they will accept whatever you want to write. You put their offer on hold and begin to develop the text around the space constraints. You are content to let the vendor's logo be associated with the notification.

The notification explains that your company recently hired a vendor to store information about their most recent experience at St. Sebastian Hospital's Clinic for Infectious Diseases. The vendor did not encrypt the information and no longer has control of it. All 2000 affected individuals are invited to sign-up for email notifications about their information. They simply need to go to your company/s website and watch a quick advertisement, then provide their name, email address, and month and year of birth.

You email the incident-response council for their buy-in before 9 a.m. If anything goes wrong in this situation, you want to diffuse the blame across your colleagues. Over the next eight hours, everyone emails their comments back and forth- The consultant who leads the incident-response team notes that it is his first day with the company, but he has been in other industries for 45 years and will do his best. One of the three lawyers on the council causes the conversation to veer off course, but it eventually gets back on track. At the end of the day, they vote to proceed with the notification you wrote and use the vendor's postcards.

Shortly after the vendor mails the postcards, you leam the data was on a server that was stolen and make the decision to have your company offer credit monitoring services. A quick internet search finds a credit monitoring company with a convincing name:

Credit Under Lock and Key (CRUDLOK). Your sales rep has never handled a contract for 2000 people, but develops a proposal in about a day which says CRUDLOK will:

  1. Send an enrolment invitation to everyone the day after the contract is signed

      2. Enrol someone with just their first name and the last4 of their national identifier.

  1. Monitor each enrolee’s credit for two years from the date of enrolment.
  2. Send a monthly email with their credit rating and offers for credit-related services at market rates.
  3. Charge your company 20% of the cost of any credit restoration.

You execute the contract, and the enrolment invitations are emailed to the 2000 individuals. Three days later you sit down and document all that went well and all that could have gone better. You put it in a file to reference the next time an incident occurs.


Which of the following elements of the incident did you adequately determine?

4) Before determining an organization’s privacy strategy, what should a privacy program manager define?

5) What is the best way understand the location, use and importance of personal data within an organization?

6) Please use the following to answer the following question:

SCENARIO

Martin Briseno is the director of human resources at the Canyon City location of the U.S. hotel chain Pacific Suites. In 1998, Briseno decided to change the hotel's on-the-job mentoring model to a standardized training program for employees who were progressing from line positions into supervisory positions. He developed a curriculum comprising a series of lessons, scenarios, and assessments, which was delivered in-person to small groups. Interest in the training increased, leading Briseno to work with corporate HR specialists and software engineers to offer the program in an online format. The online program saved the cost of a trainer and allowed participants to work through the material at their own pace.

Upon hearing about the success of Briseno's program, Pacific Suites corporate Vice President Maryanne Silva-Hayes expanded the training and offered it company-wide. Employees who completed the program received certification as a Pacific Suites Hospitality Supervisor. By 2001, the program had grown to provide industry-wide training. Personnel at hotels across the country could sign up and pay to take the course online. As the program became increasingly profitable, Pacific Suites developed an offshoot business, Pacific Hospitality Training (PHT). The sole focus of PHT was developing and marketing a variety of online courses and course progressions providing a number of professional certifications in the hospitality industry.

By setting up a user account with PHT, course participants could access an information library. Sign up for courses. and take end-of-course certification tests. When a user opened a new account. all information was saved by default. including the user's name, date of birth, contact information, credit card information, employer, and Job title. The registration page offered an opt-out choice that users could click to not have their credit card numbers saved. Once a username and password were established, users could return to check their course status, review, and reprint their certifications, and sign up and pay for new courses. Between 2002 and 2008, PHT issued more than 700,000 professional certifications.

PHT's profits declined in 2009 and 2010. the victim of industry downsizing and increased competition from e-learning providers. By 2011. Pacific Suites was out of the online certification business and PHT was dissolved. The training program's systems and records remained in Pacific Suites' digital archives, un-accessed and unused. Briseno and Silva-Hayes moved on to work for other companies, and there was no plan for handling the archived data after the program ended. After PHT was dissolved, Pacific Suites executives turned their attention to crucial day-to-day operations. They planned to deal with the PHT materials once resources allowed

In 2012, the Pacific Suites computer network was hacked. Malware installed on the online reservation system exposed the credit card information of hundreds of hotel guests. While targeting the financial data on the reservation site, hackers also discovered the archived training course data and registration accounts of Pacific Hospitality Training's customers_ The result of the hack was the exfiltration of the credit card numbers of recent hotel guests and the exfiltration of the PHT database with all its contents.

A Pacific Suites systems analyst discovered the information security breach in a routine scan of activity reports. Pacific Suites quickly notified credit card companies and recent hotel guests of the breach, attempting to prevent serious harm. Technical security engineers faced a challenge in dealing with the PHT data

PHT course administrators and the IT engineers did not have a system for tracking, cataloguing. and storing information Pacific Suites has procedures in place for data access and storage, but those procedures were not implemented when PHT was formed When the PHT database was acquired by Pacific Suites, it had no owner or oversight By the time technical security engineers determined what private information was compromised, at least 8,000 credit card holders were potential victims of fraudulent activity.

How was Pacific Suites responsible for protecting the sensitive information of its offshoot, PHT?

7) In a sample metric template, what does ‘target' mean?

ADD ANSWER
8) Customer service employees for a health insurance company are granted access to subscribers’ sensitive personal information so they can assist with inquiries regarding coverage and billing. What business function is most likely responsible for determining which employees may access subscribers’ sensitive personal information?

9) Please use the following information to answer the below question.

SCENARIO

As the company's new chief executive officer, Thomas Goddard wants to be known as a leader in data protection. Goddard recently served as the chief financial officer of Hoopy.Com, a pioneer in online video viewing with millions of users around the world Unfortunately, Hoopy is infamous within privacy protection circles for its ethically questionable practices, including unauthorized sales of personal data to marketers. Hoopy also was the target of credit card data theft that made headlines around the world, as at least two million credit card numbers were thought to have been pilfered despite the company's claims that *appropriate* data protection safeguards were in place. The scandal affected the company’s business as competitors were quick to market an increased level of protection while offering similar entertainment and media content. Within three weeks after the scandal broke, Hoopy founder and CEO Maxwell Martin, Goddard's mentor, was forced to step down

Goddard, however, seems to have landed on his feet, securing the CEO position at your company, Medialite, which is just emerging from its start-up phase. He sold the company's board and investors on his vision of Medialite building its brand partly based on industry-leading data protection standards and procedures. He may have been a key part of a lapsed or even rogue organization in matters of privacy but now he claims to be reformed and a true believer in privacy protection. In his first week on the job, he calls you into his office and explains that your primary work responsibility is to bring his vision for privacy to life. But you also detect some reservations. “we want Medialite to have absolutely the highest standards,” he says.” In fact, I want us to be able to say that we are the clear industry leader in privacy and data protection. However, I also need to be a responsible steward of the company's finances. So, while I want the best solutions across the board, they also need to be cost effective “

You are told to report back in a week's time with your recommendations. Charged with this ambiguous mission, you depart the executive suite, already considering your next steps.

The company has achieved a level of privacy protection that established new best practices for the industry- What is a logical next step to help ensure a high level of protection?

ADD answer
10) What is the most important aspect of privacy program management?

11) Which best demonstrates the effectiveness of a firm's privacy incident response process?

3) Please use the following to answer the next question:

SCENARIO

You lead the privacy office for a company that handles information from individuals living in several countries throughout Europe and the Americas. You begin that morning's privacy review when a contracts officer sends you a message asking for a phone call. The message lacks clarity and detail, but you presume that data was lost.

When you contact the contracts officer, he tells you that he received a letter in the mail from a vendor stating that the vendor improperly shared information about your customers. He called the vendor and confirmed that your company recently surveyed exactly 2000 individuals about their most recent healthcare experience and sent those surveys to the vendor to transcribe it into a database, but the vendor forgot to encrypt the database as promised in the contract. As a result, the vendor has lost control of the data-

The vendor is extremely apologetic and offers to take responsibility for sending out the notifications. They tell you they set aside 2000 stamped postcards because that should reduce the time it takes to get the notice in the mail. One side is limited to their logo, but the other side is blank, and they will accept whatever you want to write. You put their offer on hold and begin to develop the text around the space constraints. You are content to let the vendor's logo be associated with the notification.

The notification explains that your company recently hired a vendor to store information about their most recent experience at St. Sebastian Hospital's Clinic for Infectious Diseases. The vendor did not encrypt the information and no longer has control of it. All 2000 affected individuals are invited to sign-up for email notifications about their information. They simply need to go to your company/s website and watch a quick advertisement, then provide their name, email address, and month and year of birth.

You email the incident-response council for their buy-in before 9 a.m. If anything goes wrong in this situation, you want to diffuse the blame across your colleagues. Over the next eight hours, everyone emails their comments back and forth- The consultant who leads the incident-response team notes that it is his first day with the company, but he has been in other industries for 45 years and will do his best. One of the three lawyers on the council causes the conversation to veer off course, but it eventually gets back on track. At the end of the day, they vote to proceed with the notification you wrote and use the vendor's postcards.

Shortly after the vendor mails the postcards, you leam the data was on a server that was stolen and make the decision to have your company offer credit monitoring services. A quick internet search finds a credit monitoring company with a convincing name:

Credit Under Lock and Key (CRUDLOK). Your sales rep has never handled a contract for 2000 people, but develops a proposal in about a day which says CRUDLOK will:

  1. Send an enrolment invitation to everyone the day after the contract is signed

      2. Enrol someone with just their first name and the last4 of their national identifier.

  1. Monitor each enrolee’s credit for two years from the date of enrolment.
  2. Send a monthly email with their credit rating and offers for credit-related services at market rates.
  3. Charge your company 20% of the cost of any credit restoration.

You execute the contract, and the enrolment invitations are emailed to the 2000 individuals. Three days later you sit down and document all that went well and all that could have gone better. You put it in a file to reference the next time an incident occurs.


Which of the following elements of the incident did you adequately determine?

13) Which of the following indicates you have developed the right privacy framework for your organization?

14) Which is NOT an influence on the privacy environment external to an organization?

15) Please use the following information to answer the below question:

SCENARIO

You lead the privacy office for a company that handles information from individuals living in several countries throughout Europe and the Americas. You begin that morning's privacy review when a contracts officer sends you a message asking for a phone call. The message lacks clarity and detail, but you presume that data was lost.

When you contact the contracts officer, he tells you that he received a letter in the mail from a vendor stating that the vendor improperly shared information about your customers.  He called the vendor and confirmed that your company recently surveyed exactly 2000 individuals about their most recent healthcare experience and sent those surveys to the vendor to transcribe it into a database, but the vendor forgot to encrypt the database as promised in the contract. As a result, the vendor has lost control of the data

The vendor is extremely apologetic and offers to take responsibility for sending out the notifications. They tell you they set aside 2000 stamped postcards because that should reduce the time it takes to get the notice in the mail. One side is limited to their logo, but the other side is blank, and they will accept whatever you want to write. You put their offer on hold and begin to develop the text around the space constraints. You are content to let the vendor's logo be associated with the notification.

The notification explains that your company recently hired a vendor to store information about their most recent experience at St. Sebastian Hospital's Clinic for Infectious Diseases. The vendor did not encrypt the information and no longer has control of it- All 2000 affected individuals are invited to sign-up for email notifications about their information. They simply need to go to your company/s website and watch a quick advertisement, then provide their name, email address, and month and year of birth.

You email the incident-response council for their buy-in before 9 am. If anything goes wrong in this situation, you want to diffuse the blame across your colleagues. Over the next eight hours, everyone emails their comments back and forth. The consultant who leads the incident-response team notes that it is his first day with the company, but he has been in other industries for 45 years and will do his best. One of the three lawyers on the council causes the conversation to veer off course, but it eventually gets back on track. At the end of the day, they vote to proceed with the notification you wrote and use the vendor's postcards.

Shortly after the vendor mails the postcards, you leam the data was on a server that was stolen and make the decision to have your company offer credit monitoring services. A quick internet search finds a credit monitoring company with a convincing name:

Credit Under Lock and Key (CRUDLOK). Your sales rep has never handled a contract for 2000 people, but develops a proposal in about a day which says CRUDLOK will:

 

1. Send an enrolment invitation to everyone the day after the contract is signed

2  Enrol someone with just their first name and the last-4 of their national identifier.

3. Monitor each enrolee’s credit for two years from the date of enrolment.

4. Send a monthly email with their credit rating and offers for credit-related services at market rates

5.Charge your company 20% of the cost of any credit restoration

You execute the contract, and the enrolment invitations are emailed to the 2000 individuals. Three days later you sit down and document all that went well and all that could have gone better. You put it in a file to reference the next time an incident occurs.

Which of the following was done CORRECTLY during the above incident?

16) A Human Resources director at a company reported that a laptop containing employee payroll data was lost on the train. Which action should the company take IMMEDIATELY?

17) An organization's privacy officer was just notified by the benefits manager that she accidentally sent out the retirement enrolment report of all employees to a wrong vendor. Which of the following actions should the privacy officer take FIRST?


18) Please use the following information to answer the below question

SCENARIO

Edufox has hosted an annual convention of users of its famous e-leaming software platform, and over time, it has become a grand event- It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centrepiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.

This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration. highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. 'It's going to be great: the developer, Deidre Hoffman, tells you, 'if. that is, we actually get it working!' She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm 'It's just three young people,' she says, 'but they do great work.' She describes some of the other apps they have built- When asked how they were selected for this job, Deidre shrugs. 'They do good work, so I chose them.'

Deidre is a terrific employee with a strong track record. That is why she has been charged to deliver this rushed project. You are sure she has the best interests of the company at heart. and you do not doubt that she is under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they are doing. You worry too much, but that's why you're so good at your Job!'

Since it is too late to restructure the contract with the vendor or prevent the app from being deployed, what is the best step for you to take next?

19) Please use the following information to answer the below question

SCENARIO

Edufox has hosted an annual convention of users of its famous e-leaming software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centrepiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.

This year’s conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. “It's going to be great” the developer, Deidre Hoffman, tells you, “if, that is, we actually get it working” She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm.” It's just three young people,” she says, 'but they do great work.' She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. “They do good work, so I chose them”

Deidre is a terrific employee with a strong track record. That is why she's been charged to deliver this rushed project. You are sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back.  However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they are doing. You worry too much, but that's why you're so good at your job!'

You want to point out that normal protocols have not been followed in this matter. Which process in particular been neglected?

20) Please use the following information to answer the below question:

SCENARIO

Edufox has hosted an annual convention of users of its famous e-leaming software platform, and over time, it has become a grand event- It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centrepiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.

This year’s conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations, and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. “It's going to be great”, the developer, Deidre Hoffman, tells you, “if, that is, we actually get it working “She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. “It's just three young people,” she says, “but they do great work”. She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. “They do good work, so I chose them”.

Deidre is a terrific employee with a strong track record. That is why she has been charged to deliver this rushed project. You are sure she has the best interests of the company at heart, and you do not doubt that she is under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they are doing. You worry too much, but that's why you're so good at your job!'

Which is the best first step in understanding the data security practices of a potential vendor?

21) If an organization maintains a separate ethics office, to whom would its officer typically report too to retain the greatest degree of independence?

22) Which business function ensures business and regulatory requirements are met through detailed market, credit, trade and counterparty analysis?