This multiple choice assessment focuses on the new General Data Protection Regulation (GDPR).

The purpose of the assessment is to enable you to assess the extent and depth of your knowledge of the Data Protection Law in preparation for the CIPM.

Format: Multiple Choice

Time: 90 minutes

The result will be provided immediately, with details on all questions.

1) What is the purpose for undertaking a privacy maturity assessment?

2) Under the privacy maturity model (PMM), what must an organization include in its privacy program to move from a maturity level of “defined” to a maturity level of “managed”?

3) Which of the following is a recognized data governance model?

4) A company’s data center suffers a short power outage and the backup generator does not kick in. After services are restored, some of the personal data processed by the company appears to be lost. What should the privacy team do first?

5) When measuring privacy, which component of analysis concentrates on the reporting data that remains when the other components of the series, primarily time and cyclical, have been accounted for?

6) Please use the following information to answer the question below.

SCENARIO 

You have recently been hired on as privacy officer for a newly-formed, privately-funded kidney dialysis company based in Boston, Massachusetts in the U.S., with subsidiaries in Dublin, Ireland and Dubai, UAE. The company’s focus is on utilizing artificial intelligence software to manage and enhance care for end-stage kidney disease patients around the world by analyzing patient data and making predictions that allow “right care at the right time”. Most of the company’s employees will be located within close proximity to the three main offices; however, the sales team, which makes up approximately one-third of the workforce, will have the ability to work remotely full-time since much of their work will be spent travelling to customer locations to demonstrate and train on the new software. While headquartered in the U.S., the company delegates broad decision-making authority to its two subsidiaries, allowing the subsidiaries to have control of their day-to-day business functions.

As part of this delegation of control, the privacy team has privacy professionals in each region to support privacy within its subsidiaries. The company has chosen to outsource its information security functions utilizing a third-party vendor. All customer data will be stored in a cloud-based server.

Access will be restricted in a manner that only allows each subsidiary to view and access customer data for their own country’s customers. For example, employees based out of Boston will not be able to access the customer data for Dubai’s clients. Certain leadership employees will be able to see across all three locations; however, their access will mainly be to non-customer-specific data.

You have a strong background in managing privacy programs in U.S. healthcare organizations. Previously, however, you have only worked at not-for-profit U.S. organizations; this will be your first time working at a for-profit global company. You will be reporting to the chief compliance officer (CCO), headquartered in Boston, who has expertise in the operations of a global kidney dialysis company and general knowledge regarding compliance regulations and laws to which the new organization will be subject. While the CCO has some knowledge of privacy laws and regulations that may impact your new organization, she will be relying on you to ensure company compliance from a privacy program management perspective. Both you and your boss’ roles will entail ensuring all subsidiaries comply with all country-specific laws, regulations and norms. You are well aware of the importance of buy-in at all levels of the leadership in order for the privacy program to be effective and are eager to show your new boss how you can apply that knowledge and expertise to ensure the company is appropriately addressing all privacy risks facing the organization.

Question:
You have been asked to develop a mission statement and code of conduct for the company’s privacy program that will be reviewed and approved by executive leadership. What should your primary focus be when developing these two foundational documents?

7) Please use the scenario given in question 6 to answer the question below.

Question:
You suggest to your chief compliance officer that the organization adopt usage of one industry-supported framework that will be utilized company-wide. Which of the following frameworks is most likely to meet the organization’s global needs?

8) Please use the scenario given in question 6 to answer the question below.

Question:
Which of the following would be the most efficient and effective method for administering a privacy training program to your company’s workforce?

9) If a data controller outsources activities pertaining to personal data management, then accountability for compliance is retained by the controller. Which type of audit would be appropriate for this situation?

10) A prospective vendor should be evaluated against standards through questionnaires, privacy impact assessments and other checklists. One initial standard for selecting vendors should include which of the following?

11) To collect and process personal data, a particular healthcare provider is required by law to obtain explicit consent from its patients. A privacy notice is published on the provider's website informing the patients of how their data will be processed. Before giving their consent, the patients must acknowledge that they read and understood the notice. What process should the healthcare provider have in place to avoid misunderstanding and reduce the risk of potential legal claims?

12) Which of the following best defines data governance with respect to personal data?

13) Which of the following is one way that global organizations ensure that proposed privacy policies align to local laws?

14) Betty, a member of the privacy team, has been asked to consider the effectiveness of her company’s privacy framework. To do so, she has been conducting interviews with employees across the business, from senior executives to the customer service staff. Betty has found that, in general, back-office employees are aware that there are documented privacy policies and procedures in place, but they are not able to confidently explain what they say nor how personal data is handled by the company. Betty has also found that, in general, employees who have direct interaction with customers have a clear understanding of what personal data is, but they are less familiar with documented procedures or what compliance obligations the company has. Of the following options, which is the best suggestion Betty can make to the company?

15) Which of the following is an example of a technical control used to safeguard personal data during the privacy operational life cycle?

16) Please use the following information to answer the question below.

SCENARIO

Mollie has been a customer of a popular online retailer for a women’s fashion brand for over 10 years. Mollie is a frequent shopper and a “VIP customer.” As such, she often gets early access to sales and special offers and had a dedicated account manager, Toby. Mollie often communicated with Toby via phone, email and text about order updates, special offers or even complaints. Toby was always on hand to resolve issues and has provided excellent customer service for Mollie. Over the last year, Mollie has noticed she has had to return several items for a variety of reasons. Mollie also recently moved and has repeatedly asked for her address details to be changed on her account; however, her deliveries are still going to her old address, causing unnecessary delays. A few of the purchases Mollie returned have not been refunded to her. She even agreed to receive the refunds in the form of gift vouchers or credit applied to her account, but those have not been applied. Her account manager has been replaced by Karen, who is not as easy to contact as Toby, and who often doesn’t respond to her messages.

Mollie received a notice that her account information may have been compromised by a data breach, which the company is currently investigating. No further details about the breach have been provided to Mollie. She is becoming increasingly worried and disappointed by the lack of customer service and information provided on the data breach, considering she has been a loyal customer for many years. Because of this, Mollie has not been purchasing as many items and is worried she may lose her “VIP” customer status. Additionally, she is still owed money from many returns that have not been processed and has concerns about identity theft. Mollie reaches out to the generic customer service team rather than Karen. She is escalated to the complaints team, who have already been investigating her complaints for the past month. Despite several attempts to reach the complaints team, she isn’t getting any updates. Mollie decides to hire an attorney to take legal action on her behalf.

Question:
After consulting with her attorney, Mollie allows them to create a data subject access request (DSAR) on her behalf. How should the fashion retailer respond to the attorney?

17) Please use the scenario given in question 16 to answer the question below.

Question:
Which of the following information would NOT be provided to Mollie under a data subject access request?

18) When assessing how privacy practices are managed within an organization, what is the role of the ethics and compliance department?

19) You are looking to write a data classification policy for the entire organization. One issue is that each department has different types of data and other requirements for that data. How should you manage this policy and its rollout?

20) Under which of the following circumstances is a data protection impact assessment (DPIA) required?

21) Which of the following contains information about whether a company discloses personal data to third parties?

22) Before entering into any new business relationships or renewing old contracts with vendors, what should an organization do as a key component of securing the service?

23) Please use the following information to answer the question below.

SCENARIO

GoodGifts.com is a gift company that provides businesses with the ability to order a variety of physical gifts to send to their employees. The business is completely web-based, and the website for ordering is hosted by a third-party software company. All products are sent via a national shipping company. GoodGifts.com is careful to maintain separate databases for each client along with appropriate firewalls and security measures.

Businesses have the option to select specific gifts for each employee, or GoodGifts.com can select the items for the business based on the age of the employee. General guidelines for gifts can be provided to select or omit specific items, such as gift cards, humorous items or alcohol, allowing businesses to adjust their employee gifts to align with the company values and culture.

A national supermarket chain in the U.S. has a contract with GoodGifts.com to send an age-appropriate birthday gift to nearly all of its 7,000 employees on their birthdays. The supermarket’s point of contact provides GoodGifts.com with each employee’s name, address and birthdate, including birth year, and the gift items they wish to have included as options. All employee data provided by the supermarket is encrypted.

During a routine audit, an administrator at GoodGifts.com identified a potential data breach. Upon further investigation, they concluded that there was a breach of their systems wherein the personal data of 553 of the supermarket’s employees was compromised. None of GoodGifts.com’s other clients’ data was affected. GoodGifts.com notified the appropriate supervisory authorities and those individuals whose information they identified as having been directly affected by the breach.

Question:
Who else should GoodGifts.com notify about the data breach?

24) Please use the scenario given in question 23 to answer the question below.

Question:
GoodGifts.com was able to manage the breach with relatively minor impact to personal data and therefore to individuals. Which of the following was NOT a contributing factor to minimizing the impact?

25) Please use the scenario given in question 23 to answer the question below.

Question:
Why is it important to review privacy impact assessments on a regular basis?

26) Which of the following is a reason for having an executive sponsor for the organizational vision for privacy?

27) A local dentistry business, Dr. John & Associates, intends to convert paper-based records on clients to an electronic format to adopt online booking and payment systems for clients. When would it be recommended that the business conduct a privacy threshold analysis?

28) Based on budget and time constraints, which of the following is the BEST approach for a company to take when identifying legal requirements as part of a privacy program framework?

29) Which of the following outlines the standard phases for an audit life cycle?

30) You have just started a role with a start-up company that has existing relationships with third-party vendors. During a meeting with the stakeholders, you are told that they are not worried about risks because they only do business with “reputable” companies. You convince them to allow you to conduct a high-level preliminary vendor risk assessment. Which of the following should be performed as part of an initial assessment?

31) Which of the following is an aspect of the performing phase of the International Organization for Standardization (ISO) guidelines (ISO 29134) regarding the process for completing a privacy impact assessment (PIA) and the structure of the resulting report?

32) A small IT company offers customer relationship management (CRM) software to other businesses across five continents but is facing serious budget constraints. The company has appointed its first data protection officer (DPO) to implement a privacy program. To help ensure the success of the program, what should the DPO do first?

33) Please use the following information to answer the question below.

SCENARIO

A Europe-based snacking company, GoodSnack, has been driving expansion through acquisition for the last few years. As part of its expansion, it has acquired several new businesses, including:

  • HealthySnack, which offers a range of healthy snack products that are mainly sold in Europe, but has a growing customer base in Canada, Australia and New Zealand.
  • PharmaSnack, the snacking division of a global pharmaceuticals giant. PharmaSnack sells a wide range of medicated products through its direct-to-consumer online
  • SnackAI, an India-based startup that uses artificial intelligence to predict consumer snacking

Just after it acquires HealthySnack, GoodSnack learns of a data breach that occurred in HealthySnack’s Australian division, which exposed personal data from its Australia/New Zealand customer base. The breach was traced to a third-party website where consumers were encouraged to register and post pictures of themselves with HealthySnack products. The images were then visible on HealthySnack’s social media channels. The investigation by the Office of the Privacy Commissioner of New Zealand found that while the breach was attributed to a zero-day exploit, HealthySnack had failed to assess risks of the processing of consumer data by a third party.

 

Following a wider review by parent company GoodSnack, an internal audit has found HealthySnack to be deficient in its privacy practices—especially privacy risk assessments—and seeks to ensure all its subsidiaries have adequate privacy measures in place. You have been recruited by GoodSnack and tasked by the audit board with designing and implementing a global privacy assessment process, as well as with assessing any solutions already in use.

 

From your data gathering, it is clear that SnackAI’s expertise can support GoodSnack’s strategy to use artificial intelligence to target its marketing activity. Any privacy risk assessment developed for GoodSnack will need to assess the impact of AI. GoodSnack is creating a central data repository of all customer data from GoodSnack and its subsidiary companies to look for direct marketing opportunities. GoodSnack also intends to share data with SnackAI to develop a customer-specific pricing and discount model based on previous purchase history.

Question:

When conducting a privacy impact assessment (PIA) of SnackAI’s additional processing of the combined marketing dataset to develop a customer pricing and discount model, what is the additional privacy risk?

34) Please use the scenario given in question 33 to answer the question below.

Question:

Which of the following factors of GoodSnack’s new global privacy threshold assessment is most likely to trigger the requirement of a DPIA under the GDPR?

35) Please use the following information to answer the question below.

SCENARIO

A Europe-based snacking company, GoodSnack, has been driving expansion through acquisition for the last few years. As part of its expansion, it has acquired several new businesses, including:

 

  • HealthySnack, which offers a range of healthy snack products that are mainly sold in Europe, but has a growing customer base in Canada, Australia and New
  • PharmaSnack, the snacking division of a global pharmaceuticals giant. PharmaSnack sells a wide range of medicated products through its direct-to-consumer online
  • SnackAI, an India-based startup that uses artificial intelligence to predict consumer snacking

 

Just after it acquires HealthySnack, GoodSnack learns of a data breach that occurred in HealthySnack’s Australian division, which exposed personal data from its Australia/New Zealand customer base. The breach was traced to a third-party website where consumers were encouraged to register and post pictures of themselves with HealthySnack products. The images were then visible on HealthySnack’s social media channels. The investigation by the Office of the Privacy Commissioner of New Zealand found that while the breach was attributed to a zero-day exploit, HealthySnack had failed to assess risks of the processing of consumer data by a third party.


Following a wider review by parent company GoodSnack, an internal audit has found HealthySnack to be deficient in its privacy practices—especially privacy risk assessments—and seeks to ensure all its subsidiaries have adequate privacy measures in place. You have been recruited by GoodSnack and tasked by the audit board with designing and implementing a global privacy assessment process, as well as with assessing any solutions already in use.


From your data gathering, it is clear that SnackAI’s expertise can support GoodSnack’s strategy to use artificial intelligence to target its marketing activity. Any privacy risk assessment developed for GoodSnack will need to assess the impact of AI. GoodSnack is creating a central data repository of all customer data from GoodSnack and its subsidiary companies to look for direct marketing opportunities. GoodSnack also intends to share data with SnackAI to develop a customer-specific pricing and discount model based on previous purchase history.


Question:

You have completed the design of your PIA/DPIA process, including supporting documents, and are ready to roll them out. As a final step, you are asked to consider when it would be appropriate to update and reapprove each PIA/DPIA. Which of the following statements most accurately answers that question?

36) Of the following options, which is the BEST way for an organization to handle communication of a personal data breach?

37) It is important to consider which of the following when determining the scope of a privacy program?

38) Company X, based in Europe, is acquiring Company Z, which operates in Europe as well as other As part of a plan to integrate Company Z's employees into its systems, Company X is about to run some test loads of employee data to ensure completeness and accuracy. To appropriately address privacy concerns under the GDPR, what should Company X do first?

39) There was a recent theft at your office building, where your organization rents a suite. Management would like to provide the board of directors with assurance that the suite is secure by conducting an audit of the physical safeguards. Which of the following responses would audit solely the physical safeguards on the premises?

40) A privacy team should work with information security and IT to ensure effective access controls. Which of the following is a basic security principle for role-based access controls (RBAC)?

41) What is the overall function of cryptography within the privacy operational lifecycle?

42) What is considered to be the main benefit and objective for having a privacy program framework?

43) A new online retailer has emerged as the result of the amalgamation of several international They have hired you as a privacy consultant to support their global marketing strategy. The new retail company collects and uses personal data for the purpose of email marketing communications to individuals. What do you recommend to the retail company as the BEST way to screen the organization’s use of personal email addresses?

44) An organization signs an agreement with a new vendor who, on behalf of the organization, will process the personal data of the organization’s customers. What personal data processing best practice should the organization follow after engaging with this new vendor?

45) When should a privacy impact assessment be undertaken?

46) The investigation of a company’s latest data breach reveals that errors and negligence of several company employees were the breach’s main cause. What is the BEST course of action for the company to reduce the probability of similar incidents in the future?

47) A financial services company recently experienced a catastrophic privacy breach due to the malicious actions of an employee. The supervisory authority has investigated the breach and has ordered the organization to implement stronger privacy and security controls, including employee training. As the HR lead on the privacy team, how can you ensure that the employee training requirements are being met?

48) Which of the following BEST describes the benefits of a hybrid data governance model?

49) Your organization, targeting individuals in the United States, is looking to implement a new customer relationship management solution, and you are on the project team in a privacy role. Under Ann Cavoukian’s Privacy by Design principles, which item below would be most important when reviewing the collection of data to ensure that the collection is compliant with privacy regulations and principles before launch?

50) What is the primary purpose of a vendor assessment?