This multiple choice assessment focuses on the new General Data Protection Regulation (GDPR).

The purpose of the assessment is to enable you to assess the extent and depth of your knowledge of the Data Protection Law in preparation for the CIPM.

Format: Multiple Choice

Time: 90 minutes

The result will be provided immediately, with details on all questions.

1) Which of the following situations would NOT require conducting a privacy impact assessment?

2) Please use the following information to answer the question below

SCENARIO

A global media company that operates through various outlets in fifteen countries and four continents is undergoing a global restructure. Traditionally, the business has operated in each country as a separate entity.

 

The business plans to pivot to a global structure to take advantage of economies of scale, streamlining teams and products and to create a unified customer database across all markets. Sharing data and information globally has increased risks to data privacy, and the global leadership team has recognized the need to create a global privacy program headed by a board-level chief privacy officer.

 

Prior to the restructure, there was no global privacy program, as each market operated its own privacy program with its own databases and systems. Personal data and processes were not shared across the global business between different markets or the global headquarters.

 

While the different markets are at varying levels of data privacy maturity, the new global CPO recognizes that each local market has data privacy teams with skills and knowledge pertinent to their region’s regulatory environment and the local business unit’s culture. The goal is to create global cross-functional teams operating at all levels of the business. Therefore, there is a strong need to create a new global data privacy vision from the start of the restructure to embed and instill a strong privacy ethic from the start.

 

The new CPO wants to operate a hybrid data governance structure that will harness some of the existing privacy programs but with a central global privacy team that defines the new privacy vision, who will communicate the new privacy program to the whole global business.

 

The new sales and marketing department will be based in the U.S. and will be responsible for global sales targets and growing subscriptions of the business’s various subscription-based media products. The new global subscriber databases will also be based in the U.S., with current and prospective subscribers targeted in the global database and email marketing platform.

 

The business still has a privacy notice for each local market’s websites, which does not describe the new way customer data is shared with different parts of the business in different countries, and each privacy notice is written to reflect the data privacy laws of that particular country. The business still has separate HR teams in each market with their own internal privacy policies.

 

A privacy program director has been recruited to the new global privacy team to support the CPO, and is responsible for communicating the new global privacy program across the business and running training and awareness programs.

Question:

One of the tasks of the privacy program director is to communicate about the privacy program to existing and prospective customers. Which of the following is the best way to create customer awareness of the privacy program?

3) Please use the following information to answer the question below

SCENARIO

A global media company that operates through various outlets in fifteen countries and four continents is undergoing a global restructure. Traditionally, the business has operated in each country as a separate entity.

 

The business plans to pivot to a global structure to take advantage of economies of scale, streamlining teams and products and to create a unified customer database across all markets. Sharing data and information globally has increased risks to data privacy, and the global leadership team has recognized the need to create a global privacy program headed by a board-level chief privacy officer.

 

Prior to the restructure, there was no global privacy program, as each market operated its own privacy program with its own databases and systems. Personal data and processes were not shared across the global business between different markets or the global headquarters.

 

While the different markets are at varying levels of data privacy maturity, the new global CPO recognizes that each local market has data privacy teams with skills and knowledge pertinent to their region’s regulatory environment and the local business unit’s culture. The goal is to create global cross-functional teams operating at all levels of the business. Therefore, there is a strong need to create a new global data privacy vision from the start of the restructure to embed and instill a strong privacy ethic from the start.

 

The new CPO wants to operate a hybrid data governance structure that will harness some of the existing privacy programs but with a central global privacy team that defines the new privacy vision, who will communicate the new privacy program to the whole global business.

 

The new sales and marketing department will be based in the U.S. and will be responsible for global sales targets and growing subscriptions of the business’s various subscription-based media products. The new global subscriber databases will also be based in the U.S., with current and prospective subscribers targeted in the global database and email marketing platform.

 

The business still has a privacy notice for each local market’s websites, which does not describe the new way customer data is shared with different parts of the business in different countries, and each privacy notice is written to reflect the data privacy laws of that particular country. The business still has separate HR teams in each market with their own internal privacy policies.

 

A privacy program director has been recruited to the new global privacy team to support the CPO, and is responsible for communicating the new global privacy program across the business and running training and awareness programs.

Question:

To help instill a sense of accountability throughout the organization, the privacy director wants to make sure the new central database team specifically builds in privacy by design from the beginning of the What would be the BEST strategy to achieve this?

4) Please use the following information to answer the question below

SCENARIO

A global media company that operates through various outlets in fifteen countries and four continents is undergoing a global restructure. Traditionally, the business has operated in each country as a separate entity.

 

The business plans to pivot to a global structure to take advantage of economies of scale, streamlining teams and products and to create a unified customer database across all markets. Sharing data and information globally has increased risks to data privacy, and the global leadership team has recognized the need to create a global privacy program headed by a board-level chief privacy officer.

 

Prior to the restructure, there was no global privacy program, as each market operated its own privacy program with its own databases and systems. Personal data and processes were not shared across the global business between different markets or the global headquarters.

 

While the different markets are at varying levels of data privacy maturity, the new global CPO recognizes that each local market has data privacy teams with skills and knowledge pertinent to their region’s regulatory environment and the local business unit’s culture. The goal is to create global cross-functional teams operating at all levels of the business. Therefore, there is a strong need to create a new global data privacy vision from the start of the restructure to embed and instill a strong privacy ethic from the start.

 

The new CPO wants to operate a hybrid data governance structure that will harness some of the existing privacy programs but with a central global privacy team that defines the new privacy vision, who will communicate the new privacy program to the whole global business.

 

The new sales and marketing department will be based in the U.S. and will be responsible for global sales targets and growing subscriptions of the business’s various subscription-based media products. The new global subscriber databases will also be based in the U.S., with current and prospective subscribers targeted in the global database and email marketing platform.

 

The business still has a privacy notice for each local market’s websites, which does not describe the new way customer data is shared with different parts of the business in different countries, and each privacy notice is written to reflect the data privacy laws of that particular country. The business still has separate HR teams in each market with their own internal privacy policies.

 

A privacy program director has been recruited to the new global privacy team to support the CPO, and is responsible for communicating the new global privacy program across the business and running training and awareness programs.

Question:

The new privacy team has identified that the global sales and marketing team, based in the U.S., requires additional privacy training and awareness. What is the best option to ensure they have access to the right policies, procedures and updates relative to their roles?

5) Please use the following information to answer the question below

SCENARIO

A global media company that operates through various outlets in fifteen countries and four continents is undergoing a global restructure. Traditionally, the business has operated in each country as a separate entity.

 

The business plans to pivot to a global structure to take advantage of economies of scale, streamlining teams and products and to create a unified customer database across all markets. Sharing data and information globally has increased risks to data privacy, and the global leadership team has recognized the need to create a global privacy program headed by a board-level chief privacy officer.

 

Prior to the restructure, there was no global privacy program, as each market operated its own privacy program with its own databases and systems. Personal data and processes were not shared across the global business between different markets or the global headquarters.

 

While the different markets are at varying levels of data privacy maturity, the new global CPO recognizes that each local market has data privacy teams with skills and knowledge pertinent to their region’s regulatory environment and the local business unit’s culture. The goal is to create global cross-functional teams operating at all levels of the business. Therefore, there is a strong need to create a new global data privacy vision from the start of the restructure to embed and instill a strong privacy ethic from the start.

 

The new CPO wants to operate a hybrid data governance structure that will harness some of the existing privacy programs but with a central global privacy team that defines the new privacy vision, who will communicate the new privacy program to the whole global business.

 

The new sales and marketing department will be based in the U.S. and will be responsible for global sales targets and growing subscriptions of the business’s various subscription-based media products. The new global subscriber databases will also be based in the U.S., with current and prospective subscribers targeted in the global database and email marketing platform.

 

The business still has a privacy notice for each local market’s websites, which does not describe the new way customer data is shared with different parts of the business in different countries, and each privacy notice is written to reflect the data privacy laws of that particular country. The business still has separate HR teams in each market with their own internal privacy policies.

 

A privacy program director has been recruited to the new global privacy team to support the CPO, and is responsible for communicating the new global privacy program across the business and running training and awareness programs.

Question:

The privacy director is working on a communications plan for the new privacy What is the BEST option for the privacy director to develop this plan?

6) Please use the following information to answer the question below

SCENARIO

A global media company that operates through various outlets in fifteen countries and four continents is undergoing a global restructure. Traditionally, the business has operated in each country as a separate entity.

 

The business plans to pivot to a global structure to take advantage of economies of scale, streamlining teams and products and to create a unified customer database across all markets. Sharing data and information globally has increased risks to data privacy, and the global leadership team has recognized the need to create a global privacy program headed by a board-level chief privacy officer.

 

Prior to the restructure, there was no global privacy program, as each market operated its own privacy program with its own databases and systems. Personal data and processes were not shared across the global business between different markets or the global headquarters.

 

While the different markets are at varying levels of data privacy maturity, the new global CPO recognizes that each local market has data privacy teams with skills and knowledge pertinent to their region’s regulatory environment and the local business unit’s culture. The goal is to create global cross-functional teams operating at all levels of the business. Therefore, there is a strong need to create a new global data privacy vision from the start of the restructure to embed and instill a strong privacy ethic from the start.

 

The new CPO wants to operate a hybrid data governance structure that will harness some of the existing privacy programs but with a central global privacy team that defines the new privacy vision, who will communicate the new privacy program to the whole global business.

 

The new sales and marketing department will be based in the U.S. and will be responsible for global sales targets and growing subscriptions of the business’s various subscription-based media products. The new global subscriber databases will also be based in the U.S., with current and prospective subscribers targeted in the global database and email marketing platform.

 

The business still has a privacy notice for each local market’s websites, which does not describe the new way customer data is shared with different parts of the business in different countries, and each privacy notice is written to reflect the data privacy laws of that particular country. The business still has separate HR teams in each market with their own internal privacy policies.

 

A privacy program director has been recruited to the new global privacy team to support the CPO, and is responsible for communicating the new global privacy program across the business and running training and awareness programs.

Question:

Part of the privacy officer’s role is to develop a new global privacy policy for the Which of the following would be the first action they should take to develop this?

7) Kelly is consulting for Switchwand Inc., a small company with limited resources, on risk management solutions. The CEO of the company is concerned that its financial position will limit options to secure the physical data collected and stored on Some safeguards are already in place, including scanning a keycard to enter the building and a clean desk policy. Kelly is responsible for the most cost-efficient way to protect files containing personal data. Of the below examples of physical security deterrents, which should Kelly suggest to Switchwand Inc. as the MOST cost-efficient option?

8) Justine has just been appointed data protection officer (DPO) of a tech start-up that produces a health monitoring app that is downloaded by users all over the As a new company, it is the first time they have had a DPO. What should her first task be?

9) The National Institute of Standards and Technology (NIST) Privacy Framework is a risk-based, adaptable approach that identifies and manages privacy risks separating its components into three key Which of the following is NOT a key component of the NIST Privacy Framework?

10) What is the MAIN purpose of conducting a privacy threshold analysis?

11) Which of the following is applied to continually monitor risks?

12) You are hired as a privacy officer for an organization that collects sensitive personal data via a third-party vendor to provide a service to The organization is looking to embed privacy by design into its existing architecture. You are trying to figure out where to start. According to Ann Cavoukian’s Privacy by Design Principles, which of the following is the MOST important consideration when approaching this issue?

13) A customer service agent accidentally sends an email to a customer containing information about another customer, which has not been password protected. The incident is escalated to the data privacy team. Which immediate step should the privacy team recommend the customer service agent take to mitigate the incident?

14) What should a privacy officer do before instituting processes or procedures?

15) When drafting a privacy vision or mission statement, from whom should an organization seek feedback?

16) An unknown third party has managed to maliciously access a customer database containing large amounts of customer personal data records. No sensitive or special category data is known to have been affected. The response team has been notified and gathered. Which of the following should the team investigate first?

17) When creating a privacy vision or mission statement, what would be the best way of getting executive approval?

18) Which of the following is an action an organization should take when developing a data retention policy?

19) Which of the following considerations comes after the development of a privacy program’s scope and charter?

20) As a result of a data breach involving a retail bank, the personal data of millions of the bank’s customers was compromised. The data includes the customers’ names, home addresses, employment details, bank account information and social security After the breach is contained, what remediation action would be the BEST for the bank to consider?

21) A company uses a third-party agent to monitor their data subject requests. A new request is submitted by a different third-party website often used by individuals to help manage their digital How should the agent respond?

22) When assessing an artificial intelligence (AI) system, privacy principles are often hindered by the presence of AI. One such drawback is known as the “black box effect.” This drawback refers to which of the following concepts?

23) Which of the following is a benefit of a centralized data governance model?

24) Please use the following information to answer the question below.

SCENARIO

GoodGifts.com is a gift company that provides businesses with the ability to order a variety of physical gifts to send to their employees. The business is completely web-based, and the website for ordering is hosted by a third-party software company. All products are sent via a national shipping company. GoodGifts.com is careful to maintain separate databases for each client along with appropriate firewalls and security measures.

 

Businesses have the option to select specific gifts for each employee, or GoodGifts.com can select the items for the business based on the age of the employee. General guidelines for gifts can be provided to select or omit specific items, such as gift cards, humorous items or alcohol, allowing businesses to adjust their employee gifts to align with the company values and culture.

A national supermarket chain in the U.S. has a contract with GoodGifts.com to send an age-appropriate birthday gift to nearly all of its 7,000 employees on their birthdays. The supermarket’s point of contact provides GoodGifts.com with each employee’s name, address and birthdate, including birth year, and the gift items they wish to have included as options. All employee data provided by the supermarket is encrypted.

 

During a routine audit, an administrator at GoodGifts.com identified a potential data breach. Upon further investigation, they concluded that there was a breach of their systems wherein the personal data of 553 of the supermarket’s employees was compromised. None of GoodGifts.com’s other clients’ data was affected. GoodGifts.com notified the appropriate supervisory authorities and those individuals whose information they identified as having been directly affected by the breach.



Question:
GoodGifts.com was able to manage the breach with relatively minor impact to personal data and therefore to individuals. Which of the following was NOT a contributing factor to minimizing the impact?

25) You are working at an organization that was recently served a class action lawsuit. The legal department has sent out a litigation hold for all records related to the impending matter. Your organization follows an information management policy that mandates keeping personal data for as long as operationally needed to meet business and legal obligations. The data relative to the lawsuit is no longer available. Through what process can you demonstrate that the organization follows a systematic destruction strategy?

26) Please use the following information to answer the question below

SCENARIO

After searching on the internet for vacation timeshares a few months ago, the number of timeshare advertisements continued to progressively populate on the family computer of Jared and Melissa Stark. After much hesitation, they decided to accept an offer from Marisol Multipropiedad, headquartered in Barcelona, Spain. With numerous properties throughout the Caribbean and other tropical locations around the world, Marisol Multipropiedad welcomed the Starks to one of their properties in Playa del Carmen, Mexico for a free four-night vacation if they supplied their own airfare. After Jared conducted a little research on the legitimacy of the company, they decided to accept the offer and began to provide Marisol Multipropiedad with a significant amount of personal data to secure the reservation, including contact information and financial details. Although one of the conditions of acceptance to the offer was to attend a day-long seminar and tour of the nearby time-share properties, the Starks needed a vacation and booked a flight from Denver, Colorado later that evening.

 

Roughly a month later, the Starks arrived in Cancun and were escorted to a passenger van with a few other couples and left the airport toward the vacation property 45 minutes south. The presentation for the time-share was scheduled for 9AM on Monday.

 

As Jared and Melissa entered the presentation room, they were each handed a tablet to begin filling out a questionnaire about spending habits, income and savings information, and which level and price range of timeshare ownership they were interested in with Marisol Multipropiedad. Secondly, they were directed to a different website for the actual resort, El Playacar del Mar, based in Playa del Carmen, Mexico, and asked to fill out a variety of personal data (address, email address, generic financial information regarding their savings and investments). Neither the website nor the questionnaire contained a privacy statement.

 

Jared asked why he had to provide information when he had already given it to Marisol. He was told that there may be limitations on access to that information, depending on the membership level they choose, and that smaller local companies may require information be provided directly to them.

 

Leaving the presentation, Jared and Melissa felt a little too pressured to purchase a timeshare membership at that time and planned to discuss matters when they returned home. Once home, the pressure to buy really intensified. Within weeks, both of their email inboxes were flooded with timeshare opportunities from an array of companies they had never heard of, but claimed to be a part of the Marisol Multipropiedad network, while others seemed to have no affiliation whatsoever. Pretty soon, offer after offer began arriving in the mailbox and telemarketing calls seemed to come at all hours. Jared finally had enough and decided to contact Marisol Multipropiedad to have them delete all of their personal information and to never be contacted again.

Question:

If Marisol Multipropiedad, based in Spain, wants to transfer Jared and Melissa’s personal data to a smaller company, based in Mexico, how may it transfer the data?

27) Please use the following information to answer the question below

SCENARIO

After searching on the internet for vacation timeshares a few months ago, the number of timeshare advertisements continued to progressively populate on the family computer of Jared and Melissa Stark. After much hesitation, they decided to accept an offer from Marisol Multipropiedad, headquartered in Barcelona, Spain. With numerous properties throughout the Caribbean and other tropical locations around the world, Marisol Multipropiedad welcomed the Starks to one of their properties in Playa del Carmen, Mexico for a free four-night vacation if they supplied their own airfare. After Jared conducted a little research on the legitimacy of the company, they decided to accept the offer and began to provide Marisol Multipropiedad with a significant amount of personal data to secure the reservation, including contact information and financial details. Although one of the conditions of acceptance to the offer was to attend a day-long seminar and tour of the nearby time-share properties, the Starks needed a vacation and booked a flight from Denver, Colorado later that evening.

 

Roughly a month later, the Starks arrived in Cancun and were escorted to a passenger van with a few other couples and left the airport toward the vacation property 45 minutes south. The presentation for the time-share was scheduled for 9AM on Monday.

 

As Jared and Melissa entered the presentation room, they were each handed a tablet to begin filling out a questionnaire about spending habits, income and savings information, and which level and price range of timeshare ownership they were interested in with Marisol Multipropiedad. Secondly, they were directed to a different website for the actual resort, El Playacar del Mar, based in Playa del Carmen, Mexico, and asked to fill out a variety of personal data (address, email address, generic financial information regarding their savings and investments). Neither the website nor the questionnaire contained a privacy statement.

 

Jared asked why he had to provide information when he had already given it to Marisol. He was told that there may be limitations on access to that information, depending on the membership level they choose, and that smaller local companies may require information be provided directly to them.

 

Leaving the presentation, Jared and Melissa felt a little too pressured to purchase a timeshare membership at that time and planned to discuss matters when they returned home. Once home, the pressure to buy really intensified. Within weeks, both of their email inboxes were flooded with timeshare opportunities from an array of companies they had never heard of, but claimed to be a part of the Marisol Multipropiedad network, while others seemed to have no affiliation whatsoever. Pretty soon, offer after offer began arriving in the mailbox and telemarketing calls seemed to come at all hours. Jared finally had enough and decided to contact Marisol Multipropiedad to have them delete all of their personal information and to never be contacted again.

Question:

How could Marisol Multipropiedad have avoided the concerns Jared raised regarding having to directly provide his information to other parties?

28) Please use the following information to answer the question below

SCENARIO

After searching on the internet for vacation timeshares a few months ago, the number of timeshare advertisements continued to progressively populate on the family computer of Jared and Melissa Stark. After much hesitation, they decided to accept an offer from Marisol Multipropiedad, headquartered in Barcelona, Spain. With numerous properties throughout the Caribbean and other tropical locations around the world, Marisol Multipropiedad welcomed the Starks to one of their properties in Playa del Carmen, Mexico for a free four-night vacation if they supplied their own airfare. After Jared conducted a little research on the legitimacy of the company, they decided to accept the offer and began to provide Marisol Multipropiedad with a significant amount of personal data to secure the reservation, including contact information and financial details. Although one of the conditions of acceptance to the offer was to attend a day-long seminar and tour of the nearby time-share properties, the Starks needed a vacation and booked a flight from Denver, Colorado later that evening.

 

Roughly a month later, the Starks arrived in Cancun and were escorted to a passenger van with a few other couples and left the airport toward the vacation property 45 minutes south. The presentation for the time-share was scheduled for 9AM on Monday.

 

As Jared and Melissa entered the presentation room, they were each handed a tablet to begin filling out a questionnaire about spending habits, income and savings information, and which level and price range of timeshare ownership they were interested in with Marisol Multipropiedad. Secondly, they were directed to a different website for the actual resort, El Playacar del Mar, based in Playa del Carmen, Mexico, and asked to fill out a variety of personal data (address, email address, generic financial information regarding their savings and investments). Neither the website nor the questionnaire contained a privacy statement.

 

Jared asked why he had to provide information when he had already given it to Marisol. He was told that there may be limitations on access to that information, depending on the membership level they choose, and that smaller local companies may require information be provided directly to them.

 

Leaving the presentation, Jared and Melissa felt a little too pressured to purchase a timeshare membership at that time and planned to discuss matters when they returned home. Once home, the pressure to buy really intensified. Within weeks, both of their email inboxes were flooded with timeshare opportunities from an array of companies they had never heard of, but claimed to be a part of the Marisol Multipropiedad network, while others seemed to have no affiliation whatsoever. Pretty soon, offer after offer began arriving in the mailbox and telemarketing calls seemed to come at all hours. Jared finally had enough and decided to contact Marisol Multipropiedad to have them delete all of their personal information and to never be contacted again.

Question:

What requirement under the GDPR did Marisol bypass regarding sharing personal data?

29) Please use the following information to answer the question below

SCENARIO

After searching on the internet for vacation timeshares a few months ago, the number of timeshare advertisements continued to progressively populate on the family computer of Jared and Melissa Stark. After much hesitation, they decided to accept an offer from Marisol Multipropiedad, headquartered in Barcelona, Spain. With numerous properties throughout the Caribbean and other tropical locations around the world, Marisol Multipropiedad welcomed the Starks to one of their properties in Playa del Carmen, Mexico for a free four-night vacation if they supplied their own airfare. After Jared conducted a little research on the legitimacy of the company, they decided to accept the offer and began to provide Marisol Multipropiedad with a significant amount of personal data to secure the reservation, including contact information and financial details. Although one of the conditions of acceptance to the offer was to attend a day-long seminar and tour of the nearby time-share properties, the Starks needed a vacation and booked a flight from Denver, Colorado later that evening.

Roughly a month later, the Starks arrived in Cancun and were escorted to a passenger van with a few other couples and left the airport toward the vacation property 45 minutes south. The presentation for the time-share was scheduled for 9AM on Monday.

As Jared and Melissa entered the presentation room, they were each handed a tablet to begin filling out a questionnaire about spending habits, income and savings information, and which level and price range of timeshare ownership they were interested in with Marisol Multipropiedad. Secondly, they were directed to a different website for the actual resort, El Playacar del Mar, based in Playa del Carmen, Mexico, and asked to fill out a variety of personal data (address, email address, generic financial information regarding their savings and investments). Neither the website nor the questionnaire contained a privacy statement.

Jared asked why he had to provide information when he had already given it to Marisol. He was told that there may be limitations on access to that information, depending on the membership level they choose, and that smaller local companies may require information be provided directly to them.

Leaving the presentation, Jared and Melissa felt a little too pressured to purchase a timeshare membership at that time and planned to discuss matters when they returned home. Once home, the pressure to buy really intensified. Within weeks, both of their email inboxes were flooded with timeshare opportunities from an array of companies they had never heard of, some of which claimed to be a part of the Marisol Multipropiedad network, while others seemed to have no affiliation whatsoever. Pretty soon, offer after offer began arriving in the mailbox and telemarketing calls seemed to come at all hours. Jared finally had enough and decided to contact Marisol Multipropiedad to have them delete all of their personal information and to never be contacted again.

Question:

Jared no longer wants to receive any promotional/advertising emails from El Playacar del Mar. What affirmative action should he immediately take?

30) Who is responsible for determining how frequently the intended objective of the organizational vision for privacy should be reviewed?

31) A Europe-based company (Company A) agrees to acquire a startup company (Company B). Company A decides to assess the maturity of Company B’s privacy processes. In the assessment, it finds that procedures and processes are fully in place, they are fully documented and they cover the scope of expected controls; however, Company A cannot find any evidence of reviews to assess the effectiveness of the controls. Under the privacy maturity model (PMM), Company B should be considered at which level of maturity?

32) A company operating solely in the U.S. has a notice in its rules of conduct for employees that their internet usage will be monitored to ensure the use is appropriate and necessary to the performance of their job. When analyzed in light of privacy by design compliance, which of the following is correct about the rule?

33) Due to a legislative amendment, an organization’s lawyers recently updated its privacy policy to include additional uses of personal As the privacy officer, you are unsure of how the changes affect your current program. How do you confirm that your privacy program remains compliant with the privacy policy?

34) In which of the following situations is an organization NOT required by the General Data Protection Regulation (GDPR) to designate a Data Protection Officer (DPO)?

35) Company A, located in Germany, decided to change processors from OldPay to NewPay for its payroll services, which includes tax Once all personal data is transferred from OldPay to NewPay, which of the following determines when OldPay must delete the records?

36) When developing an effective internal communications plan, the privacy program management team needs to address each of the following questions EXCEPT which of the following?

37) What is the difference between a key risk indicator (KRI) and a key performance indicator (KPI)?

38) VendorZ is a small third-party vendor that handles XCompany’s payroll through a contractual arrangement wherein XCompany maintains control of how the data is processed. XCompany has expanded significantly, so VendorZ wants to use ABCVendor, a larger company, to help VendorZ process XCompany’s payroll. What step must VendorZ take, after proper vetting, before transferring payroll processing to ABCVendor?

39) Which of the following skills and qualifications are MOST important for a privacy manager to be effective in any size organization?

40) Which of the following is an assessment mechanism for controllers to assess the reliability of a processor?

41) Where should an organization’s procedures for resolving consumer complaints about privacy protection be found?

42) Company X wants to develop a new mobile application that will allow users to find friends by continuously tracking the locations of the devices on which the application is installed. Which one of the following should Company X do before developing the application to minimize its privacy risks?

43) Based on GDPR Article 35, which of the following situations would trigger the need to complete a DPIA?

44) Each of the following is an action an organization should take when developing a data retention policy EXCEPT:

45) Access to an organization’s information systems should be tied to an employee’s role and, therefore, determined by basic security principles for role-based access controls (RBAC). Which of the following contains the correct role-based access controls principles?

46) What is business resiliency?

47) What role would data loss prevention software have in a privacy program?

48) A healthcare organization began integrating the concept of privacy into all facets of its organization, including targeted and specialized training for the handling of sensitive information, along with adoption within the conceptual and design phases of new business processes, IT systems, contractual agreements, devices and policies. What is this concept of applying privacy solutions into early phases of development known as?

49) Which of the following is NOT a good reason to perform a privacy audit on a supplier?

50) Under the FCRA, if inaccurate information is discovered in a consumer’s file, what is the usual time period in which the credit reporting agency must examine the disputed information?