This multiple choice assessment focuses on the new General Data Protection Regulation (GDPR).

The purpose of the assessment is to enable you to assess the extent and depth of your knowledge of the Data Protection Law in preparation for the CIPM.

Format: Multiple Choice

Time: 90 minutes

The result will be provided immediately, with details on all questions.

1) All of the following are factors in determining whether an organization can craft a common solution to the privacy requirements of multiple jurisdictions EXCEPT:

2) What are nongovernmental organizations that advocate for privacy protection known as?

3) Which of the following is NOT a good reason to perform a privacy audit on a supplier?

4) Where should an organization's procedures for resolving consumer complaints about privacy protection be found?

5) Each of the following organizations could consider developing a highly centralized privacy team structure EXCEPT:

6) Who is considered a primary audience for metrics data?

7) Please use the following information to answer the below question.

SCENARIO

As the company’s new chief executive officer, Julian Andrews wants to be known as a leader in data protection. Julian recently served as the chief information officer of liberty.com, a pioneer in online video viewing with millions of users around the world. Unfortunately, Liberty is infamous within privacy protection circles for its ethically questionable practices, including unauthorised sales of personal data to marketers. Liberty was also the target of credit card data theft that made headlines around the world, as at least 2 million credit card numbers were thought to have been pilfered despite the company’s claims that “appropriate” data protection safeguards were in place. The scandal affected the company’s business as competitors were quick to market an increased level of protection while offering similar entertainment and media content. Within three weeks after the scandal broke, Liberty’s founder and CEO Ian Payne, Julian’s mentor, was forced to step down.

Julian, however, seems to have landed on his feet, securing the CEO position at your company, InfoGem, which is just emerging from its start-up phase. He sold the company's board and investors on his vision of InfoGem building its brand partly on the basis of industry-leading data protection standards and procedures. He may have been a key part of a lapsed or even rogue organisation in matters of privacy, but now he claims to be reformed and a true believer in privacy protection. In his first week on the job he calls you into his office and explains that your primary work responsibility is to bring his vision to life. But you also detect some reservations. “We want InfoGem to have absolutely the highest standards,” he says. “In fact, I want us to be able to say that we are the clear industry leader in privacy and data protection. However, I also need to be a responsible steward of the company’s finances. So, while I want the best solutions across the board, they also need to be cost-effective.”

You are told to report back in a week’s time with your recommendations. Charged with this ambiguous mission, you depart the executive suites, already considering your next steps.

Read the following steps:

  • Perform frequent data backups.
  • Perform test restorations to verify integrity of backup data.
  • Maintain backup data offline or on separate servers.

Question:
You give a presentation to your CEO about privacy programme maturity. What does it mean to have a managed privacy programme, according to the AICPA/CICA privacy maturity model?

8) Please use the following information to answer the below question.

SCENARIO: as given in question 7 above.

Read the following steps:

  • Perform frequent data backups.
  • Perform test restorations to verify integrity of backup data.
  • Maintain backup data offline or on separate servers.

Question:
These steps can help an organisation recover from what?

9) Please use the following information to answer the below question.

SCENARIO: as given in question 7 above, including the three backup steps.

Question:
What are you doing if you succumb to over-generalisation when analysing data from metrics?

10) What is business resiliency?

11) What role would data loss prevention software have in a privacy program?

12) When conducting a baseline assessment of your privacy program, you should:

13) InterWeb wants to develop a new mobile application that will allow users to find friends by continuously tracking the locations of the devices on which the application is installed. Which one of the following should InterWeb do before developing the application to minimize its privacy risks?

14) An example of media sanitization would be:

15) Please use the following information to answer the below question.

SCENARIO

Jo’s Place started in the kitchen of its founder, Joanne King, as she made soap following a traditional family recipe. It is a much different business today, having grown first through product placement in health and beauty retail outlets, then through a thriving catalogue business. The company was slow to launch an online store, but once it did so, the online business grew rapidly. Online sales now account for 65 percent of business, which is increasingly international in scope. In fact, Jo’s Place is now a leading seller of luxury soaps in Europe and South America, as well as continuing its strong record of growth in the United States. Despite its rapid ascent, Jo’s Place prides itself on maintaining its homey atmosphere, as symbolized by its company headquarters, a farmhouse in front of a factory in a rural region of the U.S. The company is notably "employee friendly," allowing, for instance, employees to use their personal computers for conducting business and encouraging people to work at home to spend more time with their families.

As the incoming Director of Privacy, you are the company's first dedicated privacy professional. During the interview process, you found that while the people you talked to, including Julie Andrews, CEO and daughter of the founder, and Stuart Rimmel, Vice President for Operations, meant well, they did not possess a sophisticated knowledge of privacy practices and regulations and were unsure of exactly where the company stood in relation to compliance and security. Stuart candidly admitted, "We know there is a lot we need to be thinking about and doing regarding privacy, but none of us know much about it. We have put some safeguards in place, but we are not even sure they are effective. We need someone to build a privacy program from the ground up."

The final interview ended after the close of business. The cleaning crew had started its nightly work. As you walked through the office, you noticed that computers had been left on at employee work stations and the only shredder you saw was marked with a sign that said, "Out of Order. Do Not Use."

You have accepted the job offer and are about to report to work on Monday. You are now on a plane headed toward your new office, considering your course of action in this position and jotting down some notes.

Question:
How can you discover where personal data resides at Jo's Place?

16) Please use the following information to answer the below question.

SCENARIO: as given in question 15 above.

Question:
You need a master plan or roadmap to guide your choices in developing and refining Jo's Place's privacy program. What is the best action to take?

17) Please use the following information to answer the below question.

SCENARIO: as given in question 15 above.

Question:
What step can best help you to identify the specific needs and objectives of Jo's Place regarding privacy protection?

18) Please use the following information to answer the below question.

SCENARIO: as given in question 15 above.

Question:
In analyzing Jo's Place's existing privacy program, you find procedures that are informal and incomplete. What stage does this represent in the AICPA/CICA Privacy Maturity Model?

19) Please use the following information to answer the below question.

SCENARIO: as given in question 15 above.

Question:
Which of the following best describes who at Jo's Place needs to be trained on privacy protection?

20) Which of the following indicates you have developed the right privacy framework for your organisation?

21) In a sample metric template, what does ‘target’ mean?

22) Please use the following information to answer the below question.

SCENARIO

A high-end United States retail store that specializes in bespoke suits creates an opt-in program to provide personalized attention to its customers. On their first visit, customers are invited to log in to a kiosk in the retail store to enter their various shopping preferences, as well as personal information such as credit card numbers, banking information, birthdays, anniversary dates, etc. In an effort to make the customer experience even richer, the program also collects facial recognition data, so that when a customer enters the store, an alert staff member can call the customer by name and speak knowledgeably about his or her preferences, perhaps even directing the customer to a particular item. All the customer preference data, including facial recognition data, is encrypted and stored on a computer system within the store. This computer system is also secured physically in a locked room.

Because the intent of this effort was benign, i.e., to enhance the overall customer experience, the owners of the retail store do not recognize that this collection of data has the potential to become a data privacy issue. No policies or procedures have been developed to address how this data is used or whether it can be resold. The owners simply assume that if a customer does not want to participate, they won't enter data into the kiosk.

An employee at the store, Mary Popper, has full access to the data because she is the most computer-knowledgeable employee. Mary has a friend who works for a wealth management firm in another U.S. state. Wishing to do her friend a business favour, she copies an unencrypted set of the customer names, preferences, and the facial recognition data onto a hard drive and sends it to her friend for him to use in marketing his wealth management services to preselected suitable customers. He intends to use the customer data in a way similar to the suit designers, to provide highly personalized service. Since she is not selling the data to him, Mary does not think there is anything wrong with what she has done.

The owners of the wealth management company buy another list of customers and information legitimately from an outside vendor. This data included financial information, as well as names, addresses, and number and brand of automobiles owned. The wealth management company collates the list with the list from the retailer, though the owners of the wealth management company are unaware the retailer's list was given informally, and now the wealth management firm has a very valuable list that contains a deep level of personal information about potential customers and their buying preferences.

The man who works at the wealth management firm puts the combined list up on an unencrypted public website so that Mary can copy it back and enhance the clothing store's original data set. While it is exposed, the wealth management company becomes the victim of an online attack and the combined collection of customer data is stolen. The owners of the wealth management company only find this out when several of their customers report that their vehicles have been stolen. Further investigation of the crimes by the police links the data breach to home invasion burglaries. The criminals were using the stolen facial recognition data to identify potential victims, then using address data to find their primary residences. The owners of the suit designers have no knowledge any of this has happened until several months later, when the employee who traded their data to the wealth management firm quits and informs them of the data breach.

Question:
All of the following would protect the suit retailer's owners from future employee misuse of customer data except:

23) Please use the following information to answer the below question.

SCENARIO: as given in question 22 above.

Question:
After the breach is made known, which task should the suit retailers accomplish first?

25) Please use the following information to answer the below question.

SCENARIO

A high-end United States retail store that specializes in bespoke suits creates an opt-in program to provide personalized attention to its customers. On their first visit, customers are invited to log in to a kiosk in the retail store to enter their various shopping preferences, as well as personal information such as credit card numbers, banking information, birthdays, anniversary dates, etc. In an effort to make the customer experience even richer, the program also collects facial recognition data, so that when a customer enters the store, an alert staff member can call the customer by name and speak knowledgeably about his or her preferences, perhaps even directing the customer to a particular item. All the customer preference data, including facial recognition data, is encrypted and stored on a computer system within the store. This computer system is also secured physically in a locked room.

Because the intent of this effort was benign, i.e., to enhance the overall customer experience, the owners of the retail store do not recognize that this collection of data has the potential to become a data privacy issue. No policies or procedures have been developed to address how this data is used or whether it can be resold. The owners simply assume that if a customer does not want to participate, they won't enter data into the kiosk.

An employee at the store, Mary Popper, has full access to the data because she is the most computer-knowledgeable employee. Mary has a friend who works for a wealth management firm in another U.S. state. Wishing to do her friend a business favour, she copies an unencrypted set of the customer names, preferences, and the facial recognition data onto a hard drive and sends it to her friend for him to use in marketing his wealth management services to preselected suitable customers. He intends to use the customer data in a way similar to the suit designers, to provide highly personalized service. Since she is not selling the data to him, Mary does not think there is anything wrong with what she has done.

The owners of the wealth management company buy another list of customers and information legitimately from an outside vendor. This data included financial information, as well as names, addresses, and number and brand of automobiles owned. The wealth management company collates the list with the list from the retailer, though the owners of the wealth management company are unaware the retailer's list was given informally, and now the wealth management firm has a very valuable list that contains a deep level of personal information about potential customers and their buying preferences.

Mary's friend at the wealth management firm puts the combined list up on an unencrypted public website so that Mary can copy it back and enhance the clothing store's original data set. While it is exposed, the wealth management company becomes the victim of an online attack and the combined collection of customer data is stolen. The owners of the wealth management company only find this out when several of their customers report that their vehicles have been stolen. Further police investigation of the crimes links the data breach to home invasion burglaries: the criminals were using the stolen facial recognition data to identify potential victims, then using the address data to find their primary residences. The owners of the suit retailer have no knowledge that any of this has happened until several months later, when Mary, the employee who gave away their data, quits and informs them of the data breach.



Question:
After the data breach, what data can the wealth management company use legally?


26) Use the bespoke-suit retailer scenario from the previous question to answer the question below.



Question:
What would be the best way for the wealth management firm to respond to its customers' complaints?


27) In privacy protection, what is a covered entity?

28) All of the following changes would likely trigger a data inventory update EXCEPT:

29) What is the key factor that lays the foundation for all other elements of a privacy programme?

30) Use the following scenario to answer below question:

As the director of data protection for Millennium Image Inc., you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident in the three years that you have been with the company. In fact, you consider your programme a model that others in the data storage industry might follow in their own programme development.

You started the programme by consolidating a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the programme sponsor, the vice president of operations, as well as by a privacy team that started from a clear understanding of the need for change.

Initially, your work was greeted with little confidence or enthusiasm by the company's "old guard" among both the executive team and the frontline personnel working with data and interfacing with clients. Through the use of metrics that showed not only the costs of the breaches that had occurred but also projections of the costs that could easily occur given the current state of operations, you soon had the leaders and key decision makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training programme achieved sufficient buy-in to begin putting the proper procedures into place.

Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development. While your approach is not systematic, it is fairly effective.

You are left contemplating: what must be done to maintain the programme and develop it beyond just a data breach prevention programme? How can you build on your success? What are the next action steps?


Question:
What practice would afford the director the most rigorous way to check on the programme's compliance with laws, regulations and industry best practices?

31) Use the Millennium Image Inc. scenario from question 30 to answer the question below.

Question:
What process could most effectively be used to add privacy protections to a new, comprehensive program being developed at Millennium?


32) Use the Millennium Image Inc. scenario from question 30 to answer the question below.


Question:
What is the main purpose in notifying data subjects of a data breach?

33) Use the Millennium Image Inc. scenario from question 30 to answer the question below.


Question:
Collection, access and destruction are aspects of what privacy management process?

34) The General Data Protection Regulation (GDPR) specifies fines that may be levied against data controllers for certain infringements. Which of the following will be subject to administrative fines of up to 10 million EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year?

35) What is the function of the Asia-Pacific Economic Cooperation (APEC) Privacy Framework?

36) Under the General Data Protection Regulation (GDPR), which situation would be LEAST likely to require a Data Protection Impact Assessment (DPIA)?

37) Which is NOT an influence in the privacy environment external to an organisation?

38) An organization's privacy officer was just notified by the benefits manager that she accidentally sent the retirement enrolment reports of all employees to the wrong vendor. Which of the following actions should the privacy officer take first?

39) Which of the following best demonstrates the effectiveness of a firm's privacy incident response process?

40) In addition to regulatory requirements and business practices, what important factors would a global privacy strategy consider?

41) Under the General Data Protection Regulation (GDPR), when would a data subject have the right to require the erasure of his or her data without undue delay?

42) What does it mean to ‘rationalize’ data protection requirements?

43) Which of the following is NOT TRUE about the use of a Privacy Impact Assessment (PIA)?

44) Which of the following best describes proper compliance for an international organisation using Binding Corporate Rules (BCRs) as a controller or processor?

45) Why do Binding Corporate Rules (BCRs) prohibit the transfer of employee names to telecom providers within the same country in order to provide them with mobile phone services?

46) Which is one obligation that the GDPR imposes on data processors?

47) Which of the following measures how closely an organization’s best practices align with its legal obligations and stated practices?

48) With regard to the collection of personal data conducted by an organization, what must the data subject be allowed to do?

49) Which of the following business functions has the role within the privacy program to:

Translates policies and procedures into teachable content to help contextualize privacy principles into tangible operations and processes

50) The following listed tasks correspond to which privacy strategy function?

- Leverage key functions
- Align organisational culture and privacy objectives
- Make an operational business case for privacy
- Identify stakeholders and internal partnerships