This multiple choice assessment focuses on the new General Data Protection Regulation (GDPR).

The purpose of the assessment is to enable you to assess the extent and depth of your knowledge of the Data Protection Law in preparation for the CIPT.

Format: Multiple Choice

Time: 90 minutes

The result will be provided immediately, with details on all questions.

A cloud service provider wants to advertise the benefits of its service by publishing information that shows how its users have interacted with the platform. It plans to publish only aggregated data to not identify its customers. What would be a best practice before publishing its aggregated data?

A utility company discovers that it is missing first names for some of its customers. It purchases householder data from a credit reference agency to obtain names and attempt to find a match in their customer database. The two companies will apply a logical rule that attributes the utility bills and assigns liability for such debts to the individual with the most active credit history at an address. What kind of privacy threat is most likely to occur based on this scenario?

Which of the following statements about aggregated data sets is TRUE?

A company is developing a web-based chatbot that will ask customers to input information about preferences and hobbies to direct them to relevant products and services. Which of the following is the first step software developers should take to ensure only the data needed is collected?

Jack is a privacy engineer working in a bank. DevOps is enhancing the user interface of the bank’s mobile application and contemplating the use of an open-source library module for facial recognition. DevOps approached Jack for his guidance. What is the first step that Jack must take?


Please use the following scenario to answer the next THREE questions.

A U.S.-based national retail store chain is looking to expand its business and has recently hired its first chief privacy officer (CPO) and a new chief marketing officer (CMO) to help it drive greater marketing efforts in a way that protects privacy.


The company already operates in several states but currently does not operate in other countries. In addition to its brick-and-mortar retail locations, the company has a website where people are able to order items for home delivery.


The CPO has been asked to review the company’s existing practices related to personal data and to remediate any significant issues they identify. One of the first areas that the CPO reviewed was practices related to marketing to existing and potential customers.


The organization used to rely on non-personalized marketing techniques, such as TV and radio advertising and physical billboards, as well as personalized marketing to individuals who have joined their loyalty program. The new CMO is looking to develop and deliver more personalized marketing experiences using personal data to target specific groups and individuals, with the goals of increasing both the customer base and increasing the total amount that existing customers spend per year.

The CMO meets with the CPO and relays that the marketing team has several analyses they would like to run to assist with the marketing efforts:


First, they would like to identify potential new store locations to meet the needs of online customers who might prefer to shop in-person. The sites must meet the following criteria: (a) they do not have an existing store within 20 miles, and (b) there are a minimum number of people with similar demographics to their existing customers. Before they commence this analysis, they would like to gain a baseline understanding of where their current online customers live.


Second, the CMO would like to run a joint marketing campaign with another company. To do this, they would like to identify customers the two companies have in common so they can target them for this campaign.


After the meeting, the CMO emails the CPO and tells them that as part of their analysis, the marketing team has identified an old customer dataset which has not been updated for several years and does not appear to be in use.

Which of the following should the marketing team do to understand the profile of their current customers’ locations to meet the CMO’s objective while preserving customer’s privacy?

Which technique would allow the identification of regular customers to be performed in a way that does not require either company to directly share customers’ personal data with the other?

Which of the following actions could the company take with respect to the old customer data set identified by the CMO that will provide the most privacy protection?

A company has hired a marketing company to identify past website visitors who revisit its site for future marketing. This is an example of what type of activity?