Spring Sale Special - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sntaclus

examout.co

Which is the best way to view an organization’s privacy framework?

A.

As an industry benchmark that can apply to many organizations

B.

As a fixed structure that directs changes in the organization

C.

As an aspirational goal that improves the organization

D.

As a living structure that aligns to changes in the organization

A company's human resources (HR) group is working with their information security team lo tag data within their systems as ''special data" or "sensitive data" What is the most probable reason for the group to do so?

A.

To ensure the data is fully controlled and used for only authorized purposes.

B.

To apply the organization's data deletion standard.

C.

To create a robust record of processing activities.

D.

To prepare for an upcoming regulatory audit under GDPR.

Which of the following is TRUE about the Data Protection Impact Assessment (DPIA) process as required under the General Data Protection Regulation (GDPR)?

A.

The DPIA result must be reported to the corresponding supervisory authority.

B.

The DPIA report must be published to demonstrate the transparency of the data processing.

C.

The DPIA must include a description of the proposed processing operation and its purpose.

D.

The DPIA is required if the processing activity entails risk to the rights and freedoms of an EU individual.

SCENARIO

Please use the following to answer the next QUESTION:

Your organization, the Chicago (U.S.)-based Society for Urban Greenspace, has used the same vendor to operate all aspects of an online store for several years. As a small nonprofit, the Society cannot afford the higher-priced options, but you have been relatively satisfied with this budget vendor, Shopping Cart Saver (SCS). Yes, there have been some issues. Twice, people who purchased items from the store have had their credit card information used fraudulently subsequent to transactions on your site, but in neither case did the investigation reveal with certainty that the Society’s store had been hacked. The thefts could have been employee-related.

Just as disconcerting was an incident where the organization discovered that SCS had sold information it had collected from customers to third parties. However, as Jason Roland, your SCS account representative, points out, it took only a phone call from you to clarify expectations and the “misunderstanding” has not occurred again.

As an information-technology program manager with the Society, the role of the privacy professional is only one of many you play. In all matters, however, you must consider the financial bottom line. While these problems with privacy protection have been significant, the additional revenues of sales of items such as shirts and coffee cups from the store have been significant. The Society’s operating budget is slim, and all sources of revenue are essential.

Now a new challenge has arisen. Jason called to say that starting in two weeks, the customer data from the store would now be stored on a data cloud. “The good news,” he says, “is that we have found a low-cost provider in Finland, where the data would also be held. So, while there may be a small charge to pass through to you, it won’t be exorbitant, especially considering the advantages of a cloud.”

Lately, you have been hearing about cloud computing and you know it’s fast becoming the new paradigm for various applications. However, you have heard mixed reviews about the potential impacts on privacy protection. You begin to research and discover that a number of the leading cloud service providers have signed a letter of intent to work together on shared conventions and technologies for privacy protection. You make a note to find out if Jason’s Finnish provider is signing on.

After conducting research, you discover a primary data protection issue with cloud computing. Which of the following should be your biggest concern?

A.

An open programming model that results in easy access

B.

An unwillingness of cloud providers to provide security information

C.

A lack of vendors in the cloud computing market

D.

A reduced resilience of data structures that may lead to data loss.

Under the GDPR, what obligation does a data controller or processor have after appointing a data protection officer (DPO)?

A.

To submit for approval to the DPO a code of conduct to govern organizational practices and demonstrate compliance with data protection principles.

B.

To provide resources necessary to carry out the defined tasks of the DPO and to maintain their expert knowledge.

C.

To ensure that the DPO acts as the sole point of contact for individuals' questions about their personal data.

D.

To ensure that the DPO receives sufficient instructions regarding the exercise of their defined tasks.

SCENARIO

Please use the following to answer the next question:

Liam is the newly appointed information technology (IT) compliance manager at Mesa, a USbased outdoor clothing brand with a global E-commerce presence. During his second week, he is contacted by the company’s IT audit manager, who informs him that the auditing team will be conducting a review of Mesa’s privacy compliance risk in a month.

A bit nervous about the audit, Liam asks his boss what his predecessor had completed related to privacy compliance before leaving the company. Liam is told that a consent management tool had been added to the website and they commissioned a privacy risk evaluation from a small consulting firm last year that determined that their risk exposure was relatively low given their current control environment. After reading the consultant’s report, Liam realized that the scope of the assessment was limited to breach notification laws in the US and the Payment Card Industry’s Data Security Standard (PCI DSS).

Not wanting to let down his new team, Liam kept his concerns about the report to himself and figured he could try to put some additional controls into place before the audit. Having some privacy compliance experience in his last role, Liam thought he might start by having discussions with the E-commerce and marketing teams.

The E-commerce Director informed him that they were still using the cookie consent tool forcibly placed on the home screen by the CIO, but could not understand the point since their office was not located in California or Europe. The marketing director touted his department’s success with purchasing email lists and taking a shotgun approach to direct marketing. Both directors highlighted their tracking tools on the website to enhance customer experience while learning more about where else the customer had shopped. The more people Liam met with, the more it became apparent that privacy awareness and the general control environment at Mesa needed help.

With three weeks before the audit, Liam updated Mesa's Privacy Notice himself, which was taken and revised from a competitor’s website. He also wrote policies and procedures outlining the roles and responsibilities for privacy within Mesa and distributed the document to all departments he knew of with access to personal information.

During this time. Liam also filled the backlog of data subject requests for deletion that had been sent to him by the customer service manager. Liam worked with application owners to remove these individual's information and order history from the customer relationship management (CRM) tool, the enterprise resource planning (ERP). the data warehouse and the email server.

At the audit kick-off meeting. Liam explained to his boss and her team that there may still be some room for improvement, but he thought the risk had been mitigated to an appropriate level based on the work he had done thus far.

After the audit had been completed, the audit manager and Liam met to discuss her team’s findings, and much to his dismay. Liam was told that none of the work he had completed prior to the audit followed best practices for governance and risk mitigation. In fact, his actions only opened the company up to additional risk and scrutiny. Based on these findings. Liam worked with external counsel and an established privacy consultant to develop a remediation plan.

All of the key phases of an audit have occurred with Liam's involvement in the situation EXCEPT?

A.

Prepare.

B.

Audit.

C.

Report.

D.

Follow-up.

(All of the following are components of a data collection notice EXCEPT?)

A.

The categories of information shared with third parties.

B.

The length of time the personal information will be stored.

C.

The meta-data which could be generated from collection of the information.

D.

The lawful interests pursued by the responsible party collecting the information.

When implementing Privacy by Design (PbD), what would NOT be a key consideration?

A.

Collection limitation.

B.

Data minimization.

C.

Limitations on liability.

D.

Purpose specification.

What steps can an organization take to ensure its data inventory is kept up to date?

A.

Identify a process owner for each processing activity in the data inventory.

B.

Conduct an annual review of the data inventory against the Privacy Notice.

C.

Review the data inventory when there are changes to laws and regulations.

D.

Link the data inventory to the implementation of new systems or applications.

A systems audit uncovered a shared drive folder containing sensitive employee data with no access controls and therefore was available for all employees to view. What is the first step to mitigate further risks?

A.

Notify all employees whose information was contained in the file.

B.

Check access logs to see who accessed the folder.

C.

Notify legal counsel of a privacy incident.

D.

Restrict access to the folder.