Weekend Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

IAPP CIPM - Certified Information Privacy Manager (CIPM)

IAPP CIPM Premium Access     Download Demo    
Page: 7 / 8
Total 262 questions

SCENARIO

Please use the following to answer the next question:

Recently, a boutique fashion company headquartered in California, US needed to fill a very large online order from one of their best customers located in France. The boutique did not have all the items needed to complete the order, so they asked one of their partners located in Canada to help fulfill the order. To save time, the boutique had the items shipped directly from the Canadian partner’s store to the customer’s home address. The partner sent SMS messages to provide the customer with direct shipping updates.

The merchandise arrived to the customer and they were happy with the experience. However, soon after, the customer contacted the boutique to complain that they had been receiving telemarketing calls and emails from other fashion boutiques and stores.

What should the boutique have done to properly handle and govern the customer’s personal information?

A.

Performed a sub-processor due diligence review of the partner store.

B.

Ensured that standard contractual clauses were in place between the boutique and the partner store.

C.

Ensured that Canada has received an adequacy decision by European Commission before moving forward with the transaction.

D.

Notified the customer that part of their order would be fulfilled by the partner and obtain the customer’s opt-in consent before sharing any data.

SCENARIO

Please use the following to answer the next question:

Liam is the newly appointed information technology (IT) compliance manager at Mesa, a USbased outdoor clothing brand with a global E-commerce presence. During his second week, he is contacted by the company’s IT audit manager, who informs him that the auditing team will be conducting a review of Mesa’s privacy compliance risk in a month.

A bit nervous about the audit, Liam asks his boss what his predecessor had completed related to privacy compliance before leaving the company. Liam is told that a consent management tool had been added to the website and they commissioned a privacy risk evaluation from a small consulting firm last year that determined that their risk exposure was relatively low given their current control environment. After reading the consultant’s report, Liam realized that the scope of the assessment was limited to breach notification laws in the US and the Payment Card Industry’s Data Security Standard (PCI DSS).

Not wanting to let down his new team, Liam kept his concerns about the report to himself and figured he could try to put some additional controls into place before the audit. Having some privacy compliance experience in his last role, Liam thought he might start by having discussions with the E-commerce and marketing teams.

The E-commerce Director informed him that they were still using the cookie consent tool forcibly placed on the home screen by the CIO, but could not understand the point since their office was not located in California or Europe. The marketing director touted his department’s success with purchasing email lists and taking a shotgun approach to direct marketing. Both directors highlighted their tracking tools on the website to enhance customer experience while learning more about where else the customer had shopped. The more people Liam met with, the more it became apparent that privacy awareness and the general control environment at Mesa needed help.

With three weeks before the audit, Liam updated Mesa's Privacy Notice himself, which was taken and revised from a competitor’s website. He also wrote policies and procedures outlining the roles and responsibilities for privacy within Mesa and distributed the document to all departments he knew of with access to personal information.

During this time. Liam also filled the backlog of data subject requests for deletion that had been sent to him by the customer service manager. Liam worked with application owners to remove these individual's information and order history from the customer relationship management (CRM) tool, the enterprise resource planning (ERP). the data warehouse and the email server.

At the audit kick-off meeting. Liam explained to his boss and her team that there may still be some room for improvement, but he thought the risk had been mitigated to an appropriate level based on the work he had done thus far.

After the audit had been completed, the audit manager and Liam met to discuss her team’s findings, and much to his dismay. Liam was told that none of the work he had completed prior to the audit followed best practices for governance and risk mitigation. In fact, his actions only opened the company up to additional risk and scrutiny. Based on these findings. Liam worked with external counsel and an established privacy consultant to develop a remediation plan.

All of the key phases of an audit have occurred with Liam's involvement in the situation EXCEPT?

A.

Prepare.

B.

Audit.

C.

Report.

D.

Follow-up.

SCENARIO

Please use the following lo answer the next question:

The board risk committee of your organization is particularly concerned not only by the number and frequency of data breaches reported to it over the past 12 months, but also the inconsistency in responses and poor incident response turnaround times.

Upon reviewing the current incident response plan (IRP), it was discovered that while the business continuity plan (BCP> had been updated on time, the IRP, linked to BCP. was last updated over three years ago.

The board risk committee has noted this as high risk especially since company policy is to review and update policies and plans annually. Consequently, the newly appointed data protection officer (DPO) was requested to provide a paper on how she would remediate the situation.

As a seasoned data privacy professional, you have been requested to assist the new DPO.

Your first recommendation in addressing the board risk committee's concerns is to?

A.

Integrate the IRP into the BCP so it is not a stand-alone document.

B.

Conduct a table-top exercise based on the version of the IRP that is currently on record.

C.

Focus on training and awareness sessions in order to familiarize relevant staff with current policies and procedures.

D.

Update the IRP with the applicable emergency contact information, policies and procedures, as well as timelines and action steps.

SCENARIO

Please use the following to answer the next QUESTION:

Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.

This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them."

Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her

about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing. You worry too much, but that's why you're so good at your job!"

What safeguard can most efficiently ensure that privacy protection is a dimension of relationships with vendors?

A.

Include appropriate language about privacy protection in vendor contracts.

B.

Perform a privacy audit on any vendor under consideration.

C.

Require that a person trained in privacy protection be part of all vendor selection teams.

D.

Do business only with vendors who are members of privacy trade associations.

A start-up tech company is developing its privacy policies and processes.

Which policy is most important to ensure the organization is successful at processing consumer health information?

A.

The employee notice.

B.

The consumer health data policy.

C.

The privacy impact assessment (PIA).

D.

The Health Insurance Portability and Accountability Act (HIPAA) privacy notice.

SCENARIO

Please use the following to answer the next QUESTION:

Perhaps Jack Kelly should have stayed in the U.S. He enjoys a formidable reputation inside the company, Special Handling Shipping, for his work in reforming certain "rogue" offices. Last year, news broke that a police sting operation had revealed a drug ring operating in the Providence, Rhode Island office in the United States. Video from the office's video surveillance cameras leaked to news operations showed a drug exchange between Special Handling staff and undercover officers.

In the wake of this incident, Kelly had been sent to Providence to change the "hands off" culture that upper management believed had let the criminal elements conduct their illicit transactions. After a few weeks under Kelly's direction, the office became a model of efficiency and customer service. Kelly monitored his workers' activities using the same cameras that had recorded the illegal conduct of their former co-workers.

Now Kelly has been charged with turning around the office in Cork, Ireland, another trouble spot. The company has received numerous reports of the staff leaving the office unattended. When Kelly arrived, he found that even when present, the staff often spent their days socializing or conducting personal business on their mobile phones. Again, he observed their behaviors using surveillance cameras. He issued written reprimands to six staff members based on the first day of video alone.

Much to Kelly's surprise and chagrin, he and the company are now under investigation by the Data Protection Commissioner of Ireland for allegedly violating the privacy rights of employees. Kelly was told that the company's license for the cameras listed facility security as their main use, but he does not know why this matters. He has pointed out to his superiors that the company's training programs on privacy protection and data collection mention nothing about surveillance video.

You are a privacy protection consultant, hired by the company to assess this incident, report on the legal and compliance issues, and recommend next steps.

What does this example best illustrate about training requirements for privacy protection?

A.

Training needs must be weighed against financial costs.

B.

Training on local laws must be implemented for all personnel.

C.

Training must be repeated frequently to respond to new legislation.

D.

Training must include assessments to verify that the material is mastered.

What should be the first major goal of a company developing a new privacy program?

A.

To survey potential funding sources for privacy team resources.

B.

To schedule conversations with executives of affected departments.

C.

To identify potential third-party processors of the organization's information.

D.

To create Data Lifecycle Management policies and procedures to limit data collection.

An online retailer detects an incident involving customer shopping history but no keys have been compromised. The Privacy Offce is most concerned when it also involves?

A.

Internal unique personal identifiers.

B.

Plain text personal identifiers.

C.

Hashed mobile identifiers.

D.

No personal identifiers.

All of the following are components of a data collection notice EXCEPT?

A.

The categories of information shared with third parties

B.

The length of time the personal information will be stored.

C.

The meta-data which could be generated from collection of the information.

D.

The lawful interests pursued by the responsible party collecting the information.

K a privacy professional wants to show that an organization's privacy program is working as intended, the professional should?

A.

Collect feedback from customers about the privacy program.

B.

Carry out a personal data breach tabletop exercise.

C.

Collect and analyze privacy program metrics.

D.

Review privacy policies.