CDPSE
Title of test: CDPSE. Description: Data Privacy Engineer (ISACA)




What should be the PRIMARY consideration of a multinational organization deploying a user and entity behavior analytics (UEBA) tool to centralize the monitoring of anomalous employee behavior?. Cross-border data transfer. Support staff availability and skill set. User notification. Global public interest. Which of the following BEST represents privacy threat modeling methodology?. Mitigating inherent risks and threats associated with privacy control weaknesses. Systematically eliciting and mitigating privacy threats in a software architecture. Reliably estimating a threat actor’s ability to exploit privacy vulnerabilities. Replicating privacy scenarios that reflect representative software usage. An organization is creating a personal data processing register to document actions taken with personal data. Which of the following categories should document controls relating to periods of retention for personal data?. Data archiving. Data storage. Data acquisition. Data input. Which of the following should be the FIRST consideration when conducting a privacy impact assessment (PIA)?. The applicable privacy legislation. The quantity of information within the scope of the assessment. The systems in which privacy-related data is stored. The organizational security risk profile. Data collected by a third-party vendor and provided back to the organization may not be protected according to the organization’s privacy notice. Which of the following is the BEST way to address this concern?. Review the privacy policy. Obtain independent assurance of current practices. Re-assess the information security requirements. Validate contract compliance. During the design of a role-based user access model for a new application, which of the following principles is MOST important to ensure data privacy is protected?. Segregation of duties. Unique user credentials. Two-person rule. Need-to-know basis. 
Which of the following should FIRST be established before a privacy office starts to develop a data protection and privacy awareness campaign?. Detailed documentation of data privacy processes. Strategic goals of the organization. Contract requirements for independent oversight. Business objectives of senior leaders. Which of the following features should be incorporated into an organization’s technology stack to meet privacy requirements related to the rights of data subjects to control their personal data?. Providing system engineers the ability to search and retrieve data. Allowing individuals to have direct access to their data. Allowing system administrators to manage data access. Establishing a data privacy customer service bot for individuals. Which of the following is the GREATEST concern for an organization subject to cross-border data transfer regulations when using a cloud service provider to store and process data?. The service provider has denied the organization’s request for right to audit. Personal data stored on the cloud has not been anonymized. The extent of the service provider’s access to data has not been established. The data is stored in a region with different data protection requirements. When configuring information systems for the communication and transport of personal data, an organization should: adopt the default vendor specifications. review configuration settings for compliance. implement the least restrictive mode. enable essential capabilities only. Which of the following helps define data retention time is a stream-fed data lake that includes personal data?. Information security assessments. Privacy impact assessments (PIAs). Data privacy standards. Data lake configuration. When evaluating cloud-based services for backup, which of the following is MOST important to consider from a privacy regulation standpoint?. Data classification labeling. Data residing in another country. Volume of data stored. 
Privacy training for backup users. Which of the following should be the FIRST consideration when selecting a data sanitization method?. Risk tolerance. Implementation cost. Industry standards. Storage type. Which of the following system architectures BEST supports anonymity for data transmission?. Client-server. Plug-in-based. Front-end. Peer-to-peer. Of the following, who should be PRIMARILY accountable for creating an organization’s privacy management strategy?. Chief data officer (CDO). Privacy steering committee. Information security steering committee. Chief privacy officer (CPO). Which of the following is the BEST way to protect personal data in the custody of a third party?. Have corporate counsel monitor privacy compliance. Require the third party to provide periodic documentation of its privacy management program. Include requirements to comply with the organization’s privacy policies in the contract. Add privacy-related controls to the vendor audit plan. Which of the following is MOST important to ensure when developing a business case for the procurement of a new IT system that will process and store personal information?. The system architecture is clearly defined. A risk assessment has been completed. Security controls are clearly defined. Data protection requirements are included. Which of the following is the BEST way to validate that privacy practices align to the published enterprise privacy management program?. Conduct an audit. Report performance metrics. Perform a control self-assessment (CSA). Conduct a benchmarking analysis. Which of the following is the GREATEST benefit of adopting data minimization practices?. Storage and encryption costs are reduced. Data retention efficiency is enhanced. The associated threat surface is reduced. Compliance requirements are met. An organization want to develop an application programming interface (API) to seamlessly exchange personal data with an application hosted by a third-party service provider. 
What should be the FIRST step when developing an application link?. Data tagging. Data normalization. Data mapping. Data hashing. Which of the following vulnerabilities is MOST effectively mitigated by enforcing multi-factor authentication to obtain access to personal information?. End users using weak passwords. Organizations using weak encryption to transmit data. Vulnerabilities existing in authentication pages. End users forgetting their passwords. Which of the following is the BEST way for an organization to limit potential data exposure when implementing a new application?. Implement a data loss prevention (DLP) system. Use only the data required by the application. Encrypt all data used by the application. Capture the application’s authentication logs. An online business posts its customer data protection notice that includes a statement indicating information is collected on how products are used, the content viewed, and the time and duration of online activities. Which data protection principle is applied?. Data integrity and confidentiality. System use requirements. Data use limitation. Lawfulness and fairness. What type of personal information can be collected by a mobile application without consent?. Full name. Geolocation. Phone number. Accelerometer data. What is the PRIMARY means by which an organization communicates customer rights as it relates to the use of their personal information?. Distributing a privacy rights policy. Mailing rights documentation to customers. Publishing a privacy notice. Gaining consent when information is collected. A new marketing application needs to use data from the organization’s customer database. Prior to the application using the data, which of the following should be done FIRST?. Ensure the data loss prevention (DLP) tool is logging activity. De-identify all personal data in the database. Determine what data is required by the application. Renew the encryption key to include the application. 
Which of the following MUST be available to facilitate a robust data breach management response?. Lessons learned from prior data breach responses. Best practices to obfuscate data for processing and storage. An inventory of previously impacted individuals. An inventory of affected individuals and systems. Which of the following zones within a data lake requires sensitive data to be encrypted or tokenized?. Trusted zone. Clean zone. Raw zone. Temporal zone. Which of the following poses the GREATEST privacy risk for client-side application processing?. Failure of a firewall protecting the company network. An employee loading personal information on a company laptop. A remote employee placing communication software on a company server. A distributed denial of service attack (DDoS) on the company network. Which of the following is the PRIMARY consideration to ensure control of remote access is aligned to the privacy policy?. Access is logged on the virtual private network (VPN). Multi-factor authentication is enabled. Active remote access is monitored. Access is only granted to authorized users. Which of the following scenarios poses the GREATEST risk to an organization from a privacy perspective?. The organization lacks a hardware disposal policy. Emails are not consistently encrypted when sent internally. Privacy training is carried out by a service provider. The organization’s privacy policy has not been reviewed in over a year. Within a business continuity plan (BCP), which of the following is the MOST important consideration to ensure the ability to restore availability and access to personal data in the event of a data privacy incident?. Offline backup availability. Recovery time objective (RTO). Recovery point objective (RPO). Online backup frequency. In which of the following should the data record retention period be defined and established?. Data record model. Data recovery procedures. Data quality standard. Data management plan. 
When tokenizing credit card data, what security practice should be employed with the original data before it is stored in a data lake?. Encoding. Backup. Encryption. Classification. Which key stakeholder within an organization should be responsible for approving the outcomes of a privacy impact assessment (PIA)?. Data custodian. Privacy data analyst. Data processor. Data owner. Which of the following is the best reason for a health organization to use desktop virtualization to implement stronger access control to systems containing patient records?. Limited functions and capabilities of a secured operating environment. Monitored network activities for unauthorized use. Improved data integrity and reduced effort for privacy audits. Unlimited functionalities and highly secured applications. What is the BEST way for an organization to maintain the effectiveness of its privacy breach incident response plan?. Require security management to validate data privacy security practices. Involve the privacy office in an organizational review of the incident response plan. Hire a third party to perform a review of data privacy processes. Conduct annual data privacy tabletop exercises. Which of the following is MOST important when developing an organizational data privacy program?. Obtaining approval from process owners. Profiling current data use. Following an established privacy framework. Performing an inventory of all data. Which of the following should be considered personal information?. Biometric records. Company address. University affiliation. Age. Which of the following should an IT privacy practitioner do FIRST following a decision to expand remote working capability to all employees due to a global pandemic?. Evaluate the impact resulting from this change. Revisit the current remote working policies. Implement a virtual private network (VPN) tool. Enforce multi-factor authentication for remote access. 
When using anonymization techniques to prevent unauthorized access to personal data, which of the following is the MOST important consideration to ensure the data is adequately protected?. The key must be kept separate and distinct from the data it protects. The data must be protected by multi-factor authentication. The key must be a combination of alpha and numeric characters. The data must be stored in locations protected by data loss prevention (DLP) technology. Which party should data subject contact FIRST if they believe their personal information has been collected and used without consent?. Privacy rights advocate. Outside privacy counsel. Data protection authorities. The organization’s chief privacy officer (CPO). Which of the following BEST enables an IT privacy practitioner to ensure appropriate protection for personal data collected that is required to provide necessary services?. Understanding the data flows within the organization. Implementing strong access controls on a need-to-know basis. Anonymizing privacy data during collection and recording. Encrypting the data throughout its life cycle. Which of the following tracking technologies associated with unsolicited targeted advertisements presents the GREATEST privacy risk?. Online behavioral tracking. Radio frequency identification (RFID). Website cookies. Beacon-based tracking. Which of the following should an IT privacy practitioner do FIRST before an organization migrates personal data from an on-premise solution to a cloud-hosted solution?. Develop and communicate a data security plan. Perform a privacy impact assessment (PIA). Ensure strong encryption is used. Conduct a security risk assessment. Which of the following is a PRIMARY consideration to protect against privacy violations when utilizing artificial intelligence (AI) driven business decisions?. De-identifying the data to be analyzed. Verifying the data subjects have consented to the processing. Defining the intended objectives. 
Ensuring proper data sets are used to train the models. To ensure effective management of an organization’s data privacy policy, senior leadership MUST define. training and testing requirements for employees handling personal data. roles and responsibilities of the person with oversights. metrics and outcomes recommended by external agencies. the scope and responsibilities of the data owner. Which of the following BEST ensures data confidentiality across databases?. Logical data model. Data normalization. Data catalog vocabulary. Data anonymization. Which of the following vulnerabilities would have the GREATEST impact on the privacy of information?. Private Key exposure. Poor patch management. Lack of password complexity. Out-of-date antivirus signatures. Which of the following is MOST important to consider when managing changes to the provision of services by a third party that processes personal data?. Changes to current information architecture. Updates to data life cycle policy. Business impact due to the changes. Modifications to data quality standards. Which of the following techniques mitigates design flaws in the application development process that may contribute to potential leakage of personal data?. User acceptance testing (UAT). Patch management. Software hardening. Web application firewall (WAF). Which of the following is the PRIMARY reason that a single cryptographic key should be used for only one purpose, such as encryption or authentication?. It eliminates cryptographic key collision. It minimizes the risk if the cryptographic key is compromised. It is more practical and efficient to use a single cryptographic key. Each process can only be supported by its own unique key management process. During which of the following system lifecycle stages is it BEST to conduct a privacy impact assessment (PIA) on a system that holds personal data?. Functional testing. Development. Production. User acceptance testing (UAT). 
Which of the following is the PRIMARY reason that organizations need to map the data flows of personal data?. To assess privacy risks. To evaluate effectiveness of data controls. To determine data integration gaps. To comply with regulations. Which of the following is the BEST method to ensure the security of encryption keys when transferring data containing personal information between cloud applications?. Whole disk encryption. Asymmetric encryption. Digital Signature. Symmetric encryption. When using pseudonymization to prevent unauthorized access to personal data, which of the following is the MOST important consideration to ensure the data is adequately protected?. The data must be protected by multi-factor authentication. The identifier must be kept separate and distinct from the data it protects. The key must be a combination of alpha and numeric characters. The data must be stored in locations protected by data loss prevention (DLP) technology. Which of the following is the BEST way to limit the organization’s potential exposure in the event of consumer data loss while maintaining the traceability of the data?. Encrypt the data at rest. De-identify the data. Use a unique hashing algorithm. Require a digital signature. Which authentication practice is being used when an organization requires a photo on a government-issued identification card to validate an in-person credit card purchase?. Possession factor authentication. Knowledge-based credential authentication. Multi-factor authentication. Biometric authentication. Which of the following BEST ensures a mobile application implementation will meet an organization’s data security standards?. User acceptance testing (UAT). Data classification. Privacy impact assessment (PIA). Automatic dynamic code scan. Which of the following is the PRIMARY benefit of implementing policies and procedures for system hardening?. It increases system resiliency. It reduces external threats to data. It reduces exposure of data. 
It eliminates attack motivation for data. Which of the following is the MOST important consideration when using advanced data sanitization methods to ensure privacy data will be unrecoverable?. Subject matter expertise. Type of media. Regulatory compliance requirements. Location of data. An email opt-in form on a website applies to which privacy principle?. Accuracy. Consent. Transparency. Integrity. Which of the following is MOST likely to present a valid use case for keeping a customer’s personal data after contract termination?. For the purpose of medical research. A forthcoming campaign to win back customers. A required retention period due to regulations. Ease of onboarding when the customer returns. Which of the following is the BEST approach for a local office of a global organization faced with multiple privacy-related compliance requirements?. Focus on developing a risk action plan based on audit reports. Focus on requirements with the highest organizational impact. Focus on global compliance before meeting local requirements. Focus on local standards before meeting global compliance. Which of the following is the MOST important consideration when writing an organization’s privacy policy?. Using a standardized business taxonomy. Aligning statements to organizational practices. Ensuring acknowledgment by the organization’s employees. Including a development plan for personal data handling. Which of the following BEST supports an organization’s efforts to create and maintain desired privacy protection practices among employees?. Skills training programs. Awareness campaigns. Performance evaluations. Code of conduct principles. Which of the following hard drive sanitation methods provides an organization with the GREATEST level of assurance that data has been permanently erased?. Degaussing the drive. Factory resetting the drive. Crypto-shredding the drive. Reformatting the drive. Which of the following describes a user’s “right to be forgotten”?. 
The data is being used to comply with legal obligations or the public interest. The data is no longer required for the purpose originally collected. The individual objects despite legitimate grounds for processing. The individual’s legal residence status has recently changed. When choosing data sources to be used within a big data architecture, which of the following data attributes MUST be considered to ensure data is not aggregated?. Accuracy. Granularity. Consistency. Reliability. Which of the following should be used to address data kept beyond its intended lifespan?. Data minimization. Data anonymization. Data security. Data normalization. Which of the following would MOST effectively reduce the impact of a successful breach through a remote access solution?. Compartmentalizing resource access. Regular testing of system backups. Monitoring and reviewing remote access logs. Regular physical and remote testing of the incident response plan. A multinational corporation is planning a big data initiative to help with critical business decisions. Which of the following is the BEST way to ensure personal data usage is standardized across the entire organization?. De-identify all data. Develop a data dictionary. Encrypt all sensitive data. Perform data discovery. An organization’s data destruction guidelines should require hard drives containing personal data to go through which of the following processes prior to being crushed?. Low-level formatting. Remote partitioning. Degaussing. Hammer strike. Which of the following processes BEST enables an organization to maintain the quality of personal data?. Implementing routine automatic validation. Maintaining hashes to detect changes in data. Encrypting personal data at rest. Updating the data quality standard through periodic review. Which of the following is the MOST important consideration when determining retention periods for personal data?. Sectoral best practices for the industry. 
Notice provided to customers during data collection. Data classification standards. Storage capacity available for retained data. What is the BEST method to protect customers’ personal data that is forwarded to a central system for analysis?. Pseudonymization. Deletion. Encryption. Anonymization. Which of the following should be done FIRST to address privacy risk when migrating customer relationship management (CRM) data to a new system?. Develop a data migration plan. Conduct a legitimate interest analysis (LIA). Perform a privacy impact assessment (PIA). Obtain consent from data subjects. Which of the following is the GREATEST obstacle to conducting a privacy impact assessment (PIA)?. Conducting a PIA requires significant funding and resources. PIAs need to be performed many times in a year. The organization lacks knowledge of PIA methodology. The value proposition of a PIA is not understood by management. Which of the following is the MOST important consideration to ensure privacy when using big data analytics?. Maintenance of archived data. Disclosure of how the data is analyzed. Transparency about the data being collected. Continuity with business requirements. An organization uses analytics derived from archived transaction data to create individual customer profiles for customizing product and service offerings. Which of the following is the IT privacy. Anonymize personal data. Discontinue the creation of profiles. Implement strong access controls. Encrypt data at rest. When a government’s health division established the complete privacy regulation for only the health market, which privacy protection reference model is being used?. Co-regulatory. Sectoral. Comprehensive. Self-regulatory. An organization is developing a wellness smartwatch application and is considering what information should be collected from the application users. Which of the following is the MOST legitimate information to collect for business reasons in this situation?. 
Height, weight, and activities. Sleep schedule and calorie intake. Education and profession. Race, age, and gender. Which of the following is the BEST way to distinguish between a privacy risk and compliance risk?. Perform a privacy risk audit. Conduct a privacy risk assessment. Validate a privacy risk attestation. Conduct a privacy risk remediation exercise. It is MOST important to consider privacy by design principles during which phase of the software development life cycle (SDLC)?. Application design. Requirements definition. Implementation. Testing. Which of the following is a PRIMARY objective of performing a privacy impact assessment (PIA) prior to onboarding a new Software as a Service (SaaS) provider for a customer relationship management (CRM) system?. To identify controls to mitigate data privacy risks. To classify personal data according to the data classification scheme. To assess the risk associated with personal data usage. To determine the service provider’s ability to maintain data protection controls. Which of the following protocols BEST protects end-to-end communication of personal data?. Transmission Control Protocol (TCP). Transport Layer Security Protocol (TLS). Secure File Transfer Protocol (SFTP). Hypertext Transfer Protocol (HTTP). An organization is planning a new implementation for tracking consumer web browser activity. Which of the following should be done FIRST?. Seek approval from regulatory authorities. Conduct a privacy impact assessment (PIA). Obtain consent from the organization’s clients. Review and update the cookie policy. Which of the following is the BEST control to secure application programming interfaces (APIs) that may contain personal information?. Encrypting APIs with the organization’s private key. Requiring nondisclosure agreements (NDAs) when sharing APIs. Restricting access to authorized users. Sharing only digitally signed APIs. 
Which of the following rights is an important consideration that allows data subjects to request the deletion of their data?. The right to object. The right to withdraw consent. The right to access. The right to be forgotten. A global organization is planning to implement a customer relationship management (CRM) system to be used in offices based in multiple countries. Which of the following is the MOST important data protection consideration for this project?. Industry best practice related to information security standards in each relevant jurisdiction. Identity and access management mechanisms to restrict access based on need to know. Encryption algorithms for securing customer personal data at rest and in transit. National data privacy legislative and regulatory requirements in each relevant jurisdiction. An organization is concerned with authorized individuals accessing sensitive personal customer information to use for unauthorized purposes. Which of the following technologies is the BEST choice to mitigate this risk?. Email filtering system. Intrusion monitoring. Mobile device management (MDM). User behavior analytics. Which of the following MOST effectively protects against the use of a network sniffer?. Network segmentation. Transport layer encryption. An intrusion detection system (IDS). A honeypot environment. Which of the following is the BEST indication of an effective records management program for personal data?. Archived data is used for future analytics. The legal department has approved the retention policy. All sensitive data has been tagged. A retention schedule is in place. Which of the following is MOST important to establish within a data storage policy to protect data privacy?. Data redaction. Data quality assurance (QA). Irreversible disposal. Collection limitation. Which of the following helps to ensure the identities of individuals in two-way communication are verified?. Virtual private network (VPN). Transport Layer Security (TLS). 
Mutual certificate authentication. Secure Shell (SSH). Which of the following is the BEST way to hide sensitive personal data that is in use in a data lake?. Data masking. Data truncation. Data encryption. Data minimization. A global financial institution is implementing data masking technology to protect personal data used for testing purposes in non-production environments. Which of the following is the GREATEST challenge in this situation?. Access to personal data is not strictly controlled in development and testing environments. Complex relationships within and across systems must be retained for testing. Personal data across the various interconnected systems cannot be easily identified. Data masking tools are complex and difficult to implement. Which of the following is the BEST way to manage different IT staff access permissions for personal data within an organization?. Mandatory access control. Network segmentation. Dedicated access system. Role-based access control. Which of the following deployed at an enterprise level will MOST effectively block malicious tracking of user Internet browsing?. Web application firewall (WAF). Website URL blacklisting. Domain name system (DNS) sinkhole. Desktop antivirus software. Which of the following is the PRIMARY reason to complete a privacy impact assessment (PIA)?. To comply with consumer regulatory requirements. To establish privacy breach response procedures. To classify personal data. To understand privacy risks. How can an organization BEST ensure its vendors are complying with data privacy requirements defined in their contracts?. Review self-attestations of compliance provided by vendor management. Obtain independent assessments of the vendors’ data management processes. Perform penetration tests of the vendors’ data security. Compare contract requirements against vendor deliverables. Before executive leadership approves a new data privacy policy, it is MOST important to ensure. 
a training program is developed. a privacy committee is established. a distribution methodology is identified. a legal review is conducted. Which of the following is an IT privacy practitioner’s BEST recommendation to reduce privacy risk before an organization provides personal data to a third party?. Tokenization. Aggregation. Anonymization. Encryption. Which of the following is a responsibility of the audit function in helping an organization address privacy compliance requirements?. Approving privacy impact assessments (PIAs). Validating the privacy framework. Managing privacy notices provided to customers. Establishing employee privacy rights and consent. An online retail company is trying to determine how to handle users’ data if they unsubscribe from marketing emails generated from the website. Which of the following is the BEST approach for handling personal data that has been restricted?. Encrypt users’ information so it is inaccessible to the marketing department. Reference the privacy policy to see if the data is truly restricted. Remove users’ information and account from the system. Flag users’ email addresses to make sure they do not receive promotional information. Which of the following should be done FIRST when developing an organization-wide strategy to address data privacy risk?. Obtain executive support. Develop a data privacy policy. Gather privacy requirements from legal counsel. Create a comprehensive data inventory. Which of the following is the BEST way to protect the privacy of data stored on a laptop in case of loss or theft?. Strong authentication controls. Remote wipe. Regular backups. Endpoint encryption. Which of the following should be established FIRST before authorizing remote access to a data store containing personal data?. Privacy policy. Network security standard. Multi-factor authentication. Virtual private network (VPN). 
Which of the following should be of GREATEST concern when an organization wants to store personal data in the cloud?. The organization’s potential legal liabilities related to the data. The data recovery capabilities of the storage provider. The data security policies and practices of the storage provider. Any vulnerabilities identified in the cloud system.

As part of a major data discovery initiative to identify personal data across the organization, the project team has identified the proliferation of personal data held as unstructured data as a major risk. What should be done FIRST to address this situation?. Identify sensitive unstructured data at the point of creation. Classify sensitive unstructured data. Identify who has access to sensitive unstructured data. Assign an owner to sensitive unstructured data.

Which types of controls need to be applied to ensure accuracy at all stages of processing, storage, and deletion throughout the data life cycle?. Processing flow controls. Time-based controls. Purpose limitation controls. Integrity controls.

Which of the following is the BEST approach to minimize privacy risk when collecting personal data?. Use a third party to collect, store, and process the data. Collect data through a secure organizational web server. Collect only the data necessary to meet objectives. Aggregate the data immediately upon collection.

Which of the following should be done FIRST to establish privacy by design when developing a contact-tracing application?. Conduct a privacy impact assessment (PIA). Conduct a development environment review. Identify privacy controls for the application. Identify differential privacy techniques.

A software development organization with remote personnel has implemented a third-party virtualized workspace to allow the teams to collaborate. Which of the following should be of GREATEST concern?. The third-party workspace is hosted in a highly regulated jurisdiction. Personal data could potentially be exfiltrated through the virtual workspace. The organization’s products are classified as intellectual property. There is a lack of privacy awareness and training among remote personnel.

Which of the following is MOST important when designing application programming interfaces (APIs) that enable mobile device applications to access personal data?. The user’s ability to select, filter, and transform data before it is shared. Umbrella consent for multiple applications by the same developer. User consent to share personal data. Unlimited retention of personal data by third parties.

A migration of personal data involving a data source with outdated documentation has been approved by senior management. Which of the following should be done NEXT?. Review data flow post migration. Ensure appropriate data classification. Engage an external auditor to review the source data. Check the documentation version history for anomalies.

Which of the following is the BEST way to reduce the risk of compromised credentials when an organization allows employees to have remote access?. Enable whole disk encryption on remote devices. Purchase an endpoint detection and response (EDR) tool. Implement multi-factor authentication. Deploy single sign-on with complex password requirements.

Which of the following is the PRIMARY objective of privacy incident response?. To ensure data subjects impacted by privacy incidents are notified. To reduce privacy risk to the lowest possible level. To mitigate the impact of privacy incidents. To optimize the costs associated with privacy incidents.

An organization wants to ensure that endpoints are protected in line with the privacy policy. Which of the following should be the FIRST consideration?. Detecting malicious access through endpoints. Implementing network traffic filtering on endpoint devices. Managing remote access and control. Hardening the operating systems of endpoint devices.
An organization has a policy requiring the encryption of personal data if transmitted through email. Which of the following is the BEST control to ensure the effectiveness of this policy?. Provide periodic user awareness training on data encryption. Implement a data loss prevention (DLP) tool. Conduct regular control self-assessments (CSAs). Enforce annual attestation to policy compliance.

Which of the following helps to ensure the identities of individuals in a two-way communication are verified?. Virtual private network (VPN). Secure Shell (SSH). Transport Layer Security (TLS). Mutual certificate authentication.

Which of the following is the BEST practice to protect data privacy when disposing of removable backup media?. Data encryption. Data sanitization. Data scrambling. Data masking.

Which of the following should be done FIRST before an organization migrates data from an on-premises solution to a cloud-hosted solution that spans more than one jurisdiction?. Ensure data loss prevention (DLP) alerts are turned on. Encrypt the data while it is being migrated. Conduct a penetration test of the hosted solution. Assess the organization's exposure related to the migration.

Which of the following is the MOST effective way to support organizational privacy awareness objectives?. Funding in-depth training and awareness education for data privacy staff. Implementing an annual training certification process. Including mandatory awareness training as part of performance evaluations. Customizing awareness training by business unit function.

Which of the following assurance approaches is MOST effective in identifying vulnerabilities within an application programming interface (API) transferring personal data?. Source code review. Security audit. Bug bounty program. Tabletop simulation.

Which of the following activities would BEST enable an organization to identify gaps in its privacy posture?. Retargeting employees for awareness training after a social engineering attack. Conducting a simulation exercise that requires participants to respond to a privacy incident. Providing an interactive session on privacy risks at an organization-wide meeting. Requiring employees to review the organization's privacy policy on an annual basis.

Which of the following is the BEST way to address threats to mobile device privacy when using beacons as a tracking technology?. Disable location services. Disable Bluetooth services. Enable Trojan scanners. Enable antivirus for mobile devices.

Which of the following BEST enables an organization to ensure privacy-related risk responses meet organizational objectives?. Integrating security and privacy control requirements into the development of risk scenarios. Prioritizing privacy-related risk scenarios as part of enterprise risk management (ERM) processes. Using a top-down approach to develop privacy-related risk scenarios for the organization. Assigning the data protection officer accountability for privacy protection controls.

Which of the following technologies BEST facilitates protection of personal data?. Data loss prevention (DLP) tools. Data discovery and mapping tools. Data log file monitoring tools. Data profiling tools.

Which of the following is the MOST important consideration when choosing a method for data destruction?. Granularity of data to be destroyed. Validation and certification of data destruction. Time required for the chosen method of data destruction. Level and strength of current data encryption.

A multi-national organization has decided that regional human resources (HR) team members must be limited in their access to employee data only within their regional office. Which of the following is the BEST approach?. Discretionary access control (DAC). Attribute-based access control (ABAC). Provision-based access control (PBAC). Mandatory access control (MAC).
Which of the following provides the BEST assurance that a potential vendor is able to comply with privacy regulations and the organization's data privacy policy?. Including mandatory compliance language in the request for proposal (RFP). Obtaining self-attestations from all candidate vendors. Requiring candidate vendors to provide documentation of privacy processes. Conducting a risk assessment of all candidate vendors.

The BEST way for a multinational organization to ensure the comprehensiveness of its data privacy policy is to perform an annual review of changes to privacy regulations in. the region where the business is incorporated. all jurisdictions where corporate data is processed. all countries with privacy regulations. all data sectors in which the business operates.

Using hash values with stored personal data BEST enables an organization to. Protect against unauthorized access. Detect changes to the data. Ensure data indexing performance. Tag the data with classification information.

To ensure the protection of personal data, privacy policies should mandate that access to information system applications be authorized by the. general counsel. database administrator. business application owner. chief information officer (CIO).

Which of the following is MOST important to include in a data use policy?. The requirements for collecting and using personal data. The method used to delete or destroy personal data. The reason for collecting and using personal data. The length of time personal data will be retained.

Which of the following is MOST important to capture in the audit log of an application hosting personal data?. Server details of the hosting environment. Last logins of privileged users. Last user who accessed personal data. Application error events.

Which of the following should an organization do FIRST to ensure it can respond to all data subject access requests in a timely manner?. Understand the data in its possession. Invest in a platform to automate data review. Confirm what is required for disclosure. Create a policy for handling access requests.

A technology company has just launched a mobile application for tracking health symptoms. This application is built on a mobile device technology stack that allows users to share their location and details of their symptoms. Which of the following is the GREATEST privacy concern with collecting this data via mobile devices?. Client-side device ID. Data storage requirements. Encryption of key data elements. Data usage without consent.

Which of the following is the BEST way for senior management to verify the success of its commitment to privacy by design?. Review the findings of an industry benchmarking assessment. Identify trends in the organization's amount of compromised personal data. Review the findings of a third-party privacy control assessment. Identify trends in the organization's number of privacy incidents.

Which of the following is the BEST way to explain the difference between data privacy and data security?. Data privacy is about data segmentation, while data security prevents unauthorized access. Data privacy protects the data subjects, while data security is about protecting critical assets. Data privacy stems from regulatory requirements, while data security focuses on consumer rights. Data privacy protects users from unauthorized disclosure, while data security prevents compromise.

An organization is considering the use of remote employee monitoring software. Which of the following is the MOST important privacy consideration when implementing this solution?. Data should be used to improve employee performance. Data should be retained per the organization's retention policy. Data access should be restricted based on roles. Data analysis should be used to set staffing levels.

Which of the following is the BEST way to reduce the risk of compromise when transferring personal information using email?. Centrally managed encryption. End user-managed encryption. Private cloud storage space. Password-protected .zip files.

Which of the following is an example of data anonymization as a means to protect personal data when sharing a database?. The data is encrypted and a key is required to re-identify the data. Key fields are hidden and unmasking is required to access the data. Names and addresses are removed but the rest of the data is left untouched. The data is transformed such that re-identification is impossible.

Which of the following BEST enables an organization to ensure consumer credit card numbers are accurately captured?. Input reference controls. Access controls. Input validation controls. Reconciliation controls.

Which of the following is the BEST course of action to prevent false positives from data loss prevention (DLP) tools?. Conduct additional discovery scans. Suppress the alerts generating the false positives. Evaluate new data loss prevention (DLP) tools. Re-establish baselines for configuration rules.

When contracting with a Software as a Service (SaaS) provider, which of the following is the MOST important contractual requirement to ensure data privacy at service termination?. Encryption of customer data. Removal of customer data. De-identification of customer data. Destruction of customer data.

A project manager for a new data collection system had a privacy impact assessment (PIA) completed before the solution was designed. Once the system was released into production, an audit revealed personal data was being collected that was not part of the PIA. What is the BEST way to avoid this situation in the future?. Conduct a privacy post-implementation review. Document personal data workflows in the product life cycle. Require management approval of changes to system architecture design. Incorporate privacy checkpoints into the secure development life cycle.
Which of the following should an IT privacy practitioner review FIRST to understand where personal data is coming from and how it is used within the organization?. Data process flow diagrams. Data inventory. Data classification. Data collection standards.

Which of the following is the FIRST step toward the effective management of personal data assets?. Establish data security controls. Analyze metadata. Create a personal data inventory. Minimize personal data.

Which of the following should be done FIRST when performing a data quality assessment?. Identify the data owner. Define data quality rules. Establish business thresholds. Assess completeness of the data inventory.

Which of the following is a foundational goal of data privacy laws?. Privacy laws are designed to protect companies' collection of personal data. Privacy laws are designed to prevent the collection of personal data. Privacy laws are designed to provide transparency for the collection of personal data. Privacy laws are designed to give people rights over the collection of personal data.

Which of the following is the MOST effective remote access model for reducing the likelihood of attacks originating from connecting devices?. Thick client desktop with virtual private network (VPN) connection. Remote wide area network (WAN) links. Thin client remote desktop protocol (RDP). Site-to-site virtual private network (VPN).

Which of the following is the PRIMARY reason for an organization to use hash functions when hardening application systems involved in biometric data processing?. To reduce the risk of sensitive data breaches. To meet the organization's security baseline. To ensure technical security measures are effective. To prevent possible identity theft.

When is the BEST time during the secure development life cycle to perform privacy threat modeling?. When identifying business requirements. Early in the design phase. During functional verification testing. Prior to the production release.
Which of the following is BEST used to validate compliance with agreed-upon service levels established with a third party that processes personal data?. Key risk indicators (KRIs). Key performance indicators (KPIs). Industry benchmarks. Contractual right to audit.

Which of the following BEST ensures an effective data privacy policy is implemented?. Developing a clear privacy statement with documented objectives. Incorporating data privacy regulations from all jurisdictions. Aligning regulatory requirements with business needs. Providing a comprehensive review of the policy for all business units.

Which type of data is produced by using a more complex method of analytics to find correlations between data sets and using them to categorize or profile people?. Observed data. Inferred data. Derived data. Provided data.

Which of the following is a PRIMARY element of application and software hardening?. Vulnerability analysis. Database configuration. Code review. Software repository.

A mortgage lender has created an online application that collects borrower information and delivers a mortgage decision automatically based on criteria set by the lender. Which fundamental data subject right does this process infringe upon?. Right to restriction of processing. Right to be informed. Right not to be profiled. Right to object.

Which of the following is the BEST way to ensure third-party providers that process an organization's personal data are addressed as part of the data privacy strategy?. Require data dictionaries from service providers that handle the organization's personal data. Outsource personal data processing to the same third party. Require independent audits of the providers' data privacy controls. Require service level agreements (SLAs) to ensure data integrity while safeguarding confidentiality.

An organization must de-identify its data before it is transferred to a third party. Which of the following should be done FIRST?. Encrypt the data at rest and in motion. Remove the identifiers during the data transfer. Determine the categories of personal data collected. Ensure logging is turned on for the database.

Which of the following is the MOST important consideration for developing data retention requirements?. Industry guidelines. Cost-benefit analysis. Data classification rules. Applicable regulations.

Which of the following is the MOST important action to protect a mobile banking app and its data against manipulation and disclosure?. Define the mobile app privacy policy. Implement application hardening measures. Provide the app only through official app stores. Conduct penetration testing.

Which of the following BEST mitigates the privacy risk associated with setting cookies on a website?. Implementing impersonation. Obtaining user consent. Ensuring nonrepudiation. Applying data masking.

Which of the following is the MOST important attribute of a privacy policy?. Breach notification period. Data retention period. Transparency. Language localization.

Which of the following is the GREATEST privacy risk associated with the use of application programming interfaces (APIs)?. APIs are costly to assess and monitor. API keys could be stored insecurely. APIs are complex to build and test. APIs could create an unstable environment.

An organization's work-from-home policy allows employees to access corporate IT assets remotely. Which of the following controls is MOST important to mitigate the risk of potential personal data compromise?. Encryption of network traffic. Intrusion prevention system (IPS). Firewall rules review. Intrusion detection system (IDS).

Which of the following should be done NEXT after a privacy risk has been accepted?. Monitor the risk landscape for material changes. Determine the risk appetite with management. Adjust the risk rating to help ensure it is remediated. Reconfirm the risk during the next reporting period.
Which of the following is MOST important to review before using an application programming interface (API) to help mitigate related privacy risk?. Data taxonomy. Data classification. Data collection. Data flows.

Which of the following is the BEST way to address privacy concerns when an organization captures personal data from a third party through an open application programming interface (API)?. Develop a service level agreement (SLA) with the third party. Implement encryption for the data transmission. Obtain consent from the data subjects. Review the specification document of the open API.

Which of the following needs to be identified FIRST to define the privacy requirements to use when assessing the selection of IT systems?. Type of data being processed. Applicable privacy legislation. Applicable control frameworks. Available technology platforms.

The MOST effective way to incorporate privacy by design principles into applications is to include privacy requirements in. Senior management approvals. Secure coding practices. Software development practices. Software testing guidelines.

Which of the following should be done FIRST when a data collection process is deemed to be a high-level risk?. Perform a business impact analysis (BIA). Implement remediation actions to mitigate privacy risk. Conduct a privacy impact assessment (PIA). Create a system of records notice (SORN).

An organization has an initiative to implement database encryption to strengthen privacy controls. Which of the following is the MOST useful information for prioritizing database selection?. Database administration audit logs. Historical security incidents. Penetration test results. Asset classification scheme.

Which of the following is the BEST method of data sanitization when there is a need to balance the destruction of data and the ability to recycle IT assets?. Cryptographic erasure. Factory reset. Data deletion. Degaussing.
Which of the following is the MOST important privacy consideration for video surveillance in high security areas?. Video surveillance recordings may only be viewed by the organization. Those affected must be informed of the video surveillance. There is no limitation for retention of this data. Video surveillance data must be stored in encrypted format.

Which of the following is the PRIMARY reason to use public key infrastructure (PKI) for protection against a man-in-the-middle attack?. It uses Transport Layer Security (TLS). It provides a secure connection on an insecure network. It makes public key cryptography feasible. It contains schemes for revoking keys.

Which of the following scenarios should trigger the completion of a privacy impact assessment (PIA)?. Updates to data quality standards. New inter-organizational data flows. New data retention and backup policies. Updates to the enterprise data policy.

When can data subjects be prohibited from withdrawing consent for processing their personal data?. When the data is no longer necessary. When the processing is unlawful. When there is an absence of overriding legitimate grounds. When the data is being archived in the public interest.

Which of the following is the BEST way for an organization to gain visibility into its exposure to privacy-related vulnerabilities?. Implement a data loss prevention (DLP) solution. Review historical privacy incidents in the organization. Monitor inbound and outbound communications. Perform an analysis of known threats.

An organization has initiated a project to enhance privacy protections by improving its information security controls. Which of the following is the MOST useful action to help define the scope of the project?. Review recent audit reports on the internal control environment. Identify databases that contain personal data. Identify databases that do not have encryption in place. Review proposed privacy rules that govern the processing of personal data.
Which of the following is the BEST way to ensure privacy considerations are included when working with vendors?. Including privacy requirements in the request for proposal (RFP) process. Monitoring privacy-related service level agreements (SLAs). Including privacy requirements in vendor contracts. Requiring vendors to complete privacy awareness training.

Which of the following is the BEST control to detect potential internal breaches of personal data?. Data loss prevention (DLP) systems. User behavior analytics tools. Employee background checks. Classification of data.

From a privacy perspective, it is MOST important to ensure data backups are: encrypted. incremental. differential. pseudonymized.

A data processor that handles personal data for multiple customers has decided to migrate its data warehouse to a third-party provider. What is the processor obligated to do prior to implementation?. Seek approval from all in-scope data controllers. Obtain assurance that data subject requests will continue to be handled appropriately. Implement comparable industry-standard data encryption in the new data warehouse. Ensure data retention periods are documented.

Which of the following BEST ensures an organization's data retention requirements will be met in the public cloud environment?. Data classification schemes. Automated data deletion schedules. Cloud vendor agreements. Service level agreements (SLAs).

Which of the following is the MOST important privacy consideration when developing a contact tracing application?. The proportionality of the data collected for the intended purpose. Whether the application can be audited for compliance purposes. The creation of a clear privacy notice. Retention period for data storage.

An organization wishes to deploy strong encryption to its most critical and sensitive databases. Which of the following is the BEST way to safeguard the encryption keys?. Ensure key management responsibility is assigned to the privacy officer. Ensure the keys are stored in a remote server. Ensure the keys are stored in a cryptographic vault. Ensure all access to the keys is under dual control.

An IT privacy practitioner wants to test an application in pre-production that will be processing sensitive personal data. Which of the following testing methods is BEST used to identify and review the application's runtime modules?. Static application security testing (SAST). Dynamic application security testing (DAST). Regression testing. Software composition analysis.

What is the BEST way for an organization to maintain the effectiveness of its privacy breach incident response plan?. Require security management to validate data privacy security practices. Conduct annual data privacy tabletop exercises. Hire a third party to perform a review of data privacy processes. Involve the privacy office in an organizational review of the incident response plan.

What is the PRIMARY means by which an organization communicates customer rights as it relates to the use of their personal information?. Gaining consent when information is collected. Publishing a privacy notice. Mailing rights documentation to customers. Distributing a privacy rights policy.

Which of the following is a role PRIMARILY assigned to an internal data owner?. Monitoring data retention periods. Authorizing access rights. Serving as primary contact with regulators. Implementing appropriate technical controls.

Which of the following practices BEST indicates an organization follows the data minimization principle?. Data is pseudonymized when being backed up. Data is encrypted before storage. Data is only accessible on a need-to-know basis. Data is regularly reviewed for its relevance.

An online business posts its customer data protection notice that includes a statement indicating information is collected on how products are used, the content viewed, and the time and duration of online activities. Which data protection principle is applied?. System use requirements. Data integrity and confidentiality. Lawfulness and fairness. Data use limitation.

Which of the following is the BEST indication of a highly effective privacy training program?. Members of the workforce understand their roles in protecting data privacy. Recent audits have no findings or recommendations related to data privacy. No privacy incidents have been reported in the last year. HR has made privacy training an annual mandate for the organization.

Which encryption method encrypts and decrypts data using two separate yet mathematically connected cryptographic keys?. Hashing. Private key. Asymmetric. Symmetric.

A health organization experienced a breach of a database containing pseudonymized personal data. Which of the following should be of MOST concern to the IT privacy practitioner?. The data may be re-identified. The data was proprietary. The data was classified as confidential. The data is subject to regulatory fines.

Which of the following information would MOST likely be considered sensitive personal data?. Mailing address. Bank account login ID. Ethnic origin. Contact phone number.

Within a regulatory and legal context, which of the following is the PRIMARY purpose of a privacy notice sent to customers?. To educate data subjects regarding how personal data will be safeguarded. To inform customers about the procedure to legally file complaints for misuse of personal data. To provide transparency to the data subject on the intended use of their personal data. To establish the organization's responsibility for protecting personal data during the relationship with the data subject.

Transport Layer Security (TLS) provides data integrity through: calculation of message digests. use of File Transfer Protocol (FTP). asymmetric encryption of data sets. exchange of digital certificates.

Which of the following outputs of a privacy audit is MOST likely to trigger remedial action?. Deficiencies in how personal data is shared with third parties. Recommendations to optimize current privacy policy. Identification of uses of sensitive personal data. Areas of focus for privacy training.

Which of the following is the BEST control to prevent the exposure of personal information when redeploying laptops within an organization?. Set a unique static IP for the default network interface. Disable all wireless networking in the group policy. Reinstall the operating system and enable laptop encryption. Perform a full wipe and reimage of the laptops.

Critical data elements should be mapped to which of the following?. Data process flow. Business analytics. Business taxonomy. Privacy policy.

Which of the following is the BEST way to ensure an organization's enterprise risk management (ERM) framework can protect the organization from privacy harms?. Include privacy risks as a risk category. Establish a privacy incident response plan. Conduct an internal privacy audit. Complete a privacy risk assessment.

A privacy risk assessment identified that a third party collects personal data on the organization's behalf. This finding could subject the organization to a regulatory fine for not disclosing this relationship. What should the organization do NEXT?. Amend the privacy policy to include a provision that data might be collected by trusted third parties. Review the third-party relationship to determine who should be collecting data. Update the risk assessment process to cover only required disclosures. Disclose the relationship to those affected in jurisdictions where such disclosures are required.

Which of the following MOST significantly impacts an organization's ability to respond to data subject access requests?. The organization's data retention schedule is complex. Logging of systems and application data is limited. Third-party service level agreement (SLA) data is not always available. Availability of application data flow diagrams is limited.
Which of the following has the GREATEST impact on the treatment of data within the scope of an organization's privacy policy?. Data protection impact assessment (DPIA). Data flow diagram. Data classification. Data processing agreement.

Which cloud deployment model is BEST for an organization whose main objectives are to logically isolate personal data from other tenants and adopt custom privacy controls for the data?. Community cloud. Private cloud. Hybrid cloud. Public cloud.

Which of the following helps define data retention time in a stream-fed data lake that includes personal data?. Privacy impact assessments (PIAs). Data lake configuration. Data privacy standards. Information security assessments.

An organization plans to implement a new cloud-based human resources (HR) solution with a mobile application interface. Which of the following is the BEST control to prevent data leakage?. Download of data to the mobile devices is disabled. Single sign-on is enabled for the mobile application. Data stored in the cloud-based solution is encrypted. Separate credentials are used for the mobile application.

Which of the following is MOST important to capture in the audit log of an application hosting personal data?. Server details of the hosting environment. Last user who accessed personal data. Application error events. Last logins of privileged users.

Which of the following is the MOST important consideration for determining the operational life of an encryption key?. Number of entities involved in communication. Number of digitally signed documents in force. Volume and sensitivity of data protected. Length of key and complexity of algorithm.

Which of the following is the BEST way to ensure that application hardening is included throughout the software development life cycle (SDLC)?. Require an annual internal audit of SDLC processes. Include qualified application security personnel as part of the process. Ensure comprehensive application security testing immediately prior to release. Require an annual third-party audit of new client software solutions.

An increase in threats originating from endpoints is an indication that: network audit frequency should increase. network protection should be maintained remotely. extended detection and response should be installed. credential management should be implemented.

Which of the following BEST illustrates privacy by design in the development of a consumer mobile application?. The application only stores data locally. The application shares personal information upon request. The application only stores data for 24 hours. The application requires consent before sharing locations.

Who is ULTIMATELY accountable for the protection of personal data collected by an organization?. Data processor. Data owner. Data custodian. Data protection officer.

Which of the following principles is MOST important to apply when granting access to an enterprise resource planning (ERP) system that contains a significant amount of personal data?. Read-only access. Least privilege. Segregation of duties. Data minimization.

Which of the following should be of GREATEST concern when an organization wants to store personal data in the cloud?. The organization’s potential legal liabilities related to the data. The data recovery capabilities of the storage provider. The data security policies and practices of the storage provider. Any vulnerabilities identified in the cloud system.

Which of the following should be done FIRST to establish privacy by design when developing a contact-tracing application?. Conduct a privacy impact assessment (PIA). Conduct a development environment review. Identify privacy controls for the application. Identify differential privacy techniques.

Which of the following is the MOST important privacy consideration for video surveillance in high security areas?. Video surveillance recordings may only be viewed by the organization. There is no limitation for retention of this data. Video surveillance data must be stored in encrypted format. Those affected must be informed of the video surveillance.

What should a sender do to send a recipient a file of personal data using asymmetric encryption?. Recipient's private key is used to encrypt; recipient's public key is used to decrypt. Sender’s public key is used to encrypt; recipient's public key is used to decrypt. Recipient's public key is used to encrypt; recipient's private key is used to decrypt. Recipient's private key is used to encrypt; sender’s public key is used to decrypt.

An organization decides to outsource its customer personal data analytics to a third party to understand spending habits. Which of the following is the MOST important contractual consideration?. Platform architecture used to process the data. Terms for continuous monitoring of the vendor. Clearly defined data responsibilities of all parties. The vendor's vulnerability management program.

Which of the following is the BEST way to address threats to mobile device privacy when using beacons as a tracking technology?. Disable location services. Enable Trojan scanners. Enable antivirus for mobile devices. Disable Bluetooth services.

Which of the following is the BEST way to convert personal information to non-personal information?. Encryption. Pseudonymization. Hashing. Anonymization.

What is the BEST method for protecting data transmissions to devices in the field?. Multi-factor authentication. Transport Layer Security (TLS). Application level authentication. Hypertext Transfer Protocol Secure (HTTPS).

Which of the following is the BEST control to detect potential internal breaches of personal data?. Data loss prevention (DLP) systems. Classification of data. Employee background checks. User behavior analytics tools.

Which of the following is the GREATEST privacy concern for an organization implementing endpoint detection and response (EDR) tools on employee laptops?. Lack of an acknowledged user acceptance policy. Unclear monitoring scope. Poor controls on privileged access to EDR tools. Lack of up-to-date EDR capability on employee laptops.

Which of the following is the BEST method of data sanitization when there is a need to balance the destruction of data and the ability to recycle IT assets?. Factory reset. Degaussing. Cryptographic erasure. Data deletion.

Which of the following BEST facilitates a privacy impact assessment (PIA)?. Creating an information flow and repository to identify personal data being collected. Providing privacy and awareness training for project managers and system owners. Comparing current privacy policies and procedures to industry benchmarks. Identifying key systems used for processing and storing personal data.

Which of the following needs to be identified FIRST to define the privacy requirements to use when assessing the selection of IT systems?. Type of data being processed. Applicable control frameworks. Applicable privacy legislation. Available technology platforms.

Which of the following is defined and implemented to ensure organizational data privacy protection arrangements are maintained and enforced regardless of jurisdiction?. Rules for data subject requests. Binding corporate rules. Privacy notice and consent rules. Rules for managing complaints.

Which type of data is produced by using a more complex method of analytics to find correlations between data sets and using them to categorize or profile people?. Derived data. Observed data. Inferred data. Provided data.

Which of the following is the BEST example of risk-based data protection?. Data encryption. Data segmentation. Transit-layer encryption. Data partitioning.

Which of the following is the MOST important consideration when choosing a method for data destruction?. Granularity of data to be destroyed. Time required for the chosen method of data destruction. Validation and certification of data destruction.
Level and strength of current data encryption. Which of the following is the BEST way to ensure third-party providers that process an organization's personal data are addressed as part of the data privacy strategy?. Require service level agreements (SLAs) to ensure data integrity while safeguarding confidentiality. Require data dictionaries from service providers that handle the organization's personal data. Outsource personal data processing to the same third party. Require independent audits of the providers' data privacy controls. Which of the following statements BEST differentiates sensitive personal data from other types of confidential data?. The legal department is accountable for protecting sensitive personal data. Masking techniques are only applicable to the protection of sensitive personal data. Sensitive personal data merits a higher level of protection. Sensitive personal data requires deletion beyond the retention period by law. A debt collection agency is attempting to locate a debtor and collects information on several people with similar names. During the inquiry, some of these people are discounted. How should the agency decide what data is adequate, relevant, and limited?. The agency should keep only the minimum data needed to form a basic record of people removed from the search. The agency should delete all personal data collected after the debtor is found. The agency should keep the data collected but store in an anonymized format. The agency should keep the data collected and mark an indication on the people removed from the search. An organization wants to change the originally specified purpose of collected personal data. What must be done NEXT?. Notify data protection authorities. Obtain consent from data subjects. Update the enterprise data architecture. Revise the privacy notice. Which of the following would BEST enable a data warehouse to limit access to individual database objects?. Private storage volumes. Virtual private database. 
Database privacy firewall. Data control dictionary. A retail company handles payroll accounting for its employees through a Software as a Service (SaaS) provider that uses a data center operator as a subcontractor. Who is responsible for the protection of the employees’ personal data?. The SaaS provider. The external auditing firm. The retail company. The data center operator. Which of the following is MOST important to consider when setting priorities for privacy data management objectives?. IT portfolios. Industry benchmarks. Business strategies. Technical vulnerabilities. During which stage of the software development life cycle (SDLC) is it MOST critical to conduct a privacy impact assessment (PIA)?. Development. Implementation. Testing. Planning. Which method BEST reduces the risk related to sharing of personal data between a software as a service (SaaS) customer and the third party storing it?. Data hashing. Data encryption. Data pseudonymization. Data anonymization. Which of the following is the MOST important key management practice when deploying cryptography for protecting personal data?. Preventing users from using incorrect private keys. Protecting the confidentiality and authenticity of private keys. Preventing users from using incorrect public keys. Protecting the confidentiality and authenticity of public keys. Which of the following is the MOST effective way to support organizational privacy awareness objectives?. Funding in-depth training and awareness education for data privacy staff. Implementing an annual training certification process. Including mandatory awareness training as part of performance evaluations. Customizing awareness training by business unit function. An employee accidentally sends an email with personal data to the wrong person. Which of the following should the employee do FIRST upon becoming aware of the issue?. Notify the privacy regulator and the impacted data subjects. 
Send the recipient another email requesting deletion of the email that was accidentally sent. Document and file the details of what happened in anticipation of further questioning. Report the situation to the data privacy officer as it could be a privacy breach. Which of the following is MOST useful for understanding an organization’s approach towards privacy compliance?. Data classifications. Data privacy policies. Privacy awareness training. Privacy audit reports. A project manager for a new data collection system had a privacy impact assessment (PIA) completed before the solution was designed. Once the system was released into production, an audit revealed personal data was being collected that was not part of the PIA. What is the BEST way to avoid this situation in the future?. Conduct a privacy post-implementation review. Document personal data workflows in the product life cycle. Incorporate privacy checkpoints into the secure development life cycle. Require management approval of changes to system architecture design. Which of the following is the PRIMARY reason to allow data transfer between regions?. Data subjects give implicit consent for a contract or claim. There is a legal basis of public interest. Data transfer concerns a limited number of data subjects. here are legitimate interests that override data subject rights. Which of the following should an IT privacy practitioner review FIRST to understand where personal data is coming from and how it is used within the organization?. Data process flow diagrams. Data classification. Data collection standards. Data inventory. Which of the following is the BEST course of action to manage privacy risk when a significant vulnerability is identified in the operating system (OS) that supports an organization’s customer relationship management (CRM) system?. Apply OS patching to fix the vulnerability immediately. Manage system permissions and access more strictly. 
Enable comprehensive logging of activities at the OS level. Perform a vulnerability assessment to determine the impact. In a contract for cloud services, whom should a cloud provider agree to notify in the event of a personal data breach?. Its client’s end users. Its client’s insurance carrier. Its client’s regulatory authority. Its client. To increase productivity, an organization is planning to implement movement tracking devices in the vehicles of field employees. Which of the following MUST be in place before installing the devices?. Bring your own device (BYOD) policy. Mobile device management (MDM). Location accuracy mechanisms. End user agreements. Which of the following is the MOST effective way to prevent employees from inappropriately accessing customer information?. nforce an acceptable use policy. Require organization-wide data privacy training. Implement role-based user provisioning. Engage in employee monitoring. A data processor that handles personal data for multiple customers has decided to migrate its data warehouse to a third-party provider. What is the processor obligated to do prior to implementation?. Seek approval from all in-scope data controllers. Ensure data retention periods are documented. Obtain assurance that data subject requests will continue to be handled appropriately. Implement comparable industry-standard data encryption in the new data warehouse. Which of the following is the BEST way to prevent dangerous SQL write statements from being executed on data?. Restrict access to row-specific data. Create encrypted versions of the data. Exclude access to specific tables or columns of data. Create a read-only data warehouse. Which of the following should be done FIRST before an organization migrates data from an on-premise solution to a cloud-hosted solution that spans more than one jurisdiction?. Conduct a penetration test of the hosted solution. Ensure data loss prevention (DLP) alerts are turned on. 
Encrypt the data while it is being migrated. Assess the organization’s exposure related to the migration. Of the following, who is the BEST resource for determining which privacy laws must be followed for data that crosses international borders?. The legal counsel for the organization that plans to collect the data. The government in the country where the data is initially collected. The chief information security officer (CISO) in the country that processes the data. The chief risk officer (CRO) for the organization that plans to collect the data. Which of the following scenarios should trigger the completion of a privacy impact assessment (PIA)?. New data retention and backup policies. Updates to the enterprise data policy. New inter-organizational data flows. Updates to data quality standards. Which of the following is MOST important when creating a data retention policy?. Requesting and obtaining board approval. Identifying and classifying information assets. Reviewing and updating current procedures. Identifying and scoping regulatory requirements. Which of the following is the PRIMARY outcome of a privacy risk assessment?. Comprehensive privacy risk register. Defined risk mitigation strategy and plans. Identified risk associated with data processing. Approved organizational risk appetite. Which of the following should be reviewed FIRST as part of an audit of controls implemented to mitigate data privacy risk?. Privacy impact assessment (PIA). Security impact assessment. Privacy policies and procedures. Privacy risk and control framework. Which of the following is the BEST solution for storing both non-relational and relational personal data from Internet of Things (IoT) devices, web sites, and mobile applications?. Data lake. Block storage. Blockchain. Data warehouse. Which of the following should be done FIRST when performing a data quality assessment?. Assess completeness of the data inventory. Establish business thresholds. Identify the data owner. 
Define data quality rules. Which data warehousing operating model masks data within a larger database to provide subset views to users?. Least privilege access control. Context-aware access control. Mandatory access control. Hierarchy-based user classification. Which of the following is the PRIMARY consideration when managing consent for the use of an application targeted toward children?. Requiring children to obtain permission from parents or guardians before using the application. Using clear and consistent terminology in the terms of use and privacy notices. Verifying the approval of parents or guardians before processing personal data of children. Verifying the date of birth for users who may be legally considered as minors. Privacy flaws can MOST effectively be minimized during which phase of the software development life cycle?. Planning and design. Maintenance. Test and release. Development. Which of the following BEST helps to determine appropriate access privileges for an application containing customer personal data?. Data catalog. RACI charts. Data classification. Access control lists. In which of the following scenarios would implementing a machine learning algorithm for anomaly detection raise data privacy concerns?. Establishing benchmarks to identify outliers. Determining employee email spam classification. Evaluating employee behavior to identify potential fraud. Accessing personal information in audits. A visitor approaches the security desk of a global bank to gain access to attend a meeting. The security desk personnel ask for an official form of identity. Which of the following is the BEST practice with regard to documentation for company record-keeping?. Maintain a record of identity verification but not a copy of the ID document itself. Ask the visitor to send a copy of the ID document directly to the meeting host. Post a written notice that explains copies of IDs are stored in a secure system. 
Ask for the visitor’s consent to make a copy of the ID document. Which of the following BEST mitigates the privacy risk associated with setting cookies on a website?. Obtaining user consent. Applying data masking. Implementing impersonation. Ensuring nonrepudiation. Which of the following is MOST important to include in a data use policy?. The length of time personal data will be retained. The method used to delete or destroy personal data. The reason for collecting and using personal data. The requirements for collecting and using personal data. Which of the following is the GREATEST privacy threat when an organization wants to leverage artificial intelligence (AI) for marketing purposes?. Unencrypted data transfer. Low data accuracy. Hallucinations. Data exploitation. Which type of flaw in an application programming interface (API) allows an attacker to manipulate legitimate standard functionality?. Business logic misconfiguration. Excessive data exposure. Lack of resources and rate limiting. Broken object level authorization. Which of the following should an organization do FIRST to ensure it can respond to all data subject access requests in a timely manner?. Understand the data in its possession. Invest in a platform to automate data review. Confirm what is required for disclosure. Create a policy for handling access requests. Which of the following BEST mitigates the risk of users not understanding the purpose of their data being collected?. Encryption. Transparency. Intervenability. Unlinkability. Which of the following BEST protects against unauthorized access to stored personal data?. Advanced Encryption Standard (AES). Transport Layer Security (TLS). Intrusion detection system (IDS). Data loss prevention (DLP). Which of the following is the PRIMARY benefit of data flow mapping?. It provides a holistic view of the operational procedures for each business process. It provides visibility into the data footprint across the organization. 
It helps to optimize cost savings through more efficient storage solutions. It creates a data catalogue for the enterprise. Which of the following techniques BEST protects the privacy of personal data accessed via system endpoints?. Endpoint detection and response (EDR). Encryption. Normalization. Intrusion detection system (IDS). A recently issued privacy regulation requires that customer data be deleted within a certain timeframe upon customer request. What is an organization’s MOST important consideration related to compliance with this regulation?. Access privileges to customer information. Classification policies related to customer information. Knowing the retention schedule for customer information. Knowing the storage location of customer information. Which of the following is MOST important to review when determining the data lineage of a data element?. Data classification. Data flow. Data storage location. Data retention schedule. Which of the following is MOST important to help determine the controls required to secure the servers that support a customer portal?. Configuration management tool. Data classification policy. Patch management software. Control self-assessments (CSAs). Which of the following is a privacy by design principle?. Shared privileged access. Respect for user privacy. Trust but verify. Reactive privacy controls. Which of the following is the MOST essential attribute to distinguish between personal data protection and information security?. Confidentiality. Integrity. Linkability. Authenticity. As part of network hardening it is MOST important to set up thresholds to trigger privacy alerts for: Internet Protocol (IP) masquerading. Data exfiltration. Excessive network connection length. Unsuccessful access requests. An audit of an organization’s customer relationship management (CRM) system revealed duplicate user accounts for many customers. Which of the following should be the IT privacy practitioner's GREATEST concern?. 
Duplicates may lead to increased customer inquiries and communication costs. Lack of data quality violates database integrity rules. Lack of data quality may result in increased audit findings. Critical communications may not reach the correct customer contacts. Which of the following is the GREATEST privacy risk factor for data stored on disk?. Lack of encryption at rest. Users storing data locally. Hardware degradation. Lack of periodic backups. A bug has been identified in a third-party video library that could expose sensitive user data. Which of the following is the BEST recommendation to address this issue?. Perform a full antivirus scan before using the library. Sanitize any sensitive data in the library. Patch the vulnerability before using the library. Require authentication to access the library. Which of the following is the BEST way to protect the confidentiality of the information returned by a new application programming interface (API) integration?. Require all API requests to be monitored. Update the privacy policy to include use of the API. Ensure all API traffic is encrypted in transit. Use only APIs with de-identified data. Which of the following is MOST likely to be considered confidential data as opposed to personal information'?. Government identification number. Driver's license number. Internet Protocol (IP) address. Customer income level. Rounding and nulling are examples of which type of data de-identification function?. Hashing. Tokenization. Masking. Salting. Which of the following poses the GREATEST privacy risk for users of an application that collects their geolocation information?. Complex legal disclosures. Inaccurate cell tower triangulation. Use of the location data for user profiling. Third-party access to aggregated location data. Which of the following is the BEST indication that an organization needs to perform a privacy impact assessment (PIA)?. The privacy policy is included in an online training course. 
An inventory of personal information is reported to stakeholders. The privacy practices are being reviewed by clients. New personal information categories are being collected about customers. Which of the following should trigger a review of an organization's privacy policy?. Backup procedures for customer data are changed. Data loss prevention (DLP) incidents increase. An emerging technology will be implemented. The privacy steering committee adopts a new charter. A web-based payment service is adding a requirement for biometric authentication. Which risk factor is BEST mitigated by this practice?. User validation failures when reconnecting after lost sessions. Zero-day attacks and exploits. Identity spoofing by unauthorized users. Legal liability from the misuse of accounts. An online retailer has recently acquired a travel company and is planning to share its retail customer database with the new company for marketing purposes. Which data protection principle is at GREATEST risk of being violated?. Data portability. Data integrity. Data use limitation. Data transparency. Which of the following is MOST important to include when defining an organization’s privacy requirements as part of a privacy program plan?. Data classification process. Privacy management governance. Privacy protection infrastructure. Lessons learned documentation. An organization has developed a tracking system to better understand customer purchasing behavior. Prior to deployment it is discovered that the consumer privacy policy does not properly convey that customer purchases may be tracked in this way. Which of the following is the BEST course of action?. Create a script for customer service representatives to describe the change when customers call. Include a notice in the purchase confirmation that informs customers of the tracking. Delay launching the system until the privacy policy and notice have been updated. 
When the system is launched, collect the data but do not analyze it until the policy and notice have been updated. An enterprise is planning to introduce a new product that involves geolocation tracking of customers. Which of the following is the BEST way to determine the associated risk?. Conduct a third-party application penetration test to identify vulnerabilities. Conduct a business impact assessment (BIA). Evaluate the control environment for the collected data. Require an annual privacy and security assessment. Which of the following is the BEST information to use as a framework to evaluate an organization's data management practices?. Capability maturity model. Regulatory changes. Privacy policies and procedures. Benchmarking studies. Which of the following is MOST important to ensure when reviewing strategic customer decisions driven by predictive AI?. Results are verified by a human in the loop. The organization is using a private large language model (LLM). The speed of models can be leveraged to expedite business decisions. Creativity levels are lowered to reduce hallucinations. Which of the following controls BEST helps to maintain the integrity of customer information?. Encryption. Logging. Hashing. Access control lists. An organization's privacy office is planning to conduct privacy awareness training for all staff. Which of the following topics is MOST important to include to help improve data privacy protection practices across the organization?. Data security monitoring management. Identity access management (IAM). Encryption key management. Data classification management. Which of the following should be done FIRST when creating specialized training for employees with key duties to protect personal data?. Identify the key internal and external threats to data protection. Develop metrics to define and measure a successful training program. Benchmark existing training programs against industry standards. 
Define the roles, responsibilities, and required skills based on job descriptions. An organization is considering the use of generative AI to create realistic marketing content, such as personalized product descriptions. Which of the following is the MOST important privacy consideration when using generative AI for marketing purposes?. The lack of transparency around the inner workings of the generative AI mode. The potential for bias in the generated content. Hallucinations resulting from the use of large customer datasets. The inadvertent disclosure of sensitive information in the generated content. In a system implementation project where production data must be used for testing, which of the following practices would MOST effectively protect customer data privacy?. Data minimization. Data classification. Data obfuscation. Data cleansing. An organization must de-identify its data before it is transferred to a third party. Which of the following should be done FIRST?. Determine the categories of personal data collected. Remove the identifiers during the data transfer. Encrypt the data at rest and in motion. Ensure logging is turned on for the database. Which of the following is the MOST critical action for an organization prior to tracking user activity in its applications?. Providing notification to users of the organization’s privacy policies. Establishing a data classification scheme. Identifying and validating users’ countries of residence. Requesting users to read and accept the organization's privacy notice. A data subject's ability to securely obtain and reuse personal data for their own purposes across different services is known as the right to: Data portability. Data sanitization. Data limitation. Data protection. Which of the following MUST be included in a contract with a vendor that will be processing personal data?. A clause to hash all data that is processed or stored by the vendor. 
A clause to prohibit the vendor from sending data to third parties. A clause to report breaches in a timely manner to the organization. A clause to require the vendor to comply with industry best practices. In addition to lowering costs and improving performance, which of the following is the MOST compelling reason to archive data?. Improving business alignment. Restricting data access. Achieving compliance. Improving data confidentiality. The identification of all data recipients in a privacy notice to website visitors reflects which privacy principle?. Accuracy. Consent. Integrity. Transparency. Which of the following is the BEST approach when providing data subjects with access to their personal data?. Use an email address to automatically generate a unique ID. Create a profile page where users can view their information. Disable user profile data modification so there is no possibility to introduce mistakes. Only allow users to edit data fields that are not derived from their personal information. Information should only be considered personal information if it: Relates directly or indirectly to an individual. appears in a digital or electronic format. is classified as sensitive and confidential. s objectively accurate or verifiable. An organization decides to outsource its customer personal data analytics to a third party to understand spending habits. Which of the following is the MOST important contractual consideration?. Platform architecture used to process the data. Terms for continuous monitoring of the vendor. Clearly defined data responsibilities of all parties. The vendor's vulnerability management program. hich of the following is MOST important to capture in the audit log of an application hosting personal data?. Last logins of privileged users. Last user who accessed personal data. Application error events. Server details of the hosting environment. Which of the following is the BEST way to convert personal information to non-personal information?. 
Encryption. Pseudonymization. Hashing. Anonymization. What is the BEST method for protecting data transmissions to devices in the field?. Multi-factor authentication. Transport Layer Security (TLS). Application level authentication. Hypertext Transfer Protocol Secure (HTTPS). Which of the following should be done FIRST when a data collection process is deemed to be a high-level risk?. Conduct a privacy impact assessment (PIA). Create a system of records notice (SORN). Perform a business impact analysis (BIA). Implement remediation actions to mitigate privacy risk. A privacy impact assessment (PIA) is BEST performed by reviewing controls: in best practices frameworks. for identity and access management. based on vulnerability assessments. throughout the technology stack. Which of the following should an IT privacy practitioner do FIRST when assessing the potential impact of new privacy legislation on the organization?. Identify systems and processes that contain privacy components. Research and identify privacy legislation in other countries that may contain similar requirements. Share operational plans for achieving compliance with regulatory entities. Restrict the collection of personal information until there is assurance the organization is compliant. Which of the following approaches to incorporating privacy by design principles BEST ensures the privacy of personal information?. Embedding the principles into remediation data procedures. Including the principles in reactive data breach plans. Building the principles into final data product developments. Implementing the principles into the end-to-end data life cycle. To ensure security when accessing personal data from a corporate website, which of the following is a prerequisite to implementing Hypertext Transfer Protocol Secure (HTTPS)?. Virtual private network (VPN). Load balancer. Firewall. Transport Layer Security (TLS). 
Which of the following is the MOST important topic to cover in privacy awareness training customized for an organization's IT security staff?
Sanctions for misuse of personal information. Roles and responsibilities in responding to privacy-related incidents. Requirements for usage and distribution of personal information. Applicable privacy laws, regulations, and policies.

Which of the following is the MOST effective method to obfuscate personal data in a public cloud environment?
Tokenization. Digital hashing. Multi-factor authentication. Access control.

The BEST way to ensure the integrity of an organization's data is to log and review which of the following?
Network access. Patch updates. Data modifications. Data types.

Which of the following controls BEST mitigates the risk of unauthorized access to personal information via brute force attacks through application programming interfaces (APIs)?
Authentication controls. Sufficient logging. Object level authorization. Mass assignment.

Which of the following is MOST important to ensure when reviewing processes associated with the destruction of data?
The destruction of data is performed on site. The destruction of data is witnessed. The destruction is performed by a certified provider. The destruction method is approved by the data owner.

When data processing is performed at a third-party data center, ownership of the risk PRIMARILY rests with the:
data custodian. data controller. data processor. data scientist.

Which of the following should be the PRIMARY consideration when evaluating transaction-based cloud solutions?
Service level agreements (SLAs). Joint data protection responsibilities. Data protection capabilities. Elasticity of the service offerings.

A technology company has just launched a mobile application for tracking health symptoms. This application is built on a mobile device technology stack that allows users to share their location and details of their symptoms. Which of the following is the GREATEST privacy concern with collecting this data via mobile devices?
Client-side device ID. Data storage requirements. Encryption of key data elements. Data usage without consent.

Which of the following is the MOST effective use of data flow diagrams when implementing a data privacy compliance program?
Illustrating where personal data resides in systems. Identifying where personal data is in transit. Processing personal data with clarity and ease. Mapping personal data at rest.

Which of the following is MOST important to address in a privacy policy with respect to big data repositories of sales information?
Overall data management strategy. Encryption of data at rest. Transparency with customers. Retention of archived information.

Which of the following is the PRIMARY privacy concern with the use of a data lake containing transaction data, including personal data?
The data lake retains all the organization's data. The data lake supports all operational users. The data lake receives data from all data sources. The data lake supports all types of data structures.

Which of the following is the BEST approach for configuring remote access rules to safeguard personal data within the organization's network?
Encrypting personal data. Using a third-party remote server. Installing endpoint security. Enabling strict authentication.

Notice was provided to everyone visiting a company's website indicating what personal data was being collected and for what purpose it was being used. The IT department recently received a new request to use this personal data. Which of the following should be done FIRST?
Determine who needs to opt in to the new data usage scenario. Request the internal audit function to conduct a privacy audit. Assess whether the use of data is consistent with the original purpose. Determine which department is the data owner and refer to them for approval.
Which of the following is the BEST way to manage privacy risk associated with outsourcing to a third party?
Utilize a variable sourcing strategy. Review and approve the vendor's privacy policies. Require specific controls as part of the contract. Perform privacy audits of the vendor.

Which of the following is the MOST effective approach to identify personal data stored as unstructured data?
Use data discovery tools. Review downloads from databases. Query application developers. Survey users and data owners.

An organization’s new sales application asks for consent to collect consumer personal information. Which foundational privacy by design principle is this organization following?
Respecting user privacy. Maintaining visibility and transparency. Embedding privacy into system requirements. Ensuring end-to-end security.

An enterprise is planning to introduce a new product that involves geolocation tracking of customers. Which of the following is the BEST way to determine the associated risk?
Conduct a third-party application penetration test to identify vulnerabilities. Conduct a business impact assessment (BIA). Evaluate the control environment for the collected data. Require an annual privacy and security assessment.

Which of the following is the BEST information to use as a framework to evaluate an organization's data management practices?
Capability maturity model. Regulatory changes. Privacy policies and procedures. Benchmarking studies.

Which of the following is MOST important to ensure when reviewing strategic customer decisions driven by predictive AI?
Results are verified by a human in the loop. The organization is using a private large language model (LLM). The speed of models can be leveraged to expedite business decisions. Creativity levels are lowered to reduce hallucinations.

Which of the following controls BEST helps to maintain the integrity of customer information?
Encryption. Logging. Hashing. Access control lists.
An organization's privacy office is planning to conduct privacy awareness training for all staff. Which of the following topics is MOST important to include to help improve data privacy protection practices across the organization?
Data security monitoring management. Identity access management (IAM). Encryption key management. Data classification management.

Which of the following should be done FIRST when creating specialized training for employees with key duties to protect personal data?
Identify the key internal and external threats to data protection. Develop metrics to define and measure a successful training program. Benchmark existing training programs against industry standards. Define the roles, responsibilities, and required skills based on job descriptions.

An organization is considering the use of generative AI to create realistic marketing content, such as personalized product descriptions. Which of the following is the MOST important privacy consideration when using generative AI for marketing purposes?
The lack of transparency around the inner workings of the generative AI model. The potential for bias in the generated content. Hallucinations resulting from the use of large customer datasets. The inadvertent disclosure of sensitive information in the generated content.

In a system implementation project where production data must be used for testing, which of the following practices would MOST effectively protect customer data privacy?
Data minimization. Data classification. Data obfuscation. Data cleansing.

Which privacy-enhancing technology (PET) BEST enables third parties to process and manipulate data in its encrypted form?
Federated learning. Secure enclaves. Homomorphic encryption. End-to-end encryption.

Which of the following assurance approaches is MOST effective in identifying vulnerabilities within an application programming interface (API) transferring personal data?
Bug bounty program. Source code review. Security audit. Tabletop simulation.

Zero-knowledge proofs, secure multi-party computation, and homomorphic encryption are examples of:
privacy by design concepts. pseudonymization techniques. privacy-enhancing technologies (PETs). Zero Trust security technologies.

Consent MUST be obtained from a data subject when:
the data will be used to support the public interest. data will be used for a purpose other than for which it was collected. the organization processing the data has implemented separation of duties. collection includes de-identified personal data obtained from a public domain website.

During which of the following system life cycle stages is it BEST to identify privacy controls for a machine learning (ML) model that consumes personal data?
System security testing. System deployment. Algorithm design. Functional testing.

Of the following, who is BEST suited to verify the quality of personal data following a merger and acquisition integration?
Data owner. Data migration team. Data processor. Database administrator (DBA).

Which type of information requires the HIGHEST level of protection from a privacy perspective?
Fingerprint. Residential address. Salary. Eye color.

A privacy practitioner wants to test an application in pre-production that will be processing sensitive personal data. Which of the following testing methods is BEST used to identify and review the application's runtime modules?
Regression testing. Software composition analysis. Dynamic application security testing (DAST). Static application security testing (SAST).

Which of the following outputs of a privacy audit is MOST likely to trigger remedial action?
Deficiencies in how personal data is shared with third parties. Areas of focus for privacy training. Identification of uses of sensitive personal data. Recommendations to optimize current privacy policy.
A privacy practitioner has been asked to develop a privacy program for a client that has new privacy requirements due to its expansion into a new geographic region. Which of the following is the privacy practitioner's BEST course of action?
Update the operating privacy framework. Document privacy impacts on the organization. Identify relevant regulatory requirements. Conduct employee training on the new requirements.

An organization is planning to implement an IT solution based on Internet of Things (IoT) tracking technology. Which of the following is the GREATEST risk associated with this solution?
The accuracy of collected information could be unreliable. Use of the technology may lead to loss of collected information. Data collected by the solution could be complicated to govern due to its volume. The technology may share personal information from users.

What solution set should an organization implement to BEST ensure its data privacy activities are being centralized?
Governance, risk, and compliance (GRC) tools. Cloud access security broker (CASB) tools. Encryption key management software. Data loss prevention (DLP) software.

Which of the following domains is the foundation for the execution of all other security and privacy operations?
Change management. Asset management. Incident management. Vulnerability management.

Which of the following is the PRIMARY reason asset management is important to a privacy program?
It enables effective incident response. It ensures data is deleted when an employee resigns. It ensures employees are working from assigned locations. It enables data to be stored on approved resources.

Which strategy would be MOST effective for an organization to enhance privacy in machine learning (ML) model deployment?
Implementing differential privacy techniques during both model training and inference. Outsourcing model training to third-party vendors specialized in AI and ML. Utilizing pre-trained models without further customization. Sharing model parameters openly with external stakeholders for transparency.

Which of the following provides the MOST useful information when determining the scope of a privacy audit?
Data flow mapping. Risk assessment results. Previous audit reports. Business processes.

Which of the following is the BEST source for forensic and analytic information when an organization is investigating suspicious activities from corporate-owned laptops?
Endpoint detection and response (EDR). Web application firewall (WAF). Mobile device management (MDM). Device inventory and classification.

Which of the following is a privacy-enhancing technology (PET)?
Usage of low code platforms. Synthetic data generator. Data normalization software. Scalability planning solution.

Which of the following can BEST identify failures of enterprise architecture (EA) to support privacy by design principles?
Penetration test. Control self-assessment (CSA). Independent audit process. Privacy impact assessment (PIA).

Which of the following artifacts is MOST important for demonstrating compliance with privacy regulations when deploying off-premise cloud solutions?
Third-party audit results. Privacy impact assessment (PIA). Comprehensive data catalog. Lack of data breaches.

Which of the following is MOST important for an organization to include in its website's cookie policy?
Reason for collecting data using cookies. Security controls to protect data. Impact of selecting the option to disable cookies. Data retention period for browsing history.

An organization has an initiative to implement database encryption to strengthen privacy controls. Which of the following is the MOST useful information for prioritizing database selection?
Asset classification scheme. Database administration audit logs. Penetration test results. Historical security incidents.

Which of the following is the MOST important privacy consideration when selecting a system architecture for a human resources information system?
Compliance requirements for system monitoring. Regulatory requirements for data protection. IT requirements for system maintenance and support. Business requirements for system functionality.

A request for consent to collect personal data MUST:
be limited to persons of legal age. be separate from general terms and conditions. be a condition of using the service. ask consumers to take steps to opt out.

Which of the following characteristics of a cloud service provider (CSP) poses the GREATEST privacy-related compliance risk?
Compliance-related training materials are developed without direct input from clients. Resources are allocated from geographically dispersed locations. CSP contract terms rarely agree to right-to-audit clauses. Resources are provisioned as self-service without interaction with the CSP.

Which of the following is the BEST way to identify vulnerabilities in an organization's web application that processes personal data?
Implement a web application firewall (WAF). Conduct dynamic application security testing (DAST). Hire a third party to perform blue team exercises. Conduct static application security testing (SAST).

When capturing browsing and purchase data from consumers visiting a corporate website more than once, which of the following metadata-based technologies is typically used to identify a consumer?
HTTP cookie. Server cookie. Supercookie. Flash cookie.

Which of the following BEST enables an organization to manage privacy risk consistently over time?
Inventorying all databases containing personal data. Including privacy risk in the enterprise risk profile. Devising a structured approach to track risk mitigation activities. Appointing the legal team to own privacy risk.

An organization is implementing database servers that will store personal data within a hosting environment. Which of the following is MOST important to incorporate to help ensure the privacy of the data?
Device antivirus protection. System hardening. Host-based firewall. Log monitoring.

Who is ULTIMATELY accountable for the protection of personal data collected by an organization?
Data custodian. Data owner. Data processor. Data protection officer (DPO).

Which of the following strategies BEST mitigates the risks associated with exploiting the capabilities of generative AI for cyberattacks?
Promoting generative AI awareness campaigns. Implementing controls to prevent hallucinations. Reducing the use of generative AI to minimize risks. Implementing robust data validation techniques.

An organization identifies a risk that data subject access requests may not be managed within the regulatory timeline. The organization decides to outsource the data subject access request process to a third party. Which risk response is this an example of?
Risk transfer. Risk acceptance. Risk reduction. Risk avoidance.

Which of the following is the FIRST step to protect data subject privacy when planning the deployment of a public monitoring system?
Inform the public of the project. Draft a privacy breach response plan. Conduct a privacy impact assessment (PIA). Inform data protection authorities.

Which of the following is the MOST important course of action to establish an effective process for identifying and managing privacy risk across an organization?
Document risk management procedures. Raise privacy risk awareness within the organization. Develop a privacy risk register. Implement a risk management framework.

An assessment of an organization's cloud infrastructure has determined that for some services, the metadata of some transactions is transmitted through different jurisdictions. Which of the following should be done FIRST?
Assess the mitigating controls in place to protect metadata. Invoke the privacy incident response plan. Review the organization's risk appetite and tolerance. Assess the risk associated with the metadata being transmitted.
Which of the following is the BEST approach for an organization looking to share privacy risk?
Engaging a third-party audit firm. Implementing service level agreements (SLAs). Implementing privacy notice and consent mechanisms. Signing contracts with third parties accessing personal information.

An enterprise is planning to introduce a new product that involves geolocation tracking of customers. Which of the following is the BEST way to determine the associated risk?
Enforce multi-factor authentication (MFA) for the analysts working on the fraud alerts. Encrypt the customer data and decrypt only in cases of reasonable suspicion. Keep the customer data in clear text to allow for real-time response. Run a reversible hash on the customer data to allow for quick identification.

Which of the following should be done FIRST when responding to a mandate to protect a critical application that was developed in-house?
Apply dynamic application security testing (DAST). Implement the maximum level of protection. Develop a proprietary encryption scheme. Perform a threat assessment.

Following a merger and acquisition deal, an organization wants to integrate all customers into a single customer relationship management (CRM) system. Which of the following is the IT privacy practitioner’s MOST appropriate response?
Personal data processing must adhere to the organization's privacy policy. The organization may proceed as customer consent has already been obtained. The existing data privacy practices should be revised to account for the new database. If the database benefits the customers, it can be done without additional consent.

Which of the following types of employee information requires the STRONGEST protection due to its sensitivity?
Sexual orientation. Salary information. Email addresses. Year of birth.

Which of the following is the BEST way to mitigate privacy risk associated with application programming interfaces (APIs)?
Active monitoring of API schema changes. Use only APIs that are developed internally by the organization. Document dependency usage of all APIs. Ensure APIs are included in the scope of the vulnerability management program.

Which of the following is the PRIMARY reason that regulatory authorities would require permission for corporate use of drones with mounted video cameras for visual surveillance?
To prevent compromise of network security. To minimize disruption in wireless networks. To facilitate investigation of privacy incidents. To provide sufficient notice to the public.

Which of the following should be an information security manager's PRIMARY focus when migrating data between two dissimilar systems?
Developing automation to facilitate the migration. Ensuring the integrity of system backups. Ensuring data controls are maintained. Determining the amount of effort required.

Which of the following should an organization do FIRST to mitigate the risk of employees mishandling personal data?
Conduct personal data awareness training. Encrypt all personal data. Establish data classification levels. Implement a data loss prevention (DLP) tool.