SCENARIO
Please use the following to answer the next QUESTION:
Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the development of the company's flagship product, the Handy Helper. The Handy Helper is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. After having had a successful launch in the United States, the Handy Helper is about to be made available for purchase worldwide. The packaging and user guide for the Handy Helper indicate that it is a "privacy friendly" product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Omnipresent Omnimedia and selected marketing partners in order to be able to use the application.
Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreement with a European distributor of Handy Helper when he fielded many questions about the product from the distributor. Sanjay needed to look more closely at the product in order to be able to answer the questions, as he was not involved in the product development process.
In speaking with the product team, he learned that the Handy Helper collected and stored all of a user's sensitive medical information for the medical appointment scheduler. In fact, all of the user's information is stored by Handy Helper for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO's philosophy that great new product ideas can come from anyone, all Omnipresent Omnimedia employees have access to user data under a program called Eureka. Omnipresent Omnimedia is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-term goal.
What element of the Privacy by Design (PbD) framework might the Handy Helper violate?
A. Failure to obtain opt-in consent to marketing.
B. Failure to observe data localization requirements.
C. Failure to implement the least privilege access standard.
D. Failure to integrate privacy throughout the system development life cycle.
SCENARIO
Please use the following to answer the next QUESTION:
As the company's new chief executive officer, Thomas Goddard wants to be known as a leader in data protection. Goddard recently served as the chief financial officer of Hoopy.com, a pioneer in online video viewing with millions of users around the world. Unfortunately, Hoopy is infamous within privacy protection circles for its ethically questionable practices, including unauthorized sales of personal data to marketers. Hoopy also was the target of credit card data theft that made headlines around the world, as at least two million credit card numbers were thought to have been pilfered despite the company's claims that "appropriate" data protection safeguards were in place. The scandal affected the company's business as competitors were quick to market an increased level of protection while offering similar entertainment and media content. Within three weeks after the scandal broke, Hoopy founder and CEO Maxwell Martin, Goddard's mentor, was forced to step down.
Goddard, however, seems to have landed on his feet, securing the CEO position at your company, Medialite, which is just emerging from its start-up phase. He sold the company's board and investors on his vision of Medialite building its brand partly on the basis of industry-leading data protection standards and procedures. He may have been a key part of a lapsed or even rogue organization in matters of privacy but now he claims to be reformed and a true believer in privacy protection. In his first week on the job, he calls you into his office and explains that your primary work responsibility is to bring his vision for privacy to life. But you also detect some reservations. "We want Medialite to have absolutely the highest standards," he says. "In fact, I want us to be able to say that we are the clear industry leader in privacy and data protection. However, I also need to be a responsible steward of the company's finances. So, while I want the best solutions across the board, they also need to be cost effective."
You are told to report back in a week's time with your recommendations. Charged with this ambiguous mission, you depart the executive suite, already considering your next steps.
The company has achieved a level of privacy protection that established new best practices for the industry. What is a logical next step to help ensure a high level of protection?
A. Brainstorm methods for developing an enhanced privacy framework
B. Develop a strong marketing strategy to communicate the company's privacy practices
C. Focus on improving the incident response plan in preparation for any breaks in protection
D. Shift attention to privacy for emerging technologies as the company begins to use them
SCENARIO
Please use the following to answer the next QUESTION:
Henry Home Furnishings has built high-end furniture for nearly forty years. However, the new owner, Anton, has found some degree of disorganization after touring the company headquarters. His uncle Henry had always focused on production, not data processing, and Anton is concerned. In several storage rooms, he has found paper files, disks, and old computers that appear to contain the personal data of current and former employees and customers. Anton knows that a single break-in could irrevocably damage the company's relationship with its loyal customers. He intends to set a goal of guaranteed zero loss of personal information.
To this end, Anton originally planned to place restrictions on who was admitted to the physical premises of the company. However, Kenneth, his uncle's vice president and longtime confidante, wants to hold off on Anton's idea in favor of converting any paper records held at the company to electronic storage. Kenneth believes this process would only take one or two years. Anton likes this idea; he envisions a password-protected system that only he and Kenneth can access.
Anton also plans to divest the company of most of its subsidiaries. Not only will this make his job easier, but it will simplify the management of the stored data. The heads of subsidiaries like the art gallery and kitchenware store down the street will be responsible for their own information management. Then, any unneeded subsidiary data still in Anton's possession can be destroyed within the next few years.
After learning of a recent security incident, Anton realizes that another crucial step will be notifying customers. Kenneth insists that the two lost hard drives in question are not cause for concern; all of the data was encrypted and not sensitive in nature. Anton does not want to take any chances, however. He intends on sending notice letters to all employees and customers to be safe.
Anton must also check for compliance with all legislative, regulatory, and market requirements related to privacy protection. Kenneth oversaw the development of the company's online presence about ten years ago, but Anton is not confident about his understanding of recent online marketing laws. Anton is assigning another trusted employee with a law background the task of the compliance assessment. After a thorough analysis, Anton knows the company should be safe for another five years, at which time he can order another check. Documentation of this analysis will show auditors due diligence.
Anton has started down a long road toward improved management of the company, but he knows the effort is worth it. Anton wants his uncle's legacy to continue for many years to come.
Which important principle of Data Lifecycle Management (DLM) will most likely be compromised if Anton executes his plan to limit data access to himself and Kenneth?
A. Practicing data minimalism.
B. Ensuring data retrievability.
C. Implementing clear policies.
D. Ensuring adequacy of infrastructure.
What is most critical when outsourcing data destruction service?
A. Obtain a certificate of data destruction.
B. Confirm data destruction must be done on-site.
C. Conduct an annual in-person audit of the provider's facilities.
D. Ensure that they keep an asset inventory of the original data.
What is the key factor that lays the foundation for all other elements of a privacy program?
A. The applicable privacy regulations
B. The structure of a privacy team
C. A privacy mission statement
D. A responsible internal stakeholder
When devising effective employee policies to address a particular issue, which of the following should be included in the first draft?
A. Rationale for the policy.
B. Points of contact for the employee.
C. Roles and responsibilities of the different groups of individuals.
D. of how the policy is applied within the organization.
SCENARIO
Please use the following to answer the next QUESTION:
As the company's new chief executive officer, Thomas Goddard wants to be known as a leader in data protection. Goddard recently served as the chief financial officer of Hoopy.com, a pioneer in online video viewing with millions of users around the world. Unfortunately, Hoopy is infamous within privacy protection circles for its ethically questionable practices, including unauthorized sales of personal data to marketers. Hoopy also was the target of credit card data theft that made headlines around the world, as at least two million credit card numbers were thought to have been pilfered despite the company's claims that "appropriate" data protection safeguards were in place. The scandal affected the company's business as competitors were quick to market an increased level of protection while offering similar entertainment and media content. Within three weeks after the scandal broke, Hoopy founder and CEO Maxwell Martin, Goddard's mentor, was forced to step down.
Goddard, however, seems to have landed on his feet, securing the CEO position at your company, Medialite, which is just emerging from its start-up phase. He sold the company's board and investors on his vision of Medialite building its brand partly on the basis of industry-leading data protection standards and procedures. He may have been a key part of a lapsed or even rogue organization in matters of privacy but now he claims to be reformed and a true believer in privacy protection. In his first week on the job, he calls you into his office and explains that your primary work responsibility is to bring his vision for privacy to life. But you also detect some reservations. "We want Medialite to have absolutely the highest standards," he says. "In fact, I want us to be able to say that we are the clear industry leader in privacy and data protection. However, I also need to be a responsible steward of the company's finances. So, while I want the best solutions across the board, they also need to be cost effective."
You are told to report back in a week's time with your recommendations. Charged with this ambiguous mission, you depart the executive suite, already considering your next steps.
The CEO likes what he's seen of the company's improved privacy program, but wants additional assurance that it is fully compliant with industry standards and reflects emerging best practices. What would best help accomplish this goal?
A. An external audit conducted by a panel of industry experts
B. An internal audit team accountable to upper management
C. Creation of a self-certification framework based on company policies
D. Revision of the strategic plan to provide a system of technical controls
SCENARIO
Please use the following to answer the next question:
Jonathan recently joined a healthcare payment processing solutions company as a senior privacy manager. One morning, Jonathan awakens to several emails informing him that an individual cloud server failed due to a flood in its server room, damaging its hardware and destroying all the data the company had stored on that drive. Jonathan was not aware that the company had this particular cloud account or that any data was being stored there because it was not included in the data mapping or data inventory provided to him by his predecessor. Jonathan's predecessor conducted a data inventory and mapping exercise 4 years ago and updated it on an annual basis.
Renee works in the sales department and tells Jonathan that she doesn't think that account had been used since the company moved to a bigger cloud vendor three years ago. She also advised him that the account was mostly used by Human Resources (HR) and Accounts Payable (AP). Jonathan speaks to both departments and learns that each had met with his predecessor multiple times and explained they saved sensitive personal data on that drive, including health and financial related personal data and "other stuff." Jonathan also learns that the data stored in that account was not backed up pursuant to company policy. Jonathan asks his IT department who had access to that particular account and learns that there were no access controls in place, making the account available to anyone in the company, despite the purported sensitivity of the data being stored there.
Jonathan is panicking as the data can't be recovered, and he can't determine exactly what data was saved on that account or to whom it belongs. Two days later, the company receives 32 data subject access requests and Accounts Payable confirms Jonathan's worry that these data subjects' personal data was likely stored on this account. He searches for the company's data subject access request policy, but later learns it doesn't exist.
Which step did Jonathan correctly determine most significantly contributed to the issue at hand?
A. Due diligence on the cloud provider that hosted the impacted account had not been performed.
B. Training and awareness around appropriate storage of sensitive personally identifiable data had not been performed.
C. This cloud account and the personal data stored there had not been accounted for in the data mapping or accounted for in the data inventory.
D. Specific instructions on backing up data to human resources and accounts payable had not been given to Human Resources and Accounts Payable.
Under the General Data Protection Regulation (GDPR), what obligation does a data controller or processor have after appointing a Data Protection Officer (DPO)?
A. To submit for approval to the DPO a code of conduct to govern organizational practices and demonstrate compliance with data protection principles.
B. To provide resources necessary to carry out the defined tasks of the DPO and to maintain their expert knowledge.
C. To ensure that the DPO acts as the sole point of contact for individuals’ questions about their personal data.
D. To ensure that the DPO receives sufficient instructions regarding the exercise of their defined tasks.
SCENARIO
Please use the following to answer the next question:
You were recently hired by InStyle Data Corp. as a privacy manager to help InStyle Data Corp. become compliant with a new data protection law.
The law mandates that businesses have reasonable and appropriate security measures in place to protect personal data. Violations of that mandate are heavily fined and the legislators have stated that they will aggressively pursue companies that don't comply with the new law.
You are paired with a security manager and tasked with reviewing InStyle Data Corp.'s current state and advising the business how it can meet the "reasonable and appropriate security" requirement. InStyle Data Corp. has grown rapidly and has not kept a data inventory or completed a data mapping. InStyle Data Corp. has also developed security-related policies ad hoc and many have never been implemented. The various teams involved in the creation and testing of InStyle Data Corp.'s products experience significant turnover and do not have well-defined roles. There's little documentation addressing what personal data is processed by which product and for what purpose.
Work needs to begin on this project immediately so that InStyle Data Corp. can become compliant by the time the law goes into effect. You and your partner discover that InStyle Data Corp. regularly sends files containing sensitive personal data back to its customers through email, sometimes using InStyle Data Corp. employees' personal email accounts. You also learn that InStyle Data Corp.'s privacy and information security teams are not informed of new personal data flows, new products developed by InStyle Data Corp. that process personal data, or updates to existing InStyle Data Corp. products that may change what or how the personal data is processed until after the product or update has gone live.
Through a review of InStyle Data Corp.'s test and development environment logs, you discover InStyle Data Corp. sometimes gives login credentials to any InStyle Data Corp. employee or contractor who requests them. The test environment only contains dummy data, but the development environment contains personal data, including Social Security Numbers, health information, and financial information. All credentialed InStyle Data Corp. employees and contractors have the ability to alter and delete personal data in both environments regardless of their role or what project they are working on.
You and your partner provide a gap assessment citing the issues you spotted, along with recommended remedial actions and a method to measure implementation. InStyle Data Corp. implements all of the recommended security controls.
You review the processes, roles, controls, and measures taken to appropriately protect the personal data at every step. However, you realize there is no plan for monitoring and nothing in place addressing sanctions for violations of the updated policies and procedures. InStyle Data Corp. pushes back, stating they do not have the resources for such monitoring.
What aspect of the data management life cycle have you as Privacy Manager NOT accounted for?
A. Auditability.
B. Minimalism.
C. Enforcement.
D. Retrievability.