IAPP CIPM practice test

Certified Information Privacy Manager (CIPM) Exam

Last exam update: Feb 26, 2024
Page 1 of 11. Viewing questions 1-15 of 159

Question 1

Which of the following information must be provided by the data controller when complying with
GDPR right to be informed requirements?
  • A. The purpose of personal data processing.
  • B. The data subject's right to withdraw consent.
  • C. The contact details of the Data Protection Officer (DPO).
  • D. The name of any organizations with whom personal data was shared.

Answer: C


Question 2

If your organization has a recurring issue with colleagues not reporting personal data breaches, all of
the following are advisable to do EXCEPT?

  • A. Carry out a root cause analysis on each breach to understand why the incident happened.
  • B. Communicate to everyone that breaches must be reported and how they should be reported.
  • C. Provide role-specific training to areas where breaches are happening so they are more aware.
  • D. Distribute a phishing exercise to all employees to test their ability to recognize a threat attempt.
Answer: C


Question 3

“Respond” in the privacy operational lifecycle includes which of the following?

  • A. Information security practices and functional area integration.
  • B. Privacy awareness training and compliance monitoring.
  • C. Communication to stakeholders and alignment to laws.
  • D. Information requests and privacy rights requests.
Answer: D


Question 4

An organization’s internal audit team should do all of the following EXCEPT?

  • A. Implement processes to correct audit failures.
  • B. Verify that technical measures are in place.
  • C. Review how operations work in practice.
  • D. Ensure policies are being adhered to.
Answer: B


Question 5

How do privacy audits differ from privacy assessments?

  • A. They are non-binding.
  • B. They are evidence-based.
  • C. They are based on standards.
  • D. They are conducted by external parties.
Answer: C


Question 6

Which of the following is NOT a type of privacy program metric?

  • A. Business enablement metrics.
  • B. Data enhancement metrics.
  • C. Value creation metrics.
  • D. Risk-reduction metrics.
Answer: C


Question 7

Which will best assist you in quickly identifying weaknesses in your network and storage?

  • A. Running vulnerability scanning tools.
  • B. Reviewing your privacy program metrics.
  • C. Reviewing your role-based access controls.
  • D. Establishing a complaint-monitoring process.
Answer: A


Question 8

There are different forms of monitoring available for organizations to consider when aligning with
their privacy program goals.
Which of the following forms of monitoring is best described as auditing?

  • A. Evaluating operations, systems, and processes.
  • B. Tracking, reporting and documenting complaints from all sources.
  • C. Assisting in the completion of attesting reporting for SOC2, ISO, or BS7799.
  • D. Ensuring third parties have appropriate security and privacy requirements in place.
Answer: A


Question 9

What is least likely to be achieved by implementing a Data Lifecycle Management (DLM) program?

  • A. Reducing storage costs.
  • B. Ensuring data is kept for no longer than necessary.
  • C. Crafting policies which ensure minimal data is collected.
  • D. Increasing awareness of the importance of confidentiality.
Answer: C


Question 10

Data retention and destruction policies should meet all of the following requirements EXCEPT?

  • A. Data destruction triggers and methods should be documented.
  • B. Personal information should be retained only for as long as necessary to perform its stated purpose.
  • C. Documentation related to audit controls (third-party or internal) should be saved in a non-permanent format by default.
  • D. The organization should be documenting and reviewing policies of its other functions to ensure alignment (e.g. HR, business development, finance, etc.).
Answer: C


Question 11

What is most critical when outsourcing a data destruction service?

  • A. Obtain a certificate of data destruction.
  • B. Confirm data destruction must be done on-site.
  • C. Conduct an annual in-person audit of the provider’s facilities.
  • D. Ensure that they keep an asset inventory of the original data.
Answer: D


Question 12

Which of the following best supports implementing controls to bring privacy policies into effect?

  • A. The internal audit department establishing the audit controls which test for policy effectiveness.
  • B. The legal department or outside counsel conducting a thorough review of the privacy program and policies.
  • C. The Chief Information Officer as part of the Senior Management Team creating enterprise privacy policies to ensure controls are available.
  • D. The information technology (IT) group supporting and enhancing the privacy program and privacy policy by developing processes and controls.
Answer: A


Question 13

A minimum requirement for carrying out a Data Protection Impact Assessment (DPIA) would
include?

  • A. Processing on a large scale of special categories of data.
  • B. Monitoring of a publicly accessible area on a large scale.
  • C. Assessment of the necessity and proportionality.
  • D. Assessment of security measures.
Answer: C


Question 14

Your company wants to convert paper records that contain customer personal information into
electronic form, upload the records into a new third-party marketing tool and then merge the
customer personal information in the marketing tool with information from other applications.
As the Privacy Officer, which of the following should you complete to effectively make these
changes?

  • A. A Record of Authority.
  • B. A Personal Data Inventory.
  • C. A Privacy Threshold Analysis (PTA).
  • D. A Privacy Impact Assessment (PIA).
Answer: B


Question 15

When devising effective employee policies to address a particular issue, which of the following
should be included in the first draft?

  • A. Rationale for the policy.
  • B. Points of contact for the employee.
  • C. Roles and responsibilities of the different groups of individuals.
  • D. Explanation of how the policy is applied within the organization.
Answer: B
