IAPP CIPM practice test

Certified Information Privacy Manager (CIPM) Exam


Question 1

Which of the following information must be provided by the data controller when complying with
GDPR right to be informed requirements?
  • A. The purpose of personal data processing.
  • B. The data subject's right to withdraw consent.
  • C. The contact details of the Data Protection Officer (DPO).
  • D. The name of any organizations with whom personal data was shared.

Answer:

C


Question 2

If your organization has a recurring issue with colleagues not reporting personal data breaches, all of
the following are advisable to do EXCEPT?

  • A. Carry out a root cause analysis on each breach to understand why the incident happened.
  • B. Communicate to everyone that breaches must be reported and how they should be reported.
  • C. Provide role-specific training to areas where breaches are happening so they are more aware.
  • D. Distribute a phishing exercise to all employees to test their ability to recognize a threat attempt.
Answer:

C


Question 3

“Respond” in the privacy operational lifecycle includes which of the following?

  • A. Information security practices and functional area integration.
  • B. Privacy awareness training and compliance monitoring.
  • C. Communication to stakeholders and alignment to laws.
  • D. Information requests and privacy rights requests.
Answer:

D


Question 4

An organization’s internal audit team should do all of the following EXCEPT?

  • A. Implement processes to correct audit failures.
  • B. Verify that technical measures are in place.
  • C. Review how operations work in practice.
  • D. Ensure policies are being adhered to.
Answer:

B


Question 5

How do privacy audits differ from privacy assessments?

  • A. They are non-binding.
  • B. They are evidence-based.
  • C. They are based on standards.
  • D. They are conducted by external parties.
Answer:

C


Question 6

Which of the following is NOT a type of privacy program metric?

  • A. Business enablement metrics.
  • B. Data enhancement metrics.
  • C. Value creation metrics.
  • D. Risk-reduction metrics.
Answer:

C


Question 7

Which will best assist you in quickly identifying weaknesses in your network and storage?

  • A. Running vulnerability scanning tools.
  • B. Reviewing your privacy program metrics.
  • C. Reviewing your role-based access controls.
  • D. Establishing a complaint-monitoring process.
Answer:

A


Question 8

There are different forms of monitoring available for organizations to consider when aligning with
their privacy program goals.
Which of the following forms of monitoring is best described as auditing?

  • A. Evaluating operations, systems, and processes.
  • B. Tracking, reporting and documenting complaints from all sources.
  • C. Assisting in the completion of attesting reporting for SOC2, ISO, or BS7799.
  • D. Ensuring third parties have appropriate security and privacy requirements in place.
Answer:

A


Question 9

What is least likely to be achieved by implementing a Data Lifecycle Management (DLM) program?

  • A. Reducing storage costs.
  • B. Ensuring data is kept for no longer than necessary.
  • C. Crafting policies which ensure minimal data is collected.
  • D. Increasing awareness of the importance of confidentiality.
Answer:

C


Question 10

Data retention and destruction policies should meet all of the following requirements EXCEPT?

  • A. Data destruction triggers and methods should be documented.
  • B. Personal information should be retained only for as long as necessary to perform its stated purpose.
  • C. Documentation related to audit controls (third-party or internal) should be saved in a non-permanent format by default.
  • D. The organization should be documenting and reviewing policies of its other functions to ensure alignment (e.g. HR, business development, finance, etc.).
Answer:

C
