IAPP cipm practice test

Question 1

Which of the following information must be provided by the data controller when complying with
GDPR right to be informed requirements?
A. The purpose of personal data processing.
B. The data subjects right to withdraw consent
C. The contact details of the Data Protection Officer (DPO).
D. The name of any organizations with whom personal data was shared.

Question 2

If your organization has a recurring issue with colleagues not reporting personal data breaches, all of
the following are advisable to do EXCEPT?

• A. Carry out a root cause analysis on each breach to understand why the incident happened.
• B. Communicate to everyone that breaches must be reported and how they should be reported.
• C. Provide role-specific training to areas where breaches are happening so they are more aware.
• D. Distribute a phishing exercise to all employees to test their ability to recognize a threat attempt.

Question 3

“Respond” in the privacy operational lifecycle includes which of the following?

• A. Information security practices and functional area integration.
• B. Privacy awareness training and compliance monitoring.
• C. Communication to stakeholders and alignment to laws.
• D. Information requests and privacy rights requests.

Question 4

An organization’s internal audit team should do all of the following EXCEPT?

• A. Implement processes to correct audit failures.
• B. Verify that technical measures are in place.
• C. Review how operations work in practice.
• D. Ensure policies are being adhered to.

Question 5

How do privacy audits differ from privacy assessments?

• A. They are non-binding.
• B. They are evidence-based.
• C. They are based on standards.
• D. They are conducted by external parties.

Question 6

Which of the following is NOT a type of privacy program metric?

• A. Business enablement metrics.
• B. Data enhancement metrics.
• C. Value creation metrics.
• D. Risk-reduction metrics.

Question 7

Which will best assist you in quickly identifying weaknesses in your network and storage?

• A. Running vulnerability scanning tools.
• B. Reviewing your privacy program metrics.
• C. Reviewing your role-based access controls.
• D. Establishing a complaint-monitoring process.

Question 8

There are different forms of monitoring available for organizations to consider when aligning with
their privacy program goals.
Which of the following forms of monitoring is best described as auditing?

• A. Evaluating operations, systems, and processes.
• B. Tracking, reporting and documenting complaints from all sources.
• C. Assisting in the completion of attesting reporting for SOC2, ISO, or BS7799.
• D. Ensuring third parties have appropriate security and privacy requirements in place.

Question 9

What is least likely to be achieved by implementing a Data Lifecycle Management (DLM) program?

• A. Reducing storage costs.
• B. Ensuring data is kept for no longer than necessary.
• C. Crafting policies which ensure minimal data is collected.
• D. Increasing awareness of the importance of confidentiality.

Question 10

Data retention and destruction policies should meet all of the following requirements EXCEPT?

• A. Data destruction triggers and methods should be documented.
• B. Personal information should be retained only for as long as necessary to perform its stated purpose.
• C. Documentation related to audit controls (third-party or internal) should be saved in a non- permanent format by default.
• D. The organization should be documenting and reviewing policies of its other functions to ensure alignment (e.g. HR, business development, finance, etc.).

Question 11

What is most critical when outsourcing data destruction service?

• A. Obtain a certificate of data destruction.
• B. Confirm data destruction must be done on-site.
• C. Conduct an annual in-person audit of the provider’s facilities.
• D. Ensure that they keep an asset inventory of the original data.

Question 12

Which of the following best supports implementing controls to bring privacy policies into effect?

• A. The internal audit department establishing the audit controls which test for policy effectiveness.
• B. The legal department or outside counsel conducting a thorough review of the privacy program and policies.
• C. The Chief Information Officer as part of the Senior Management Team creating enterprise privacy policies to ensure controls are available.
• D. The information technology (IT) group supporting and enhancing the privacy program and privacy policy by developing processes and controls.

Question 13

A minimum requirement for carrying out a Data Protection Impact Assessment (DPIA) would
include?

• A. Processing on a large scale of special categories of data.
• B. Monitoring of a publicly accessible area on a large scale.
• C. Assessment of the necessity and proportionality.
• D. Assessment of security measures.

Question 14

Your company wants to convert paper records that contain customer personal information into
electronic form, upload the records into a new third-party marketing tool and then merge the
customer personal information in the marketing tool with information from other applications.
As the Privacy Officer, which of the following should you complete to effectively make these
changes?

• A. A Record of Authority.
• B. A Personal Data Inventory.
• C. A Privacy Threshold Analysis (PTA).
• D. A Privacy Impact Assessment (PIA).

Question 15

When devising effective employee policies to address a particular issue, which of the following
should be included in the first draft?

• A. Rationale for the policy.
• B. Points of contact for the employee.
• C. Roles and responsibilities of the different groups of individuals.
• D. Explanation of how the policy is applied within the organization.