IAPP CIPM dumps

IAPP CIPM Exam Dumps

Certified Information Privacy Manager (CIPM)
709 Reviews

Exam Code: CIPM
Exam Name: Certified Information Privacy Manager (CIPM)
Questions: 262 Questions and Answers With Explanation
Update Date: February 02, 2026
Price: Was $81, Today $45; Was $99, Today $55; Was $117, Today $65

Why Should You Prepare For Your Certified Information Privacy Manager (CIPM) With MyCertsHub?

At MyCertsHub, we go beyond standard study material. Our platform provides authentic IAPP CIPM Exam Dumps, detailed exam guides, and reliable practice exams that mirror the actual Certified Information Privacy Manager (CIPM) test. Whether you’re targeting IAPP certifications or expanding your professional portfolio, MyCertsHub gives you the tools to succeed on your first attempt.

Verified CIPM Exam Dumps

Every set of exam dumps is carefully reviewed by certified experts to ensure accuracy. For the Certified Information Privacy Manager (CIPM), you’ll receive updated practice questions designed to reflect real-world exam conditions. This approach saves time, builds confidence, and focuses your preparation on the most important exam areas.

Realistic Test Prep For The CIPM

You can instantly access downloadable PDFs of CIPM practice exams with MyCertsHub. These include authentic practice questions paired with explanations, making our exam guide a complete preparation tool. By testing yourself before exam day, you’ll walk into the IAPP Exam with confidence.

Smart Learning With Exam Guides

Our structured CIPM exam guide focuses on the Certified Information Privacy Manager (CIPM)'s core topics and question patterns. You will be able to concentrate on what really matters for passing the test rather than wasting time on irrelevant content.

Pass the CIPM Exam – Guaranteed

We Offer A 100% Money-Back Guarantee On Our Products.

After using MyCertsHub's exam dumps to prepare for the Certified Information Privacy Manager (CIPM) exam, we will issue a full refund. That’s how confident we are in the effectiveness of our study resources.

Try Before You Buy – Free Demo

Still undecided? See for yourself how MyCertsHub has helped thousands of candidates achieve success by downloading a free demo of the CIPM exam dumps.

MyCertsHub – Your Trusted Partner For IAPP Exams

Whether you’re preparing for Certified Information Privacy Manager (CIPM) or any other professional credential, MyCertsHub provides everything you need: exam dumps, practice exams, practice questions, and exam guides. Passing your CIPM exam has never been easier thanks to our tried-and-true resources.

IAPP CIPM Sample Question Answers

Question # 1

What does it mean to “rationalize” data protection requirements?

A. Evaluate the costs and risks of applicable laws and regulations and address those that have the greatest penalties 
B. Look for overlaps in laws and regulations from which a common solution can be developed 
C. Determine where laws and regulations are redundant in order to eliminate some from requiring compliance 
D. Address the less stringent laws and regulations, and inform stakeholders why they are applicable 



Question # 2

“Collection”, “access” and “destruction” are aspects of what privacy management process?

A. The data governance strategy
B. The breach response plan
C. The metric life cycle 
D. The business case 



Question # 3

SCENARIO

Please use the following to answer the next QUESTION:

Penny has recently joined Ace Space, a company that sells homeware accessories online, as its new privacy officer. The company is based in California but thanks to some great publicity from a social media influencer last year, the company has received an influx of sales from the EU and has set up a regional office in Ireland to support this expansion. To become familiar with Ace Space’s practices and assess what her privacy priorities will be, Penny has set up meetings with a number of colleagues to hear about the work that they have been doing and their compliance efforts.

Penny’s colleague in Marketing is excited by the new sales and the company’s plans, but is also concerned that Penny may curtail some of the growth opportunities he has planned. He tells her “I heard someone in the breakroom talking about some new privacy laws but I really don’t think it affects us. We’re just a small company. I mean we just sell accessories online, so what’s the real risk?” He has also told her that he works with a number of small companies that help him get projects completed in a hurry. “We’ve got to meet our deadlines otherwise we lose money. I just sign the contracts and get Jim in finance to push through the payment. Reviewing the contracts takes time that we just don’t have.”

In her meeting with a member of the IT team, Penny has learned that although Ace Space has taken a number of precautions to protect its website from malicious activity, it has not taken the same level of care of its physical files or internal infrastructure. Penny’s colleague in IT has told her that a former employee lost an encrypted USB key with financial data on it when he left. The company nearly lost access to their customer database last year after they fell victim to a phishing attack. Penny is told by her IT colleague that the IT team “didn’t know what to do or who should do what. We hadn’t been trained on it but we’re a small team though, so it worked out OK in the end.”

Penny is concerned that these issues will compromise Ace Space’s privacy and data protection. Penny is aware that the company has solid plans to grow its international sales and will be working closely with the CEO to give the organization a data “shake up”. Her mission is to cultivate a strong privacy culture within the company. Penny has a meeting with Ace Space’s CEO today and has been asked to give her first impressions and an overview of her next steps.

To help Penny and her CEO with their objectives, what would be the most helpful approach to address her IT concerns?

A. Roll out an encryption policy 
B. Undertake a tabletop exercise 
C. Ensure inventory of IT assets is maintained
D. Host a town hall discussion for all IT employees



Question # 4

SCENARIO

Please use the following to answer the next QUESTION:

For 15 years, Albert has worked at Treasure Box – a mail order company in the United States (U.S.) that used to sell decorative candles around the world, but has recently decided to limit its shipments to customers in the 48 contiguous states. Despite his years of experience, Albert is often overlooked for managerial positions. His frustration about not being promoted, coupled with his recent interest in issues of privacy protection, have motivated Albert to be an agent of positive change.

He will soon interview for a newly advertised position, and during the interview, Albert plans on making executives aware of lapses in the company’s privacy program. He feels certain he will be rewarded with a promotion for preventing negative consequences resulting from the company’s outdated policies and procedures.

For example, Albert has learned about the AICPA (American Institute of Certified Public Accountants)/CICA (Canadian Institute of Chartered Accountants) Privacy Maturity Model (PMM). Albert thinks the model is a useful way to measure Treasure Box’s ability to protect personal data. Albert has noticed that Treasure Box fails to meet the requirements of the highest level of maturity of this model; at his interview, Albert will pledge to assist the company with meeting this level in order to provide customers with the most rigorous security available.

Albert does want to show a positive outlook during his interview. He intends to praise the company’s commitment to the security of customer and employee personal data against external threats. However, Albert worries about the high turnover rate within the company, particularly in the area of direct phone marketing. He sees many unfamiliar faces every day who are hired to do the marketing, and he often hears complaints in the lunch room regarding long hours and low pay, as well as what seems to be flagrant disregard for company procedures.

In addition, Treasure Box has had two recent security incidents. The company has responded to the incidents with internal audits and updates to security safeguards. However, profits still seem to be affected and anecdotal evidence indicates that many people still harbor mistrust. Albert wants to help the company recover. He knows there is at least one incident the public is unaware of, although Albert does not know the details. He believes the company’s insistence on keeping the incident a secret could be a further detriment to its reputation. One further way that Albert wants to help Treasure Box regain its stature is by creating a toll-free number for customers, as well as a more efficient procedure for responding to customer concerns by postal mail.

In addition to his suggestions for improvement, Albert believes that his knowledge of the company’s recent business maneuvers will also impress the interviewers. For example, Albert is aware of the company’s intention to acquire a medical supply company in the coming weeks. With his forward thinking, Albert hopes to convince the managers who will be interviewing him that he is right for the job.

In consideration of the company’s new initiatives, which of the following laws and regulations would be most appropriate for Albert to mention at the interview as a priority concern for the privacy team?

A. Gramm-Leach-Bliley Act (GLBA) 
B. The General Data Protection Regulation (GDPR) 
C. The Telephone Consumer Protection Act (TCPA) 
D. Health Insurance Portability and Accountability Act (HIPAA) 



Question # 5

What is the key factor that lays the foundation for all other elements of a privacy program? 

A. The applicable privacy regulations 
B. The structure of a privacy team 
C. A privacy mission statement 
D. A responsible internal stakeholder 



Question # 6

Under the General Data Protection Regulation (GDPR), when would a data subject have the right to require the erasure of his or her data without undue delay? 

A. When the data subject is a public authority. 
B. When the erasure is in the public interest.
C. When the processing is carried out by automated means.
D. When the data is no longer necessary for its original purpose. 



Question # 7

What is the main reason to begin with 3-5 key metrics during the program development process? 

A. To avoid undue financial costs. 
B. To keep the focus on the main organizational objectives. 
C. To minimize selective data use. 
D. To keep the process limited to as few people as possible. 



Question # 8

Which of the following is NOT typically a function of a Privacy Officer? 

A. Managing an organization's information security infrastructure. 
B. Serving as an interdepartmental liaison for privacy concerns. 
C. Monitoring an organization's compliance with privacy laws. 
D. Responding to information access requests from the public.



Question # 9

All of the following changes will likely trigger a data inventory update EXCEPT? 

A. Outsourcing the Customer Relationship Management (CRM) function. 
B. Acquisition of a new subsidiary. 
C. Onboarding of a new vendor. 
D. Passage of a new privacy regulation. 



Question # 10

An executive for a multinational online retail company in the United States is looking for guidance in developing her company's privacy program beyond what is specifically required by law. What would be the most effective resource for the executive to consult?

A. Internal auditors. 
B. Industry frameworks. 
C. Oversight organizations. 
D. Breach notifications from competitors. 



Question # 11

What is one obligation that the General Data Protection Regulation (GDPR) imposes on data processors? 

A. To honor all data access requests from data subjects. 
B. To inform data subjects about the identity and contact details of the controller. 
C. To implement appropriate technical and organizational measures that ensure an appropriate level of security. 
D. To carry out data protection impact assessments in cases where processing is likely to result in high risk to the rights and freedoms of individuals. 



Question # 12

In which situation would a Privacy Impact Assessment (PIA) be the least likely to be required? 

A. If a company created a credit-scoring platform five years ago.
B. If a health-care professional or lawyer processed personal data from a patient's file.
C. If a social media company created a new product compiling personal data to generate user profiles. 
D. If an after-school club processed children's data to determine which children might have food allergies.



Question # 13

How are individual program needs and specific organizational goals identified in privacy framework development? 

A. By employing metrics to align privacy protection with objectives. 
B. Through conversations with the privacy team. 
C. By employing an industry-standard needs analysis. 
D. Through creation of the business case. 



Question # 14

Which is NOT an influence on the privacy environment external to an organization? 

A. Management team priorities. 
B. Regulations. 
C. Consumer demand. 
D. Technological advances. 



Question # 15

In regards to the collection of personal data conducted by an organization, what must the data subject be allowed to do?

A. Evaluate the qualifications of a third-party processor before any data is transferred to that processor. 
B. Obtain a guarantee of prompt notification in instances involving unauthorized access of the data. 
C. Set a time-limit as to how long the personal data may be stored by the organization. 
D. Challenge the authenticity of the personal data and have it corrected if needed. 



Question # 16

Which of the following controls does the PCI DSS framework NOT require? 

A. Implement strong asset control protocols. 
B. Implement strong access control measures.
C. Maintain an information security policy. 
D. Maintain a vulnerability management program.



Question # 17

Which of the following indicates you have developed the right privacy framework for your organization? 

A. It includes a privacy assessment of each major system.  
B. It improves the consistency of the privacy program. 
C. It works at a different type of organization. 
D. It identifies all key stakeholders by name. 



Question # 18

If an organization maintains a separate ethics office, to whom would its officer typically report in order to retain the greatest degree of independence?

A. The Board of Directors.
B. The Chief Financial Officer.
C. The Human Resources Director. 
D. The organization's General Counsel.



Question # 19

What should be the first major goal of a company developing a new privacy program? 

A. To survey potential funding sources for privacy team resources. 
B. To schedule conversations with executives of affected departments.
C. To identify potential third-party processors of the organization's information.
D. To create Data Lifecycle Management policies and procedures to limit data collection.



Question # 20

Which of the following best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor? 

A. Employees must sign an ad hoc contractual agreement each time personal data is exported.
B. All employees are subject to the rules in their entirety, regardless of where the work is taking place.
C. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established. 
D. Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement. 



Question # 21

SCENARIO

Please use the following to answer the next QUESTION:

John is the new privacy officer at the prestigious international law firm – A&M LLP. A&M LLP is very proud of its reputation in the practice areas of Trusts & Estates and Merger & Acquisition in both U.S. and Europe.

During lunch with a colleague from the Information Technology department, John heard that the Head of IT, Derrick, is about to outsource the firm's email continuity service to their existing email security vendor – MessageSafe. Being successful as an email hygiene vendor, MessageSafe is expanding its business by leasing cloud infrastructure from Cloud Inc. to host email continuity service for A&M LLP.

John is very concerned about this initiative. He recalled that MessageSafe was in the news six months ago due to a security breach. Immediately, John did a quick research of MessageSafe's previous breach and learned that the breach was caused by an unintentional mistake by an IT administrator. He scheduled a meeting with Derrick to address his concerns.

At the meeting, Derrick emphasized that email is the primary method for the firm's lawyers to communicate with clients, thus it is critical to have the email continuity service to avoid any possible email downtime. Derrick has been using the anti-spam service provided by MessageSafe for five years and is very happy with the quality of service provided by MessageSafe. In addition to the significant discount offered by MessageSafe, Derrick emphasized that he can also speed up the onboarding process since the firm already has a service contract in place with MessageSafe. The existing on-premises email continuity solution is about to reach its end of life very soon and he doesn't have the time or resource to look for another solution. Furthermore, the off-premises email continuity service will only be turned on when the email service at A&M LLP's primary and secondary data centers are both down, and the email messages stored at MessageSafe site for continuity service will be automatically deleted after 30 days.

Which of the following is the most effective control to enforce MessageSafe's implementation of appropriate technical countermeasures to protect the personal data received from A&M LLP?

A. MessageSafe must apply due diligence before trusting Cloud Inc. with the personal data received from A&M LLP.
B. MessageSafe must flow-down its data protection contract terms with A&M LLP to Cloud Inc.
C. MessageSafe must apply appropriate security controls on the cloud infrastructure. 
D. MessageSafe must notify A&M LLP of a data breach. 



Question # 22

What is the main function of the Asia-Pacific Economic Cooperation Privacy Framework? 

A. Enabling regional data transfers. 
B. Protecting data from parties outside the region. 
C. Establishing legal requirements for privacy protection in the region. 
D. Marketing privacy protection technologies developed in the region. 



Question # 23

Why were the nongovernmental privacy organizations, Electronic Frontier Foundation (EFF) and Electronic Privacy Information Center (EPIC), established? 

A. To promote consumer confidence in the Internet industry.
B. To improve the user experience during online shopping.
C. To protect civil liberties and raise consumer awareness.
D. To promote security on the Internet through strong encryption.



Question # 24

SCENARIO

Please use the following to answer the next QUESTION:

Henry Home Furnishings has built high-end furniture for nearly forty years. However, the new owner, Anton, has found some degree of disorganization after touring the company headquarters. His uncle Henry had always focused on production – not data processing – and Anton is concerned. In several storage rooms, he has found paper files, disks, and old computers that appear to contain the personal data of current and former employees and customers. Anton knows that a single break-in could irrevocably damage the company's relationship with its loyal customers. He intends to set a goal of guaranteed zero loss of personal information.

To this end, Anton originally planned to place restrictions on who was admitted to the physical premises of the company. However, Kenneth – his uncle's vice president and longtime confidante – wants to hold off on Anton's idea in favor of converting any paper records held at the company to electronic storage. Kenneth believes this process would only take one or two years. Anton likes this idea; he envisions a password-protected system that only he and Kenneth can access.

Anton also plans to divest the company of most of its subsidiaries. Not only will this make his job easier, but it will simplify the management of the stored data. The heads of subsidiaries like the art gallery and kitchenware store down the street will be responsible for their own information management. Then, any unneeded subsidiary data still in Anton's possession can be destroyed within the next few years.

After learning of a recent security incident, Anton realizes that another crucial step will be notifying customers. Kenneth insists that two lost hard drives in question are not cause for concern; all of the data was encrypted and not sensitive in nature. Anton does not want to take any chances, however. He intends on sending notice letters to all employees and customers to be safe.

Anton must also check for compliance with all legislative, regulatory, and market requirements related to privacy protection. Kenneth oversaw the development of the company's online presence about ten years ago, but Anton is not confident about his understanding of recent online marketing laws. Anton is assigning another trusted employee with a law background the task of the compliance assessment. After a thorough analysis, Anton knows the company should be safe for another five years, at which time he can order another check. Documentation of this analysis will show auditors due diligence.

Anton has started down a long road toward improved management of the company, but he knows the effort is worth it. Anton wants his uncle's legacy to continue for many years to come.

Which of Anton's plans for improving the data management of the company is most unachievable?

A. His initiative to achieve regulatory compliance.
B. His intention to transition to electronic storage.
C. His objective for zero loss of personal information.
D. His intention to send notice letters to customers and employees.



Question # 25

What have experts identified as an important trend in privacy program development? 

A. The narrowing of regulatory definitions of personal information. 
B. The rollback of ambitious programs due to budgetary restraints.
C. The movement beyond crisis management to proactive prevention.
D. The stabilization of programs as the pace of new legal mandates slows.



Feedback That Matters: Reviews of Our IAPP CIPM Dumps

    Brody Hamilton         Feb 02, 2026

My preparation for the CIPM exam was significantly facilitated by the MyCertsHub exam questions, which also saved me from wasting hours on random study guides.

    Theodore Murphy         Feb 01, 2026

The CIPM exam dump PDF was very useful to me because it covered everything that was on the exam and nothing else.

    Rupesh Gera         Feb 01, 2026

Using MyCertsHub practice tests for CIPM was the smartest decision I made; they highlighted areas I needed to strengthen before test day.

