Single Questions Flashcards

1
Q

What is the best way to understand the location, use and importance of personal data within an organisation?

a. By analysing the data inventory
b. By testing the security of data systems
c. By evaluating methods for collecting data
d. By interviewing employees tasked with data entry

A

By analysing the data inventory

2
Q

What are you doing if you succumb to “overgeneralisation” when analysing data from metrics?

a. Using data that is too broad to capture specific meanings
b. Processing too many types of data to perform a valid analysis
c. Using limited data in an attempt to support broad conclusions
d. Trying to use several measurements to gauge one aspect of a program

A

Using data that is too broad to capture specific meanings

3
Q

In addition to regulatory requirements and business practices, what important factors must a global privacy strategy consider?

a. Monetary exchange
b. Geographic features
c. Political history
d. Cultural norms

A

Cultural norms

4
Q

What have experts identified as an important trend in privacy program development?

a. The narrowing of regulatory definitions of personal information
b. The rollback of ambitious programs due to budgetary restraints
c. The movement beyond crisis management to proactive prevention
d. The stabilization of programs as the pace of new legal mandates slows

A

The movement beyond crisis management to proactive prevention

5
Q

Which statement is FALSE regarding the use of technical security controls?

a. They are a part of a data governance strategy
b. Technical security controls deployed for one jurisdiction often satisfy another jurisdiction
c. Most privacy legislation lists the types of technical security controls that must be implemented
d. A person with security knowledge should be involved with the deployment of technical security controls

A

Most privacy legislation lists the types of technical security controls that must be implemented

6
Q

An organisation's privacy officer was just notified by the benefits manager that she accidentally sent the retirement enrolment report of all employees to the wrong vendor. Which of the following actions should the privacy officer take first?

a. Perform a risk of harm analysis
b. Report the incident to law enforcement
c. Contact the recipient to delete the email
d. Send firm-wide email notification to employees

A

Perform a risk of harm analysis

7
Q

Why were the nongovernmental privacy orgs, Electronic Frontier Foundation and Electronic Privacy Information Centre established?

a. To promote consumer confidence in the internet industry
b. To improve the user experience during online shopping
c. To protect civil liberties and raise consumer awareness
d. To promote security on the internet through strong encryption

A

To protect civil liberties and raise consumer awareness

8
Q

What is the main function of the Asia-Pacific Economic Cooperation Privacy Framework?

a. Enabling regional data transfers
b. Protecting data from parties outside the region
c. Establishing legal requirements for privacy protection in the region
d. Marketing privacy protection technologies developed in the region

A

Enabling regional data transfers

9
Q

Which of the following is TRUE about the Data Protection Impact Assessment process as required under the GDPR?

a. The DPIA result must be reported to the corresponding supervisory authority
b. The DPIA report must be published to demonstrate the transparency of the data processing
c. The DPIA must include a description of the proposed processing operation and its purpose.
d. The DPIA is required if the processing activity entails risk to the rights and freedoms of an EU individual

A

The DPIA is required if the processing activity entails risk to the rights and freedoms of an EU individual

10
Q

As a DPO, one of your roles entails monitoring changes in laws and regulations and updating policies accordingly. How would you most effectively execute this responsibility?

a. Consult an external lawyer
b. Regularly engage regulators
c. Attend workshops and interact with other professionals
d. Subscribe to email listservs that report on regulatory changes

A

Subscribe to email listservs that report on regulatory changes

11
Q

In privacy protection, what is a “covered entity”?

a. Personal data collected by a privacy organisation
b. An organisation subject to the privacy provisions of HIPAA
c. A privacy office or team fully responsible for protecting personal information
d. Hidden gaps in privacy protection that may go unnoticed without expert analysis

A

An organisation subject to the privacy provisions of HIPAA

12
Q

Which of the following best describes proper compliance for an international organisation using Binding Corporate Rules as a controller or processor?

a. Employees must sign an ad hoc contractual agreement each time personal data is exported
b. All employees are subject to the rules in their entirety, regardless of where the work is taking place.
c. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.
d. Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.

A

All employees are subject to the rules in their entirety, regardless of where the work is taking place.

13
Q

What should be the first major goal of a company developing a new privacy program?

a. To survey potential funding sources for privacy team resources
b. To schedule conversations with execs of affected departments
c. To identify potential 3rd party processors of the organisation’s information
d. To create Data Lifecycle Management policies and procedures to limit data collection

A

To identify potential 3rd party processors of the organisation’s information

14
Q

Which is TRUE about the scope and authority of data protection oversight authorities?

a. The Office of the Privacy Commissioner of Canada has the right to impose financial sanctions on violators.
b. All authority in the European Union rests with the Data Protection Commission
c. No one agency officially oversees the enforcement of privacy regulations in the US
d. The Asia-Pacific Economic Cooperation Privacy Framework requires all member nations to designate a national data protection authority.

A

No one agency officially oversees the enforcement of privacy regulations in the US

15
Q

What should a privacy professional keep in mind when selecting which metrics to collect?

a. Metrics should be reported to the public
b. The number of metrics should be limited at first
c. Metrics should reveal strategies for increasing company earnings
d. A variety of metrics should be collected before determining their specific functions

A

The number of metrics should be limited at first

16
Q

If an organisation maintains a separate ethics office, to whom would its officer typically report in order to retain the greatest degree of independence?

a. The Board of Directors
b. The Chief Financial Officer
c. The HR Director
d. The org’s General Counsel

A

The Board of Directors

17
Q

What is a key feature of the privacy metric template adapted from the National Institute of Standards and Technology (NIST)?

a. It provides suggestions about how to collect and measure data
b. It can be tailored to an org’s particular needs
c. It is updated annually to reflect changes in government policy
d. It is focussed on organisations that do business internationally

A

It provides suggestions about how to collect and measure data

18
Q

What US federal law requires financial institutions to declare their personal data collection practices?

a. The Kennedy-Hatch Disclosure Act of 1997
b. The Gramm-Leach-Bliley Act of 1999
c. SUPCLA, or the federal Superprivacy Act of 2001
d. The Financial Portability and Accountability Act of 2006

A

The Gramm-Leach-Bliley Act of 1999

19
Q

What practice would afford the Director the most rigorous way to check on the program’s compliance with laws, regulations and industry best practices?

a. Auditing
b. Monitoring
c. Assessment
d. Forensics

A

Monitoring

20
Q

What analytic can be used to track the financial viability of the program as it develops?

a. Cost basis
b. Gap analysis
c. Return on investment
d. Breach impact modelling

A

Return on investment

21
Q

Which of the following indicates you have developed the right privacy framework for your organisation?

a. It includes a privacy assessment of each major system
b. It improves the consistency of the privacy program
c. It works at a different type of organisation
d. It identifies all key stakeholders by name

A

It improves the consistency of the privacy program

22
Q

Rationalising requirements in order to comply with the various privacy obligations imposed by applicable law and regulation does NOT include which of the following?

a. Harmonising shared obligations and privacy rights across varying legislation and/or regulators
b. Implementing a solution that significantly addresses shared obligations and privacy rights
c. Applying the strictest standard for obligations and privacy rights that doesn’t violate privacy laws elsewhere
d. Addressing requirements that fall outside the common obligations and rights (outliers) on a case by case basis

A

Implementing a solution that significantly addresses shared obligations and privacy rights

23
Q

What is the name for the privacy strategy model that describes delegated decision making?

a. De-centralised
b. De-functionalised
c. Hybrid
d. Matrix

A

De-centralised

24
Q

Which of the following controls does the PCI DSS framework NOT require?

a. Implement strong asset control protocols
b. Implement strong access control measures
c. Maintain an information security policy
d. Maintain a vulnerability management program

A

Implement strong asset control protocols

25
Q

Which of the following privacy frameworks are legally binding?

a. Binding Corporate Rules
b. Generally Accepted Privacy Principles
c. Asia-Pacific Economic Cooperation Privacy Framework
d. Organisation for Economic Co-Operation and Development Guidelines (OECD)

A

Binding Corporate Rules

26
Q

Which of the following is an example of Privacy by Design?

a. A company hires a professional to structure a privacy program that anticipates the increasing demands of new laws.
b. The HR group develops a training program for employees to become certified in privacy
c. A labour union insists that the details of the employer's data protection methods be documented in a new contract
d. The information technology group uses privacy considerations to inform the development of new networking software

A

The information technology group uses privacy considerations to inform the development of new networking software

27
Q

In regards to the collection of personal data conducted by an organisation, what must the data subject be allowed to do?

a. Evaluate the qualifications of a 3rd party processor before any data is transferred to that processor
b. Obtain a guarantee of prompt notification in instances involving unauthorised access of the data
c. Set a time limit as to how long the personal data may be stored by the organisation
d. Challenge the authenticity of the personal data and have it corrected if needed

A

Challenge the authenticity of the personal data and have it corrected if needed

28
Q

Which is NOT an influence on the privacy environment external to an organisation?

a. Management team priorities
b. Regulations
c. Consumer demand
d. Technological advances

A

Management team priorities

29
Q

How are individual program needs and specific organisational goals identified in privacy framework development?

a. By employing metrics to align privacy protection with objectives ??
b. Through conversations with the privacy team
c. By employing an industry standard needs analysis
d. Through creation of the business case ??

A

Through creation of the business case

30
Q

Formosa International operates in 20 different countries including the US and France. What organisational approach would make complying with a number of different regulations easier?

a. Data mapping
b. Fair information practices
c. Rationalising requirements
d. Decentralised privacy management

A

Decentralised privacy management

31
Q

When implementing Privacy by Design, what would NOT be a key consideration?

a. Collection limitation
b. Data minimisation
c. Limitations on liability
d. Purpose specification

A

Limitations on liability

32
Q

For an organisation that has just experienced a data breach, what might be the least relevant metric for a company’s privacy and governance team?

a. The number of security patches applied to company devices
b. The number of privacy rights requests that have been exercised
c. The number of Privacy Impact Assessments that have been completed
d. The number of employees who have completed data awareness training

A

The number of privacy rights requests that have been exercised

33
Q

In which situation would a Privacy Impact Assessment be the least likely to be required?

a. If a company created a credit-scoring platform 5 years ago
b. If a health-care professional or lawyer processed personal data from a patient’s file
c. If a social media company created a new product compiling personal data to generate user profiles
d. If an after-school club processes children’s data to determine which children might have food allergies

A

If a health-care professional or lawyer processed personal data from a patient’s file

34
Q

Under the GDPR, what must be included in a written agreement between the controller and processor in relation to processing conducted on the controller’s behalf?

a. An obligation on the processor to report any personal data breach to the controller within 72 hours
b. An obligation on both parties to report any serious personal data breach to the supervisory authority
c. An obligation on both parties to agree to a termination of the agreement if the other party is responsible for a personal data breach
d. An obligation on the processor to assist the controller in complying with the controller’s obligations to notify the supervisory authority about personal data breaches

A

An obligation on the processor to assist the controller in complying with the controller’s obligations to notify the supervisory authority about personal data breaches

35
Q

You would like your organisation to be independently audited to demonstrate compliance with international privacy standards and to identify gaps for remediation. Which type of audit would help you achieve this objective?

a. First party audit
b. Second party audit
c. Third party audit
d. Fourth party audit

A

Third party audit

36
Q

An organisation’s business continuity plan or disaster recovery plan does NOT typically include what?

a. Recovery time objectives
b. Emergency response guidelines
c. Statement of organisational responsibilities
d. Retention schedule for storage and destruction of information

A

Retention schedule for storage and destruction of information

37
Q

What is one obligation that the GDPR imposes on data processors?

a. To honour all data access requests from data subjects
b. To inform data subjects about the identity and contact details of the controller
c. To implement appropriate technical and organisational measures that ensure an appropriate level of security
d. To carry out data protection impact assessments in cases where processing is likely to result in high risk to the rights and freedoms of individuals

A

To implement appropriate technical and organisational measures that ensure an appropriate level of security

38
Q

An executive for a multinational online retail company in the US is looking for guidance in developing her company’s privacy program beyond what is specifically required by law. What would be the most effective resource for the executive to consult?

a. Internal auditors
b. Industry frameworks
c. Oversight organisations
d. Breach notifications from competitors

A

Industry frameworks

39
Q

What is one reason the European Union has enacted more comprehensive privacy laws than the US?

a. To ensure adequate enforcement of existing laws
b. To ensure there is adequate funding for enforcement
c. To allow separate industries to set privacy standards
d. To allow the free movement of data between member countries

A

To allow the free movement of data between member countries

40
Q

All of the following changes will likely trigger a data inventory update EXCEPT?

a. Outsourcing the Customer Relationship Management (CRM) function
b. Acquisition of a new subsidiary
c. Onboarding a new vendor
d. Passage of a new privacy regulation

A

Onboarding a new vendor

41
Q

Which of the following is NOT typically a function of a Privacy Officer?

a. Managing an organisation’s information security infrastructure
b. Serving as an interdepartmental liaison for privacy concerns
c. Monitoring an organisation’s compliance with privacy laws
d. Responding to information access requests from the public

A

Managing an organisation’s information security infrastructure

42
Q

What is the main reason to begin with 3-5 key metrics during the program development process?

a. To avoid undue financial costs
b. To keep the focus on the main organisation objectives
c. To minimise selective data use
d. To keep the process limited to as few people as possible

A

To avoid undue financial costs

43
Q

What is the main purpose of a privacy program audit?

a. To mitigate the effects of a privacy breach
b. To justify a privacy department budget increase
c. To make decisions on privacy staff roles and responsibilities
d. To ensure the adequacy of data protection procedures

A

To ensure the adequacy of data protection procedures

44
Q

Under the GDPR, when would a data subject have the right to require the erasure of his or her data without undue delay?

a. When the data subject is a public authority
b. When the erasure is in the public interest
c. When the processing is carried out by automated means
d. When the data is no longer necessary for its original purpose

A

When the data is no longer necessary for its original purpose

45
Q

What is the key factor that lays the foundation for all other elements of a privacy program?

a. The applicable privacy regulations
b. The structure of a privacy team
c. A privacy mission statement
d. A responsible internal stakeholder

A

The applicable privacy regulations

46
Q

Collection, Access and Destruction are aspects of what privacy management process?

a. The data governance strategy
b. The breach response plan
c. The metric lifecycle
d. The business case

A

The data governance strategy

47
Q

What does it mean to “rationalise” data protection requirements?

a. Evaluate the costs and risks of applicable laws and regulations and address those that have the greatest penalties
b. Look for overlaps in laws and regulation from which a common solution can be developed
c. Determine where laws and regulations are redundant in order to eliminate some from requiring compliance
d. Address the less stringent laws and regulations, and inform stakeholders why they are applicable

A

Look for overlaps in laws and regulation from which a common solution can be developed

48
Q

Which term describes a piece of personal data that alone may not identify an individual?

a. Unbundled data
b. A singularity
c. Non-aggregated infopoint
d. A single attribute

A

A single attribute

49
Q

What is the function of the privacy operational lifecycle?

a. It establishes initial plans for privacy protection and implementation
b. It allows the organisation to respond to ever-changing privacy demands
c. It ensures that outdated privacy policies are retired on a set schedule
d. It allows privacy policies to mature to a fixed form

A

It allows the organisation to respond to ever-changing privacy demands

50
Q

Which is the best way to view an organisation’s privacy framework?

a. As an industry benchmark that can apply to many organisations
b. As a fixed structure that directs changes in the organisation
c. As an aspirational goal that improves the organisation
d. As a living structure that aligns to changes in the organisation

A

As a living structure that aligns to changes in the organisation

51
Q

An organisation is establishing a mission statement for its privacy program. Which of the following statements would be the best to use?

a. This privacy program encourages cross-organisational collaboration which will stop all data breaches
b. Our organisation was founded in 2054 to reduce the chance of a future disaster like the one that occurred 10 years ago. All individuals from our area of the country should be concerned about a future disaster. However, with our privacy program they should not be concerned about the misuse of their information.
c. The goal of the privacy program is to protect the privacy of all individuals who support our organisation. To meet this goal, we must work to comply with all applicable privacy laws.
d. In the next 20 years, our privacy program should be able to eliminate 80% of our current breaches. To do this, everyone in our organisation must complete our annual privacy training course and all personally identifiable information must be inventoried

A

The goal of the privacy program is to protect the privacy of all individuals who support our organisation. To meet this goal, we must work to comply with all applicable privacy laws.

52
Q

In a sample metric template, what does “target” mean?

a. The suggested volume of data to collect
b. The percentage of completion
c. The threshold for a satisfactory rating
d. The frequency at which the data is sampled

A

The threshold for a satisfactory rating

53
Q

Under which circumstances would people who work in HR be considered a secondary audience for privacy metrics?

a. They do not receive training on privacy issues
b. They do not interface with the financial office
c. They do not have privacy policy as their main task
d. They do not have frequent interactions with the public

A

They do not have privacy policy as their main task

54
Q

You give a presentation to your CEO about privacy program maturity. What does it mean to have a “managed” privacy program, according to the AICPA/CICA Privacy Maturity Model?

a. Procedures or processes exist however they are not fully documented and do not cover all relevant aspects
b. Procedures and processes are fully documented and implemented, and cover all relevant aspects.
c. Reviews are conducted to assess the effectiveness of the controls in place
d. Regular review and feedback are used to ensure continuous improvement toward optimisation of the given process.

A

Reviews are conducted to assess the effectiveness of the controls in place

55
Q

Which of the following best demonstrates the effectiveness of a firm’s privacy incident response process?

a. The decrease of security breaches
b. The decrease of notifiable breaches
c. The increase of privacy incidents reported by users
d. The decrease of mean time to resolve privacy incidents

A

The decrease of mean time to resolve privacy incidents

56
Q

Which of the following is TRUE about a PIA?

a. Any project that involves the use of personal data requires a PIA
b. A Data Protection Impact Analysis process includes a PIA
c. The PIA must be conducted at the early stages of the project lifecycle
d. The results from a previous information audit can be leveraged in a PIA process

A

The PIA must be conducted at the early stages of the project lifecycle

57
Q

Read the following steps:
• Perform frequent data back-ups
• Perform test restorations to verify integrity of backed up data
• Maintain backed up data offline or on separate servers.

These steps can help an organisation recover from what?

a) Phishing attacks
b) Authorisation errors
c) Ransomware attacks
d) Stolen encryption keys

A

Ransomware attacks

58
Q

The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following will be subject to administrative fines of up to 10,000,000 EUR or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year?

a. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing
b. Failure to implement technical and organisational measures to ensure data protection is enshrined by design and default
c. Failure to process personal information in a manner compatible with its original purpose
d. Failure to provide the means for a data subject to rectify inaccuracies in personal data

A

Failure to implement technical and organisational measures to ensure data protection is enshrined by design and default

59
Q

What is the main purpose in notifying data subjects of a data breach?

a. To avoid financial penalties and legal liability
b. To enable regulators to understand trends and developments that may shape the law
c. To ensure organisations have accountability for the sufficiency of their security measures
d. To allow individuals to take any actions required to protect themselves from possible consequences

A

To allow individuals to take any actions required to protect themselves from possible consequences

60
Q

Under the GDPR, which situation would be LEAST likely to require a Data Protection Impact Assessment?

a. A health clinic processing its patients’ genetic and health data
b. The use of a camera system to monitor driving behaviour on highways
c. A HR department using a tool to monitor its employees’ internet activity
d. An online magazine using a mailing list to send a generic daily digest to marketing emails

A

An online magazine using a mailing list to send a generic daily digest to marketing emails

61
Q

Under the GDPR, which of the following situations would LEAST likely require a controller to notify a data subject?

a. An encrypted USB key with sensitive personal data is stolen
b. A direct marketing email is sent with recipients visible in the “cc” field
c. Personal data of a group of individuals is erroneously sent to the wrong mailing list
d. A hacker publishes usernames, phone numbers and purchase history online after a cyber-attack

A

An encrypted USB key with sensitive personal data is stolen