Single Questions Flashcards
What is the best way to understand the location, use and importance of personal data within an organisation?
a. By analysing the data inventory
b. By testing the security of data systems
c. By evaluating methods for collecting data
d. By interviewing employees tasked with data entry
By analysing the data inventory
What are you doing if you succumb to “overgeneralisation” when analysing data from metrics?
a. Using data that is too broad to capture specific meanings
b. Processing too many types of data to perform a valid analysis
c. Using limited data in an attempt to support broad conclusions
d. Trying to use several measurements to gauge one aspect of a program
Using data that is too broad to capture specific meanings
In addition to regulatory requirements and business practices, what important factors must a global privacy strategy consider?
a. Monetary exchange
b. Geographic features
c. Political history
d. Cultural norms
Cultural norms
What have experts identified as an important trend in privacy program development?
a. The narrowing of regulatory definitions of personal information
b. The rollback of ambitious programs due to budgetary restraints
c. The movement beyond crisis management to proactive prevention
d. The stabilization of programs as the pace of new legal mandates slows
The movement beyond crisis management to proactive prevention
Which statement is FALSE regarding the use of technical security controls?
a. They are a part of a data governance strategy
b. Technical security controls deployed for one jurisdiction often satisfy another jurisdiction
c. Most privacy legislation lists the types of technical security controls that must be implemented
d. A person with security knowledge should be involved with the deployment of technical security controls
Most privacy legislation lists the types of technical security controls that must be implemented
An organisation's privacy officer was just notified by the benefits manager that she accidentally sent the retirement enrolment report of all employees to the wrong vendor. Which of the following actions should the privacy officer take first?
a. Perform a risk of harm analysis
b. Report the incident to law enforcement
c. Contact the recipient to delete the email
d. Send firm-wide email notification to employees
Perform a risk of harm analysis
Why were the nongovernmental privacy organisations Electronic Frontier Foundation and Electronic Privacy Information Center established?
a. To promote consumer confidence in the internet industry
b. To improve the user experience during online shopping
c. To protect civil liberties and raise consumer awareness
d. To promote security on the internet through strong encryption
To protect civil liberties and raise consumer awareness
What is the main function of the Asia-Pacific Economic Cooperation Privacy Framework?
a. Enabling regional data transfers
b. Protecting data from parties outside the region
c. Establishing legal requirements for privacy protection in the region
d. Marketing privacy protection technologies developed in the region
Enabling regional data transfers
Which of the following is TRUE about the Data Protection Impact Assessment process as required under the GDPR?
a. The DPIA result must be reported to the corresponding supervisory authority
b. The DPIA report must be published to demonstrate the transparency of the data processing
c. The DPIA must include a description of the proposed processing operation and its purpose
d. The DPIA is required if the processing activity entails risk to the rights and freedoms of an EU individual
The DPIA is required if the processing activity entails risk to the rights and freedoms of an EU individual
As a DPO, one of your roles entails monitoring changes in laws and regulations and updating policies accordingly. How would you most effectively execute this responsibility?
a. Consult an external lawyer
b. Regularly engage regulators
c. Attend workshops and interact with other professionals
d. Subscribe to email listservs that report on regulatory changes
Subscribe to email listservs that report on regulatory changes
In privacy protection, what is a “covered entity”?
a. Personal data collected by a privacy organisation
b. An organisation subject to the privacy provisions of HIPAA
c. A privacy office or team fully responsible for protecting personal information
d. Hidden gaps in privacy protection that may go unnoticed without expert analysis
An organisation subject to the privacy provisions of HIPAA
Which of the following best describes proper compliance for an international organisation using Binding Corporate Rules as a controller or processor?
a. Employees must sign an ad hoc contractual agreement each time personal data is exported
b. All employees are subject to the rules in their entirety, regardless of where the work is taking place
c. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established
d. Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement
All employees are subject to the rules in their entirety, regardless of where the work is taking place
What should be the first major goal of a company developing a new privacy program?
a. To survey potential funding sources for privacy team resources
b. To schedule conversations with executives of affected departments
c. To identify potential third-party processors of the organisation's information
d. To create Data Lifecycle Management policies and procedures to limit data collection
To identify potential third-party processors of the organisation's information
Which is TRUE about the scope and authority of data protection oversight authorities?
a. The Office of the Privacy Commissioner of Canada has the right to impose financial sanctions on violators
b. All authority in the European Union rests with the Data Protection Commission
c. No one agency officially oversees the enforcement of privacy regulations in the US
d. The Asia-Pacific Economic Cooperation Privacy Framework requires all member nations to designate a national data protection authority
No one agency officially oversees the enforcement of privacy regulations in the US
What should a privacy professional keep in mind when selecting which metrics to collect?
a. Metrics should be reported to the public
b. The number of metrics should be limited at first
c. Metrics should reveal strategies for increasing company earnings
d. A variety of metrics should be collected before determining their specific functions
The number of metrics should be limited at first
If an organisation maintains a separate ethics office, to whom would its officer typically report in order to retain the greatest degree of independence?
a. The Board of Directors
b. The Chief Financial Officer
c. The HR Director
d. The organisation's General Counsel
The Board of Directors
What is a key feature of the privacy metric template adapted from the National Institute of Standards and Technology (NIST)?
a. It provides suggestions about how to collect and measure data
b. It can be tailored to an org’s particular needs
c. It is updated annually to reflect changes in government policy
d. It is focussed on organisations that do business internationally
It provides suggestions about how to collect and measure data
What US federal law requires financial institutions to declare their personal data collection practices?
a. The Kennedy-Hatch Disclosure Act of 1997
b. The Gramm-Leach-Bliley Act of 1999
c. SUPCLA, or the federal Superprivacy Act of 2001
d. The Financial Portability and Accountability Act of 2006
The Gramm-Leach-Bliley Act of 1999
What practice would afford the Director the most rigorous way to check on the program's compliance with laws, regulations and industry best practices?
a. Auditing
b. Monitoring
c. Assessment
d. Forensics
Monitoring
What analytic can be used to track the financial viability of the program as it develops?
a. Cost basis
b. Gap analysis
c. Return on investment
d. Breach impact modelling
Return on investment
Which of the following indicates you have developed the right privacy framework for your organisation?
a. It includes a privacy assessment of each major system
b. It improves the consistency of the privacy program
c. It works at a different type of organisation
d. It identifies all key stakeholders by name
It improves the consistency of the privacy program
Rationalising requirements in order to comply with the various privacy obligations imposed by applicable law and regulation does NOT include which of the following?
a. Harmonising shared obligations and privacy rights across varying legislation and/or regulators
b. Implementing a solution that significantly addresses shared obligations and privacy rights
c. Applying the strictest standard for obligations and privacy rights that doesn't violate privacy laws elsewhere
d. Addressing requirements that fall outside the common obligations and rights (outliers) on a case-by-case basis
Implementing a solution that significantly addresses shared obligations and privacy rights
What is the name for the privacy strategy model that describes delegated decision making?
a. De-centralised
b. De-functionalised
c. Hybrid
d. Matrix
De-centralised
Which of the following controls does the PCI DSS framework NOT require?
a. Implement strong asset control protocols
b. Implement strong access control measures
c. Maintain an information security policy
d. Maintain a vulnerability management program
Implement strong asset control protocols