IAPP CIPM Certified Information Privacy Manager (CIPM) Exam Practice Test

Answer : A

A physical control that can limit privacy risk is keypad or biometric access. This is a type of access control that restricts who can enter or access a physical location or device where personal data is stored or processed. Keypad or biometric access requires a code or a biological feature (such as a fingerprint or a face scan) to authenticate the identity and authorization of the person seeking access. This can prevent unauthorized access, theft, loss, or damage of personal data by outsiders or insiders, .Reference:[CIPM - International Association of Privacy Professionals], [Free CIPM Study Guide - International Association of Privacy Professionals]

Answer : C

Crafting policies which ensure minimal data is collected is least likely to be achieved by implementing a Data Lifecycle Management (DLM) program, as it is more related to the data collection stage, not the data management stage. A DLM program focuses on how to handle the data after it has been collected, such as how to store, use, share, and dispose of it. The other options are more likely to be achieved by implementing a DLM program, as they help to optimize the data storage costs, comply with the data retention obligations, and protect the data confidentiality.Reference:CIPM Body of Knowledge, Domain III: Privacy Program Management Activities, Task 1: Manage data inventory.

Answer : D

A Privacy Impact Assessment (PIA) is a process that helps an organization identify and evaluate the potential privacy risks and impacts of a new or existing project, program, system, or service that involves the collection, use, disclosure, or retention of personal information. A PIA also helps an organization identify and implement appropriate measures to mitigate or eliminate those risks and impacts, and ensure compliance with applicable privacy laws, regulations, and standards. A PIA should be completed to effectively make changes that involve customer personal information, such as converting paper records into electronic form, uploading the records into a new third-party marketing tool, and merging the customer personal information in the marketing tool with information from other applications. A PIA can help an organization assess the necessity, proportionality, and legality of the proposed changes, as well as the potential privacy risks to the customers and the organization, such as unauthorized access, disclosure, modification, or loss of personal information, identity theft, fraud, reputational damage, or legal liability. A PIA can also help an organization implement appropriate measures to mitigate or eliminate those risks, such as data minimization, encryption, anonymization, pseudonymization, consent management, access control, security safeguards, contractual clauses, data protection impact assessments (DPIAs), data subject rights, breach notification procedures, and privacy policies.

CIPM Body of Knowledge (2021), Domain IV: Privacy Program Operational Life Cycle, Section C: Monitoring and Managing Program Performance Subsection 1: Privacy Impact Assessments1

CIPM Study Guide (2021), Chapter 9: Monitoring and Managing Program Performance Section 9.1: Privacy Impact Assessments2

CIPM Textbook (2019), Chapter 9: Monitoring and Managing Program Performance Section 9.1: Privacy Impact Assessments3

CIPM Practice Exam (2021), Question 1464

Answer : C

A data inventory is a good starting point to understand the scope of privacy program needs, as it provides a comprehensive overview of what personal data is collected, processed, stored, shared, and disposed of by the organization. A data inventory can help identify the legal obligations, risks, and gaps in the privacy program, as well as the opportunities for improvement and optimization. The other options are also important components of a privacy program, but they are more effective when based on a data inventory.Reference:CIPM Body of Knowledge, Domain II: Privacy Program Operational Life Cycle, Task 1: Assess the current state of the privacy program.

Answer : B

When expanding into a new jurisdiction, it is not necessary to appoint a new Privacy Officer (PO) for that jurisdiction, unless the local law requires it. The other options are important steps to ensure compliance with the new jurisdiction's privacy laws and regulations, as well as to align the privacy program with the business objectives and culture of the new market.Reference:CIPM Body of Knowledge, Domain I: Privacy Program Governance, Task 1: Establish the privacy program vision and strategy.

Answer : B

The GDPR specifies fines that may be levied against data controllers for certain infringements. According to Article 83(4)(a) of the GDPR, failure to implement technical and organizational measures to ensure data protection is enshrined by design and default will be subject to administrative fines of up to 10 000 000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Data protection by design and default is a principle that requires data controllers to integrate data protection considerations into every stage of the processing activities, from the conception to the execution, and to adopt appropriate measures to safeguard the rights and interests of the data subjects by default, such as minimizing the amount and retention period of personal data, pseudonymizing or encrypting personal data, ensuring transparency and accountability, and enabling data subject rights.

CIPM Body of Knowledge (2021), Domain I: Privacy Program Governance, Section A: Privacy Governance Models, Subsection 2: Privacy by Design

CIPM Study Guide (2021), Chapter 2: Privacy Governance Models, Section 2.2: Privacy by Design

CIPM Textbook (2019), Chapter 2: Privacy Governance Models, Section 2.2: Privacy by Design

CIPM Practice Exam (2021), Question 130

GDPR Article 83(4)(a) and Article 25

Answer : D

The company should perform a multi-factor risk analysis immediately after discovering the loss of the laptop containing employee payroll data. A multi-factor risk analysis is a process of assessing the potential impact and likelihood of a data breach, taking into account various factors such as the nature, scope, context, and purpose of the processing, the type and severity of the harm that may result from the breach, the number and categories of data subjects and personal data affected, the measures taken to mitigate the risk, and any relevant legal obligations or codes of conduct.A multi-factor risk analysis can help the company determine whether the breach poses a high risk to the rights and freedoms of the data subjects, and whether it needs to notify them and/or the relevant supervisory authority without undue delay, as required by Article 33 and 34 of the GDPR1. A multi-factor risk analysis can also help the company identify the root cause of the breach, evaluate the effectiveness of its existing security measures, and implement appropriate corrective actions to prevent or minimize similar incidents in the future.

CIPM Body of Knowledge (2021), Domain IV: Privacy Program Operational Life Cycle, Section B: Protecting Personal Information, Subsection 2: Data Breach Incident Planning and Management2

CIPM Study Guide (2021), Chapter 8: Protecting Personal Information, Section 8.2: Data Breach Incident Planning and Management3

CIPM Textbook (2019), Chapter 8: Protecting Personal Information, Section 8.2: Data Breach Incident Planning and Management4

CIPM Practice Exam (2021), Question 1285

GDPR Article 33 and 341