CIPM Pratice Test 1 - 30
29. Which of the following is most likely to trigger the need to update the data inventory? A. A new Data Protection Officer being hired B. A new Chief Information Security Officer being hired C. A change in the organization D. A data breach
A change in the organization
16. A company is subject to a certain law and assigned employees responsibility for compliance and developed Excel sheets for monitoring and reporting. What could this be called? A. An auditable system B. The compliance landscape C. A comprehensive approach D. A framework
A framework
8. What is "the authority aims to safeguard the balance between the right to privacy and other rights"? A. A goal statement B. A Data Protection Authority guarantee C. A mission or vision (correct) D. The Data Protection Authority's legally required statement
A mission or vision
4. What can be considered to be the essence of an organization's privacy notice communicated to the outside world? A. A layered explanation B. A promise on handling C. Icons properly displayed D. Opt-in instead of opt-out
A promise on handling
15. How can a privacy standard that an organization uses be most appropriately described? A. An approach to privacy compliance B. Getting a sponsor or champion privacy C. An approach to getting the organization to handle personal information correctly D. Getting the right people in the right place
An approach to getting the organization to handle personal information correctly
6. Which of the following is the best description of an accountable organization? A. An organization that reprimands staff for violations of procedure B. An organization that states the Chief Executive Officer and Chief Financial Officer are responsible for privacy C. An organization with the necessary policies and procedures D. An organization that handles personal information correctly
An organization with the necessary policies and procedures
28. Why can multiple departments most likely be involved in the process of creating a data inventory? A. A sponsor is usually the Chief Executive Officer B. Because the privacy manager is assigned to make the entire organization compliant C. The sponsor is responsible for the entire organization D. Because processes run through the entire organization
Because processes run through the entire organization
A popular music venue hosts an event at least twice a week. It sells a certain amount of tickets for each event, so the number of people that can enter is limited. At the events photographs are taken, which is indicated at the entrance of the venue (after the ticket check). One day, an angry visitor shows up, demanding to speak to the manager. It turned out his wife saw him on the photos that were published on the internet, and he had told her that he was working overtime whilst instead he went to see his favorite band. The manager assured the visitor that they have every right to take photos and publish them, as it is their venue and there was a sign before entering, so the visitor could have known and could have chosen to leave. In return the visitor responds that he did not see the sign, and when checking the sign he notices that there is no warning that the photos will be published on the internet. 19. When should the photo notice ideally have been provided? A. After purchase of the ticket B. Before the purchase of the ticket C. Before publishing the photos online D. Before the ticket is checked at the entrance so the customer has the choice to leave 20. In the European Union, if the processing of the photo was indeed illegal, what could the data subject have done? A. Request access to the photo B. Sue the company for damages C. Get a refundD. Divorce his wife for stalking 21. If the photographer is an external party, what would the photographer most likely be in this context? A. A data subject B. A data controller C. A co-controller D. A data processor
Before the purchase of the ticket ,Sue the company for damages, A data processor
22. Which of the following is NOT an example of self-regulation? A. DMA guidelines for ethical business practices B. Binding Corporate Rules C. Children's advertising review unit guidelines D. Network Advertising Initiative Code of Conduct
Binding Corporate Rules
23. When designing business processes, what is the most elaborate aspect to take into account? A. Consent B. Right to be forgotten C. Processing on a legal processing criterion D. Informing of automated decision making
Consent
17. Which type of organization has loose policies and managers that control small groups of employees? A. Hybrid B. Decentralized C. Centralized D. Diffused
Decentralized
27. Once a data inventory has finished, how would you most likely use the results? A. Judge the Data Protection Officer's performance B. Judge the Chief Information Security Officer's performance C. Determine privacy priorities D. Show the fault of a processor in case of a data breach
Determine privacy priorities
2. Which of the following is least likely a goal of an organization's privacy program? A. Legal compliance B. Meeting customer expectations C. Hiring a privacy officer or manager D. Reducing risk
Hiring a privacy officer or manager
12. How can you best describe metadata? A. Information about data B. The file types used C. The time files are stored D. The contact person for the data inventory
Information about data
24. Which of the following is not a country with its regulatory authority? A. Indonesia - Minister of Communication and Informatics B. South Korea - Minister of the Interior and Safety C. Japan - Personal Information Protection Agency D. New Zealand - Office of the Privacy Commissioner
Japan - Personal Information Protection Agency
A manufacturing company has placed computers all around the manufacturing area to help machine operators to relax during their lunch break and check their e-mails or social media. The company is doing so in an attempt to stop the machine operators from being distracted by their phones during their work and all the dangers that come with being distracted in a manufacturing area. All the computers are connected to both the intranet and the internet. This allows an internal news bulletin and all policies and procedures to be displayed easily. There are regular updates, for example on family events, updates of procedures, bonus-related information and news on the employee of the month. In addition to involving employees by sharing company news with them, all procedures are on the intranet. Anything from safe work practice guidelines to social media guidelines can be found on the intranet. To use the computer, no login is needed. All computers are configured to be accessible to anyone, with ease. A downside of this is a shared hard-drive, and the older employees do not know that whatever they open on the computer is stored (temporarily). 9. In the scenario provided, where is the organization on the Privacy Maturity Model? A. Defined. B. Ad hoc C. Repeatable D. Managed (correct) 10. What is likely the biggest danger of a shared computer without user accounts? A. It cannot be traced in case an illegal action takes place B. There is a shift in responsibility regarding what a person does on social media C. Employees can access each other's personal data (correct) D. Every time someone uses the computer it constitutes a data breach 11. Given that the employees potentially see each other's data, a notice is visible on a piece of paper next to the computer. What can this be called? A. A layered privacy notice B. An opt-in notice C. A just-in-time notice D. An opt-out noticeMore information:
Managed , Employees can access each other's personal data, A Just in Time Notice
Which of the following is not a metric an organization would use? A. Data breaches B. Return on investment C. DDOS attacks D. Minimize security threats
Minimize Security Threats
7. Which step is likely not part of a privacy program with the goal to protect an organization's brand? A. Prevent phishing e-mails using the company logo from being sent B. Determine whether customers regard the company as transparent C. See which regulations may not be complied withD. Identify weaknesses in security
Prevent phishing e-mails using the company logo from being sent
3. In which of the following ways can internal audit most likely help a privacy program? A. Being in contact with the Data Protection Authority B. Providing consultancy services C. Reporting to the Chief Executive Officer D. Approving privacy controls after testing them
Providing Consultancy Services
5. Which of the following is most true about privacy by design? A. The option to reject cookies is privacy by design B. Results, partly, in compliance with the General Data Protection Regulation C. The automatic popup window asking to stop sending user analytics is privacy by design D. Privacy by design is part of a privacy program
Results, partly, in compliance with the General Data Protection Regulation
14. A group of petrochemical companies set up guidelines and audit each other on its compliance and individual companies report their findings to the authorities if they find a law broken, what is this most likely? A. Co-regulation B. Self-regulation C. Mutual auditing D. Risk based auditing
Self-regulation
13. Which of the following countries is least likely or latest to implement a comprehensive privacy law? A. The United Kingdom B. Belgium C. South Africa D. The United States
The United States
26. Which of the following is most likely not an element of a data inventory? A. Information format B. The requirement of contacting the Data Protection Authority in case of a data breach (correct) C. Who receives the data D. How information is used
The requirement of contacting the Data Protection Authority in case of a data breach
25. What is the most likely reason for an organization to perform a data assessment? A. To determine how the organization needs to handle the data B. To figure out whether a Data Protection Officer is required C. To assign responsibilities within the organization D. To determine the storage requirements of an organization's data processing
To determine how the organization needs to handle the data
30. What is most likely the biggest benefit for an organization of buying an online data inventory software package? A. A shift in responsibility for completeness of the data inventory B. Updates with law changes C. A data breach management module is included D. Cloud backups of the data inventory
Updates with law changes
18. When is a data protection Officer not necessarily required in the European Union? A. For public authorities or bodies B. When processing sensitive personal data on a large scale is the company's core activity C. When a group of large office buildings and hospitals, including the persons inside, are systematically monitored D. When processing the data of 10 000 employees
When processing the data of 10 000 employees