Privacy Practices and Compliance, Exams of Auditing

This study guide covers various aspects of privacy practices and compliance, including the differences between privacy notices and policies, the concept of a privacy dashboard, the top causes of data breaches, the role of the privacy office and legal office in declaring a breach, the differences between a breach and an incident, the purpose of privacy audits, the elements of data lifecycle management, the steps involved in the metric lifecycle, and the obligations of data processors under the General Data Protection Regulation (GDPR). It also covers topics related to technical security controls, the use of personal data, data inventory analysis, privacy regulation enforcement, and the Asia-Pacific Economic Cooperation (APEC) privacy framework. It offers insights into the importance of privacy practices, the legal and regulatory requirements, and the strategies for ensuring data protection and compliance.

Typology: Exams

2024/2025

Available from 10/22/2024

nancy-kimani 🇬🇧

CIPM Exam Study Guide {159 Questions and Answers}
1. What are the 5 phases of a privacy program audit?: Planning, Preparation, Audit, Report, Followup
2. What happens during the audit planning phase of PPARF?: Risk assessment, schedule, selecting auditor, pre-audit questionnaire, preparatory meeting/visit and checklist
3. What happens during the Audit Preparation phase of PPARF?: Confirm schedule, confirm and prepare checklists, sampling criteria and audit plan
4. What happens during the Audit phase of PPARF?: Meeting and audit execution
5. What happens during the Report phase of PPARF?: Noncompliance records and categories (major/minor), audit report, closing meeting and distribution
6. What happens during the Followup phase of PPARF?: Confirm scope, schedule, methodology and closure
7. What are the three types of privacy governance models? (privacy governance may be "____, ____, or ____."): Centralized, Localized, or Hybrid

8. When creating your privacy office governance model, you should consider what 4 factors?: 1. existing organisational structure, 2. position and authority of the privacy team, 3. involvement level of senior leadership and internal stakeholders, 4. the development of internal partnerships.
9. What are the advantages/disadvantages of the hybrid governance model?: Advantage: resources of a larger centralized organisation. Disadvantage: decentralized decision making provides less big-picture vision.
10. What are the 5 maturity levels of the GAPP Privacy Maturity Model?: 1. Ad Hoc, 2. Repeatable, 3. Defined, 4. Managed, 5. Optimized (ARDMO)
11. What are the 5 mechanisms that allow organizations to transfer data across borders? (there is something else you must also have): 1. Adequacy Decisions

Defined - Process & procedures: fully documented, implemented, cover all relevant aspects
Managed - Reviews conducted to assess effectiveness of controls in place
Optimized - Regular reviews/feedback are used to ensure continual improvement toward optimisation of a given process
Describe Adequacy Decisions: "Adequacy" means that one country (or jurisdiction, such as the EU) has deemed another country's data protection laws "adequate" to safeguard its own data.
Describe Ad Hoc Contracts: Ad hoc contractual clauses may also be used for GDPR compliance, although they must receive prior supervisory authority approval and thus are potentially a less attractive option for controllers.
Describe Standard Contractual Clauses: A standard contractual clause (language written into a contract) may be a way for organisations to facilitate cross-border transfers (these have been challenged recently and decisions are pending in the EUCJ)

ownership and responsibility of privacy within the business objectives.

(For example, within a U.S. healthcare organisation, a metrics audience may include a HIPAA privacy officer, medical interdisciplinary readiness team (MIRT), senior executive staff and covered entity workforce.)

What kinds of roles typically fill the Primary Metric Audience for a privacy program?: Legal and privacy officers, senior leadership, chief information officer (CIO), chief security officer (CSO), program managers (PM), information system owner (ISO), information security officer (ISO); others are considered users and managers
What kinds of roles typically fill the Secondary Metric Audience for a privacy program?: Chief financial officer (CFO), training organisations, human resources (HR), inspectors general (IG), HIPAA security officials
Who typically makes up the Tertiary Metric Audience for a privacy program?: External watchdog groups

It provides funds for legal defense in court, presents amicus curiae briefs, defends individuals and new technologies from what it considers abusive legal threats, works to expose government malfeasance, provides guidance to the government and courts, organizes political action and mass mailings, supports some new technologies which it believes preserve personal freedoms and online civil liberties, maintains a database and web sites of related news and information, monitors and challenges potential legislation that it believes would infringe on personal liberties and fair use, and solicits a list of what it considers abusive patents with intentions to defeat those that it considers without merit.

What is the higher of the 2 types of GDPR fines and what triggers it?: 20 Million Euros or 4% of total turnover. The fine is triggered by infringement of the GDPR principles, examples being fairness, lawfulness, transparency, refusing data subject rights, and unlawful international transfers
What is the lower of the 2 types of GDPR fines and what triggers it?: 10 Million Euros or 2% of total turnover. Triggered by data security breaches

32. A company has 30 subsidiaries across the globe. What is the best strategy you can recommend?: Rationalize Requirements (Manuel's notes - revisit modules to verify)
33. In which scenario do data subjects have a right to delete their data?: When the data is no longer needed for the original purpose for which it was collected.
34. How should an international organization that has a binding corporate rule in place behave?: All employees must follow the rule no matter where they are located.
35. Which type of organizational system for a privacy management program do you have when you delegate privacy related decisions?: Decentralized (localized/decentralized - this model includes delegation of decisions and information from bottom to top levels of the company)
40. What are the top three Privacy TEAM responsibilities?: 1. meet regulatory compliance obligations (like GDPR), 2. meet expectations of business clients & partners, 3. safeguard data against attacks and threats
41. Customer service employees for a health insurance company are granted access to subscribers' sensitive personal information so they can assist with inquiries regarding coverage and billing. What business function is most likely responsible for deciding which employees may access subscribers' sensitive personal info? A) Legal B) HR C) IT D) Information Security: Information Security

(Remember Info Security would be responsible for items like an information access policy, where IT would actually be enabling systems access)

42. True or False: When positioning privacy within an organization, you may wish to consider Influence, Global Scope, Budget, Project Management, and Support?: True
43. What is true about the APEC privacy framework?: It is a standard that enables Asia-Pacific data transfers to benefit consumers, businesses, & governments
44. Describe Privacy by Design (PbD) solutions: PbD solutions are built by organizations to ensure consumers' privacy protections at every stage in developing their products. (These protections include reasonable security for consumer data, limited collection & retention of such data, and reasonable procedures to promote data accuracy)
45. What are the five stages of the policy lifecycle?: 1) Draft 2) Get approval

so that they can order prescriptions online. Their team wants to sell it in Europe. The European models are going to communicate with a data centre in Finland. 1) What should Kate have done before selling the product in Europe? 2) What is one of the problems they will have in the EU?: 1) Kate should have considered European legislation (prior to selling in Europe). 2) The type of data that the device stores. (Themes: Cross Border Data Transfers, US vs EU Privacy Law, Special Cases of Data (medical))

49. Case Study SuperHotel Chain Training: SuperHotel are a mega hotel and hospitality group (which seem very similar to that huge hotel group that have a name beginning with M and ending in T that suffered a breach recently). They have hotels all over the world. Mike, who works for SuperHotel, was tasked with delivering training to new hires. Mike quickly realised that it would be more efficient to deliver the training electronically, given that they have hotels all over the world, so he put together an online course. This was fiercely popular in the hotel group. With this success the team decided to sell the training outside the hotel. They developed the offering to be available externally and it was even more popular for many years. Their public-facing offering captured users' data, including their credit card details, to pay for their training. On their sign-up page the option to have SuperHotel save their credit card details permanently was enabled by default (thus this was an opt-out option). The training company then became its own separate entity from the hotel. Over the years the training market declined due to increased competition and the training company slowly went out of business. However, all their customer data (including credit card information) was kept on an archive server at SuperHotel group. SuperHotel group then got hacked, information about hotel guests was compromised AND the hackers managed to get into the training company's archive