[2021.3] Free Pass4itsure New IAPP CIPM Practice Test Questions And Answers Update

Pass4itsure shares a valid IAPP CIPM practice test to help pass the IAPP CIPM exam! The latest IAPP CIPM VCE dumps and IAPP CIPM PDF dumps, Pass4itsure IAPP CIPM exam questions have been updated https://www.pass4itsure.com/cipm.html (90 Q&As Dumps)

free IAPP CIPM exam pdf dumps https://drive.google.com/file/d/1DOQm_CpyBIg6nYYdY8YOV0bohSc50d__/view?usp=sharing

Share free IAPP CIPM exam questions – Pass4itsure

Practice IAPP CIPM exam question 1-13

QUESTION 1
Which is the best way to view an organization’s privacy framework?
A. As an industry benchmark that can apply to many organizations
B. As a fixed structure that directs changes in the organization
C. As an aspirational goal that improves the organization
D. As a living structure that aligns to changes in the organization
Correct Answer: B


QUESTION 2
SCENARIO
Please use the following to answer the next question:
You lead the privacy office for a company that handles information from individuals living in several countries throughout Europe and the Americas. You begin that morning’s privacy review when a contracts officer sends you a message asking for a phone call. The message lacks clarity and detail, but you presume that data was lost.
When you contact the contracts officer, he tells you that he received a letter in the mail from a vendor stating that the vendor improperly shared information about your customers. He called the vendor and confirmed that your company recently surveyed exactly 2000 individuals about their most recent healthcare experience and sent those surveys to the vendor to transcribe it into a database, but the vendor forgot to encrypt the database as promised in the contract. As a result, the vendor has lost control of the data.
The vendor is extremely apologetic and offers to take responsibility for sending out the notifications. They tell you they set aside 2000 stamped postcards because that should reduce the time it takes to get the notice in the mail. One side is limited to their logo, but the other side is blank and they will accept whatever you want to write. You put their offer on hold and begin to develop the text around the space constraints. You are content to let the vendor’s logo be associated with the notification.
The notification explains that your company recently hired a vendor to store information about their most recent experience at St. Sebastian Hospital’s Clinic for Infectious Diseases. The vendor did not encrypt the information and no longer has control of it. All 2000 affected individuals are invited to sign-up for email notifications about their information. They simply need to go to your company’s website and watch a quick advertisement, then provide their name, email address, and month and year of birth.
You email the incident-response council for their buy-in before 9 a.m. If anything goes wrong in this situation, you want to diffuse the blame across your colleagues. Over the next eight hours, everyone emails their comments back and forth. The consultant who leads the incident-response team notes that it is his first day with the company, but he has been in other industries for 45 years and will do his best. One of the three lawyers on the council causes the conversation to veer off course, but it eventually gets back on track. At the end of the day, they vote to proceed with the notification you wrote and use the vendor’s postcards.
Shortly after the vendor mails the postcards, you learn the data was on a server that was stolen, and make the decision to have your company offer credit monitoring services. A quick internet search finds a credit monitoring company with a convincing name: Credit Under Lock and Key (CRUDLOK). Your sales rep has never handled a contract for 2000 people, but develops a proposal in about a day which says CRUDLOK will:
1. Send an enrollment invitation to everyone the day after the contract is signed.
2. Enroll someone with just their first name and the last-4 of their national identifier.
3. Monitor each enrollee’s credit for two years from the date of enrollment.
4. Send a monthly email with their credit rating and offers for credit-related services at market rates.
5. Charge your company 20% of the cost of any credit restoration.
You execute the contract and the enrollment invitations are emailed to the 2000 individuals. Three days later you sit down and document all that went well and all that could have gone better. You put it in a file to reference the next time an incident occurs.
Which of the following was done CORRECTLY during the above incident?
A. The process by which affected individuals sign up for email notifications
B. Your assessment of which credit monitoring company you should hire
C. The speed at which you sat down to reflect and document the incident
D. Finding a vendor who will offer the affected individuals additional services
Correct Answer: C

QUESTION 3
An organization’s privacy officer was just notified by the benefits manager that she accidentally sent out the retirement
enrollment report of all employees to a wrong vendor. Which of the following actions should the privacy officer take
FIRST?
A. Perform a risk of harm analysis
B. Report the incident to law enforcement
C. Contact the recipient to delete the email
D. Send firm-wide email notification to employees
Correct Answer: A


QUESTION 4
Why were the nongovernmental privacy organizations, Electronic Frontier Foundation (EFF) and Electronic Privacy
Information Center (EPIC), established?
A. To promote consumer confidence in the Internet industry
B. To improve the user experience during online shopping
C. To protect civil liberties and raise consumer awareness
D. To promote security on the Internet through strong encryption
Correct Answer: C
Reference: https://en.wikipedia.org/wiki/Electronic_Privacy_Information_Center

QUESTION 5
SCENARIO
Please use the following to answer the next question:
Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company’s product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.
This year’s conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. “It’s going to be great,” the developer, Deidre Hoffman, tells you, “if, that is, we actually get it working!” She laughs nervously but explains that because of the tight time frame she’d been given to build the app, she outsourced the job to a local firm. “It’s just three young people,” she says, “but they do great work.” She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. “They do good work, so I chose them.”
Deidre is a terrific employee with a strong track record. That’s why she’s been charged to deliver this rushed project. You’re sure she has the best interests of the company at heart, and you don’t doubt that she’s under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app’s handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, “I’m sure with your help we can fix any security issues if we have to, but I doubt there’ll be any. These people build apps for a living, and they know what they’re doing. You worry too much, but that’s why you’re so good at your job!”
What safeguard can most efficiently ensure that privacy protection is a dimension of relationships with vendors?
A. Include appropriate language about privacy protection in vendor contracts
B. Perform a privacy audit on any vendor under consideration
C. Require that a person trained in privacy protection be part of all vendor selection teams
D. Do business only with vendors who are members of privacy trade associations
Correct Answer: C


QUESTION 6
A Human Resources director at a company reported that a laptop containing employee payroll data was lost on the
train. Which action should the company take IMMEDIATELY?
A. Report the theft to law enforcement
B. Wipe the hard drive remotely
C. Report the theft to the senior management
D. Perform a multi-factor risk analysis
Correct Answer: D


QUESTION 7
In a sample metric template, what does “target” mean?
A. The suggested volume of data to collect
B. The percentage of completion
C. The threshold for a satisfactory rating
D. The frequency at which the data is sampled
Correct Answer: A

QUESTION 8
SCENARIO
Please use the following to answer the next question:
Henry Home Furnishings has built high-end furniture for nearly forty years. However, the new owner, Anton, has found some degree of disorganization after touring the company headquarters. His uncle Henry has always focused on production, not data processing, and Anton is concerned. In several storage rooms, he has found paper files, disks, and old computers that appear to contain the personal data of current and former employees and customers. Anton knows that a single break-in could irrevocably damage the company’s relationship with its loyal customers. He intends to set a goal of guaranteed zero loss of personal information. To this end, Anton originally planned to place restrictions on who was admitted to the physical premises of the company. However, Kenneth, his uncle’s vice president and longtime confidante, wants to hold off on Anton’s idea in favor of converting any paper records held at the company to electronic storage. Kenneth believes this process would only take one or two years. Anton likes this idea; he envisions a password-protected system that only he and Kenneth can access.
Anton also plans to divest the company of most of its subsidiaries. Not only will this make his job easier, but it will simplify the management of the stored data. The heads of subsidiaries like the art gallery and kitchenware store down the street will be responsible for their own information management. Then, any unneeded subsidiary data still in Anton’s possession can be destroyed within the next few years.
After learning of a recent security incident, Anton realizes that another crucial step will be notifying customers. Kenneth insists that two lost hard drives in question are not cause for concern; all of the data was encrypted and not sensitive in nature. Anton does not want to take any chances, however. He intends on sending notice letters to all employees and customers to be safe.
Anton must also check for compliance with all legislative, regulatory, and market requirements related to privacy protection. Kenneth oversaw the development of the company’s online presence about ten years ago, but Anton is not confident about his understanding of recent online marketing laws. Anton is assigning another trusted employee with a law background the task of the compliance assessment. After a thorough analysis, Anton knows the company should be safe for another five years, at which time he can order another check. Documentation of this analysis will show auditors due diligence.
Anton has started down a long road toward improved management of the company, but he knows the effort is worth it. Anton wants his uncle’s legacy to continue for many years to come.
Which of Anton’s plans for improving the data management of the company is most unachievable?
A. His initiative to achieve regulatory compliance
B. His intention to transition to electronic storage
C. His objective for zero loss of personal information
D. His intention to send notice letters to customers and employees
Correct Answer: A

QUESTION 9
Under the General Data Protection Regulation (GDPR), when would a data subject have the right to require the erasure
of his or her data without undue delay?
A. When the data subject is a public authority
B. When the erasure is in the public interest
C. When the processing is carried out by automated means
D. When the data is no longer necessary for its original purpose
Correct Answer: A
Reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/


QUESTION 10
SCENARIO
Please use the following to answer the next question:
Penny has recently joined Ace Space, a company that sells homeware accessories online, as its new privacy officer. The company is based in California but thanks to some great publicity from a social media influencer last year, the company has received an influx of sales from the EU and has set up a regional office in Ireland to support this expansion. To become familiar with Ace Space’s practices and assess what her privacy priorities will be, Penny has set up meetings with a number of colleagues to hear about the work that they have been doing and their compliance efforts.
Penny’s colleague in Marketing is excited by the new sales and the company’s plans, but is also concerned that Penny may curtail some of the growth opportunities he has planned. He tells her “I heard someone in the breakroom talking about some new privacy laws but I really don’t think it affects us. We’re just a small company. I mean we just sell accessories online, so what’s the real risk?” He has also told her that he works with a number of small companies that help him get projects completed in a hurry. “We’ve got to meet our deadlines otherwise we lose money. I just sign the contracts and get Jim in finance to push through the payment. Reviewing the contracts takes time that we just don’t have.”
In her meeting with a member of the IT team, Penny has learned that although Ace Space has taken a number of precautions to protect its website from malicious activity, it has not taken the same level of care of its physical files or internal infrastructure. Penny’s colleague in IT has told her that a former employee lost an encrypted USB key with financial data on it when he left. The company nearly lost access to their customer database last year after they fell victim to a phishing attack. Penny is told by her IT colleague that the IT team “didn’t know what to do or who should do what. We hadn’t been trained on it but we’re a small team though, so it worked out OK in the end.” Penny is concerned that these issues will compromise Ace Space’s privacy and data protection.
Penny is aware that the company has solid plans to grow its international sales and will be working closely with the CEO to give the organization a data “shake up”. Her mission is to cultivate a strong privacy culture within the company.
Penny has a meeting with Ace Space’s CEO today and has been asked to give her first impressions and an overview of her next steps.
What is the best way for Penny to understand the location, classification and processing purpose of the personal data
Ace Space has?
A. Analyze the data inventory to map data flows
B. Audit all vendors’ privacy practices and safeguards
C. Conduct a Privacy Impact Assessment for the company
D. Review all cloud contracts to identify the location of data servers used
Correct Answer: B

QUESTION 11
SCENARIO
Please use the following to answer the next question:
You lead the privacy office for a company that handles information from individuals living in several countries throughout Europe and the Americas. You begin that morning’s privacy review when a contracts officer sends you a message asking for a phone call. The message lacks clarity and detail, but you presume that data was lost.
When you contact the contracts officer, he tells you that he received a letter in the mail from a vendor stating that the vendor improperly shared information about your customers. He called the vendor and confirmed that your company recently surveyed exactly 2000 individuals about their most recent healthcare experience and sent those surveys to the vendor to transcribe it into a database, but the vendor forgot to encrypt the database as promised in the contract. As a result, the vendor has lost control of the data.
The vendor is extremely apologetic and offers to take responsibility for sending out the notifications. They tell you they set aside 2000 stamped postcards because that should reduce the time it takes to get the notice in the mail. One side is limited to their logo, but the other side is blank and they will accept whatever you want to write. You put their offer on hold and begin to develop the text around the space constraints. You are content to let the vendor’s logo be associated with the notification.
The notification explains that your company recently hired a vendor to store information about their most recent experience at St. Sebastian Hospital’s Clinic for Infectious Diseases. The vendor did not encrypt the information and no longer has control of it. All 2000 affected individuals are invited to sign-up for email notifications about their information. They simply need to go to your company’s website and watch a quick advertisement, then provide their name, email address, and month and year of birth.
You email the incident-response council for their buy-in before 9 a.m. If anything goes wrong in this situation, you want to diffuse the blame across your colleagues. Over the next eight hours, everyone emails their comments back and forth. The consultant who leads the incident-response team notes that it is his first day with the company, but he has been in other industries for 45 years and will do his best. One of the three lawyers on the council causes the conversation to veer off course, but it eventually gets back on track. At the end of the day, they vote to proceed with the notification you wrote and use the vendor’s postcards.
Shortly after the vendor mails the postcards, you learn the data was on a server that was stolen, and make the decision to have your company offer credit monitoring services. A quick internet search finds a credit monitoring company with a convincing name: Credit Under Lock and Key (CRUDLOK). Your sales rep has never handled a contract for 2000 people, but develops a proposal in about a day which says CRUDLOK will:
1. Send an enrollment invitation to everyone the day after the contract is signed.
2. Enroll someone with just their first name and the last-4 of their national identifier.
3. Monitor each enrollee’s credit for two years from the date of enrollment.
4. Send a monthly email with their credit rating and offers for credit-related services at market rates.
5. Charge your company 20% of the cost of any credit restoration.
You execute the contract and the enrollment invitations are emailed to the 2000 individuals. Three days later you sit down and document all that went well and all that could have gone better. You put it in a file to reference the next time an incident occurs.
Which of the following elements of the incident did you adequately determine?
A. The nature of the data elements impacted
B. The likelihood the incident may lead to harm
C. The likelihood that the information is accessible and usable
D. The number of individuals whose information was affected
Correct Answer: B

QUESTION 12
The General Data Protection Regulation (GDPR) specifies fines that may be levied against data controllers for certain
infringements. Which of the following will be subject to administrative fines of up to 10 000 000 EUR, or in the case of an
undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year?
A. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is
used as the basis for processing
B. Failure to implement technical and organizational measures to ensure data protection is enshrined by design and
default
C. Failure to process personal information in a manner compatible with its original purpose
D. Failure to provide the means for a data subject to rectify inaccuracies in personal data
Correct Answer: A
Reference: https://gdpr-info.eu/art-8-gdpr/


QUESTION 13
SCENARIO
Please use the following to answer the next question:
Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company’s product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.
This year’s conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. “It’s going to be great,” the developer, Deidre Hoffman, tells you, “if, that is, we actually get it working!” She laughs nervously but explains that because of the tight time frame she’d been given to build the app, she outsourced the job to a local firm. “It’s just three young people,” she says, “but they do great work.” She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. “They do good work, so I chose them.”
Deidre is a terrific employee with a strong track record. That’s why she’s been charged to deliver this rushed project. You’re sure she has the best interests of the company at heart, and you don’t doubt that she’s under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app’s handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, “I’m sure with your help we can fix any security issues if we have to, but I doubt there’ll be any. These people build apps for a living, and they know what they’re doing. You worry too much, but that’s why you’re so good at your job!”
You see evidence that company employees routinely circumvent the privacy officer in developing new initiatives. How
can you best draw attention to the scope of this problem?
A. Insist upon one-on-one consultation with each person who works around the privacy officer.
B. Develop a metric showing the number of initiatives launched without consultation and include it in reports,
presentations, and consultation.
C. Hold discussions with the department head of anyone who fails to consult with the privacy officer.
D. Take your concerns straight to the Chief Executive Officer.
Correct Answer: C
