Online Access Free CIPM Practice Test

SCENARIO
Please use the following to answer the next QUESTION:
It's just what you were afraid of. Without consulting you, the information technology director at your organization launched a new initiative to encourage employees to use personal devices for conducting business. The initiative made purchasing a new, high-specification laptop computer an attractive option, with discounted laptops paid for as a payroll deduction spread over a year of paychecks. The organization is also paying the sales taxes. It's a great deal, and after a month, more than half the organization's employees have signed on and acquired new laptops. Walking through the facility, you see them happily customizing and comparing notes on their new computers, and at the end of the day, most take their laptops with them, potentially carrying personal data to their homes or other unknown locations. It's enough to give you data- protection nightmares, and you've pointed out to the information technology Director and many others in the organization the potential hazards of this new practice, including the inevitability of eventual data loss or theft.
Today you have in your office a representative of the organization's marketing department who shares with you, reluctantly, a story with potentially serious consequences. The night before, straight from work, with laptop in hand, he went to the Bull and Horn Pub to play billiards with his friends. A fine night of sport and socializing began, with the laptop "safely" tucked on a bench, beneath his jacket. Later that night, when it was time to depart, he retrieved the jacket, but the laptop was gone. It was not beneath the bench or on another bench nearby. The waitstaff had not seen it. His friends were not playing a joke on him. After a sleepless night, he confirmed it this morning, stopping by the pub to talk to the cleanup crew. They had not found it.
The laptop was missing. Stolen, it seems. He looks at you, embarrassed and upset.
You ask him if the laptop contains any personal data from clients, and, sadly, he nods his head, yes. He believes it contains files on about 100 clients, including names, addresses and governmental identification numbers. He sighs and places his head in his hands in despair.
In order to determine the best course of action, how should this incident most productively be viewed?

• A.As an incident that requires the abrupt initiation of a notification campaign.
• B.As the accidental loss of personal property containing data that must be restored.
• C.As a potential compromise of personal information through unauthorized access.
• D.As the premeditated theft of company data, until shown otherwise.

While trying to e-mail her manager, an employee has e-mailed a list of all the company's customers, including their bank details, to an employee with the same name at a different company. Which of the following would be the first stage in the incident response plan under the General Data Protection Regulation (GDPR)?

• A.Remediation offers to data subjects.
• B.Notification to the Information Commissioner's Office (ICO).
• C.Notification to data subjects.
• D.Containment of impact of breach.

What is the main purpose of a privacy program audit?

• A.To ensure the adequacy of data protection procedures.
• B.To make decisions on privacy staff roles and responsibilities.
• C.To justify a privacy department budget increase.
• D.To mitigate the effects of a privacy breach.

Under the General Data Protection Regulation (GDPR), what must be included in a written agreement between the controller and processor in relation to processing conducted on the controller's behalf?

• A.An obligation on the processor to report any personal data breach to the controller within 72 hours.
• B.An obligation on the processor to assist the controller in complying with the controller's obligations to notify the supervisory authority about personal data breaches.
• C.An obligation on both parties to agree to a termination of the agreement if the other party is responsible for a personal data breach.
• D.An obligation on both parties to report any serious personal data breach to the supervisory authority.

What is one obligation that the General Data Protection Regulation (GDPR) imposes on data processors?

• A.To inform data subjects about the identity and contact details of the controller.
• B.To honor all data access requests from data subjects.
• C.To implement appropriate technical and organizational measures that ensure an appropriate level of security.
• D.To carry out data protection impact assessments in cases where processing is likely to result in high risk to the rights and freedoms of individuals.