IAPP cipm practice test

Certified Information Privacy Manager (CIPM) Exam

Last exam update: May 17 ,2024
Page 1 out of 10. Viewing questions 1-15 out of 159

Question 1

What is most critical when outsourcing data destruction service?

  • A. Obtain a certificate of data destruction.
  • B. Confirm data destruction must be done on-site.
  • C. Conduct an annual in-person audit of the provider’s facilities.
  • D. Ensure that they keep an asset inventory of the original data.
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 2

Which of the following best supports implementing controls to bring privacy policies into effect?

  • A. The internal audit department establishing the audit controls which test for policy effectiveness.
  • B. The legal department or outside counsel conducting a thorough review of the privacy program and policies.
  • C. The Chief Information Officer as part of the Senior Management Team creating enterprise privacy policies to ensure controls are available.
  • D. The information technology (IT) group supporting and enhancing the privacy program and privacy policy by developing processes and controls.
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 3

A minimum requirement for carrying out a Data Protection Impact Assessment (DPIA) would
include?

  • A. Processing on a large scale of special categories of data.
  • B. Monitoring of a publicly accessible area on a large scale.
  • C. Assessment of the necessity and proportionality.
  • D. Assessment of security measures.
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 4

Your company wants to convert paper records that contain customer personal information into
electronic form, upload the records into a new third-party marketing tool and then merge the
customer personal information in the marketing tool with information from other applications.
As the Privacy Officer, which of the following should you complete to effectively make these
changes?

  • A. A Record of Authority.
  • B. A Personal Data Inventory.
  • C. A Privacy Threshold Analysis (PTA).
  • D. A Privacy Impact Assessment (PIA).
Answer:

B

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 5

When devising effective employee policies to address a particular issue, which of the following
should be included in the first draft?

  • A. Rationale for the policy.
  • B. Points of contact for the employee.
  • C. Roles and responsibilities of the different groups of individuals.
  • D. Explanation of how the policy is applied within the organization.
Answer:

B

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 6

Which of the following actions is NOT required during a data privacy diligence process for Merger &
Acquisition (M&A) deals?

  • A. Revise inventory of applications that house personal data and data mapping.
  • B. Update business processes to handle Data Subject Requests (DSRs).
  • C. Compare the original use of personal data to post-merger use.
  • D. Perform a privacy readiness assessment before the deal.
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 7

When building a data privacy program, what is a good starting point to understand the scope of
privacy program needs?

  • A. Perform Data Protection Impact Assessments (DPIAs).
  • B. Perform Risk Assessments
  • C. Complete a Data Inventory.
  • D. Review Audits.
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 8

When supporting the business and data privacy program expanding into a new jurisdiction, it is
important to do all of the following EXCEPT?

  • A. Identify the stakeholders.
  • B. Appoint a new Privacy Officer (PO) for that jurisdiction.
  • C. Perform an assessment of the laws applicable in that new jurisdiction.
  • D. Consider culture and whether the privacy framework will need to account for changes in culture.
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 9

Which of the following is NOT an important factor to consider when developing a data retention
policy?

  • A. Technology resource.
  • B. Business requirement.
  • C. Organizational culture.
  • D. Compliance requirement
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 10

Which of the following helps build trust with customers and stakeholders?

  • A. Only publish what is legally necessary to reduce your liability.
  • B. Enable customers to view and change their own personal information within a dedicated portal.
  • C. Publish your privacy policy using broad language to ensure all of your organizations activities are captured.
  • D. Provide a dedicated privacy space with the privacy policy, explanatory documents and operation frameworks.
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 11

Which of the following is the optimum first step to take when creating a Privacy Officer governance
model?

  • A. Involve senior leadership.
  • B. Provide flexibility to the General Counsel Office.
  • C. Develop internal partnerships with IT and information security.
  • D. Leverage communications and collaboration with public affairs teams.
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 12

Which of the documents below assists the Privacy Manager in identifying and responding to a
request from an individual about what personal information the organization holds about then with
whom the information is shared?

  • A. Risk register
  • B. Privacy policy
  • C. Records retention schedule
  • D. Personal information inventory
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 13

SCENARIO
Please use the following to answer the next QUESTION:
Penny has recently joined Ace Space, a company that sells homeware accessories online, as its new
privacy officer. The company is based in California but thanks to some great publicity from a social
media influencer last year, the company has received an influx of sales from the EU and has set up a
regional office in Ireland to support this expansion. To become familiar with Ace Spaces practices
and assess what her privacy priorities will be, Penny has set up meetings with a number of
colleagues to hear about the work that they have been doing and their compliance efforts.
Pennys colleague in Marketing is excited by the new sales and the companys plans, but is also
concerned that Penny may curtail some of the growth opportunities he has planned. He tells her I
heard someone in the breakroom talking about some new privacy laws but I really dont think it
affects us. Were just a small company. I mean we just sell accessories online, so whats the real
risk? He has also told her that he works with a number of small companies that help him get
projects completed in a hurry. Weve got to meet our deadlines otherwise we lose money. I just sign
the contracts and get Jim in finance to push through the payment. Reviewing the contracts takes
time that we just dont have.
In her meeting with a member of the IT team, Penny has learned that although Ace Space has taken
a number of precautions to protect its website from malicious activity, it has not taken the same level
of care of its physical files or internal infrastructure. Pennys colleague in IT has told her that a former
employee lost an encrypted USB key with financial data on it when he left. The company nearly lost
access to their customer database last year after they fell victim to a phishing attack. Penny is told by
her IT colleague that the IT team didnt know what to do or who should do what. We hadnt been
trained on it but were a small team though, so it worked out OK in the end. Penny is concerned that

these issues will compromise Ace Spaces privacy and data protection.
Penny is aware that the company has solid plans to grow its international sales and will be working
closely with the CEO to give the organization a data shake up. Her mission is to cultivate a strong
privacy culture within the company.
Penny has a meeting with Ace Spaces CEO today and has been asked to give her first impressions
and an overview of her next steps.
What information will be LEAST crucial from a privacy perspective in Pennys review of vendor
contracts?

  • A. Audit rights
  • B. Liability for a data breach
  • C. Pricing for data security protections
  • D. The data a vendor will have access to
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 14

SCENARIO
Please use the following to answer the next QUESTION:
Penny has recently joined Ace Space, a company that sells homeware accessories online, as its new
privacy officer. The company is based in California but thanks to some great publicity from a social
media influencer last year, the company has received an influx of sales from the EU and has set up a
regional office in Ireland to support this expansion. To become familiar with Ace Spaces practices
and assess what her privacy priorities will be, Penny has set up meetings with a number of
colleagues to hear about the work that they have been doing and their compliance efforts.
Pennys colleague in Marketing is excited by the new sales and the companys plans, but is also
concerned that Penny may curtail some of the growth opportunities he has planned. He tells her I
heard someone in the breakroom talking about some new privacy laws but I really dont think it
affects us. Were just a small company. I mean we just sell accessories online, so whats the real
risk? He has also told her that he works with a number of small companies that help him get
projects completed in a hurry. Weve got to meet our deadlines otherwise we lose money. I just sign
the contracts and get Jim in finance to push through the payment. Reviewing the contracts takes
time that we just dont have.
In her meeting with a member of the IT team, Penny has learned that although Ace Space has taken
a number of precautions to protect its website from malicious activity, it has not taken the same level
of care of its physical files or internal infrastructure. Pennys colleague in IT has told her that a former

employee lost an encrypted USB key with financial data on it when he left. The company nearly lost
access to their customer database last year after they fell victim to a phishing attack. Penny is told by
her IT colleague that the IT team didnt know what to do or who should do what. We hadnt been
trained on it but were a small team though, so it worked out OK in the end. Penny is concerned that
these issues will compromise Ace Spaces privacy and data protection.
Penny is aware that the company has solid plans to grow its international sales and will be working
closely with the CEO to give the organization a data shake up. Her mission is to cultivate a strong
privacy culture within the company.
Penny has a meeting with Ace Spaces CEO today and has been asked to give her first impressions
and an overview of her next steps.
What is the best way for Penny to understand the location, classification and processing purpose of
the personal data Ace Space has?

  • A. Analyze the data inventory to map data flows
  • B. Audit all vendors’ privacy practices and safeguards
  • C. Conduct a Privacy Impact Assessment for the company
  • D. Review all cloud contracts to identify the location of data servers used
Answer:

B

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 15

SCENARIO
Please use the following to answer the next QUESTION:
Penny has recently joined Ace Space, a company that sells homeware accessories online, as its new
privacy officer. The company is based in California but thanks to some great publicity from a social
media influencer last year, the company has received an influx of sales from the EU and has set up a
regional office in Ireland to support this expansion. To become familiar with Ace Spaces practices
and assess what her privacy priorities will be, Penny has set up meetings with a number of
colleagues to hear about the work that they have been doing and their compliance efforts.
Pennys colleague in Marketing is excited by the new sales and the companys plans, but is also
concerned that Penny may curtail some of the growth opportunities he has planned. He tells her I
heard someone in the breakroom talking about some new privacy laws but I really dont think it
affects us. Were just a small company. I mean we just sell accessories online, so whats the real
risk? He has also told her that he works with a number of small companies that help him get
projects completed in a hurry. Weve got to meet our deadlines otherwise we lose money. I just sign
the contracts and get Jim in finance to push through the payment. Reviewing the contracts takes
time that we just dont have.
In her meeting with a member of the IT team, Penny has learned that although Ace Space has taken
a number of precautions to protect its website from malicious activity, it has not taken the same level
of care of its physical files or internal infrastructure. Pennys colleague in IT has told her that a former
employee lost an encrypted USB key with financial data on it when he left. The company nearly lost

access to their customer database last year after they fell victim to a phishing attack. Penny is told by
her IT colleague that the IT team didnt know what to do or who should do what. We hadnt been
trained on it but were a small team though, so
it worked out OK in the end. Penny is concerned that these issues will compromise Ace Spaces
privacy and data protection.
Penny is aware that the company has solid plans to grow its international sales and will be working
closely with the CEO to give the organization a data shake up. Her mission is to cultivate a strong
privacy culture within the company.
Penny has a meeting with Ace Spaces CEO today and has been asked to give her first impressions
and an overview of her next steps.
To establish the current baseline of Ace Spaces privacy maturity, Penny should consider all of the
following factors EXCEPT?

  • A. Ace Space’s documented procedures
  • B. Ace Space’s employee training program
  • C. Ace Space’s vendor engagement protocols
  • D. Ace Space’s content sharing practices on social media
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
To page 2