Which of the following is NOT a type of privacy program metric?
A. Business enablement metrics.
B. Data enhancement metrics.
C. Value creation metrics.
D. Commercial metrics.
SCENARIO
Please use the following to answer the next QUESTION:
As the Director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development.
You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program's sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change. Initially, your work was greeted with little confidence or enthusiasm by the company's "old guard" among both the executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the current state of operations, you soon had the leaders and key decision-makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training program achieved sufficient "buy-in" to begin putting the proper procedures into place.
Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development. While your approach is not systematic, it is fairly effective.
You are left contemplating:
What must be done to maintain the program and develop it beyond just a data breach prevention program? How can you build on your success?
What are the next action steps?
What process could most effectively be used to add privacy protections to a new, comprehensive program being developed at Consolidated?
A. Privacy by Design.
B. Privacy Step Assessment.
C. Information Security Planning.
D. Innovation Privacy Standards.
What does it mean to "rationalize" data protection requirements?
A. Evaluate the costs and risks of applicable laws and regulations and address those that have the greatest penalties
B. Look for overlaps in laws and regulations from which a common solution can be developed
C. Determine where laws and regulations are redundant in order to eliminate some from requiring compliance
D. Address the less stringent laws and regulations, and inform stakeholders why they are applicable
An executive for a multinational online retail company in the United States is looking for guidance in developing her company's privacy program beyond what is specifically required by law.
What would be the most effective resource for the executive to consult?
A. Internal auditors.
B. Industry frameworks.
C. Oversight organizations.
D. Breach notifications from competitors.
As a Data Protection Officer, one of your roles entails monitoring changes in laws and regulations and updating policies accordingly.
How would you most effectively execute this responsibility?
A. Consult an external lawyer.
B. Regularly engage regulators.
C. Attend workshops and interact with other professionals.
D. Subscribe to email list-serves that report on regulatory changes.
Which of the following is TRUE about a PIA (Privacy Impact Analysis)?
A. Any project that involves the use of personal data requires a PIA
B. A Data Protection Impact Analysis (DPIA) process includes a PIA
C. The PIA must be conducted at the early stages of the project lifecycle
D. The results from a previous information audit can be leveraged in a PIA process
SCENARIO
Please use the following to answer the next QUESTION:
Penny has recently joined Ace Space, a company that sells homeware accessories online, as its new privacy officer. The company is based in California but thanks to some great publicity from a social media influencer last year, the company has received an influx of sales from the EU and has set up a regional office in Ireland to support this expansion. To become familiar with Ace Space's practices and assess what her privacy priorities will be, Penny has set up meetings with a number of colleagues to hear about the work that they have been doing and their compliance efforts.
Penny's colleague in Marketing is excited by the new sales and the company's plans, but is also concerned that Penny may curtail some of the growth opportunities he has planned. He tells her "I heard someone in the breakroom talking about some new privacy laws but I really don't think it affects us. We're just a small company. I mean we just sell accessories online, so what's the real risk?" He has also told her that he works with a number of small companies that help him get projects completed in a hurry. "We've got to meet our deadlines otherwise we lose money. I just sign the contracts and get Jim in finance to push through the payment. Reviewing the contracts takes time that we just don't have."
In her meeting with a member of the IT team, Penny has learned that although Ace Space has taken a number of precautions to protect its website from malicious activity, it has not taken the same level of care of its physical files or internal infrastructure. Penny's colleague in IT has told her that a former employee lost an encrypted USB key with financial data on it when he left. The company nearly lost access to their customer database last year after they fell victim to a phishing attack. Penny is told by her IT colleague that the IT team "didn't know what to do or who should do what. We hadn't been trained on it but we're a small team though, so it worked out OK in the end." Penny is concerned that these issues will compromise Ace Space's privacy and data protection.
Penny is aware that the company has solid plans to grow its international sales and will be working closely with the CEO to give the organization a data "shake up". Her mission is to cultivate a strong privacy culture within the company.
Penny has a meeting with Ace Space's CEO today and has been asked to give her first impressions and an overview of her next steps.
What information will be LEAST crucial from a privacy perspective in Penny's review of vendor contracts?
A. Audit rights
B. Liability for a data breach
C. Pricing for data security protections
D. The data a vendor will have access to
SCENARIO
Please use the following to answer the next question:
Felicity is the Chief Executive Officer (CEO) of an international clothing company that does business in several countries, including the United States (U.S.), the United Kingdom (UK), and Canada. For the first five years under Felicity's leadership, the company was highly successful due to its higher profile on the Internet via targeted advertising and the use of social media. However, business has dropped in recent months, and Felicity is looking to cut costs across all departments.
She has prepared to meet with the Chief Information Officer (CIO), Jin, who is also head of the company's privacy program.
After reviewing many of Jin's decisions, Felicity firmly believes that, although well-intentioned, Jin overspends company resources. Felicity has taken several notes on ways she believes the company can spend less money trying to uphold its privacy mission. First, Felicity intends to discuss the size of the company's information security budget with Jin. Felicity proposes to streamline information security by putting it solely within the purview of the company's Information Technology (IT) experts, since personal data within the company is stored electronically.
She is also perplexed by the Privacy Impact Assessments (PIAs) Jin facilitated at some of the company's locations. Jin carefully documented the approximate amount of man-hours the PIAs took to complete, and Felicity is astounded at the amount. She cannot understand why so much time has been spent on sporadic PIAs.
Felicity has also recently received complaints from employees, including mid-level managers, about the great burden of paperwork necessary for documenting employee compliance with the company's privacy policy. She hopes Jin can propose cheaper, more efficient ways of monitoring compliance. In Felicity's view, further evidence of Jin's overzealousness is his insistence on monitoring third-party processors for their observance of the company's privacy policy. New staff members seem especially overwhelmed. Despite the consistent monitoring, two years ago the company had to pay remediation costs after a security breach of a processor's data system. Felicity wonders whether processors can be held contractually liable for the costs of any future breaches.
Last in Felicity's notes is a reminder to discuss Jin's previous praise for the company's independent ethics function within the Human Resources (HR) department. Felicity believes that much company time could be saved if the Ethics Officer position were done away with, and that any ethical concerns were simply brought directly to the executive leadership of the company.
Although Felicity questions many of Jin's decisions, she hopes that their meeting will be productive and that Jin, who is widely respected throughout the company, will help the company save money. Felicity believes that austerity is the only way forward.
Based on the scenario, Felicity is in danger of NOT exercising enough caution regarding?
A. The company's acceptance of advanced technology.
B. The company's ongoing relationship with outside vendors.
C. The allocation of duties to a Chief Information Officer (CIO).
D. The staff charged with assisting with Privacy Impact Assessments (PIAs).
SCENARIO
Please use the following to answer the next question:
Jonathan recently joined a healthcare payment processing solutions company as a senior privacy manager. One morning, Jonathan awakens to several emails informing him that an individual cloud server failed due to a flood in its server room, damaging its hardware and destroying all the data the company had stored on that drive. Jonathan was not aware that the company had this particular cloud account or that any data was being stored there because it was not included in the data mapping or data inventory provided to him by his predecessor. Jonathan's predecessor conducted a data inventory and mapping exercise 4 years ago and updated it on an annual basis.
Renee works in the sales department and tells Jonathan that she doesn't think that account had been used since the company moved to a bigger cloud vendor three years ago. She also advised him that the account was mostly used by Human Resources (HR) and Accounts Payable (AP). Jonathan speaks to both departments and learns that each had met with his predecessor multiple times and explained they saved sensitive personal data on that drive, including health and financial related personal data and "other stuff." Jonathan also learns that the data stored in that account was not backed up pursuant to company policy. Jonathan asks his IT department who had access to that particular account and learns that there were no access controls in place, making the account available to anyone in the company, despite the purported sensitivity of the data being stored there.
Jonathan is panicking as the data can't be recovered, and he can't determine exactly what data was saved on that account or to whom it belongs. Two days later, the company receives 32 data subject access requests and Accounts Payable confirms Jonathan's worry that these data subjects' personal data was likely stored on this account. He searches for the company's data subject access request policy, but later learns it doesn't exist.
Based on the scenario above, what is the most appropriate next step Jonathan should take?
A. Consult with the legal team to determine how to address the data subjects' requests and determine the risk of noncompliance.
B. Consult with other key stakeholders to create a presentation on the incident and lessons learned for the board of directors.
C. Consult with the public relations team to discuss potential brand impact of not responding to the data subjects' requests.
D. Consult with the IT team to understand how and why this cloud account was not disabled.
What is the Privacy Officer's first action after being told that her firm is planning to sell its credit card processing business?
A. Perform a Record of Processing Activity (ROPA).
B. Review technical security controls.
C. Review contractual obligations.
D. Review data mapping.