Free IAPP CIPM Exam Questions
Absolute Free CIPM Exam Practice for Comprehensive Preparation
-
IAPP CIPM Exam Questions
-
Provided By: IAPP
- Exam: Certified Information Privacy Manager
- Certification: Certified Information Privacy Manager
-
Total Questions: 278
-
Updated On: Apr 09, 2025
-
Rated: 4.9 |
-
Online Users: 556
-
Question 1
-
SCENARIOPlease use the following to answer the next question:You lead the privacy office for a company that handles information from individuals living in several countriesthroughout Europe and the Americas. You begin that morning’s privacy review when a contracts officer sendsyou a message asking for a phone call. The message lacks clarity and detail, but you presume that data waslost.When you contact the contracts officer, he tells you that he received a letter in the mail from a vendor statingthat the vendor improperly shared information about your customers. He called the vendor and confirmed thatyour company recently surveyed exactly 2000 individuals about their most recent healthcare experience andsent those surveys to the vendor to transcribe it into a database, but the vendor forgot to encrypt the databaseas promised in the contract. As a result, the vendor has lost control of the data.The vendor is extremely apologetic and offers to take responsibility for sending out the notifications. They tellyou they set aside 2000 stamped postcards because that should reduce the time it takes to get the notice in themail. One side is limited to their logo, but the other side is blank and they will accept whatever you want to write.You put their offer on hold and begin to develop the text around the space constraints. You are content to letthe vendor’s logo be associated with the notification.The notification explains that your company recently hired a vendor to store information about their most recentexperience at St. Sebastian Hospital’s Clinic for Infectious Diseases. The vendor did not encrypt the informationand no longer has control of it. All 2000 affected individuals are invited to sign-up for email notifications abouttheir information. They simply need to go to your company’s website and watch a quick advertisement, thenprovide their name, email address, and month and year of birth.You email the incident-response council for their buy-in before 9 a.m. If anything goes wrong in this situation,you want to diffuse the blame across your colleagues. Over the next eight hours, everyone emails theircomments back and forth. The consultant who leads the incident-response team notes that it is his first day withthe company, but he has been in other industries for 45 years and will do his best. One of the three lawyers onthe council causes the conversation to veer off course, but it eventually gets back on track. At the end of theday, they vote to proceed with the notification you wrote and use the vendor’s postcards.Shortly after the vendor mails the postcards, you learn the data was on a server that was stolen, and make thedecision to have your company offer credit monitoring services. A quick internet search finds a credit monitoringcompany with a convincing name: Credit Under Lock and Key (CRUDLOK). Your sales rep has never handleda contract for 2000 people, but develops a proposal in about a day which says CRUDLOK will:1. Send an enrollment invitation to everyone the day after the contract is signed.2. Enroll someone with just their first name and the last-4 of their national identifier.3. Monitor each enrollee’s credit for two years from the date of enrollment.4. Send a monthly email with their credit rating and offers for credit-related services at market rates.5. Charge your company 20% of the cost of any credit restoration.You execute the contract and the enrollment invitations are emailed to the 2000 individuals. Three days lateryou sit down and document all that went well and all that could have gone better. You put it in a file to referencethe next time an incident occurs.Regarding the credit monitoring, which of the following would be the greatest concern?
Answer: C
-
-
Question 2
-
The most direct way to ensure you are effectively communicating your privacy mission throughout your organization is to?
Answer: B,C
-
The most direct way to ensure you are effectively communicating your privacy mission throughout your organization is to?
-
Question 3
-
SCENARIOPlease use the following to answer the next question:Amira is thrilled about the sudden expansion of NatGen. As the joint Chief Executive Officer (CEO) with herlong-time business partner Sadie, Amira has watched the company grow into a major competitor in the greenenergy market. The current line of products includes wind turbines, solar energy panels, and equipment forgeothermal systems. A talented team of developers means that NatGen's line of products will only continue togrow.With the expansion, Amira and Sadie have received advice from new senior staff members brought on to helpmanage the company's growth. One recent suggestion has been to combine the legal and security functions ofthe company to ensure observance of privacy laws and the company's own privacy policy. This sounds overlycomplicated to Amira, who wants departments to be able to use, collect, store, and dispose of customer data inways that will best suit their needs. She does not want administrative oversight and complex structuring to getin the way of people doing innovative work.Sadie has a similar outlook. The new Chief Information Officer (CIO) has proposed what Sadie believes is anunnecessarily long timetable for designing a new privacy program. She has assured him that NatGen will usethe best possible equipment for electronic storage of customer and employee data. She simply needs a list ofequipment and an estimate of its cost. But the CIO insists that many issues are necessary to consider beforethe company gets to that stage.Regardless, Sadie and Amira insist on giving employees space to do their jobs. Both CEOs want to entrust themonitoring of employee policy compliance to low-level managers. Amira and Sadie believe these managers canadjust the company privacy policy according to what works best for their particular departments. NatGen'sCEOs know that flexible interpretations of the privacy policy in the name of promoting green energy would behighly unlikely to raise any concerns with their customer base, as long as the data is always used in course ofnormal business activities.Perhaps what has been most perplexing to Sadie and Amira has been the CIO's recommendation to institute aprivacy compliance hotline. Sadie and Amira have relented on this point, but they hope to compromise byallowing employees to take turns handling reports of privacy policy violations. The implementation will be easybecause the employees need no special preparation. They will simply have to document any concerns theyhear.Sadie and Amira are aware that it will be challenging to stay true to their principles and guard against corporateculture strangling creativity and employee morale. They hope that all senior staff will see the benefit of trying aunique approach.What Data Lifecycle Management (DLM) principle should the company follow if they end up allowingdepartments to interpret the privacy policy differently?
Answer: C
-
-
Question 4
-
Under the General Data Protection Regulation (GDPR), which situation would be LEAST likely to require a Data
Protection Impact Assessment (DPIA)?
Answer: D
-
Under the General Data Protection Regulation (GDPR), which situation would be LEAST likely to require a Data
Protection Impact Assessment (DPIA)?
-
Question 5
-
What is a key feature of the privacy metric template adapted from the National Institute of Standards and Technology (NIST)?
Answer: B
-