A.  

Privacy rights advocate

B.  

Outside privacy counsel

C.  

Data protection authorities

D.  

The organization’s chief privacy officer (CPO)

A.  

Encrypt the data at rest and in motion

B.  

Remove the identifiers during the data transfer

C.  

Determine the categories of personal data collected

D.  

Ensure logging is turned on for the database

A.  

Co-regulatory

B.  

Sectoral

C.  

Comprehensive

D.  

Self-regulatory

A.  

Provide periodic user awareness training on data encryption.

B.  

Implement a data loss prevention (DLP) tool.

C.  

Conduct regular control self-assessments (CSAs).

D.  

Enforce annual attestation to policy compliance.

A.  

Video surveillance recordings may only be viewed by the organization.

B.  

Those affected must be informed of the video surveillance_

C.  

There is no limitation for retention of this data.

D.  

Video surveillance data must be stored in encrypted format.

A.  

Server details of the hosting environment

B.  

Last logins of privileged users

C.  

Last user who accessed personal data

D.  

Application error events

A.  

Data encryption

B.  

Data sanitization

C.  

Data scrambling

D.  

Data masking

A.  

Data loss prevention (DLP) tools

B.  

Data discovery and mapping tools

C.  

Data log file monitoring tools

D.  

Data profiling tools

A.  

Anonymize personal data.

B.  

Discontinue the creation of profiles.

C.  

Implement strong access controls.

D.  

Encrypt data at rest.

A.  

Conduct an audit.

B.  

Report performance metrics.

C.  

Perform a control self-assessment (CSA).

D.  

Conduct a benchmarking analysis.

A.  

Tokenization

B.  

Aggregation

C.  

Anonymization

D.  

Encryption

A.  

Data masking

B.  

Data truncation

C.  

Data encryption

D.  

Data minimization

A.  

Develop and communicate a data security plan.

B.  

Perform a privacy impact assessment (PIA).

C.  

Ensure strong encryption is used.

D.  

Conduct a security risk assessment.

A.  

Data custodian

B.  

Privacy data analyst

C.  

Data processor

D.  

Data owner

A.  

Cross-border data transfer

B.  

Support staff availability and skill set

C.  

User notification

D.  

Global public interest

A.  

Email filtering system

B.  

Intrusion monitoring

C.  

Mobile device management (MDM)

D.  

User behavior analytics

A.  

To identify controls to mitigate data privacy risks

B.  

To classify personal data according to the data classification scheme

C.  

To assess the risk associated with personal data usage

D.  

To determine the service provider’s ability to maintain data protection controls

A.  

Enable whole disk encryption on remote devices.

B.  

Purchase an endpoint detection and response (EDR) tool.

C.  

Implement multi-factor authentication.

D.  

Deploy single sign-on with complex password requirements.

A.  

Develop a service level agreement (SLA) with the third party

B.  

Implement encryption for the data transmission

C.  

Obtain consent from the data subjects

D.  

Review the specification document of the open API.

A.  

Data integrity and confidentiality

B.  

System use requirements

C.  

Data use limitation

D.  

Lawfulness and fairness

A.  

De-identifying the data to be analyzed

B.  

Verifying the data subjects have consented to the processing

C.  

Defining the intended objectives

D.  

Ensuring proper data sets are used to train the models

A.  

The system architecture is clearly defined.

B.  

A risk assessment has been completed.

C.  

Security controls are clearly defined.

D.  

Data protection requirements are included.

A.  

general counsel.

B.  

database administrator.

C.  

business application owner

D.  

chief information officer (CIO)

A.  

Require security management to validate data privacy security practices.

B.  

Involve the privacy office in an organizational review of the incident response plan.

C.  

Hire a third party to perform a review of data privacy processes.

D.  

Conduct annual data privacy tabletop exercises.

A.  

Risk tolerance

B.  

Implementation cost

C.  

Industry standards

D.  

Storage type

A.  

Perform a business impact analysis (BIA).

B.  

Implement remediation actions to mitigate privacy risk.

C.  

Conduct a privacy Impact assessment (PIA).

D.  

Create a system of records notice (SORN).

A.  

encrypted.

B.  

incremental.

C.  

differential.

D.  

pseudonymized

A.  

To comply with consumer regulatory requirements

B.  

To establish privacy breach response procedures

C.  

To classify personal data

D.  

To understand privacy risks

A.  

APIs are costly to assess and monitor.

B.  

API keys could be stored insecurely.

C.  

APIs are complex to build and test

D.  

APIS could create an unstable environment

A.  

Data process flow diagrams

B.  

Data inventory

C.  

Data classification

D.  

Data collection standards

A.  

Review self-attestations of compliance provided by vendor management.

B.  

Obtain independent assessments of the vendors’ data management processes.

C.  

Perform penetration tests of the vendors’ data security.

D.  

Compare contract requirements against vendor deliverables.

A.  

Monitoring data retention periods

B.  

Authorizing access rights

C.  

Serving as primary contact with regulators

D.  

Implementing appropriate technical controls

A.  

Identify the data owner.

B.  

Define data quality rules.

C.  

Establish business thresholds-

D.  

Assess completeness of the data inventory.

A.  

Possession factor authentication

B.  

Knowledge-based credential authentication

C.  

Multi-factor authentication

D.  

Biometric authentication

A.  

The key must be kept separate and distinct from the data it protects.

B.  

The data must be protected by multi-factor authentication.

C.  

The key must be a combination of alpha and numeric characters.

D.  

The data must be stored in locations protected by data loss prevention (DLP) technology.

A.  

Encryption of customer data

B.  

Removal of customer data

C.  

De-identification of customer data

D.  

Destruction of customer data

A.  

Discretionary access control (DAC)

B.  

Attribute-based access control (ABAC)

C.  

Provision-based access control (PBAC)

D.  

Mandatory access control (MAC)

A.  

Developing a clear privacy statement with documented objectives

B.  

Incorporating data privacy regulations from all jurisdictions

C.  

Aligning regulatory requirements with business needs

D.  

Providing a comprehensive review of the policy for all business units

A.  

Offline backup availability

B.  

Recovery time objective (RTO)

C.  

Recovery point objective (RPO)

D.  

Online backup frequency

A.  

Approving privacy impact assessments (PIAs)

B.  

Validating the privacy framework

C.  

Managing privacy notices provided to customers

D.  

Establishing employee privacy rights and consent

A.  

It increases system resiliency.

B.  

It reduces external threats to data.

C.  

It reduces exposure of data.

D.  

It eliminates attack motivation for data.

A.  

Input reference controls

B.  

Access controls

C.  

Input validation controls

D.  

Reconciliation controls

A.  

Accuracy

B.  

Consent

C.  

Transparency

D.  

Integrity

A.  

Data is pseudonymized when being backed up.

B.  

Data is encrypted before storage.

C.  

Data is only accessible on a need-to-know basis.

D.  

Data is regularly reviewed tor its relevance

A.  

Archived data is used for future analytics.

B.  

The legal department has approved the retention policy.

C.  

All sensitive data has been tagged.

D.  

A retention schedule is in place.

A.  

Online behavioral tracking

B.  

Radio frequency identification (RFID)

C.  

Website cookies

D.  

Beacon-based tracking

A.  

Privacy policy

B.  

Network security standard

C.  

Multi-factor authentication

D.  

Virtual private network (VPN)

A.  

Perform a privacy risk audit.

B.  

Conduct a privacy risk assessment.

C.  

Validate a privacy risk attestation.

D.  

Conduct a privacy risk remediation exercise.

A.  

Transmission Control Protocol (TCP)

B.  

Transport Layer Security Protocol (TLS)

C.  

Secure File Transfer Protocol (SFTP)

D.  

Hypertext Transfer Protocol (HTTP)

A.  

Data privacy is about data segmentation, while data security prevents unauthorized access.

B.  

Data privacy protects the data subjects, while data security is about protecting critical assets.

C.  

Data privacy stems from regulatory requirements, while data security focuses on consumer rights.

D.  

Data privacy protects users from unauthorized disclosure, while data security prevents compromise.

A.  

Source code review

B.  

Security audit

C.  

Bug bounty program

D.  

Tabletop simulation

A.  

Data classification schemes

B.  

Automated data deletion schedules

C.  

Cloud vendor agreements

D.  

Service level agreements (SLAs)

A.  

Detecting malicious access through endpoints

B.  

Implementing network traffic filtering on endpoint devices

C.  

Managing remote access and control

D.  

Hardening the operating systems of endpoint devices

A.  

Conducting a PIA requires significant funding and resources.

B.  

PIAs need to be performed many times in a year.

C.  

The organization lacks knowledge of PIA methodology.

D.  

The value proposition of a PIA is not understood by management.

A.  

Low-level formatting

B.  

Remote partitioning

C.  

Degaussing

D.  

Hammer strike

A.  

Data minimization

B.  

Data anonymization

C.  

Data security

D.  

Data normalization

A.  

protect against unauthorized access.

B.  

detect changes to the data.

C.  

ensure data indexing performance.

D.  

tag the data with classification information

A.  

Mandatory access control

B.  

Network segmentation

C.  

Dedicated access system

D.  

Role-based access control