  1. Home
  2. ISACA Certification
  3. CDPSE Exam
  4. ISACA.CDPSE.v2024-03-22.q117 Dumps

Question 56

Which of the following is MOST important when developing an organizational data privacy program?

Correct Answer: C
Explanation
Following an established privacy framework is the most important step when developing an organizational data privacy program because it provides a structured and consistent approach to identify, assess, and manage privacy risks and compliance obligations. A privacy framework can also help to align the privacy program with the organization's strategic goals, values, and culture, as well as to communicate and demonstrate the privacy program's effectiveness to internal and external stakeholders. Some examples of established privacy frameworks are the NIST Privacy Framework, the ISO/IEC 27701:2019, and the AICPA Privacy Maturity Model.
References:
* NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, NIST
* ISO/IEC 27701:2019 Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines, ISO
* Privacy Maturity Model, AICPA

Question 57

A software development organization with remote personnel has implemented a third-party virtualized workspace to allow the teams to collaborate. Which of the following should be of GREATEST concern?

Correct Answer: C

Question 58

An organization is planning a new implementation for tracking consumer web browser activity. Which of the following should be done FIRST?

Correct Answer: B
Explanation
A privacy impact assessment (PIA) is a systematic process to identify and evaluate the potential privacy impacts of a system, project, program or initiative that involves the collection, use, disclosure or retention of personal data. A PIA should be done first when planning a new implementation for tracking consumer web browser activity, as it would help to ensure that privacy risks are identified and mitigated before the implementation is executed. A PIA would also help to ensure compliance with privacy principles, laws and regulations, and alignment with consumer expectations and preferences. The other options are not as important as conducting a PIA when planning a new implementation for tracking consumer web browser activity.
Seeking approval from regulatory authorities may be required or advisable for some types of personal data or data processing activities, but it may not be necessary or sufficient for tracking consumer web browser activity, depending on the context and jurisdiction. Obtaining consent from the organization's clients may be required or advisable for some types of personal data or data processing activities, but it may not be necessary or sufficient for tracking consumer web browser activity, depending on the context and jurisdiction. Reviewing and updating the cookie policy may be required or advisable for some types of personal data or data processing activities, but it may not be necessary or sufficient for tracking consumer web browser activity, depending on the context and jurisdiction [1, p. 67].
References:
* [1] CDPSE Review Manual (Digital Version)

Question 59

Which of the following should an organization do FIRST to ensure it can respond to all data subject access requests in a timely manner?

Correct Answer: A
Explanation
Before an organization can respond to data subject access requests (DSARs), it needs to have a clear understanding of the data in its possession, such as what types of personal data are collected, where they are stored, how they are processed, who has access to them, and how long they are retained. This will help the organization to locate and retrieve the relevant data for each DSAR, and to ensure that the data are accurate, complete and up to date. Understanding the data in its possession will also help the organization to comply with other data protection principles and obligations, such as data minimization, purpose limitation, security and accountability.
The other options are less important or irrelevant to do first. Investing in a platform to automate data review may help to speed up the response process, but it does not guarantee that the organization has identified all the data sources and categories that are subject to DSARs. Confirming what is required for disclosure is also important, but it depends on the specific request and the applicable law or regulation. Creating a policy for handling access requests is a good practice, but it should be based on a thorough understanding of the data in its possession.
References:
* Practical Data Security and Privacy for GDPR and CCPA - ISACA, section 2: "It is important to understand what personal information is collected and processed by an organization."
* Introduction to Data Subject Access Requests - Everlaw, section 3: "The first step in responding to a DSAR is identifying where the relevant personal data reside within your organization."
* Guidelines 01/2022 on data subject rights - Right of access Version 1, section 2.1: "The controller should have a clear overview of all processing activities involving personal data."

Question 60

Which party should a data subject contact FIRST if they believe their personal information has been collected and used without consent?

Correct Answer: B