Which of the following features should be incorporated into an organization's technology stack to meet privacy requirements related to the rights of data subjects to control their personal data?
Correct Answer: B
Explanation Any organization processing the personal data of individuals in the EU must be transparent about how it collects and uses that data. Chapter III of the GDPR defines eight data subject rights that have become foundational for other privacy regulations around the world, beginning with the right of access: data subjects can obtain the personal data an organization holds about them.
Question 12
Which of the following BEST enables an organization to ensure consumer credit card numbers are accurately captured?
Correct Answer: C
Explanation Input validation controls are the best way to ensure consumer credit card numbers are accurately captured. Input validation controls check the format, type, range, and length of input data before it is accepted, processed, or stored, and help prevent errors, fraud, or data loss by rejecting invalid, incomplete, or malicious input. For a credit card number, input validation can verify that the number has the correct number of digits for its issuer, matches a known issuer prefix, and satisfies the Luhn check digit. Input validation also reduces exposure to SQL injection and cross-site scripting attacks that may compromise the security and privacy of the data.

Input reference controls, access controls, and reconciliation controls are also important for data quality and security, but they do not directly ensure the accuracy of consumer credit card numbers. Input reference controls compare input data with a predefined list of values or a reference table to ensure consistency and validity; for example, they can check that a country name or postal code exists in a database of valid values. Access controls restrict who can access, modify, or delete data based on roles, permissions, or credentials; for example, they can prevent unauthorized users from reading or tampering with stored card numbers. Reconciliation controls compare data from different sources or systems to ensure completeness and accuracy; for example, they can check that the transactions recorded in the accounting system match the transactions processed by the payment gateway.

References: Luhn algorithm; Credit card number; Bank card number; SQL injection; Cross-site scripting
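The three checks the explanation names (digit count, issuer prefix, Luhn check digit) are cheap to implement and worth seeing together, because the order in which they run determines how useful the rejection reason is. The following is an added example, not code from the page or from the exam source; the issuer table is constructed for illustration from a few well-known public prefix ranges and is deliberately incomplete, and the 12-digit lower bound is an assumption for the brands listed. A production system would take its prefix and length rules from the payment processor.

```python
import re
from typing import Optional, Set, Tuple

# Constructed, illustrative issuer table (NOT exhaustive): leading-digit pattern
# and the PAN lengths each brand issues. Ranges change, so a real system loads
# these from the processor rather than hard-coding them.
ISSUER_RULES = {
    "visa": (re.compile(r"^4"), {13, 16, 19}),
    "mastercard": (re.compile(r"^(5[1-5]|2(22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720))"), {16}),
    "amex": (re.compile(r"^3[47]"), {15}),
    "discover": (re.compile(r"^(6011|65|64[4-9])"), {16, 19}),
}


def normalize_pan(raw: str) -> Optional[str]:
    """Strip the separators people type (spaces, hyphens); reject anything else."""
    cleaned = re.sub(r"[ -]", "", raw.strip())
    return cleaned if cleaned.isdigit() else None


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check digit: detects every single-digit error and every
    adjacent transposition except 09<->90."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect_issuer(digits: str) -> Tuple[Optional[str], Set[int]]:
    """Return (issuer name, permitted lengths) for the first matching prefix rule."""
    for name, (pattern, lengths) in ISSUER_RULES.items():
        if pattern.match(digits):
            return name, lengths
    return None, set()


def validate_card_number(raw: str) -> Tuple[bool, Optional[str], str]:
    """Return (accepted, issuer, reason). Checks run cheapest-first and stop at
    the first failure, so the reason names the specific defect."""
    digits = normalize_pan(raw)
    if digits is None:
        return False, None, "non-digit characters"
    # Coarse bound: ISO/IEC 7812 caps a PAN at 19 digits; 12 is an assumed
    # lower bound for the brands in the table above.
    if not 12 <= len(digits) <= 19:
        return False, None, "length outside 12-19"
    issuer, lengths = detect_issuer(digits)
    if issuer is None:
        return False, None, "unknown issuer prefix"
    if len(digits) not in lengths:
        return False, issuer, f"{len(digits)} digits is not a valid length for {issuer}"
    if not luhn_valid(digits):
        return False, issuer, "Luhn check digit mismatch (typo or transposition)"
    return True, issuer, "ok"


if __name__ == "__main__":
    # Constructed inputs: public test PANs plus deliberately corrupted copies.
    for sample in ["4111 1111 1111 1111", "378282246310005", "378228246310005",
                   "4111111111111112", "3782822463100051", "9999999999999999"]:
        print(sample, "->", validate_card_number(sample))
```

Note that the Luhn check only catches capture errors; it is not a secrecy or authenticity control, so a number that passes all three checks still has to be protected by the access controls and encryption discussed elsewhere on this page.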
Question 13
As part of a major data discovery initiative to identify personal data across the organization, the project team has identified the proliferation of personal data held as unstructured data as a major risk. What should be done FIRST to address this situation?
Correct Answer: B
Explanation Classifying sensitive unstructured data should be done first to address the proliferation of personal data held as unstructured data, as it identifies the types, locations, and owners of the data and allows the appropriate privacy controls and measures to be applied according to the data classification level. Classifying sensitive unstructured data also facilitates the data discovery, data minimization, data retention, and data disposal processes. References: Domain 3, Task 2; Page 9
Question 14
An organization's work-from-home policy allows employees to access corporate IT assets remotely Which of the following controls is MOST important to mitigate the risk of potential personal data compromise?
Correct Answer: A
Explanation Encryption of network traffic is the most important control to mitigate the risk of personal data compromise when employees access corporate IT assets remotely. Encryption transforms data into an unreadable form, so that an unauthorized party who intercepts it cannot read it or modify it without detection. Encrypting network traffic ensures that data transmitted between remote employees and the corporate network is protected from eavesdropping, tampering, or leakage, even though it crosses networks the organization does not control. An intrusion prevention system (IPS), a firewall rules review, and an intrusion detection system (IDS) are also useful network security controls, but they are not as effective as encryption for protecting personal data in transit. IPS and IDS can monitor and block malicious or suspicious network traffic, but they cannot prevent data exposure if the traffic is intercepted by a third party. A firewall rules review can help optimize and secure the firewall configuration, but it cannot guarantee that the firewall will not be bypassed or compromised by an attacker. Therefore, encryption of network traffic is the best option among the choices given.
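One caveat a practitioner would add: encrypting the traffic only protects it against an on-path attacker if the client also verifies who it is talking to. A TLS client that disables certificate verification still encrypts every byte, but an attacker who terminates the connection with their own certificate reads all of it. The example below is added here and is not code from the page or from any product it discusses; it shows the weak client configuration beside the corrected one using Python's standard `ssl` module, and `cafile` is an assumed path to a corporate CA bundle.

```python
import socket
import ssl
from typing import Optional


def insecure_client_context() -> ssl.SSLContext:
    """The weak setting: traffic is encrypted, but the server certificate is
    never checked, so an on-path attacker can present their own certificate
    and read everything. check_hostname must be cleared before CERT_NONE is set."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The corrected setting: verify the server chain against a trust store,
    check the hostname, and refuse anything below TLS 1.2.
    `cafile` is an assumed path to the organization's CA bundle; None uses
    the platform trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_report(ctx: ssl.SSLContext) -> dict:
    """Summarise the properties a reviewer checks on a remote-access client."""
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_version": ctx.minimum_version.name,
    }


def open_tls_connection(ctx: ssl.SSLContext, host: str, port: int = 443) -> ssl.SSLSocket:
    """Wrap a TCP socket in TLS. With the hardened context a wrong or untrusted
    certificate raises ssl.SSLCertVerificationError instead of connecting;
    with the insecure context the same connection silently succeeds.
    (Not called at import time: it needs network access.)"""
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("weak    :", context_report(insecure_client_context()))
    print("hardened:", context_report(hardened_client_context()))
```

The same distinction applies to any remote-access channel (VPN, RDP gateway, SSH): the control that satisfies the exam answer is encryption plus authentication of the endpoint, not encryption alone.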
Question 15
What should be the PRIMARY consideration of a multinational organization deploying a user and entity behavior analytics (UEBA) tool to centralize the monitoring of anomalous employee behavior?
Correct Answer: A
Explanation The primary consideration of a multinational organization deploying a user and entity behavior analytics (UEBA) tool to centralize the monitoring of anomalous employee behavior is cross-border data transfer, because it may involve the transfer of personal data across jurisdictions with different privacy laws and regulations. The organization needs to ensure that it complies with the applicable legal requirements and safeguards the privacy rights of its employees when transferring their data to a central location for analysis. The other options are secondary or operational considerations that do not have a comparable impact on the privacy of the employees.
References:
* CDPSE Exam Content Outline, Domain 2 - Privacy Architecture (Privacy Architecture Implementation), Task 3: Implement privacy solutions.
* CDPSE Review Manual, Chapter 2 - Privacy Architecture, Section 2.4 - Cross-Border Data Transfer.
* CDPSE Certified Data Privacy Solutions Engineer All-in-One Exam Guide, Chapter 2 - Privacy Architecture, Section 2.5 - Cross-Border Data Transfer.