Which of the following has the GREATEST impact on the treatment of data within the scope of an organization's privacy policy?
Correct Answer: C
Explanation: Data classification is the process of categorizing data according to its sensitivity, value, and criticality for the organization and the data subjects. Data classification has the greatest impact on the treatment of data within the scope of an organization's privacy policy, as it determines the appropriate level of protection, access, retention, and disposal for each type of data. Data classification also helps to comply with the privacy principles and regulations, such as data minimization, purpose limitation, accuracy, security, and accountability.
References: CDPSE Review Manual, 2021, p. 80
Question 72
Which of the following vulnerabilities would have the GREATEST impact on the privacy of information?
Correct Answer: A
Explanation: The vulnerability that would have the greatest impact on the privacy of information is private key exposure, because it would compromise the encryption and decryption of the information, as well as the authentication and integrity of the communicating parties. A private key is a secret and unique value that is used to encrypt or decrypt data, or to sign or verify digital signatures. If an attacker gains access to the private key, they can read, modify, or impersonate the data or the sender, which would violate the confidentiality, integrity, and authenticity of the information.
References:
* CDPSE Review Manual, Chapter 2 - Privacy Architecture, Section 2.3 - Privacy Architecture Implementation.
* CDPSE Certified Data Privacy Solutions Engineer All-in-One Exam Guide, Chapter 2 - Privacy Architecture, Section 2.4 - Remote Access.
Question 73
Who is ULTIMATELY accountable for the protection of personal data collected by an organization?
Correct Answer: B
Explanation: The data owner is the person or entity who has the ultimate authority and responsibility for the protection of personal data collected by an organization. The data owner defines the purpose, scope, classification, and retention of the personal data, as well as the rights and obligations of the data subjects and other parties involved in the data processing. The data owner also ensures that the personal data is handled in compliance with the applicable privacy laws and regulations, as well as the organization's privacy policies and standards. The data owner may delegate some of the operational tasks to the data processor, data custodian, or data protection officer, but the accountability remains with the data owner.
References: CDPSE Review Manual, 2021, p. 81
Question 74
A new marketing application needs to use data from the organization's customer database. Prior to the application using the data, which of the following should be done FIRST?
Correct Answer: C
Explanation: Before using data from the organization's customer database for a new marketing application, the first step should be to determine what data is required by the application and for what purpose. This will help to ensure that the data collection and processing are relevant, necessary, and proportionate to the intended use, and that the data minimization principle is followed. Data minimization means that only the minimum amount of personal data needed to achieve a specific purpose should be collected and processed, and that any excess or irrelevant data should be deleted or anonymized. This will also help to comply with the data privacy laws and regulations that apply to the organization, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), which require organizations to inform data subjects about the types and purposes of data processing, and to obtain their consent if needed.
References:
* ISACA, Data Privacy Audit/Assurance Program, Control Objective 2: Data Minimization, p. 61
* ISACA, GDPR Data Protection Impact Assessments, p. 4-52
* ISACA, CCPA vs. GDPR: Similarities and Differences, p. 1-23
Question 75
Which of the following is the BEST approach for a local office of a global organization faced with multiple privacy-related compliance requirements?