When configuring information systems for the communication and transport of personal data, an organization should:
Correct Answer: D
Question 107
Which of the following is the BEST way to validate that privacy practices align to the published enterprise privacy management program?
Correct Answer: B
Question 108
An organization is planning a new implementation for tracking consumer web browser activity. Which of the following should be done FIRST?
Correct Answer: B
Explanation A privacy impact assessment (PIA) is a systematic process to identify and evaluate the potential privacy impacts of a system, project, program or initiative that involves the collection, use, disclosure or retention of personal data. A PIA should be done first when planning a new implementation for tracking consumer web browser activity, as it would help to ensure that privacy risks are identified and mitigated before the implementation is executed. A PIA would also help to ensure compliance with privacy principles, laws and regulations, and alignment with consumer expectations and preferences. The other options are not as important as conducting a PIA when planning a new implementation for tracking consumer web browser activity. Seeking approval from regulatory authorities may be required or advisable for some types of personal data or data processing activities, but it may not be necessary or sufficient for tracking consumer web browser activity, depending on the context and jurisdiction. Obtaining consent from the organization's clients may be required or advisable for some types of personal data or data processing activities, but it may not be necessary or sufficient for tracking consumer web browser activity, depending on the context and jurisdiction. Reviewing and updating the cookie policy may be required or advisable for some types of personal data or data processing activities, but it may not be necessary or sufficient for tracking consumer web browser activity, depending on the context and jurisdiction1, p. 67 References: 1: CDPSE Review Manual (Digital Version)
Question 109
Which of the following is MOST important to include in a data use policy?
Correct Answer: A
Explanation A data use policy is a document that defines the rules and guidelines for how personal data are collected, used, stored, shared and deleted by an organization. It is an important part of data governance and compliance, as it helps to ensure that personal data are handled in a lawful, fair and transparent manner, respecting the rights and preferences of data subjects. A data use policy should include the requirements for collecting and using personal data, such as the legal basis, the purpose, the scope, the consent, the data minimization, the accuracy, the security and the accountability. These requirements help to establish the legitimacy and necessity of data processing activities, and to prevent unauthorized or excessive use of personal data. References: ISACA Privacy Notice & Usage Disclosures, section 2.1: "We collect Personal Information from you when you provide it to us directly or through a third party who has assured us that they have obtained your consent." Chapter Privacy Policy - Singapore Chapter - ISACA, section 2: "We will collect your personal data in accordance with the PDPA either directly from you or your authorized representatives, and/or through our third party service providers." Data Minimization-A Practical Approach - ISACA, section 2: "Enterprises may only collect as much data as are necessary for the purposes defined at the time of collection, which may also be set out in a privacy notice (sometimes referred to as a privacy statement, a fair processing statement or a privacy policy)." Establishing Enterprise Roles for Data Protection - ISACA, section 3: "Data governance is typically implemented in organizations through policies, guidelines, tools and access controls."
Question 110
Which of the following should be established FIRST before authorizing remote access to a data store containing personal data?
Correct Answer: D
Explanation A virtual private network (VPN) is a technology that creates a secure and encrypted connection over a public network, such as the internet. A VPN should be established first before authorizing remote access to a data store containing personal data, as it protects the data from unauthorized interception, modification, or disclosure by third parties. A VPN also helps to ensure the identity and authenticity of the remote users and devices accessing the data store. References: 2 Domain 2, Task 8
