Which of the following MUST be available to facilitate a robust data breach management response?
Correct Answer: A
Question 32
Which of the following is the FIRST step toward the effective management of personal data assets?
Correct Answer: C
Explanation The first step toward the effective management of personal data assets is to create a personal data inventory, which is a comprehensive list of the personal data that an organization collects, processes, stores, transfers, and disposes of. A personal data inventory helps an organization to understand the types, sources, locations, owners, purposes, and retention periods of the personal data it holds, as well as the risks and obligations associated with them. A personal data inventory is essential for complying with data privacy laws and regulations, such as the GDPR or the PDPA, which require organizations to implement data protection principles and practices, such as obtaining consent, providing notice, ensuring data quality and security, respecting data subject rights, and reporting data breaches. A personal data inventory also helps an organization to identify and mitigate data privacy risks and gaps, and to implement data minimization and data security controls.
References:
* ISACA, Data Privacy Audit/Assurance Program, Control Objective 3: Data Inventory and Classification
* ISACA, Simplify and Contextualize Your Data Classification Efforts
* PDPC, Managing Personal Data
* PDPC, PDPA Assessment Tool for Organisations
Question 33
Which type of data is produced by using a more complex method of analytics to find correlations between data sets and using them to categorize or profile people?
Correct Answer: B
Explanation Inferred data is the type of data that is produced by using a more complex method of analytics to find correlations between data sets and using them to categorize or profile people. Inferred data is not directly observed or collected from the data subjects, but rather derived from other sources of data, such as behavioral, transactional, or demographic data. Inferred data can be used to make assumptions or predictions about the data subjects' preferences, interests, behaviors, or characteristics.
References:
* CDPSE Review Manual, Chapter 3 - Data Lifecycle, Section 3.1 - Data Classification
* CDPSE Certified Data Privacy Solutions Engineer All-in-One Exam Guide, Chapter 3 - Data Lifecycle, Section 3.2 - Data Classification
Question 34
Which of the following is the MOST important consideration when determining retention periods for personal data?
Correct Answer: B
Explanation The notice provided to customers during data collection is the most important consideration when determining retention periods for personal data, as it reflects the transparency and accountability principles of privacy and the expectations and preferences of the data subjects. The notice should inform the customers about the purposes and legal bases of the data processing, the rights and choices of the customers, and the safeguards and measures to protect the data, including how long the data will be kept and when it will be deleted or disposed of. The notice should also be consistent with the applicable laws and regulations that may prescribe or limit the retention periods for certain types of personal data. The other options are not as important as the notice provided to customers during data collection when determining retention periods for personal data. Sectoral best practices for the industry may provide some guidance or benchmarks for retention periods, but they may not reflect the specific context or needs of the organization or the customers. Data classification standards may help to categorize data according to its sensitivity and value, but they may not indicate how long the data should be retained or deleted. Storage capacity available for retained data may affect the feasibility or cost of retaining data, but it should not determine or override the retention periods based on privacy principles, laws or customer expectations.
References:
* CDPSE Review Manual (Digital Version), p. 99-100
Question 35
Which of the following is the BEST method to ensure the security of encryption keys when transferring data containing personal information between cloud applications?
Correct Answer: B
Explanation Asymmetric encryption is a method of encrypting and decrypting data using two different keys: a public key and a private key. The public key can be shared with anyone, while the private key is kept secret by the owner. Data encrypted with the public key can only be decrypted with the private key, and vice versa. Asymmetric encryption ensures the security of encryption keys when transferring data containing personal information between cloud applications, by providing the following benefits:
* It can prevent unauthorized access or use of the data, as only the intended recipient who has the matching private key can decrypt the data sent by the sender who has the public key.
* It can prevent man-in-the-middle attacks, where an attacker intercepts and modifies the data or keys in transit, as any tampering with the data or keys will result in decryption failure or error.
* It can enable digital signatures, where the sender encrypts a message digest of the data with their private key, and the recipient verifies it with the sender's public key. Digital signatures can ensure the authenticity and integrity of the data and the sender.
The other options are less effective or irrelevant for ensuring the security of encryption keys when transferring data containing personal information between cloud applications. Whole disk encryption is a method of encrypting all the data on a disk or device, such as a laptop or a smartphone. It does not protect the data when it is transferred over a network or stored on a cloud server. Symmetric encryption is a method of encrypting and decrypting data using the same key. It requires both parties to securely exchange and store the key, which may be difficult or risky in a cloud environment. A digital signature is not a method of encryption, but an application of asymmetric encryption that can provide additional security features for data transmission.