Which of the following scenarios should trigger the completion of a privacy impact assessment (PIA)?
Correct Answer: B
Explanation A privacy impact assessment (PIA) is a process of analyzing the potential privacy risks and impacts of collecting, using, and disclosing personal data. A PIA should be conducted when there is a change in the data processing activities that may affect the privacy of individuals or the compliance with data protection laws and regulations. One of the scenarios that should trigger the completion of a PIA is when there are new inter-organizational data flows, which means that personal data is shared or transferred between different entities or jurisdictions. This may introduce new privacy risks, such as unauthorized access, misuse, or breach of data, as well as new legal obligations, such as obtaining consent, ensuring adequate safeguards, or notifying authorities. References: * PIA Triggers - International Association of Privacy Professionals * Privacy Impact Assessment - International Association of Privacy Professionals * GDPR Privacy Impact Assessment * Data Protection Impact Assessment triggers: Clarity or confusion?
Question 37
Which of the following should an organization do FIRST to ensure it can respond to all data subject access requests in a timely manner?
Correct Answer: A
Explanation Before an organization can respond to data subject access requests (DSARs), it needs to have a clear understanding of the data in its possession, such as what types of personal data are collected, where they are stored, how they are processed, who has access to them, and how long they are retained. This will help the organization to locate and retrieve the relevant data for each DSAR, and to ensure that the data are accurate, complete and up to date. Understanding the data in its possession will also help the organization to comply with other data protection principles and obligations, such as data minimization, purpose limitation, security and accountability. The other options are less important or irrelevant to do first. Investing in a platform to automate data review may help to speed up the response process, but it does not guarantee that the organization has identified all the data sources and categories that are subject to DSARs. Confirming what is required for disclosure is also important, but it depends on the specific request and the applicable law or regulation. Creating a policy for handling access requests is a good practice, but it should be based on a thorough understanding of the data in its possession. References: Practical Data Security and Privacy for GDPR and CCPA - ISACA, section 2: "It is important to understand what personal information is collected and processed by an organization." Introduction to Data Subject Access Requests - Everlaw, section 3: "The first step in responding to a DSAR is identifying where the relevant personal data reside within your organization." Guidelines 01/2022 on data subject rights - Right of access Version 1, section 2.1: "The controller should have a clear overview of all processing activities involving personal data."
Question 38
Which of the following helps to ensure the identities of individuals in a two-way communication are verified?
Correct Answer: D
Explanation The best answer is D. Mutual certificate authentication. A comprehensive explanation is: Mutual certificate authentication is a method of mutual authentication that uses public key certificates to verify the identities of both parties in a two-way communication. A public key certificate is a digital document that contains information about the identity of the certificate holder, such as their name, organization, domain name, etc., as well as their public key, which is used for encryption and digital signature. A public key certificate is issued and signed by a trusted authority, called a certificate authority (CA), that vouches for the validity of the certificate. Mutual certificate authentication works as follows: * Both parties have a public key certificate issued by a CA that they trust. * When they initiate a communication, they exchange their certificates with each other. * They verify the signatures on the certificates using the CA's public key, which they already have or can obtain from a trusted source. * They check that the certificates are not expired, revoked, or tampered with. * They extract the public keys from the certificates and use them to encrypt and decrypt messages or to generate and verify digital signatures. * They confirm that the identities in the certificates match their expectations and intentions. By using mutual certificate authentication, both parties can be confident that they are communicating with the intended and legitimate party, and that their communication is secure and confidential. Mutual certificate authentication is often used in conjunction with Transport Layer Security (TLS), a protocol that provides encryption and authentication for network communications. TLS supports both one-way and two-way authentication. In one-way authentication, only the server presents a certificate to the client, and the client verifies it. In two-way authentication, also known as mutual TLS or mTLS, both the server and the client present certificates to each other, and they both verify them. Mutual TLS is commonly used for secure web services, such as APIs or webhooks, that require both parties to authenticate each other. Virtual private network (VPN), Secure Shell (SSH), and Transport Layer Security (TLS) are all technologies that can help to ensure the identities of individuals in a two-way communication are verified, but they are not methods of mutual authentication by themselves. They can use mutual certificate authentication as one of their options, but they can also use other methods, such as username and password, pre-shared keys, or tokens. Therefore, they are not as specific or accurate as mutual certificate authentication. References: * What is mutual authentication? | Two-way authentication1 * How to prove and verify someone's identity2 * Identity verification - Information Security & Policy3
Question 39
Which of the following should be of GREATEST concern when an organization wants to store personal data in the cloud?
Correct Answer: A
Question 40
Which types of controls need to be applied to ensure accuracy at all stages of processing, storage, and deletion throughout the data life cycle?
