A multinational corporation is planning a big data initiative to help with critical business decisions. Which of the following is the BEST way to ensure personal data usage is standardized across the entire organization?
Correct Answer: B
Explanation A data dictionary is a document that defines and describes the data elements, attributes, formats, sources, destinations, purposes and relationships of a data set or system. A data dictionary would be the best way to ensure personal data usage is standardized across the entire organization, as it would provide a common and consistent understanding and reference for how personal data is collected, used, disclosed and transferred within and outside the organization. A data dictionary would also help to ensure compliance with privacy principles, such as accuracy, transparency and accountability. The other options are not as effective as developing a data dictionary in ensuring personal data usage is standardized across the entire organization. De-identify all data is a technique that removes or modifies direct and indirect identifiers in a data set to prevent or limit the identification of the data subjects, but it does not ensure standardization or consistency of personal data usage across the organization. Encrypt all sensitive data is a technique that transforms plain text data into cipher text using an algorithm and a key, making it unreadable by unauthorized parties, but it does not ensure standardization or consistency of personal data usage across the organization. Perform data discovery is a process of identifying and locating personal data within an organization's systems, databases, applications or files, but it does not ensure standardization or consistency of personal data usage across the organization1, p. 69-70 References: 1: CDPSE Review Manual (Digital Version)
Question 12
Which of the following features should be incorporated into an organization's technology stack to meet privacy requirements related to the rights of data subjects to control their personal data?
Correct Answer: B
Any organization collecting information about EU residents is required to operate with transparency in collecting and using their personal information. Chapter III of the GDPR defines eight data subject rights that have become foundational for other privacy regulations around the world: Right to access personal data. Data subjects can access the data collected on them. One of the privacy requirements related to the rights of data subjects is the right to access, which means that individuals have the right to obtain a copy of their personal data, as well as information about how their data is processed, by whom, for what purposes, and for how long. To meet this requirement, an organization's technology stack should incorporate features that allow individuals to have direct access to their data, such as self-service portals, dashboards, or applications. This way, individuals can exercise their right to access without relying on intermediaries or manual processes, which can be inefficient, error-prone, or insecure. Reference: : CDPSE Review Manual (Digital Version), page 137
Question 13
Which of the following is the MOST important consideration when choosing a method for data destruction?
Correct Answer: B
Explanation Validation and certification of data destruction is the most important consideration when choosing a method for data destruction, because it provides evidence that the data has been destroyed beyond recovery and that the organization has complied with the applicable information security frameworks and legal requirements. Validation and certification can also help to prevent data breaches, avoid legal liabilities, and enhance the organization's reputation and trustworthiness. Different methods of data destruction may have different levels of validation and certification, depending on the type of media, the sensitivity of the data, and the standards and guidelines followed. For example, some methods may require a third-party verification or audit, while others may generate a certificate of destruction or a report of erasure. Therefore, the organization should choose a method that can provide sufficient validation and certification for its specific needs and obligations. References: * Secure Data Disposal and Destruction: 6 Methods to Follow, KirkpatrickPrice * Data Destruction Standards and Guidelines, BitRaser * Best Practices for Data Destruction, U.S. Department of Education
Question 14
Which of the following is a foundational goal of data privacy laws?
Correct Answer: D
One of the foundational goals of data privacy laws is to give people rights over the collection of personal data, such as the right to access, correct, delete, or object to the processing of their dat a. Privacy laws also aim to protect people's dignity, autonomy, and self-determination in relation to their personal data. The other options are not accurate or complete descriptions of the purpose of data privacy laws. Reference: CDPSE Review Manual, Chapter 1 - Privacy Governance, Section 1.1 - Privacy Principles1. CDPSE Certified Data Privacy Solutions Engineer All-in-One Exam Guide, Chapter 1 - Privacy Governance, Section 1.2 - Data Privacy Laws and Regulations2.
Question 15
Which of the following is the PRIMARY benefit of implementing policies and procedures for system hardening?
Correct Answer: A
System hardening is a process of applying security measures and configurations to a system to reduce its attack surface and enhance its resistance to threats. System hardening can include disabling unnecessary services, removing default accounts, applying patches and updates, enforcing strong passwords and encryption, and implementing firewalls and antivirus software. The primary benefit of system hardening is that it increases system resiliency, which is the ability of a system to withstand or recover from adverse events that could affect its functionality or performance. The other options are not the primary benefits of system hardening, although they may be secondary benefits or outcomes. System hardening does not necessarily reduce external threats to data, as threats can originate from various sources and vectors. System hardening may reduce exposure of data, but only if the data is stored or processed by the system. System hardening does not eliminate attack motivation for data, as attackers may have different motives and incentives for targeting data. , p. 91-92 Reference: : CDPSE Review Manual (Digital Version)
