Which of the following would BEST support an organization in fulfilling data subject rights?
Correct Answer: D
A current and accurate data map enables organizations to locate personal data across systems, which is essential for responding to access, rectification, erasure, and portability requests. DLP (A) prevents leakage, not rights fulfillment; breach handling (B) addresses incidents, not rights; contact forms (C) provide intake but not fulfillment. "Data maps provide visibility into where and how personal data is processed, enabling rights fulfillment."
Question 27
Which of the following is the BEST way to validate that privacy practices align to the published enterprise privacy management program?
Correct Answer: A
The best way to validate that privacy practices align to the published enterprise privacy management program is to conduct an audit. An audit is an independent and objective examination of evidence to provide assurance that privacy practices are effective and compliant with the enterprise privacy management program. An audit can also identify any gaps or weaknesses in the privacy practices and provide recommendations for improvement. An audit can be conducted internally or externally, depending on the scope, objectives, and standards of the audit. Reference: CDPSE Review Manual (Digital Version), page 83
Question 28
Which of the following should be the FIRST consideration when conducting a privacy impact assessment (PIA)?
Correct Answer: A
The first consideration when conducting a privacy impact assessment (PIA) is the applicable privacy legislation that governs the collection, processing, storage, transfer, and disposal of personal data within the scope of the assessment. The applicable privacy legislation may vary depending on the jurisdiction, sector, or purpose of the data processing activity. The PIA should identify and comply with the relevant legal requirements and obligations for data protection and privacy, such as obtaining consent, providing notice, ensuring data quality and security, respecting data subject rights, and reporting data breaches. The applicable privacy legislation also determines the criteria, methodology, and documentation for conducting the PIA.
References:
* ISACA, Performing an Information Security and Privacy Risk Assessment
* ISACA, Best Practices for Privacy Audits
* ISACA, GDPR Data Protection Impact Assessments
* ISACA, GDPR Data Protection Impact Assessment Template
Question 29
Which of the following MOST effectively ensures data privacy when sharing datasets for machine learning (ML) model training?
Correct Answer: B
Anonymization (de-identification) is the PET that removes or irreversibly transforms identifiers so individuals are not identifiable, enabling safer secondary use and sharing. Controls like encryption in transit (D) and attribute-based access (C) restrict access or protect data in motion but do not prevent reidentification once data are accessed. Integrity checks (A) protect correctness, not privacy. Key CDPSE-aligned phrasing (short extract): "Anonymization... renders personal data not identifiable to a data subject."
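The following is an added example (not from the question bank or from ISACA) of the de-identification step described above: direct identifiers are dropped, the quasi-identifiers are generalized (age into ten-year bands, ZIP code truncated to its prefix), and the release is checked for a minimum equivalence-class size before it is shared for ML training. The records, field names, and the k-anonymity threshold are constructed assumptions for illustration.

```python
from collections import Counter

# Constructed sample export: a raw training dataset before de-identification.
RAW_RECORDS = [
    {"name": "Ana Costa", "email": "ana@example.com", "age": 34, "zip": "90210", "dx": "asthma"},
    {"name": "Ben Lee", "email": "ben@example.com", "age": 36, "zip": "90211", "dx": "asthma"},
    {"name": "Cara Diaz", "email": "cara@example.com", "age": 38, "zip": "90212", "dx": "diabetes"},
    {"name": "Dan Park", "email": "dan@example.com", "age": 52, "zip": "10001", "dx": "diabetes"},
    {"name": "Eve Adams", "email": "eve@example.com", "age": 57, "zip": "10002", "dx": "asthma"},
    {"name": "Finn Roy", "email": "finn@example.com", "age": 55, "zip": "10003", "dx": "asthma"},
]

# Assumed classification of the fields: direct identifiers are removed outright,
# quasi-identifiers are generalized because their combination can re-identify a person.
DIRECT_IDENTIFIERS = ("name", "email")
QUASI_IDENTIFIERS = ("age", "zip")


def generalize(record: dict) -> dict:
    """Drop direct identifiers and coarsen the quasi-identifiers of one record."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    lo = (out["age"] // 10) * 10
    out["age"] = f"{lo}-{lo + 9}"          # e.g. 34 -> "30-39"
    out["zip"] = out["zip"][:3] + "**"      # e.g. "90210" -> "902**"
    return out


def anonymize(records: list) -> list:
    return [generalize(r) for r in records]


def k_anonymity(records: list, quasi=QUASI_IDENTIFIERS) -> int:
    """Smallest group of records sharing the same quasi-identifier values.

    A value of 1 means at least one record is unique on its quasi-identifiers
    and can be singled out; larger values mean each record hides among k peers.
    """
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values()) if groups else 0


def release_for_training(records: list, k: int = 3) -> list:
    """Anonymize and refuse to release a dataset that does not meet the k threshold."""
    anon = anonymize(records)
    achieved = k_anonymity(anon)
    if achieved < k:
        raise ValueError(f"release blocked: k-anonymity {achieved} is below required {k}")
    return anon


if __name__ == "__main__":
    print("raw k:", k_anonymity(RAW_RECORDS))            # every raw record is unique
    for row in release_for_training(RAW_RECORDS):
        print(row)
```

The sensitive attribute (`dx`) is kept because it is what the model needs to learn from; the point of the check is that no record can be tied back to a person through the remaining columns. Encryption or access control on the same export would not change this result, since the recipient sees the plaintext once access is granted.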
Question 30
An organization has a policy requiring the encryption of personal data if transmitted through email. Which of the following is the BEST control to ensure the effectiveness of this policy?
Correct Answer: B
A data loss prevention (DLP) tool is a software solution that monitors, detects and prevents the unauthorized transmission or leakage of sensitive data, such as personal data, from an organization's network or devices. A DLP tool can help to ensure the effectiveness of a policy requiring the encryption of personal data if transmitted through email, by applying the following controls:
* Scanning the content and attachments of outgoing emails for personal data, such as names, email addresses, biometric data, IP addresses, etc.
* Blocking or quarantining emails that contain unencrypted personal data, and alerting the sender and/or the administrator of the policy violation.
* Encrypting personal data automatically before sending them through email, using encryption standards and algorithms that are compliant with data protection laws and regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
* Generating audit logs and reports of email activities and incidents involving personal data, and providing visibility and accountability for policy compliance.
The other options are less effective or irrelevant to ensure the effectiveness of the policy. Providing periodic user awareness training on data encryption is a good practice, but it does not guarantee that users will follow the policy or know how to encrypt personal data properly. Conducting regular control self-assessments (CSAs) is a useful method to evaluate the design and operation of the policy, but it does not prevent or detect policy violations in real time. Enforcing annual attestation to policy compliance is a formal way to demonstrate user commitment to the policy, but it does not verify or measure the actual level of compliance.
References:
* The Complexity Conundrum: Simplifying Data Security - ISACA, section 3: "Data loss prevention (DLP) solutions can help prevent unauthorized access to sensitive information by monitoring network traffic for specific keywords or patterns."
* Guide to Securing Personal Data in Electronic Medium, section 3.2: "Organisations should consider implementing DLP solutions to prevent unauthorised disclosure of personal data via email."
* Encryption in the Hands of End Users - ISACA, section 2: "A key goal of encryption is to protect the file even when direct access is possible or the transfer is intercepted."
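As an added example (not from the question bank, ISACA, or any DLP product) of the first, second and fourth controls listed above, the script below inspects outbound messages the way an email DLP policy would: it checks whether the message is already encrypted (PGP/MIME or S/MIME enveloped), scans the text parts of unencrypted messages for personal-data patterns, and returns a block/allow decision together with an audit record. The three sample messages, the two regular expressions, and the header and filename heuristics used to recognise encryption are constructed assumptions; a production DLP tool uses far richer classifiers and also handles attachments.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages (not real traffic).
ENCRYPTED_MSG = """From: alice@corp.example
To: partner@example.net
Subject: Customer export
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(ciphertext omitted in this constructed sample)
-----END PGP MESSAGE-----
--b1--
"""

PLAIN_MSG = """From: bob@corp.example
To: partner@example.net
Subject: Quick follow-up
Content-Type: text/plain

Hi, here is the contact: jane.doe@example.org, reached from 203.0.113.7.
"""

CLEAN_MSG = """From: bob@corp.example
To: carol@corp.example
Subject: Lunch
Content-Type: text/plain

Lunch at noon? Room 4.
"""

# Assumed detection patterns for two of the personal-data types named in the policy text.
PATTERNS = {
    "email_address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def is_encrypted(msg: Message) -> bool:
    """Heuristic: PGP/MIME container, S/MIME enveloped data, or an encrypted attachment."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "multipart/encrypted":
            return True
        # S/MIME uses the same media type for signed-only and enveloped messages;
        # only enveloped (encrypted) data satisfies the policy.
        if ctype == "application/pkcs7-mime" and part.get_param("smime-type") != "signed-data":
            return True
        if (part.get_filename() or "").lower().endswith((".pgp", ".asc", ".p7m")):
            return True
    return False


def scan_for_personal_data(msg: Message) -> list:
    """Return (pattern_name, match) pairs found in the message's text parts.

    Headers are deliberately not scanned: From/To always contain addresses.
    """
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", errors="replace")
        for label, pattern in PATTERNS.items():
            findings.extend((label, m.group()) for m in pattern.finditer(text))
    return findings


def evaluate_outbound(raw_message: str) -> dict:
    """Apply the policy: unencrypted personal data is blocked; everything else passes."""
    msg = message_from_string(raw_message)
    encrypted = is_encrypted(msg)
    findings = [] if encrypted else scan_for_personal_data(msg)
    return {  # this record doubles as the audit-log entry for the decision
        "from": msg["From"], "to": msg["To"], "subject": msg["Subject"],
        "encrypted": encrypted, "findings": findings,
        "decision": "block" if findings else "allow",
    }


if __name__ == "__main__":
    for sample in (ENCRYPTED_MSG, PLAIN_MSG, CLEAN_MSG):
        print(evaluate_outbound(sample))
```

The decision logic is what separates a DLP control from awareness training or attestation: the check runs on every message at send time, and the returned record gives the administrator the evidence trail the explanation above calls for.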