Which of the following scenarios poses the GREATEST risk to an organization from a privacy perspective?
Correct Answer: A
Explanation The scenario that poses the greatest risk to an organization from a privacy perspective is that the organization lacks a hardware disposal policy. A hardware disposal policy is a policy that defines how the organization should dispose of or destroy hardware devices that contain or process personal data, such as laptops, servers, hard drives, USBs, etc. A hardware disposal policy should ensure that personal data is securely erased or overwritten before the hardware device is discarded, recycled, donated, or sold. A hardware disposal policy should also comply with the applicable privacy regulations and standards that govern data retention and destruction. By lacking a hardware disposal policy, the organization exposes personal data to potential threats, such as theft, loss, or unauthorized access, use, disclosure, or transfer. References: : CDPSE Review Manual (Digital Version), page 123
Question 62
Which of the following principles is MOST important to apply when granting access to an enterprise resource planning (ERP) system that contains a significant amount of personal data?
Correct Answer: B
The principle of least privilege is the most important principle to apply when granting access to an ERP system that contains a significant amount of personal dat a. The principle of least privilege states that users should only have the minimum level of access and permissions necessary to perform their legitimate tasks and functions, and no more. Applying the principle of least privilege helps to protect the privacy and security of the personal data in the ERP system, as it reduces the risk of unauthorized or inappropriate access, disclosure, modification, or deletion of the data. It also helps to comply with the privacy laws and regulations, such as the GDPR, that require data controllers and processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Question 63
An online business posts its customer data protection notice that includes a statement indicating information is collected on how products are used, the content viewed, and the time and duration of online activities. Which data protection principle is applied?
Correct Answer: C
Explanation The data protection principle that is applied when an online business posts its customer data protection notice that includes a statement indicating information is collected on how products are used, the content viewed, and the time and duration of online activities is lawfulness and fairness. Lawfulness and fairness are two of the core principles of data protection under various laws and regulations, such as the GDPR or the CCPA. They state that personal data should be processed lawfully, fairly and in a transparent manner in relation to the data subject. By posting a customer data protection notice that informs customers about what information is collected and for what purpose, the online business demonstrates its compliance with these principles. System use requirements, data integrity and confidentiality, or data use limitation are not the correct names of the data protection principles that are applied in this case. System use requirements are not a specific principle of data protection, but rather a general term that refers to the rules or policies that govern how users can access and use a system or service. Data integrity and confidentiality are two aspects of the security principle of data protection, which states that personal data should be processed in a manner that ensures appropriate security of the personal data. Data use limitation is not a specific principle of data protection either, but rather a concept that relates to the purpose limitation principle, which states that personal data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. References: A guide to the data protection principles | ICO, Data Protection Principles: Core Principles of the GDPR - Cloudian, Data Protection Basics: The 7 data protection principles
Question 64
The MOST effective way to incorporate privacy by design principles into applications is to include privacy requirements in.
Correct Answer: C
The most effective way to incorporate privacy by design principles into applications is to include privacy requirements in software development practices, because this ensures that privacy is considered and integrated from the early stages of the design process and throughout the entire lifecycle of the application. Software development practices include activities such as defining the scope, objectives, and specifications of the application, identifying and analyzing the privacy risks and impacts, selecting and implementing the appropriate privacy-enhancing technologies and controls, testing and validating the privacy functionality and performance, and monitoring and reviewing the privacy compliance and effectiveness of the application. By including privacy requirements in software development practices, the organization can achieve a proactive, preventive, and embedded approach to privacy that aligns with the privacy by design principles. Reference: CDPSE Review Manual, 2023 Edition, Domain 2: Privacy Architecture, Section 2.1.2: Privacy Requirements, p. 75 CDPSE Review Manual, 2023 Edition, Domain 2: Privacy Architecture, Section 2.2.1: Privacy by Design Methodology, p. 79-80 The 7 Principles of Privacy by Design | Blog | OneTrust1
Question 65
An online business posts its customer data protection notice that includes a statement indicating information is collected on how products are used, the content viewed, and the time and duration of online activities. Which data protection principle is applied?
