Which of the following should an organization do FIRST to ensure it can respond to all data subject access requests in a timely manner?
Correct Answer: A
Explanation: Before an organization can respond to data subject access requests (DSARs), it needs to have a clear understanding of the data in its possession, such as what types of personal data are collected, where they are stored, how they are processed, who has access to them, and how long they are retained. This will help the organization to locate and retrieve the relevant data for each DSAR, and to ensure that the data are accurate, complete and up to date. Understanding the data in its possession will also help the organization to comply with other data protection principles and obligations, such as data minimization, purpose limitation, security and accountability.

The other options are less important or irrelevant to do first. Investing in a platform to automate data review may help to speed up the response process, but it does not guarantee that the organization has identified all the data sources and categories that are subject to DSARs. Confirming what is required for disclosure is also important, but it depends on the specific request and the applicable law or regulation. Creating a policy for handling access requests is a good practice, but it should be based on a thorough understanding of the data in its possession.

References:
* Practical Data Security and Privacy for GDPR and CCPA - ISACA, section 2: "It is important to understand what personal information is collected and processed by an organization."
* Introduction to Data Subject Access Requests - Everlaw, section 3: "The first step in responding to a DSAR is identifying where the relevant personal data reside within your organization."
* Guidelines 01/2022 on data subject rights - Right of access Version 1, section 2.1: "The controller should have a clear overview of all processing activities involving personal data."
Question 87
Which of the following MOST effectively ensures data privacy when sharing datasets for machine learning (ML) model training?
Correct Answer: B
Anonymization (de-identification) is the privacy-enhancing technology (PET) that removes or irreversibly transforms identifiers so individuals are not identifiable, enabling safer secondary use and sharing. Controls like encryption in transit (D) and attribute-based access (C) restrict access or protect data in motion but do not prevent reidentification once data are accessed. Integrity checks (A) protect correctness, not privacy. Key CDPSE-aligned phrasing (short extract): "Anonymization... renders personal data not identifiable to a data subject."
Question 88
When configuring information systems for the communication and transport of personal data, an organization should:
Correct Answer: D
Question 89
Which authentication practice is being used when an organization requires a photo on a government-issued identification card to validate an in-person credit card purchase?
Correct Answer: A
Authentication is a process of verifying the identity of a user or device that requests access to a system or resource. Authentication can be based on one or more factors, such as something the user knows (e.g., password), something the user has (e.g., token), something the user is (e.g., fingerprint) or something the user does (e.g., signature). When an organization requires a photo on a government-issued identification card to validate an in-person credit card purchase, it is using possession factor authentication, which relies on something the user has as proof of identity. The other options are not applicable in this scenario [1, p. 81].

Reference: [1] CDPSE Review Manual (Digital Version)
Question 90
Which of the following should be done FIRST when a data collection process is deemed to be a high-level risk?
Correct Answer: C
Explanation: The first thing to do when a data collection process is deemed to be a high-level risk is to conduct a privacy impact assessment (PIA). A PIA is a systematic process that identifies and evaluates the potential effects of personal data processing operations on the privacy of individuals and the organization. A PIA helps to identify privacy risks and mitigation strategies at an early stage of the data collection process and ensures compliance with legal and regulatory requirements. A PIA also helps to demonstrate accountability and transparency to stakeholders and data subjects regarding how their personal data are collected, used, shared, stored, or deleted.

Performing a business impact analysis (BIA), implementing remediation actions to mitigate privacy risk, or creating a system of records notice (SORN) are also important steps for managing privacy risk, but they are not the first thing to do. Performing a BIA is a process of analyzing the potential impacts of disruptive events on the organization's critical functions, processes, resources, or objectives. A BIA helps to determine the recovery priorities, strategies, and objectives for the organization in case of a disaster or crisis. Implementing remediation actions is a process of applying corrective or preventive measures to reduce or eliminate the privacy risks identified by the PIA or other methods. Remediation actions may include technical, organizational, or legal solutions, such as encryption, access control, consent management, or contractual clauses. Creating a SORN is a process of publishing a public notice that describes the existence and purpose of a system of records that contains personal data under the control of a federal agency. A SORN helps to inform the public about how their personal data are collected and maintained by the agency and what rights they have regarding their data.
References: Privacy Impact Assessment (PIA) - European Commission, Privacy Impact Assessment (PIA) | ICO, Privacy Impact Assessments | HHS.gov