Which of the following is the MOST important consideration when processing personal data for an AI project?
Correct Answer: A
Before any processing, CDPSE stresses lawfulness: identify and document the appropriate legal basis and processing purpose(s). Security controls (C), algorithmic techniques (B), and aggregation (D) are important but secondary to establishing a lawful basis and purpose limitation. Key CDPSE-aligned phrasing (short extract): "Processing requires a lawful basis and defined purposes prior to collection/use."
Question 112
Which of the following is the GREATEST benefit of adopting data minimization practices?
Correct Answer: B
Unfortunately, the financial liability portion of retained personal information rarely shows up on an organization's financial balance sheet. And yet it is indeed a liability: the impact on an organization when cybercriminals steal that information or when the information is misused is real, in the form of breach response costs, the costs related to reducing harm inflicted on affected parties (think of credit monitoring services, a frequent remedy for stolen credit card numbers), fines from governmental regulators, and the occasional class-action lawsuit.
Question 113
It is MOST important to consider privacy by design principles during which phase of the software development life cycle (SDLC)?
Correct Answer: A
Explanation Requirements definition is a phase of the software development life cycle (SDLC) that involves gathering, analyzing and documenting the functional and non-functional requirements of the software system or application, such as features, performance, security and usability. It is most important to consider privacy by design principles during this phase, as it would help to ensure that privacy is embedded and integrated into the software system or application from the outset, rather than as an afterthought or an add-on. Considering privacy by design principles during requirements definition would also help to avoid costly rework or delays later in the SDLC, as well as to enhance customer trust and satisfaction, and comply with privacy laws and regulations. The other options are not as important as requirements definition in considering privacy by design principles. Application design is a phase of the SDLC that involves creating and specifying the architecture, components, interfaces and data models of the software system or application, based on the requirements defined in the previous phase. Implementation is a phase of the SDLC that involves coding, testing and debugging the software system or application, based on the design specifications created in the previous phase. Testing is a phase of the SDLC that involves verifying and validating that the software system or application meets the requirements and expectations of the users and stakeholders, as well as identifying and fixing any defects or errors1, p. 88-89 References: 1: CDPSE Review Manual (Digital Version)
Question 114
Which of the following is the BEST indication of a highly effective privacy training program?
Correct Answer: A
The best indication of a highly effective privacy training program is that members of the workforce understand their roles in protecting data privacy, because this shows that the training program has successfully raised the awareness and knowledge of the workforce on the importance, principles and practices of data privacy, and how they can contribute to the organization's privacy objectives and compliance. According to ISACA, one of the key elements of a privacy training program is to define and communicate the roles and responsibilities of the workforce in relation to data privacy1. Members of the workforce who understand their roles in protecting data privacy are more likely to follow the privacy policies and procedures, report any privacy incidents or issues, and support the privacy culture of the organization2. Recent audits have no findings or recommendations related to data privacy, no privacy incidents have been reported in the last year, and HR has made privacy training an annual mandate for the organization are not as reliable as members of the workforce understand their roles in protecting data privacy, as they do not necessarily reflect the effectiveness of the privacy training program, but rather the performance of other factors such as audit processes, incident management systems, or HR policies.
Question 115
Which of the following is the GREATEST benefit of adopting data minimization practices?
Correct Answer: C
Explanation The greatest benefit of adopting data minimization practices is that the associated threat surface is reduced. Data minimization is a privacy principle that states that personal data should be adequate, relevant, and limited to what is necessary for the purposes for which they are processed. Data minimization helps to protect data privacy by reducing the amount and type of personal data that are collected, stored, processed, or shared by an organization. This in turn reduces the exposure of personal data to potential threats, such as unauthorized access, use, disclosure, modification, or loss. References: : CDPSE Review Manual (Digital Version), page 29
