IAPP CIPT Exam Questions Instant Access - No Installation Required

Question 1

What is the main function of a breach response center?

ADetecting internal security attacks.

BAddressing privacy incidents.

CProviding training to internal constituencies.

DInterfacing with privacy regulators and governmental bodies.

Answer : B

The main function of a breach response center is to address privacy incidents by managing the response to data breaches and other security incidents. This includes identifying, containing, and mitigating the impact of breaches, as well as coordinating communication with affected parties and regulatory bodies.

IAPP CIPT Study Guide: Incident Response and Breach Management.

IAPP Certified Information Privacy Technologist (CIPT) Handbook: Section on Incident Management and Breach Response.

Question 2

An EU marketing company is planning to make use of personal data captured to make automated decisions based on profiling. In some cases, processing and automated decisions may have a legal effect on individuals, such as credit worthiness.

When evaluating the implementation of systems making automated decisions, in which situation would the company have to accommodate an individual's right NOT to be subject to such processing to ensure compliance under the General Data Protection Regulation (GDPR)?

AWhen an individual's legal status or rights are not affected by the decision.

BWhen there is no human intervention or influence in the decision-making process.

CWhen the individual has given explicit consent to such processing and suitable safeguards exist.

DWhen the decision is necessary for entering into a contract and the individual can contest the decision.

Answer : C

Under the GDPR, individuals have the right not to be subject to a decision based solely on automated processing, including profiling, if it produces legal effects concerning them or significantly affects them. This right applies particularly when there is no human intervention in the decision-making process. The GDPR Article 22 specifies that individuals can object to automated decisions that have significant consequences unless the decision is necessary for entering into a contract, authorized by law, or based on explicit consent with appropriate safeguards. Therefore, the company's systems making automated decisions without human involvement must accommodate individuals' rights to opt out to ensure compliance. This interpretation is aligned with GDPR regulations as explained in IAPP's Information Privacy Technologist materials.

Question 3

SCENARIO

Carol was a U.S.-based glassmaker who sold her work at art festivals. She kept things simple by only accepting cash and personal checks.

As business grew, Carol couldn't keep up with demand, and traveling to festivals became burdensome. Carol opened a small boutique and hired Sam to run it while she worked in the studio. Sam was a natural salesperson, and business doubled. Carol told Sam, ''I don't know what you are doing, but keep doing it!"

But months later, the gift shop was in chaos. Carol realized that Sam needed help so she hired Jane, who had business expertise and could handle the back-office tasks. Sam would continue to focus on sales. Carol gave Jane a few weeks to get acquainted with the artisan craft business, and then scheduled a meeting for the three of them to discuss Jane's first impressions.

At the meeting, Carol could not wait to hear Jane's thoughts, but she was unprepared for what Jane had to say. ''Carol, I know that he doesn't realize it, but some of Sam's efforts to increase sales have put you in a vulnerable position. You are not protecting customers' personal information like you should.''

Sam said, ''I am protecting our information. I keep it in the safe with our bank deposit. It's only a list of customers' names, addresses and phone numbers that I get from their checks before I deposit them. I contact them when you finish a piece that I think they would like. That's the only information I have! The only other thing I do is post photos and information about your work on the photo sharing site that I use with family and friends. I provide my email address and people send me their information if they want to see more of your work. Posting online really helps sales, Carol. In fact, the only complaint I hear is about having to come into the shop to make a purchase.''

Carol replied, ''Jane, that doesn't sound so bad. Could you just fix things and help us to post even more online?"

'I can," said Jane. ''But it's not quite that simple. I need to set up a new program to make sure that we follow the best practices in data management. And I am concerned for our customers. They should be able to manage how we use their personal information. We also should develop a social media strategy.''

Sam and Jane worked hard during the following year. One of the decisions they made was to contract with an outside vendor to manage online sales. At the end of the year, Carol shared some exciting news. ''Sam and Jane, you have done such a great job that one of the biggest names in the glass business wants to buy us out! And Jane, they want to talk to you about merging all of our customer and vendor information with theirs beforehand."

Which regulator has jurisdiction over the shop's data management practices?

AThe Federal Trade Commission.

BThe Department of Commerce.

CThe Data Protection Authority.

DThe Federal Communications Commission.

Answer : A

The Federal Trade Commission (FTC) is responsible for protecting consumers in the U.S. by preventing fraudulent, deceptive, and unfair business practices. It has jurisdiction over commercial data privacy and security practices, including those of Carol's shop. The FTC enforces data protection and privacy standards to ensure consumer information is handled appropriately.

IAPP CIPT Study Guide: Regulatory Environment.

IAPP Certified Information Privacy Technologist (CIPT) Handbook: Section on U.S. Privacy Laws and Regulations.

Question 4

What is the main reason a company relies on implied consent instead of explicit consent from a user to process her data?

AThe implied consent model provides the user with more detailed data collection information.

BTo secure explicit consent, a user's website browsing would be significantly disrupted.

CAn explicit consent model is more expensive to implement.

DRegulators prefer the implied consent model.

Answer : B

Implied consent is often used instead of explicit consent in certain contexts because obtaining explicit consent can be disruptive to the user experience. Explicit consent usually requires the user to perform an additional action, such as clicking a checkbox or filling out a form, which can interrupt their activity on the website. This disruption can lead to a negative user experience and potentially a decrease in user engagement. The IAPP guidelines emphasize the balance between user experience and the need for consent, noting that implied consent can be sufficient in situations where it is clear that the user understands and agrees to the data processing (IAPP, 'Privacy by Design and Default').

Question 5

A key principle of an effective privacy policy is that it should be?

AWritten in enough detail to cover the majority of likely scenarios.

BMade general enough to maximize flexibility in its application.

CPresented with external parties as the intended audience.

DDesigned primarily by the organization's lawyers.

Answer : A

A key principle of an effective privacy policy is that it should be written in enough detail to cover the majority of likely scenarios. This ensures that the policy provides clear guidance on how personal data is to be handled, making it easier for employees to understand and follow, and for customers to know how their data is being used. According to the IAPP, privacy policies need to be sufficiently detailed to address the range of situations that the organization may encounter, which helps in maintaining compliance with privacy laws and regulations.

Question 6

How does k-anonymity help to protect privacy in micro data sets?

ABy ensuring that every record in a set is part of a group of 'k' records having similar identifying information.

BBy switching values between records in order to preserve most statistics while still maintaining privacy.

CBy adding sufficient noise to the data in order to hide the impact of any one individual.

DBy top-coding all age data above a value of 'k.'

Answer : A

K-anonymity is a privacy protection technique that ensures each individual data record cannot be distinguished from at least k1k-1k1 other records with respect to certain identifying information. This means that each record in the data set is made to look like at least k1k-1k1 other records, making it difficult to identify individuals. The primary goal of k-anonymity is to prevent re-identification of individuals in microdata by ensuring that personal records are indistinguishable within a group of size kkk. This concept is widely discussed in IAPP materials related to data de-identification and anonymization (IAPP, 'Anonymization and Pseudonymization').

Question 7

Which of the following is a stage in the data life cycle?

AData classification.

BData inventory.

CData masking.

DData retention.

Answer : D

Option A: Data classification is a process used to categorize data based on sensitivity and other criteria, but it is not a stage in the data lifecycle.

Option B: Data inventory involves cataloging data assets, which is part of data management practices rather than a lifecycle stage.

Option C: Data masking is a technique used to protect data but is not a lifecycle stage.

Option D: Data retention is a stage in the data lifecycle that involves keeping data for a specified period according to legal, regulatory, and business requirements.

IAPP CIPT Study Guide

Data lifecycle management frameworks and best practices

IAPP Certified Information Privacy Technologist CIPT Exam Questions