• Home
  • Articles
  • CIPM Practice Test Questions Updated 203 Questions [Q119-Q137]

CIPM Practice Test Questions Updated 203 Questions [Q119-Q137]

Share

CIPM Practice Test Questions Updated 203 Questions

IAPP CIPM Dumps - Secret To Pass in First Attempt


More Details about Actual Test

The exam is accredited under the ANSI/ISO standard 17024:2012 and will test if candidates are capable of making privacy regulations that work for their organization through implementation in their daily operations. To be tested as well are issues regarding the creation of a vision belonging to a company, structuring a team for data protection, creating and executing system frameworks, communicating to stakeholders, and checking for performance, among others. What concerns the CIPM exam, it goes for 2.5 hours and carries 90 questions. Plus, it is offered remotely in more than 6000 testing centers across the world. The application fee when undertaking it for the first time is $550. For retakes, however, the payment is $375. Every two years, a professional has to part with $250, which is a maintenance fee. Members have this amount linked with the membership fee. To know more, the test is computer-delivered via Pearson VUE. Once the candidate pays for the final exam on the IAPP official website, they are directed to the Pearson VUE website to get a HOST location. There, the candidate will get an exam date as well as time through their My Purchases tab on the IAPP website. All candidates are encouraged to go through the Certification Handbook before they book the test so that they can be aware of the IAPP exam policies and relevant procedures. There is also the BoK for the CIPM that outlines the essential concepts as well as topics that a candidate ought to be familiar with as they seek for the designation.


IAPP CIPM certification is an essential credential for professionals who handle privacy-related matters in an organization. Certified Information Privacy Manager (CIPM) certification demonstrates that the individual has a thorough understanding of privacy program management and can effectively manage and implement privacy policies and procedures. Certified Information Privacy Manager (CIPM) certification is highly valued in the industry and can enhance an individual's career opportunities and earning potential.

 

NEW QUESTION # 119
Under the General Data Protection Regulation (GDPR), which situation would be LEAST likely to require a Data Protection Impact Assessment (DPIA)?

  • A. An online magazine using a mailing list to send a generic daily digest to marketing emails
  • B. A health clinic processing its patients' genetic and health data
  • C. A Human Resources department using a tool to monitor its employees' internet activity
  • D. The use of a camera system to monitor driving behavior on highways

Answer: A

Explanation:
Explanation
A Data Protection Impact Assessment (DPIA) is a process to help identify and minimize the data protection risks of a project. Under the GDPR, a DPIA is required when the processing is likely to result in a high risk to the rights and freedoms of individuals, especially when using new technologies. The GDPR provides some examples of high-risk processing activities, such as systematic and extensive evaluation of personal aspects, large-scale processing of special categories of data, or systematic monitoring of public areas. The other options are more likely to require a DPIA than the online magazine using a mailing list to send a generic daily digest to marketing emails, as they involve more sensitive or intrusive types of processing. References:
* [Data protection impact assessments | ICO]
* [Art. 35 GDPR - Data protection impact assessment - GDPR.eu]


NEW QUESTION # 120
Under the General Data Protection Regulation (GDPR), which of the following situations would LEAST likely require a controller to notify a data subject?

  • A. An encrypted USB key with sensitive personal data is stolen
  • B. A direct marketing email is sent with recipients visible in the 'cc' field
  • C. Personal data of a group of individuals is erroneously sent to the wrong mailing list
  • D. A hacker publishes usernames, phone numbers and purchase history online after a cyber-attack

Answer: B


NEW QUESTION # 121
Which of the following is TRUE about the Data Protection Impact Assessment (DPIA) process as required under the General Data Protection Regulation (GDPR)?

  • A. The DPIA must include a description of the proposed processing operation and its purpose.
  • B. The DPIA result must be reported to the corresponding supervisory authority.
  • C. The DPIA is required if the processing activity entails risk to the rights and freedoms of an EU individual.
  • D. The DPIA report must be published to demonstrate the transparency of the data processing.

Answer: A

Explanation:
Explanation
The statement that is true about the Data Protection Impact Assessment (DPIA) process as required under the General Data Protection Regulation (GDPR) is that the DPIA must include a description of the proposed processing operation and its purpose. According to Article 35(7) of the GDPR, a DPIA shall contain at least:
* "a systematic description of the envisaged processing operations and the purposes of the processing";
* "an assessment of the necessity and proportionality of the processing operations in relation to the purposes";
* "an assessment of the risks to the rights and freedoms of data subjects";
* "the measures envisaged to address the risks";
* "safeguards", "security measures";
* "mechanisms to ensure the protection of personal data";
* "to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned"5 Therefore, a DPIA must include a description of what data processing activities are planned and why they are needed as part of its content. This helps to provide a clear overview of the processing operation and its objectives as well as to assess its necessity and proportionality in relation to its purposes6 References: 5:
[General Data Protection Regulation (GDPR) - Official Legal Text], Article 35(7); 6: Data protection impact assessments | ICO


NEW QUESTION # 122
Which of the following privacy frameworks are legally binding?

  • A. Organization for Economic Co-Operation and Development (OECD) Guidelines.
  • B. Generally Accepted Privacy Principles (GAPP).
  • C. Asia-Pacific Economic Cooperation (APEC) Privacy Framework.
  • D. Binding Corporate Rules (BCRs).

Answer: D

Explanation:
Explanation
Binding Corporate Rules (BCRs) are a set of legally binding rules that allow multinational corporations or groups of companies to transfer personal data across borders within their organization in compliance with the EU data protection law1 BCRs are approved by the competent data protection authorities in the EU and are enforceable by data subjects and the authorities2 BCRs are one of the mechanisms recognized by the EU General Data Protection Regulation (GDPR) to ensure an adequate level of protection for personal data transferred outside the European Economic Area (EEA)3


NEW QUESTION # 123
A new business crafting its privacy policy is struggling with how it will define the term "personal data." Which of the following should inform this decision?

  • A. The types of special categories of data being processed.
  • B. The amount of data the business expects to collect.
  • C. The privacy laws to which the business is subject.
  • D. The business's requirements for storing collected data.

Answer: C

Explanation:
Comprehensive and Detailed Explanation:
The definition of "personal data" must be based on applicable privacy laws (e.g., GDPR, CCPA, or LGPD), as different regulations define personal data differently.


NEW QUESTION # 124
Under the General Data Protection Regulation (GDPR), which situation would be LEAST likely to require a Data Protection Impact Assessment (DPIA)?

  • A. An online magazine using a mailing list to send a generic daily digest to marketing emails
  • B. A health clinic processing its patients' genetic and health data
  • C. A Human Resources department using a tool to monitor its employees' internet activity
  • D. The use of a camera system to monitor driving behavior on highways

Answer: A

Explanation:
A Data Protection Impact Assessment (DPIA) is a process to help identify and minimize the data protection risks of a project. Under the GDPR, a DPIA is required when the processing is likely to result in a high risk to the rights and freedoms of individuals, especially when using new technologies. The GDPR provides some examples of high-risk processing activities, such as systematic and extensive evaluation of personal aspects, large-scale processing of special categories of data, or systematic monitoring of public areas. The other options are more likely to require a DPIA than the online magazine using a mailing list to send a generic daily digest to marketing emails, as they involve more sensitive or intrusive types of processing. Reference:
[Data protection impact assessments | ICO]
[Art. 35 GDPR - Data protection impact assessment - GDPR.eu]


NEW QUESTION # 125
SCENARIO
Please use the following to answer the next question:
Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.
This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them." Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing.
You worry too much, but that's why you're so good at your job!"
Which is the best first step in understanding the data security practices of a potential vendor?

  • A. Conducting a physical audit of the vendor's facilities.
  • B. Requiring the vendor to complete a questionaire assessing International Organization for Standardization (ISO) 27001 compliance.
  • C. Examining investigation records of any breaches the vendor has experienced.
  • D. Conducting a penetration test of the vendor's data security structure.

Answer: C


NEW QUESTION # 126
SCENARIO
Please use the following to answer the next QUESTION:
Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to Question the company's privacy program at today's meeting.
Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging Nationwide Grill's market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced.
Spencer - a former CEO and currently a senior advisor - said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.
One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason.
"Breaches can happen, despite organizations' best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton's had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton's's corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company's incident response.
Spencer replied that acting with reason means allowing security to be handled by the security functions within the company - not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company's privacy program. Both the volume and the duplication of information means that it is often ignored altogether.
Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month." Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules. Silently, Natalia agreed.
Based on the scenario, Nationwide Grill needs to create better employee awareness of the company's privacy program by doing what?

  • A. Improving inter-departmental cooperation.
  • B. Requiring acknowledgment of company memos.
  • C. Communicating to the staff more often.
  • D. Varying the modes of communication.

Answer: B


NEW QUESTION # 127
Read the following steps:
* Perform frequent data back-ups.
* Perform test restorations to verify integrity of backed-up data.
* Maintain backed-up data offline or on separate servers.
These steps can help an organization recover from what?

  • A. Phishing attacks
  • B. Authorization errors
  • C. Ransomware attacks
  • D. Stolen encryption keys

Answer: C

Explanation:
Explanation


NEW QUESTION # 128
Which is TRUE about the scope and authority of data protection oversight authorities?

  • A. No one agency officially oversees the enforcement of privacy regulations in the United States
  • B. The Office of the Privacy Commissioner (OPC) of Canada has the right to impose financial sanctions on violators
  • C. The Asia-Pacific Economic Cooperation (APEC) Privacy Frameworks require all member nations to designate a national data protection authority
  • D. All authority in the European Union rests with the Data Protection Commission (DPC)

Answer: B


NEW QUESTION # 129
SCENARIO
Please use the following to answer the next QUESTION:
As the Director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development.
You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program's sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change.
Initially, your work was greeted with little confidence or enthusiasm by the company's "old guard" among both the executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the current state of operations, you soon had the leaders and key decision-makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training program achieved sufficient "buy-in" to begin putting the proper procedures into place.
Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development. While your approach is not systematic, it is fairly effective.
You are left contemplating:
What must be done to maintain the program and develop it beyond just a data breach prevention program?
How can you build on your success?
What are the next action steps?
What stage of the privacy operational life cycle best describes Consolidated's current privacy program?

  • A. Sustain.
  • B. Assess.
  • C. Respond.
  • D. Protect.

Answer: A


NEW QUESTION # 130
Which of the following is NOT typically a function of a Privacy Officer?

  • A. Responding to information access requests from the public.
  • B. Monitoring an organization's compliance with privacy laws.
  • C. Managing an organization's information security infrastructure.
  • D. Serving as an interdepartmental liaison for privacy concerns.

Answer: C

Explanation:
Explanation
This answer is not typically a function of a Privacy Officer, as it is usually performed by a separate role or department that is responsible for the technical aspects of data protection, such as the Chief Information Security Officer (CISO) or the Information Security Manager. A Privacy Officer is more focused on the legal, regulatory and ethical aspects of data protection, such as ensuring compliance with privacy laws and regulations, developing and implementing privacy policies and procedures, conducting privacy impact assessments and audits, providing privacy training and awareness, and handling privacy incidents or breaches.


NEW QUESTION # 131
SCENARIO
Please use the following to answer the next QUESTION:
Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to Question the company's privacy program at today's meeting.
Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging Nationwide Grill's market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced.
Spencer - a former CEO and currently a senior advisor - said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.
One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason.
"Breaches can happen, despite organizations' best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton's had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton's's corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company's incident response.
Spencer replied that acting with reason means allowing security to be handled by the security functions within the company - not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company's privacy program. Both the volume and the duplication of information means that it is often ignored altogether.
Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month." Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules. Silently, Natalia agreed.
How could the objection to Spencer's training suggestion be addressed?

  • A. By introducing a system of periodic refresher trainings.
  • B. By customizing training based on length of employee tenure.
  • C. By offering alternative delivery methods for trainings.
  • D. By requiring training only on an as-needed basis.

Answer: C

Explanation:
Explanation
This answer is the best way to address the objection to Spencer's training suggestion, as it can provide flexibility and convenience for employees who work in different locations or have different schedules.
Alternative delivery methods for trainings can include online courses, webinars, podcasts, videos or self-paced modules that can be accessed anytime and anywhere by employees. Alternative delivery methods can also reduce the cost and time required for in-person trainings, while still ensuring that employees receive consistent and relevant information on the company's privacy program. References: IAPP CIPM Study Guide, page 90; ISO/IEC 27002:2013, section 7.2.2


NEW QUESTION # 132
SCENARIO
Please use the following to answer the next QUESTION:
Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to Question the company's privacy program at today's meeting.
Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging Nationwide Grill's market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced.
Spencer - a former CEO and currently a senior advisor - said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.
One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason. "Breaches can happen, despite organizations' best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton's had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton's's corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company's incident response.
Spencer replied that acting with reason means allowing security to be handled by the security functions within the company - not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company's privacy program. Both the volume and the duplication of information means that it is often ignored altogether.
Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month." Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules. Silently, Natalia agreed.
What is the most realistic step the organization can take to help diminish liability in the event of another incident?

  • A. Specifying mandatory data protection practices in vendor contracts.
  • B. Requiring the vendor to perform periodic internal audits.
  • C. Obtaining customer consent for any third-party processing of personal data.
  • D. Keeping the majority of processing activities within the organization.

Answer: A


NEW QUESTION # 133
All of the following are access control measures required by the Payment Card Industry Data Security Standard (PCI DSS) EXCEPT?

  • A. Restrict physical access to cardholder data.
  • B. Assign a unique ID to each person with computer access.
  • C. Update antivirus software before granting access.
  • D. Restrict access to cardholder data by business need-to-know.

Answer: C

Explanation:
Comprehensive and Detailed Explanation:
The PCI DSS establishes security measures for protecting cardholder data. While updating antivirus software is a security best practice, it is not an access control requirement under PCI DSS.
Option A (Restrict physical access to cardholder data) is required to prevent unauthorized access.
Option C (Assign a unique ID to each person with computer access) is required to track user actions.
Option D (Restrict access to cardholder data by business need-to-know) ensures only authorized individuals access sensitive information.
Option B (Update antivirus software before granting access) is a security measure but is not classified as an access control requirement under PCI DSS.


NEW QUESTION # 134
SCENARIO
Please use the following to answer the next QUESTION:
Amira is thrilled about the sudden expansion of NatGen. As the joint Chief Executive Officer (CEO) with her long-time business partner Sadie, Amira has watched the company grow into a major competitor in the green energy market. The current line of products includes wind turbines, solar energy panels, and equipment for geothermal systems. A talented team of developers means that NatGen's line of products will only continue to grow.
With the expansion, Amira and Sadie have received advice from new senior staff members brought on to help manage the company's growth. One recent suggestion has been to combine the legal and security functions of the company to ensure observance of privacy laws and the company's own privacy policy. This sounds overly complicated to Amira, who wants departments to be able to use, collect, store, and dispose of customer data in ways that will best suit their needs. She does not want administrative oversight and complex structuring to get in the way of people doing innovative work.
Sadie has a similar outlook. The new Chief Information Officer (CIO) has proposed what Sadie believes is an unnecessarily long timetable for designing a new privacy program. She has assured him that NatGen will use the best possible equipment for electronic storage of customer and employee dat a. She simply needs a list of equipment and an estimate of its cost. But the CIO insists that many issues are necessary to consider before the company gets to that stage.
Regardless, Sadie and Amira insist on giving employees space to do their jobs. Both CEOs want to entrust the monitoring of employee policy compliance to low-level managers. Amira and Sadie believe these managers can adjust the company privacy policy according to what works best for their particular departments. NatGen's CEOs know that flexible interpretations of the privacy policy in the name of promoting green energy would be highly unlikely to raise any concerns with their customer base, as long as the data is always used in course of normal business activities.
Perhaps what has been most perplexing to Sadie and Amira has been the CIO's recommendation to institute a privacy compliance hotline. Sadie and Amira have relented on this point, but they hope to compromise by allowing employees to take turns handling reports of privacy policy violations. The implementation will be easy because the employees need no special preparation. They will simply have to document any concerns they hear.
Sadie and Amira are aware that it will be challenging to stay true to their principles and guard against corporate culture strangling creativity and employee morale. They hope that all senior staff will see the benefit of trying a unique approach.
What Data Lifecycle Management (DLM) principle should the company follow if they end up allowing departments to interpret the privacy policy differently?

  • A. Arrange for official credentials for staff members.
  • B. Create categories to reflect degrees of data importance.
  • C. Prove the authenticity of the company's records.
  • D. Adequately document reasons for inconsistencies.

Answer: D

Explanation:
If the company ends up allowing departments to interpret the privacy policy differently, they should follow the Data Lifecycle Management (DLM) principle of adequately documenting reasons for inconsistencies. This principle requires that data should be accurate, complete, and consistent throughout its lifecycle and that any deviations or discrepancies should be justified and recorded1 This would help the company to maintain data quality and integrity, as well as to demonstrate accountability and compliance with data protection regulations2 The other options are not DLM principles that the company should follow if they allow departments to interpret the privacy policy differently. Proving the authenticity of the company's records is a principle related to data preservation and archiving, not data interpretation3 Arranging for official credentials for staff members is a principle related to data access and security, not data interpretation4 Creating categories to reflect degrees of data importance is a principle related to data classification and retention, not data interpretation5 Reference: 1: Data Lifecycle Management: A Complete Guide | Splunk; 2: Data Lifecycle Management | IBM; 3: Data Preservation | Digital Preservation Handbook; 4: Data Access Management Best Practices | Smartsheet; 5: Data Classification: What It Is And How To Do It | Varonis


NEW QUESTION # 135
Which of the documents below assists the Privacy Manager in identifying and responding to a request from an individual about what personal information the organization holds about then with whom the information is shared?

  • A. Personal information inventory
  • B. Privacy policy
  • C. Records retention schedule
  • D. Risk register

Answer: A

Explanation:
A personal information inventory is a document that assists the Privacy Manager in identifying and responding to a request from an individual about what personal information the organization holds about them and with whom the information is shared. A personal information inventory is a comprehensive and detailed record of all personal information that an organization collects, uses, discloses, stores, and disposes of. It helps an organization map its data flows, assess its privacy risks, comply with its legal obligations, and respond to data subject requests. A personal information inventory should include information such as: the categories and sources of personal information; the purposes and legal bases for processing; the recipients and transfers of personal information; the retention periods and disposal methods; and the security measures and safeguards.
Reference:
CIPM Body of Knowledge (2021), Domain IV: Privacy Program Operational Life Cycle, Section B: Protecting Personal Information, Subsection 3: Data Inventory CIPM Study Guide (2021), Chapter 8: Protecting Personal Information, Section 8.3: Data Inventory CIPM Textbook (2019), Chapter 8: Protecting Personal Information, Section 8.3: Data Inventory CIPM Practice Exam (2021), Question 138


NEW QUESTION # 136
SCENARIO
Please use the following to answer the next question:
Martin Briseno is the director of human resources at the Canyon City location of the U.S. hotel chain Pacific Suites. In 1998, Briseno decided to change the hotel's on-the-job mentoring model to a standardized training program for employees who were progressing from line positions into supervisory positions. He developed a curriculum comprising a series of lessons, scenarios, and assessments, which was delivered in-person to small groups. Interest in the training increased, leading Briseno to work with corporate HR specialists and software engineers to offer the program in an online format. The online program saved the cost of a trainer and allowed participants to work through the material at their own pace.
Upon hearing about the success of Briseno's program, Pacific Suites corporate Vice President Maryanne Silva-Hayes expanded the training and offered it company-wide. Employees who completed the program received certification as a Pacific Suites Hospitality Supervisor. By 2001, the program had grown to provide industry-wide training. Personnel at hotels across the country could sign up and pay to take the course online.
As the program became increasingly profitable, Pacific Suites developed an offshoot business, Pacific Hospitality Training (PHT). The sole focus of PHT was developing and marketing a variety of online courses and course progressions providing a number of professional certifications in the hospitality industry.
By setting up a user account with PHT, course participants could access an information library, sign up for courses, and take end-of-course certification tests. When a user opened a new account, all information was saved by default, including the user's name, date of birth, contact information, credit card information, employer, and job title. The registration page offered an opt-out choice that users could click to not have their credit card numbers saved. Once a user name and password were established, users could return to check their course status, review and reprint their certifications, and sign up and pay for new courses. Between 2002 and
2008, PHT issued more than 700,000 professional certifications.
PHT's profits declined in 2009 and 2010, the victim of industry downsizing and increased competition from e- learning providers. By 2011, Pacific Suites was out of the online certification business and PHT was dissolved.
The training program's systems and records remained in Pacific Suites' digital archives, un-accessed and unused. Briseno and Silva-Hayes moved on to work for other companies, and there was no plan for handling the archived data after the program ended. After PHT was dissolved, Pacific Suites executives turned their attention to crucial day-to-day operations. They planned to deal with the PHT materials once resources allowed.
In 2012, the Pacific Suites computer network was hacked. Malware installed on the online reservation system exposed the credit card information of hundreds of hotel guests. While targeting the financial data on the reservation site, hackers also discovered the archived training course data and registration accounts of Pacific Hospitality Training's customers. The result of the hack was the exfiltration of the credit card numbers of recent hotel guests and the exfiltration of the PHT database with all its contents.
A Pacific Suites systems analyst discovered the information security breach in a routine scan of activity reports. Pacific Suites quickly notified credit card companies and recent hotel guests of the breach, attempting to prevent serious harm. Technical security engineers faced a challenge in dealing with the PHT data.
PHT course administrators and the IT engineers did not have a system for tracking, cataloguing, and storing information. Pacific Suites has procedures in place for data access and storage, but those procedures were not implemented when PHT was formed. When the PHT database was acquired by Pacific Suites, it had no owner or oversight. By the time technical security engineers determined what private information was compromised, at least 8,000 credit card holders were potential victims of fraudulent activity.
What key mistake set the company up to be vulnerable to a security breach?

  • A. Neglecting to make a backup copy of archived electronic files
  • B. Collecting too much information and keeping it for too long
  • C. Overlooking the need to organize and categorize data
  • D. Failing to outsource training and data management to professionals

Answer: C


NEW QUESTION # 137
......


The CIPM certification is highly valued by employers and is often required for privacy management positions. It is also a great way for privacy professionals to advance their careers and demonstrate their commitment to the privacy profession. CIPM exam is available in multiple languages and can be taken online or in person at a testing center. Overall, the CIPM exam is a challenging but rewarding certification that is highly respected in the privacy industry.

 

IAPP CIPM Exam Dumps [2025] Practice Valid Exam Dumps Question: https://www.dumpsreview.com/CIPM-exam-dumps-review.html

CIPM Dumps - Grab Out For [NEW-2025] IAPP Exam: https://drive.google.com/open?id=1f2XzpjeM9ShF_kMAofwDcUh2YzD6T_RW

Related Articles

more
IAPP CIPM Certification Practice Exam

DumpsReview are the best company in providing valid dumps vce & exam review. We can provide the dumps vce & exam review of all largest companies including Cisco SAP Oracle HP IBM and so on..

Latest Dumps Review

Useful Links

Contact Us

Our Working Time: ( GMT 0:00-15:00 )
From Monday to Saturday

Support: Contact now 

If you have any question please leave me your email address, we will reply and send email to you in 12 hours.

Copyright © 2026 DumpsReview NETWORK CO.,LIMITED. All Rights Reserved. All trademarks used are properties of their respective owners. Privacy Policy

Disclaimer:
DumpsReview doesn't offer Real ISC Exam Questions. DumpsReview doesn't offer Real CompTIA Exam Questions.
Oracle and Java are registered trademarks of Oracle and/or its affiliates
DumpsReview material do not contain actual actual Oracle Exam Questions or material.
DumpsReview doesn't offer Real Microsoft Exam Questions.
Microsoft®, Azure®, Windows®, Windows Vista®, and the Windows logo are registered trademarks of Microsoft Corporation
DumpsReview Materials do not contain actual questions and answers from Cisco's Certification Exams. The brand Cisco is a registered trademark of CISCO, Inc
CFA Institute does not endorse, promote or warrant the accuracy or quality of these questions. CFA® and Chartered Financial Analyst® are registered trademarks owned by CFA Institute.
DumpsReview.com does not offer exam dumps or questions from actual exams. We offer learning material and practice tests created by subject matter experts to assist and help learners prepare for those exams. All certification brands used on the website are owned by the respective brand owners. DumpsReview does not own or claim any ownership on any of the brands.