IAPP Certified Information Privacy Manager (CIPM) Exam Questions

Types of privacy program metrics include business enablement metrics, data enhancement metrics, and commercial metrics. Business enablement metrics measure the effectiveness of the privacy program in enabling the business to function without compromising privacy. Data enhancement metrics measure the effectiveness of the privacy program in enhancing data protection, such as through data minimization, access controls, and data security. Commercial metrics measure the effectiveness of the privacy program in creating value, such as through the development of new products, services, and customer experiences.

Privacy program metrics are used to assess the effectiveness of a privacy program and measure its progress. These metrics can include business enablement metrics, data enhancement metrics, and commercial metrics. Value creation metrics, however, are not typically used as privacy program metrics.

A Privacy Impact Assessment (PIA) is a process that helps an organization identify and evaluate the potential privacy risks and impacts of a new or existing project, program, system, or service that involves the collection, use, disclosure, or retention of personal information. A PIA also helps an organization identify and implement appropriate measures to mitigate or eliminate those risks and impacts, and ensure compliance with applicable privacy laws, regulations, and standards. A PIA should be completed to effectively make changes that involve customer personal information, such as converting paper records into electronic form, uploading the records into a new third-party marketing tool, and merging the customer personal information in the marketing tool with information from other applications. A PIA can help an organization assess the necessity, proportionality, and legality of the proposed changes, as well as the potential privacy risks to the customers and the organization, such as unauthorized access, disclosure, modification, or loss of personal information, identity theft, fraud, reputational damage, or legal liability. A PIA can also help an organization implement appropriate measures to mitigate or eliminate those risks, such as data minimization, encryption, anonymization, pseudonymization, consent management, access control, security safeguards, contractual clauses, data protection impact assessments (DPIAs), data subject rights, breach notification procedures, and privacy policies.

CIPM Body of Knowledge (2021), Domain IV: Privacy Program Operational Life Cycle, Section C: Monitoring and Managing Program Performance Subsection 1: Privacy Impact Assessments1

CIPM Study Guide (2021), Chapter 9: Monitoring and Managing Program Performance Section 9.1: Privacy Impact Assessments2

CIPM Textbook (2019), Chapter 9: Monitoring and Managing Program Performance Section 9.1: Privacy Impact Assessments3

CIPM Practice Exam (2021), Question 1464

A physical control that can limit privacy risk is keypad or biometric access. This is a type of access control that restricts who can enter or access a physical location or device where personal data is stored or processed. Keypad or biometric access requires a code or a biological feature (such as a fingerprint or a face scan) to authenticate the identity and authorization of the person seeking access. This can prevent unauthorized access, theft, loss, or damage of personal data by outsiders or insiders, .Reference:[CIPM - International Association of Privacy Professionals], [Free CIPM Study Guide - International Association of Privacy Professionals]

Under the GDPR, when the applicable lawful basis for the processing of personal data is a legal obligation with which the controller must comply, the data subject can exercise the right to restriction. This means that the data subject can request the controller to limit the processing of their personal data in certain circumstances, such as when they contest the accuracy or lawfulness of the processing. The other rights are not applicable in this case, as they are either dependent on consent (right to withdraw consent and right to data portability) or subject to exceptions (right to erasure).Reference:GDPR, Articles 6(1), 18, 21(1).

Under the GDPR, a written agreement between the controller and processor in relation to processing conducted on the controller's behalf must include an obligation on the processor to assist the controller in complying with the controller's obligations to notify the supervisory authority about personal data breaches. This is one of the requirements under Article 28(3)(f) of the GDPR, which specifies the minimum content of such an agreement. The other options are not required by the GDPR, although they may be agreed upon by the parties as additional terms.Reference:GDPR, Article 28(3)(f).