Free IAPP CIPP-C Exam Questions

Question 1

SCENARIO

Please use the following to answer the next QUESTION

Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend

Celeste open a jewelry store in California. Felicia, despite being excited at the prospect, has a number of

security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard

against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission,

Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She

intends to read applicants’ postings on social media, ask QUESTION NO:s about drug addiction, and solicit

character references. Felicia believes that if potential employees are serious about becoming part of a dynamic

new business, they will readily agree to these requirements.

Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to

prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check

the company vehicle’s GPS for locations visited by employees. She also believes that employees who use their

own devices for work-related purposes should agree to a certain amount of supervision.

Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that

many types of background checks are not allowed under California law. Her friend Celeste thinks these

worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results.

Nor does Celeste share Felicia’s concern about state breach notification laws, which, she claims, would be

costly to implement even on a minor scale. Celeste believes that

even if the business grows a customer database of a few thousand, it’s unlikely that a state agency would

hassle an honest business if an accidental security incident were to occur.

In any case, Celeste feels that all they need is common sense – like remembering to tear up sensitive

documents before throwing them in the recycling bin. Felicia hopes that she’s right, and that all of her

concerns will be put to rest next month when their new business consultant (who is also a privacy

professional) arrives from North Carolina.

Based on Felicia’s Bring Your Own Device (BYOD) plan, the business consultant will most likely advise

Felicia and Celeste to do what?

A : consider the plan in favor of a policy of dedicated work devices.

B : opt the same kind of monitoring policies used for work-issued devices.

C : igh any productivity benefits of the plan against the risk of privacy issues.

D : ke employment decisions based on those willing to consent to the plan in writing.

Answer: D

Question 2

Which of the following is an important implication of the Dodd-Frank Wall Street Reform and Consumer

Protection Act?

A : nancial institutions must avoid collecting a customer’s sensitive personal information

B : Financial institutions must help ensure a customer’s understanding of products and services

C : nancial institutions must use a prescribed level of encryption for most types of customer records

D : nancial institutions must cease sending e-mails and other forms of advertising to customers who opt out of direct marketing

Answer: B

Question 3

SCENARIO

Please use the following to answer the next QUESTION:

A US-based startup company is selling a new gaming application. One day, the CEO of the company receives

an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an

EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer’s data

handling practices.

The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in

the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her

withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup

company, was never informed of this request for erasure by the EU-based retail partner. The supervisory

authority investigating the complaint has threatened the suspension of data flows if the parties involved do not

cooperate with the investigation. The letter closes with an urgent request: “Please act immediately by

identifying all personal data received from our company.”

This is an important partnership. Company executives know that its biggest fans come from Western Europe;

and this retailer is primarily responsible for the startup’s rapid market penetration.

As the Company’s data privacy leader, you are sensitive to the criticality of the relationship with the retailer.

Upon review, the data privacy leader discovers that the Company’s documented data inventory is obsolete.

What is the data privacy leader’s next best source of information to aid the investigation?

A : ports on recent purchase histories

B : tabase schemas held by the retailer

C : ts of all customers, sorted by country

D : terviews with key marketing personnel

Answer: C

Question 4

Which entities must comply with the Telemarketing Sales Rule?

A : r-profit organizations and for-profit telefunders regarding charitable solicitations

B : nprofit organizations calling on their own behalf

C : r-profit organizations calling businesses when a binding contract exists between them

D : r-profit and not-for-profit organizations when selling additional services to establish customers

Answer: D

Question 5

Acme Student Loan Company has developed an artificial intelligence algorithm that determines whether an

individual is likely to pay their bill or default. A person who is determined by the algorithm to be more likely

to default will receive frequent payment reminder calls, while those who are less likely to default will not

receive payment reminders.

Which of the following most accurately reflects the privacy concerns with Acme Student Loan Company using

artificial intelligence in this manner?

A : If the algorithm uses risk factors that impact the automatic decision engine. Acme must ensure that thealgorithm does not have a disparate impact on protected classes in the output.

B : If the algorithm makes automated decisions based on risk factors and public information, Acme need notdetermine if the algorithm has a disparate impact on protected classes.

C : If the algorithm’s methodology is disclosed to consumers, then it is acceptable for Acme to have adisparate impact on protected classes.

D : If the algorithm uses information about protected classes to make automated decisions, Acme mustensure that the algorithm does not have a disparate impact on protected classes in the output.

Answer: B