CIPM EXAM 2024 QUESTIONS & ANSWERS (GRADED A+), EXAMS OF ORGANIZATIONAL DEVELOPMENT
What is Privacy Governance and What are the Components?
Correct Answer: Guiding a privacy function towards compliance and enabling it to support the business.
1. Vision/Mission
2. Scope
3. Framework
4. Strategy
5. Structure/Team

Describe a Vision and Mission Statement for Privacy Governance
Correct Answer: Concisely communicates the organization's privacy stance to stakeholders. Provides the purpose and ideas of a privacy program in just a few sentences to communicate to all LOBs. Should be revised as needed. Internal and external stakeholder consensus is important.

Describe Scope for Privacy Governance
Correct Answer:
1. Identify the type of information, and the metadata about that information (how it's stored and used).
2. Identify regulations and laws that apply. This requires customizing the approach from global and local perspectives, including cultural expectations.

Sectoral Laws for Scope
Correct Answer: Address a particular industry sector (USA).

Comprehensive Laws for Scope
Correct Answer: Official oversight for governing collection, use, and dissemination of PI (EU, CAN).

What is a Privacy Framework?
Correct Answer: THE WHAT - A manageable approach to operationalizing the controls needed to address scope. An implementation roadmap; provides checklists.
1. Principles and Standards
2. Laws, Regulations, Programs
3. Solutions (such as PbD, Privacy Engineering)

What is a Privacy Strategy?
Correct Answer: THE WHY - The approach to communication and obtaining support for the privacy program. This may involve stakeholders with potentially disparate objectives. Need consensus and champions across management, as well as at the exec level, to advocate privacy as a core business concept.
1. Business Alignment
2. Data governance of PI
3. Inquiry/Complaint Handling
Consider a workshop to get everyone on the same page.

Centralized Governance Model? Pro/Con?
Correct Answer: Single-channel functions; direction flows from a single source, with planning and decision making from one group, often the CPO.
Pro: Consistency
Con: Employees must constantly seek approval from a higher level

Localized or Decentralized Governance Model? Pro/Con?
Correct Answer: Flat approach, bottom-to-top flow of information.
Pro: Efforts are well informed on operations
Con: Often duplication of efforts

Hybrid Governance Model? Pro/Con?
Correct Answer: Combination of centralized and localized. One individual is responsible for privacy-related affairs; local entities then fulfill support.
Pro: Dictate core values but let employees decide which practices to use to reach the goals. More resources
Con: Less big-picture vision

Requirements for a DPO
Correct Answer: As set out by GDPR:
- Experience assessing risk and mitigation
- Knowledge of laws
- Effective communication with LOBs
- Project management
- Handle complaints; answer data subject questions
- No roles that conflict with the role of DPO

Internal Audit Process
Correct Answer: Tasks:
- Evaluate the organization's risk management culture
- Identify risk factors
- Evaluate control design and implementation
- Test controls to ensure they operate as intended
- Independent of management, to ensure unbiased reporting

Privacy Tech Vendors - PPM tools vs. EPM tools
Correct Answer:
PPM tools: work directly with the privacy office on privacy assessment management, consent management, IR, cookie compliance.
EPM tools: require buy-in from privacy, IT, and the C-suite for data discovery, activity monitoring, encryption, communications, etc.
Data mapping: both.

Define GRC
Correct Answer: Governance, Risk Management, Compliance. References the critical capabilities that must work together to achieve principled performance.

Before a third-party acquisition, what should the Privacy Program Manager do to ensure compliance with all applicable laws, regulations, and standards?
Correct Answer:
1. Identify all applicable laws and regulations
2. Create a data inventory/map of current data assets, data collection, use, and processing

Prior to an acquisition, what should the Privacy Program Manager do to ensure compliance with all applicable laws, regulations, and standards?
Correct Answer:
1. Identify all applicable laws, regulations, and standards
2. Create a data inventory/map of current data assets, data collection, usage, and processing
3. Identify cross-border transfers
4. Determine current privacy practices of the potential acquisition
5. Perform a complete enterprise Privacy Impact Assessment (PIA)
6. Consider contractual requirements and notices already existing

GDPR: What Consumers Can Do
Correct Answer: Withdraw consent; request a copy of their personal information to move to another organization, or have data deleted; object to automated decision-making processing of PII; influence regulators.