CIPM Exam Questions
295 real CIPM exam questions with expert-verified answers and explanations. Page 6 of 6.
- Question #251
A systems audit uncovered a shared drive folder containing sensitive employee data with no access controls and therefore was available for all employees to view. What is the first...
- Question #252
While trying to e-mail her manager, an employee has e-mailed a list of all the company's customers, including their bank details, to an employee with the same name at a different c...
- Question #253
You have just taken on the role of Data Governance Director at an energy corporation based in London, England. The company has been trading for over 25 years and you soon learn that...
- Question #254
You have just taken on the role of Data Governance Director at an energy corporation based in London, England. The company has been trading for over 25 years and you soon learn that...
- Question #255
You have just taken on the role of Data Governance Director at an energy corporation based in London, England. The company has been trading for over 25 years and you soon learn that...
- Question #256
When developing a privacy program and selecting a program sponsor or "champion" the most important consideration should be that they?
- Question #257
Implementation of a Privacy Program Framework (PPF) requires that you do all of the following EXCEPT?
- Question #258
Which of the following is least relevant to establishing a culture of data privacy at a company?
- Question #259
The following are examples of Privacy by Design (PbD) EXCEPT?
- Question #260
Which of the following helps build trust with customers and stakeholders?
- Question #261
Which of the following is the most likely way an independent privacy organization might work to promote sound privacy practices?
- Question #262
Which is the best first step in establishing a baseline regarding privacy in an organization?
- Question #263
What are the advantages for a company that chooses a hybrid of centralized and decentralized management practices?
- Question #264
Which of the following is least likely to address individual program needs and specific organizational goals identified in privacy framework development?
- Question #265
Creating a privacy governance model for an organization that is required to appoint data protection officers under the GDPR poses what additional challenge?
- Question #266
When developing a privacy program and selecting a program sponsor or "champion" the least important consideration should be that they?
- Question #267
In the European Union, the GDPR gives Supervisory Authorities the right to which of the following actions?
- Question #268
Understanding the sensitivity of personal data that an organization holds is a crucial step for a privacy professional attempting to do what?
- Question #269
All of the following are components of a data collection notice EXCEPT identification of?
- Question #270
When implementing an organization's privacy program, what right should be granted to the data subject?
- Question #271
All of the following are environmental controls EXCEPT?
- Question #272
Which of the following is an example of Privacy by Design (PbD)?
- Question #273
What is the key privacy objective in undertaking an evaluation of technical controls?
- Question #274
The purpose of a data flow map is to help an organization do all of the following EXCEPT?
- Question #275
Which of the following is NOT recommended for effective Identity Access Management?
- Question #276
Which of the following is NOT a main technical data control area?
- Question #277
Which of the following is a physical control that can limit privacy risk?
- Question #278
SCENARIO Please use the following to answer the next question: Liam is the newly appointed IT Compliance Manager at Mesa, a US-based outdoor clothing brand with a global E-commerce...
- Question #279
Under the General Data Protection Regulation (GDPR), what are the obligations of a processor that engages a sub-processor?
- Question #280
When conducting due diligence during an acquisition, what should a privacy professional avoid?
- Question #281
SCENARIO Please use the following to answer the next question: You were recently hired by InStyle Data Corp. as a privacy manager to help InStyle Data Corp. become compliant with a...
- Question #282
SCENARIO Please use the following to answer the next question: You were recently hired by InStyle Data Corp. as a privacy manager to help InStyle Data Corp. become compliant with a...
- Question #283
Integrating privacy requirements into functional areas across the organization happens at which stage of the privacy operational life cycle?
- Question #284
Under the GDPR, when the applicable lawful basis for the processing of personal data is a legal obligation with which the controller must comply, which right can the data subject e...
- Question #285
Under the European Data Protection Board, which Processing operation would require a Data Protection Impact Assessment (DPIA)?
- Question #286
Under Article 35 of the GDPR, a data controller must take a risk-based approach to determine whether to complete?
- Question #287
As the Data Protection Officer (DPO) for the growing company, Vision 7165, what would be the most cost effective way to monitor changes in laws and regulations?
- Question #288
After an incident, all of the following are potential objectives for improvements to the way an organization handles breach management, EXCEPT?
- Question #289
Your company provides a SaaS tool for B2B services and does not interact with individual consumers. A client's current employee reaches out with a right to delete request, what is...
- Question #290
In regards to the collection of personal data conducted by an organization, what must the data subject be allowed to do?
- Question #291
Your marketing team wants to know why they need a check box for their SMS opt-in. You explain it is part of the consumer's right to?
- Question #292
Which of the following information is NOT required to be provided by the data controller when complying with GDPR "right to access" requirements?
- Question #293
You're managing the internal privacy mailbox and are notified that a sales team member recently sent emails to their clients that included an excel spreadsheet of their client data...
- Question #294
When a data breach incident has occurred, the first priority is to determine?
- Question #295
An online retailer detects an incident involving customer shopping history but no keys have been compromised. The Privacy Office is most concerned when it also involves?