Free CIPP-E Exam Braindumps (page: 20)

Page 20 of 68

What is true if an employee makes an access request to his employer for any personal data held about him?

  A. The employer can automatically decline the request if it contains personal data about a third person.
  B. The employer can decline the request if the information is only held electronically.
  C. The employer must supply all the information held about the employee.
  D. The employer must supply any information held about an employee unless an exemption applies.

Answer(s): D

Explanation:

Under Article 15 GDPR (and its UK GDPR counterpart, which the ICO guidance below describes) every data subject, an employee included, has the right to obtain from the controller confirmation of whether personal data about them is being processed, access to that data and a copy of it, together with supplementary information such as the purposes, recipients, retention period and source. A request of this kind made to an employer is a data subject access request (DSAR). The employer must respond without undue delay and in any event within one month of receipt; Article 12(3) allows that period to be extended by two further months where necessary, taking into account the complexity and number of requests, provided the employee is told of the extension and the reasons within the first month. The employer should carry out a reasonable and proportionate search and supply the data in a concise, transparent, intelligible and easily accessible form. The medium in which the data is held is irrelevant (option B): the GDPR applies to automated processing and to manual data held in a filing system alike. Option A is wrong because Article 15(4) says only that the right to a copy must not adversely affect the rights and freedoms of others; where the records contain information about a third person the employer must weigh the competing interests and, where appropriate, redact the third-party data, not refuse the request outright. Option C overstates the duty: the employer must supply the information unless an exemption or restriction applies (Article 23, and in the UK the exemptions in Schedule 2 of the Data Protection Act 2018, which cover matters such as legal professional privilege, management forecasting, confidential references, negotiations and regulatory functions) or the request is manifestly unfounded or excessive (Article 12(5)). Hence option D. The information should be disclosed securely, and the employee told of their other rights and of the source of the data where it was not collected from them.


Reference:

Right of access | ICO
Subject access request Q and As for employers | ICO
Data Subject Access Request (Employers' Guide) | DavidsonMorris



Read the following steps:

  1. Discover which employees are accessing cloud services, and from which devices and apps.
  2. Lock down the data in those apps and devices.
  3. Monitor and analyze the apps and devices for compliance.
  4. Manage application life cycles.
  5. Monitor data sharing.

An organization should perform these steps to do which of the following?

  A. Pursue a GDPR-compliant Privacy by Design process.
  B. Institute a GDPR-compliant employee monitoring process.
  C. Maintain a secure Bring Your Own Device (BYOD) program.
  D. Ensure cloud vendors are complying with internal data use policies.

Answer(s): C

Explanation:

The steps listed in the question (discover which employees use which cloud services, from which devices and apps; lock the data down in those apps and devices; monitor and analyse them for compliance; manage the application life cycle; monitor data sharing) are the classic control framework for a secure Bring Your Own Device (BYOD) programme, in which employees use personal devices to reach organisational data and applications. BYOD carries well-known privacy and security risks: data leakage to personal apps and cloud storage, unauthorised access from lost or shared devices, malware on unmanaged endpoints, and compliance failures when personal data leaves the controller's environment. An organisation therefore needs a whole-life-cycle approach that discovers, secures, monitors and manages the devices, apps and data involved. Done properly, this supports several GDPR obligations at once: data protection by design and by default (Article 25), security of processing (Article 32), accountability (Article 5(2)) and the ability to detect and notify personal data breaches (Articles 33 and 34). The other options are narrower: privacy by design (A) and employee monitoring (B) are single aspects the steps touch on but do not describe, and vendor compliance (D) concerns the cloud provider rather than the employee's device.


Reference:

Free CIPP/E Study Guide, page 15, section 2.3.3
CIPP/E Certification, page 10, section 1.1.2
Cipp-e Study guides, Class notes & Summaries, document "CIPP/E Exam Summary 2023", page 42, section 2.3.3


https://www.itproportal.com/features/heading-off-the-spectre-of-gdpr-compliance-with-secure-byod/
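The first step of the BYOD framework above, discovering who reaches which cloud services from which devices, is the one that is usually automated. The following Python script is an added example and is not code from the original page or from any product it cites; the proxy log format, the service catalogue, the managed-device inventory and the log lines are all constructed assumptions for illustration. It parses the log, maps each request to a known cloud service, records whether the device is enrolled in device management, and flags the combination a BYOD review cares about most: an upload to an unsanctioned service from an unmanaged device.

```python
"""BYOD discovery step: which users reach which cloud services from which
devices, and which of those devices the organisation does not manage.

Added example, not from the original page. The log format, the service
catalogue and the managed-device list are constructed assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed catalogue: hostname -> (service name, sanctioned by the organisation?)
SERVICE_CATALOGUE = {
    "drive.google.com": ("Google Drive", False),
    "sharepoint.example-corp.com": ("SharePoint", True),
    "dropbox.com": ("Dropbox", False),
    "www.dropbox.com": ("Dropbox", False),
    "slack.com": ("Slack", True),
}

# Constructed: device identifiers enrolled in the organisation's MDM.
MANAGED_DEVICES = {"LAPTOP-0042", "LAPTOP-0077"}

# Constructed proxy log lines: timestamp user device method url
SAMPLE_LOG = """\
2024-05-01T08:02:11Z alice LAPTOP-0042 GET https://sharepoint.example-corp.com/sites/hr/doc.docx
2024-05-01T08:05:40Z alice iPhone-alice PUT https://www.dropbox.com/upload?f=payroll.xlsx
2024-05-01T09:10:03Z bob LAPTOP-0077 GET https://slack.com/api/conversations.list
2024-05-01T09:11:55Z bob Android-bob POST https://drive.google.com/upload
2024-05-01T09:12:30Z carol LAPTOP-0042 GET https://intranet.example-corp.com/home
2024-05-01T09:13:00Z malformed line without enough fields
"""

# One well-formed line has exactly five whitespace-separated fields and an
# upper-case HTTP method; anything else is skipped rather than guessed at.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<device>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)


def parse_log(text):
    """Yield a dict per well-formed log line; malformed lines are dropped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def classify(entry):
    """Return (service, sanctioned) for a known cloud host, else None."""
    host = (urlsplit(entry["url"]).hostname or "").lower()
    return SERVICE_CATALOGUE.get(host)


def discover(text, managed_devices=MANAGED_DEVICES):
    """Build {(user, device): {"managed": bool, "services": {...}}}.

    Per service we keep whether it is sanctioned and how many uploads
    (PUT/POST) were seen, since uploads are where data leaves the organisation.
    Requests to hosts outside the catalogue (e.g. the intranet) are ignored.
    """
    report = defaultdict(lambda: {"managed": False, "services": {}})
    for e in parse_log(text):
        hit = classify(e)
        if hit is None:
            continue
        service, sanctioned = hit
        rec = report[(e["user"], e["device"])]
        rec["managed"] = e["device"] in managed_devices
        svc = rec["services"].setdefault(service, {"sanctioned": sanctioned, "uploads": 0})
        if e["method"] in ("PUT", "POST"):
            svc["uploads"] += 1
    return dict(report)


def high_risk(report):
    """Sorted (user, device, service) triples: unmanaged device uploading to an unsanctioned service."""
    out = []
    for (user, device), rec in report.items():
        if rec["managed"]:
            continue
        for service, svc in rec["services"].items():
            if not svc["sanctioned"] and svc["uploads"] > 0:
                out.append((user, device, service))
    return sorted(out)


if __name__ == "__main__":
    rep = discover(SAMPLE_LOG)
    for (user, device), rec in sorted(rep.items()):
        print(user, device, "managed" if rec["managed"] else "UNMANAGED", rec["services"])
    print("high risk:", high_risk(rep))
```

Run on the constructed log, the script reports two high-risk findings (alice uploading from a personal iPhone to Dropbox, bob from a personal Android device to Google Drive), which feed straight into steps 2 and 3 of the framework. Note that the discovery step itself is employee monitoring and so, under the later questions on this page, needs a DPIA and a clear notice before it is switched on.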



If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with GDPR compliance, it should first do all of the following EXCEPT?

  A. Notify the appropriate data protection authority.
  B. Perform a data protection impact assessment (DPIA).
  C. Create an information retention policy for those who operate the system.
  D. Ensure that safeguards are in place to prevent unauthorized access to the footage.

Answer(s): A

Explanation:

Under the GDPR, CCTV on business premises is processing of personal data (images of identifiable people), so the Article 5 principles and the controller's obligations apply. Option A is the exception: the GDPR abolished the general duty to notify the supervisory authority of processing operations that existed under Directive 95/46/EC. The only related duty is prior consultation under Article 36, which comes after a DPIA and only where the DPIA shows a high residual risk the controller cannot mitigate. The other three options are genuine first steps:

Performing a data protection impact assessment (DPIA). Article 35 makes a DPIA mandatory where processing is likely to result in a high risk to the rights and freedoms of individuals, and Article 35(3)(c) names systematic monitoring of a publicly accessible area on a large scale explicitly. The DPIA describes the processing and its purpose, assesses necessity and proportionality, identifies the risks to data subjects and records the measures taken to address them, with the advice of the data protection officer where one is appointed and, where appropriate, the views of those affected. It is carried out before the cameras are installed or upgraded, and reviewed regularly or whenever the system or its use changes significantly.

Creating an information retention policy for those who operate the system. Storage limitation (Article 5(1)(e)) means footage must not be kept longer than the purpose requires and must then be securely deleted or anonymised. The period should follow from the specific purpose and context of the surveillance (for example, long enough to identify and investigate an incident), take account of any legal or contractual obligations and of the expectations and rights of data subjects, and the policy should name who is responsible for managing and deleting footage and how deletion is verified and documented.

Ensuring that safeguards are in place to prevent unauthorised access to the footage. Integrity and confidentiality (Article 5(1)(f)) and security of processing (Article 32) require appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage. For CCTV these typically include encryption of stored and transmitted footage, access control, logging and audit of who views or exports recordings, operator training, and written policies and procedures, so that footage cannot be accessed, disclosed, altered or destroyed without authorisation, whether in storage or in transit.


Reference:

GDPR Article 35, GDPR Article 36, GDPR Article 5, CCTV and video surveillance | ICO, 5 Step Guide to Check if Your CCTV is GDPR Compliant



SCENARIO

Please use the following to answer the next question:

Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees' computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees' computers.

Since these measures would potentially impact employees, Building Block's Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.

After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees' computer activity and their location. During these activities, the Information Security team discovered that one employee from Italy was connecting daily to a video library of movies, and that another from Germany was working remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance had decreased.

Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company's computers, and from working remotely without authorization.

To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?

  A. Assessed potential privacy risks by conducting a data protection impact assessment.
  B. Consulted with the relevant data protection authority about potential privacy violations.
  C. Distributed a more comprehensive notice to employees and received their express consent.
  D. Consulted with the Information Security team to weigh security measures against possible server impacts.

Answer(s): A

Explanation:

A data protection impact assessment (DPIA) identifies and minimises the data protection risks of a project that is likely to result in a high risk to the rights and freedoms of individuals, and Article 35 GDPR requires the controller to carry it out before the processing starts. SecurityScan goes well beyond checking for unsupported software: it monitors employees' computer activity and their location, which is systematic monitoring of people in a position of dependency and is exactly the kind of processing supervisory authorities list as requiring a DPIA. A DPIA would have forced Building Block to state the purpose, assess whether monitoring activity and location is necessary and proportionate to the security aim, consider less intrusive alternatives (for instance, enabling only the unsupported-software check), involve the data protection officer and seek the views of employees or their representatives (Article 35(2) and (9)), and decide what information employees had to be given beyond the general notice. The other options are later or dependent steps: consultation with the supervisory authority (B) follows a DPIA and is only required where a high residual risk remains (Article 36); a fuller notice (C) would indeed be needed, but employee consent is generally not a valid basis in the employment relationship because of the imbalance of power, and in any case the notice content flows from the DPIA; and weighing server impact (D) is an operational question, not a data protection one.


Reference:

Data Protection Impact Assessment (DPIA) - GDPR.eu, Data protection impact assessments | ICO






Post your Comments and Discuss IAPP CIPP-E exam with other Community members:

Martinez commented on September 21, 2024
This exam was so hard, I thought I'd need a miracle. Turns out, exam dumps are the next best thing.
NETHERLANDS

Filipa commented on August 27, 2024
Question 143 is incorrect, the answer should be B, and the explanation is unrelated to the scenario. Other than that, great work.
PORTUGAL

Nell commented on August 18, 2024
Hello. This is very helpful.
UNITED KINGDOM

X commented on August 08, 2024
Answers are correct.
Anonymous