QUESTIONS AND ANSWERS SURE A+
✔✔Notice vs. Consent - ✔✔Consent - must be able to prevent
Notice - inform but do not solicit or imply consent
*GDPR - consent might not be the only reliable bases for processing PI, lawful bases for
processing PI include contract, legal obligation, vital interest, public interest, legitimate
interest
✔✔Opt in vs. Opt out - ✔✔IN: Clear, positive way for an individual to indicate wishes,
such as a check box that says "I agree"
Out: taking an action to prevent
✔✔CCPA Data Subject Rights - ✔✔Ability to request: type of data held about requestor,
sources and the specific PI, what is being done with it, 3rd party sharing
Full erasure
Opt out of selling data to 3rd parties
✔✔GDPR Data Subject Rights - ✔✔Right to Information
Right of Access
Right to Rectification (of inaccurate data)
Right to Erasure
Right to Restriction of Processing
Right to Portability: "data subjects have the right to receive their own personal data"
Automated decision making = profiling
✔✔Responding to withdrawals of consent - ✔✔•As easily as it was to give it
•At any time
•As soon as possible (must be procedures in place to respond to the individual and to
cease processing)
•Without penalty
•In the same method that was used to give consent
•Via more than one option (for those uncomfortable using technology)
•Via anytime opt-out (e.g., privacy dashboard) or opt-out by reply
✔✔Define Data Portability - ✔✔extension of right to access
applies only in some circumstances
Interoperable - in a structure that is commonly used and machine readable without
hindrance
✔✔right to be forgotten - ✔✔included in erasure
applies when PI has been made public by the organization
controller is required to take steps to ensure information is erased by third parties
including links, copies, and replications
✔✔When is active delivery of revised privacy notices required - ✔✔When PI is
observed, derived, or inferred
When processing changes
When laws require
Collecting SI
Sharing info that may be unexpected
Significant effect
✔✔Procedures to guide personnel when someone is withdrawing consent should include
- ✔✔when and how
rules for communication
Methods
Documentation
✔✔Training vs. Awareness - ✔✔Training = Understanding
Awareness = Reminder and Reinforcement, awareness and vigilance
✔✔Importance of Awareness - ✔✔"Awareness-raising is one of the key aspects of the
privacy framework and should be prioritized for all organizations. It can come in different
forms, none of which require huge budgets. If people are not aware of what they are
processing, they are also unaware of the consequences and liabilities that result from
not knowing."
Must take operational actions