IAPP CIPM – IAPP exam questions analysed: CIPP/E, CIPM, CIPT

  1. CIPP/E scenarios – part 1

Hi, guys. In the following nine lessons, we’ll go through the different question types for the three IAPP certifications. The first is the CIPP/E, which stands for “Certified Information Privacy Professional/Europe.” Then there is the CIPM, the privacy manager certification, and the CIPT, the privacy technologist certification. IAPP stands for the International Association of Privacy Professionals, and these are its three certifications. They have a fairly good reputation both in Europe and around the world; practically, they are the only privacy certifications that exist nowadays. So let me just show you their website, iapp.org. You go to the certification section, and you can see all the certifications. Then, if you go to the CIPP/E and look at the exam blueprint, you have an introduction to European data protection law and regulation, as well as the various topics on which you may find a question in the exam about compliance with European data protection law and regulation.

So, first and foremost, and this is critical, you must thoroughly read and understand the GDPR. The CIPP/E certification is mostly focused on the regulation from a legal standpoint. It’s not technology-related, and it’s not privacy management programme-related; it’s more or less about data protection law and regulation. In the first three lessons of this section, I will show you the types of questions that you may find. You will not find these exact questions in the exam, but they are similar to the ones that you will find.

When you take a certification for the first time, the exam is taken at a regional or local testing centre, so you cannot take the certification online. You purchase it through the IAPP website and pay the exam fee, and then you make an appointment at a testing facility near your location. When you take your first certification from IAPP, you will pay $550 US dollars (I think it’s about the same amount in euros). If you already have a certification and want to take the second and third ones, you will only pay $375 the next time, so there is a discount of around $175.

Membership of the IAPP is paid separately. When you take your first certification, you also need to pay the maintenance fee for it for one year, which is $125, so practically the first time you take the exam it costs around $675. Instead of paying this $125, I recommend taking the membership, which is $250 and already includes the certification maintenance fee, because with the membership you get access to a lot of resources on the IAPP website: case studies, documentation, and many other useful things that will help you in your privacy role or in a cybersecurity role that touches on privacy. So let’s go back to my presentation. We will have around five questions per lesson, so a total of 15 to 20 questions for every certification (CIPP/E, CIPM, and CIPT). Here is how this will go: I will show you the question, and then I will ask you to pause the video. While the video is paused, think about the question and try to answer it; try to see what your answer would be in that specific case.

After that, start the video again, and I will tell you the answer and the explanation for it. So it’s important to stop the video, think a little bit about the question, try to write down your answer, and then listen to the explanation. Let’s start with the first question. According to the GDPR, when does an organisation need to take action to legitimise cross-border transfers of personal data? A, when the data is routed through another jurisdiction within or outside the U.S.; B, when the data is transferred from one jurisdiction in the U.S. to another; C, when the data is transferred from a jurisdiction outside the U.S. to a member state of the EU; or D, when the data is transferred from a jurisdiction in the European Union to a third country that is not deemed adequate. So right now, please stop the video, take a few seconds or minutes, whatever suits you, and try to answer this question. Then start the video again and listen for the answer. The correct answer is D, when the data is transferred from a jurisdiction in the European Union to a third country that is not deemed adequate. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available. You can read these details in GDPR Article 46.

Okay, let’s go on to question number two. The GDPR and its predecessor, the Data Protection Directive, were allowed to be set up as a harmonisation measure for European member states under which of the following: the Lisbon Treaty, the Treaty of Rome, the Council of Europe Convention, or the European Convention on Human Rights? Again, stop the video now; you have some seconds. Try to answer the question, and then listen for the answer. The correct answer is “B. Treaty of Rome.” The Treaty of Rome allowed the Data Protection Directive to be set up as a harmonisation measure, and its successor, the GDPR, continues to promote economic activity between European Union member countries and freedom of movement for citizens within its economic area. GDPR Article 1(3) provides that the free movement of personal data within the European Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

The GDPR is the legal framework that harmonises data protection processes and practices across member states while providing citizens with adequate data protection. This supports the Treaty of Rome’s efforts to abolish obstacles to the free movement of goods, persons, and services. Let’s move on to question number three: which of the following is an example of direct marketing? Again, please take a few seconds, stop the video, and try to answer the question. The correct answer here is an email sent to an individual promoting a new book that is on sale; that is a clear example of direct marketing. The term “direct marketing” refers specifically to the communication, by whatever means, of any advertising or marketing material directed to particular individuals.

This means that data protection laws apply to the sending of marketing messages only where individuals’ personal data is processed in order to communicate the marketing message to them. Marketing that does not entail the processing of any personal data, and is therefore not directed at individuals, is not subject to data protection compliance. In addition, messages that are purely service-related in nature, for example messages sent to individuals to inform them of the status of an order they have placed, do not generally constitute direct marketing. The GDPR does, however, give the data subject the right to object to processing for the purposes of direct marketing. Let’s move on to question number four: the ePrivacy Directive (Directive 2002/58/EC) contains which provision? Again, please stop the video, try to answer the question, and then listen for the answer. The answer is D: cookies require prior information and consent. The ePrivacy Directive’s main focus is personal data protection in communications and on the Internet. It is not a regulation; rather, the directive depends on the Privacy and Electronic Communications Regulations for implementation.

It also relies on the GDPR for overarching rules and then applies those rules to specific communications and Internet concerns. The ePrivacy Directive has been undergoing review in each member state, as there is a need to harmonise or standardise it so that member states can rely on one interpretation. The GDPR requires prior informed consent for the use of cookies and provides that a data subject’s consent must be an affirmative action. GDPR Article 4(4) defines profiling as any form of automated processing of personal data involving the evaluation of a person’s performance, interests, preferences, behaviour, et cetera. Let’s move on to question number five: which statement describes a European best-practice approach to the protection of employment data held by an organisation? Stop the video, try to answer the question, and listen for the answer. The correct answer in this case is D. In dealing with employees’ personal data, employers should always consider any obligations under local employment law that apply to the situation.

For example, there may be a requirement to consult with the various national works councils. Consultation is often required in those jurisdictions where employee rights law is strong and in situations where the collection of data impacts an employee’s privacy. Works councils are bodies that represent employees and have certain rights under local law that affect the use of employee data by employers. Generally, works councils are more active in certain jurisdictions, such as France, Germany, and Italy. The UK, by contrast, does not have works councils, and UK trade unions do not usually have any influence on how employers use employee data. You can also see Directive 2009/38/EC of the European Parliament and of the Council of May 2009 on the establishment of a European Works Council or a procedure in Community-scale undertakings and Community-scale groups of undertakings for the purposes of informing and consulting employees.

  1. CIPP/E scenarios – part 2

Hi, guys. Let’s continue with Part 2 and the next five questions for the CIPP/E. Question number six: under what conditions is processing sensitive employee data acceptable? Again, pause the video right now, read the answers carefully, try to answer the question, and then listen for the correct one. In this case, the correct answer is B: the processing is necessary for the data controller to carry out its obligations under employment law.

The GDPR allows the processing of sensitive employee data if the controller has explicit consent from the data subject, and where the business obligations of the controller are a justifiable reason to process sensitive information. GDPR Article 9(2)(b) provides that processing of sensitive employee data is acceptable when the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller, and it is also acceptable if the data subject has given explicit consent to the processing of those personal data for one or more specified purposes. Now let’s move on to question seven: why do binding corporate rules (BCRs) prohibit the transfer of employee names to telecom providers within the same country in order to provide them with mobile phone services?

Again, stop the video right now, try to answer the question, and then listen for the correct answer, which in this case is C. BCRs would not provide a basis to transfer the names of employees to a telecom provider in the same country in order to provide them with mobile phone services, because BCRs only deal with intra-organisational transfers and not transfers to third parties; they are specifically designed to provide adequate safeguards within multinational corporations that move data within their organisation. Again, see GDPR Recital 110 and Articles 4(20) and 47. Let’s move on to question number eight: along with the name and contact details of the data controller processing the personal data, what other information must be included in the records of processing to be maintained by the data controller under the GDPR?

Again, pause the video right now, try to answer the question, and listen for the correct answer, which in this case is D, practically all of A, B, and C. Article 30 of the GDPR (records of processing) requires that a data controller maintain a record of the following relating to its processing activities: (a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative, and the data protection officer; (b) the purposes of the processing; (c) a description of the categories of data subjects and of the categories of personal data; (d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations; (e) where applicable, transfers of personal data to a third country or an international organisation, including identification of that third country or international organisation and, in the case of such transfers, the documentation of appropriate safeguards; and, where possible, the envisaged time limits for erasure of the various categories of data. Now let’s move on to question number nine: which statement is correct concerning the information to be provided when collecting personal data directly from the data subject? Again, pause the video right now, try to answer the question, and then come back. For question number nine, the correct answer is C.

Information needs to be detailed if the personal data will be passed to another organisation. The information that is required to be provided correctly includes, among other things, the recipients of the personal data or the categories of recipients; you can see this in GDPR Article 13. Now let’s move on to the last question of this lesson, question number ten: under the GDPR, would a European company be allowed to use video surveillance to monitor employee access to inventory? Again, pause the video, try to work out the correct answer, and then come back. For question number ten, the correct answer is again C. Although the GDPR makes no specific reference to surveillance, the use of video in the employment context amounts to the processing of personal data, so the GDPR will apply. The data controller will be required to carry out a balancing exercise to ensure that the surveillance is proportionate and that the processing is lawful. So “yes, provided that certain conditions have been met” is the correct answer in this case.

  1. CIPP/E scenarios – part 3

Hi guys. Here we are at the last part of the CIPP/E case studies. We’ll have six questions in this lesson; the last three are part of a scenario, so the same three questions apply practically to the same scenario, which will be more like a story. Let’s start with the first three questions. Question eleven: which institution is responsible for ensuring that directives are implemented properly by the member states? Pause the video, think about the answer, and then come back to check it. The answer to question eleven is B, the European Commission. The European Commission is responsible for ensuring member state implementation. The Commission not only acts as the executive body and influences the legislative function but also acts as guardian of the treaties by monitoring the compliance of other institutions, member states, and natural and legal persons. To fulfil this task, Articles 226 and 228 of the EC Treaty grant the Commission the power to take legal and administrative action, including the power to impose a fine against a member state that has failed to comply with the law. Let’s move on to question number twelve.

What is true for a contract based on the European Commission’s standard contractual clauses with a processor outside the European Economic Area? Pause the video right now and think about the answer. For this question, the correct answer is A: before subcontracting, the processor must inform the controller and obtain written approval. When using contracts based on the European Commission’s standard contractual clauses (SCCs), before subcontracting the processor must inform the controller and obtain written approval. Article 28 states that a processor shall not engage another processor without the prior specific or general written authorisation of the controller. This is reinforced in the “subprocessing” clause of the standard contractual clauses, which clearly obliges the processor to obtain prior written consent for the use of a subprocessor. Let’s move on to question 13: which type of data subject is not covered by the GDPR? Pause the video, think about the answer, and then come back.

Deceased individuals is the correct answer to question 13. Deceased individuals’ personal data are not covered by the GDPR; member states, however, may provide for rules regarding the processing of personal data of deceased persons. Article 1 of the GDPR establishes the scope of the regulation as relating to the protection of natural persons with regard to the processing of personal data. You can find this in GDPR Article 1 and GDPR Recital 27. Now let’s move on to the scenario I was telling you about. Take some time to read this scenario; these are the kinds of scenarios you may find in an exam. There can be five or six of them in total in an exam, and usually there are three or four questions related to the same scenario. When taking the exam, try to read the scenario quickly and take notes on the important points. One strategy is to first read the questions quickly to see exactly what they will want from you, and then come back to read the scenario. Alternatively, try to answer each question directly by looking at the scenario.

When you read a question, don’t spend too much time re-reading the scenario. Practically, take it from start to finish, but don’t try to read it two, three, or four times. Read it once and then go to the questions, and work from the questions, because there may be areas of the scenario that aren’t important or specific to the questions you’ll have, and you will lose quite a lot of time trying to read and understand everything in there carefully, taking notes, and so on. So read it once, and then move on to the questions. I would like you to pause the video right now, take a look at the scenario, read it carefully, and then we’ll move on to the first question. The first question is: what should T&B Biscuits do before responding to Rob with the information he has requested? Again, pause the video right now and take a look at the question. I will also take you back to the scenario for a moment; you can pause to look for something in it. Then we come back to the question. So what do you think the correct answer will be? The correct answer is to consider GDPR compliance before sending any information. Under the GDPR, T&B Biscuits has just 30 days to complete Rob’s SAR.

But given this scenario, they’ve wasted many days and now have only five days left both to let Rob know they are processing his SAR and to deliver the request. There are benefits to contacting the requester early. For example, contacting Rob quickly would help define what information Rob really needs, with specifics that may help narrow his request to a less complex volume. It would provide an understanding between the parties about the specific information being requested, allowing the level of effort required to meet Rob’s request to be determined early and reported to Rob immediately, or within the same month as required; and, if necessary, T&B Biscuits could request an extension. It would inform Rob that the process has begun and identify the steps that T&B Biscuits is taking. This will help avoid a situation where Rob files a complaint. You can see details in GDPR Recital 63 and Article 15. Let’s move on to the second question related to the same scenario.

What is the time period within which T&B Biscuits Corporation needs to respond to the data subject? Take a look at the question right now and pause the video. I will also move you back to the scenario so you can read it again, and then I will return to the question. The answer to this question is “without undue delay” or “within a month of receiving the request.” GDPR Article 12(3) requires that the controller or employer respond without undue delay, and within a month. T&B Biscuits is required to respond to Rob’s request as soon as possible, and at the latest within one month of receipt of his request. The first response is to let him know the SAR is being processed; the second response should be the completed SAR. The GDPR allows T&B Biscuits to request an extension of up to two months to complete the SAR, but only if Rob is making multiple requests or his request is complex in nature. In this case, whether 18-year-old Rob’s email record is complicated depends on the company’s justification.

T&B Biscuits would have to provide an explanation to Rob as to why his request requires an extension. Let’s move on to the last question of this lesson: what should T&B Biscuits do next to respond to Rob’s request for email? Again, stop the video right now; you can even go back and read the scenario, then come back to see the answer, which in this case is C: conduct an email search in accordance with its monitoring policy and inform affected employees before any disclosures to Rob. T&B Biscuits should carry out an email search and inform affected employees before any disclosure of emails to Rob. Article 15(3) of the GDPR states that the data subject has the right to obtain a copy of his personal information being processed.

Article 15(4) states that the right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others. Where the processing activity changes, there may be a requirement to seek new consent from all the affected individuals. Since the previously given consent does not cover the new processing, T&B Biscuits should take into account that obtaining the data subjects’ consent may require additional time, and the GDPR allows companies only 30 days to complete a SAR. The GDPR does not specifically prescribe how third-party individuals’ consent should be obtained; rather, the employer has to make the judgement on a case-by-case basis, depending on the SAR made and the risks associated with a breach of confidentiality. To fulfil such a request, the needs of the request should be balanced against the employer’s confidentiality obligation to the third-party individuals in the emails. T&B Biscuits should also be prepared to provide Rob with the supplemental disclosures required by the GDPR, along with the email records it will provide.

  1. CIPM scenarios – part 1

Hi guys. In this lesson, we’ll start the CIPM case studies, and for the following three lessons, including this one, we’ll discuss only CIPM questions. CIPM stands for “Certified Information Privacy Manager,” so these questions will be focused on your privacy programme and its management in your organisation. It’s not just about the law and regulations; it’s also about technology and how you, as a privacy manager, will implement these concepts in your organisation. Let’s start with question one:

What is the value of a privacy workshop for an organisation’s stakeholders? As before, stop the video right now, look for the answer, and then come back to see whether you are right or wrong. The correct answer for this one is C. It is important not to assume that all stakeholders involved in the development and launch of a privacy programme are at the same level of understanding about the regulatory environment or the complexity of the undertaking. There will invariably be different levels of privacy knowledge among your various stakeholders, and this is your opportunity to ensure everyone has the same baseline understanding of the risks and challenges your organisation faces. Now let’s move on to question two: all of the following are factors in determining whether an organisation can craft a common solution to the privacy requirements of multiple jurisdictions, except which one? Pay attention to the word “except.” Again, stop the video right now, try to answer the question, and come back.

The correct answer in this case is the following: crafting a comprehensive personal information protection strategy may not result in a “one size fits all” solution until the most stringent law becomes effective. Instead, one must look at the various activities an organisation performs and the obligations that must be discharged, and attempt to create a common solution for the various activities and privacy requirements. Based on an assessment of cost, risk, legal regulations, and implementation complexity, the organisation must determine whether to apply a common solution to a particular activity or safeguard, or to create a one-off solution. Let’s move on to question number three: what are non-governmental organisations that advocate for privacy protection known as? Think about the question now, and then come back for the answer.

The correct answer is external privacy organisations. After defining privacy in the business case, the privacy domain should be established; this determines the privacy elements, such as the industry, privacy organisations, and other inputs that will provide the necessary laws, standards, guidelines, and other factors that should be evaluated. This includes the selection of the appropriate privacy drivers necessary to correctly determine the privacy needs and requirements of the organisation. One of these drivers is external privacy organisations, which serve as guardians or protectors against misuse of laws or illegal practices. Let’s move on to question number four: which descriptor best describes the general attitude an organisation should exhibit regarding its practices and policies for data protection? Again, pay attention to the word “best.” It doesn’t mean that the other options are all wrong; it just means that one of the four best describes the general attitude. So pause the video and think about it. The correct answer is B, openness. There should be a general policy of openness about developments, practices, and policies with respect to personal data.

Means should be readily available to establish the existence and nature of personal data and the main purposes of their use, as well as the identity and usual residence of the data controller. The last question of this lesson is: when should stakeholders involved in privacy framework development be identified? Take a look at the answers, stop the video, follow your own reasoning, and come back. The answer is D, during the business case development process. The steps to create a privacy policy framework are not necessarily conducted in a rigid order, and not every organisation will normally perform every phase. The first step of this process is an assessment of the business case for the current or forthcoming privacy programme. It is the starting point for assessing the needs of the privacy organisation, and it defines the individual programme needs and the ways to meet specific business goals. Various elements will impact the business case for providing a complete privacy solution; the first of these is assembling a team of privacy professionals that will perform the work and identify stakeholders.

  1. CIPM scenarios – part 2

Hi guys. In this lesson, we’ll continue the CIPM case studies with a scenario that has six questions attached. What I would like you to do is read the complete scenario. Read it once, do not spend too much time understanding every piece of it, and we’ll come back to the same scenario for every question and try to find the answer. So read the case study and pause the video right now. I will continue with the first question. Question six: what should you do to identify the current condition of Country Fresh’s privacy practices and policies? You can even write down the question. I will come back to the scenario.

You can have the scenario in front of you; try to answer the question, and then come back. The correct answer for this one is “establish the baseline.” Establishing the current baseline is the process of collecting data that meets privacy requirements in order to document the current environment. Most of this task is a data collection and documentation effort for current privacy management. In order to generate a baseline or starting point, it is a good idea to start by collecting information on the organisation’s current compliance policies related to privacy regulations, standards, and security. Let’s move on to question seven: how can you discover where personal data resides at Country Fresh? You can write down the question and the answers you have right now. The scenario is in front of you, so you can double-check; stop the video, try to answer, and come back.

The correct answer is C: conduct a data inventory and map data flows. A data inventory identifies where personal data resides, allowing it to be tracked as it moves across various systems, and thus how data is shared and organised in its locations. That data is then categorised by subject area, which reveals inconsistent data versions and enables identification and mitigation of data disparities. A data inventory offers a good starting point for the privacy team to prioritise resources, efforts, risk assessments, and current policy in response to incidents. Let’s move on.

Question eight: you need a master plan or roadmap to guide your choices in developing and refining Country Fresh’s privacy programme. What is the best action to take? Take a look at the answers. I will go back to the scenario; you have it in front of you. You can pause the video and then come back to the question. The answer for this one is D: create a framework for an overarching privacy programme. The privacy governance framework provides the methods to assess, protect, sustain, and respond to the positive and negative effects of all influencing factors. This master plan or framework thereby provides reusable procedures and checklists that outline the operational lifecycle, courses of action, research, and subject-matter expertise, constituting a best-practice approach to an idea, thought, or subject.

Like maps, frameworks provide inquiry topics and direction, problem definition, purpose, literature review, methodology, data collection, and analysis; these are all examples, and they help to ensure quality through repeatable steps throughout programme management, thereby reducing errors or gaps in knowledge or experience. Let’s move on to question nine: what step can best help you identify the specific needs and objectives of Country Fresh regarding privacy protection? Let me go back to the case study; you have it here. You can pause the video, check the answers, and then come back to the question. The correct answer is C: development of the business case. The steps identified to create a privacy policy framework are not necessarily conducted in a rigid order, and not every organisation will perform every phase. For example, in very large organisations, every phase should be completed to ensure the highest accuracy in the selection and definition of privacy definitions and drivers, but the execution of these events may not need to be as formal or as time-consuming, depending on organisational needs.

The first step of this process includes an assessment of the business case for the current or forthcoming privacy programme, or of the privacy requirements for privacy policies, standards, and guidelines. Let’s move on to question ten: in analysing Country Fresh’s existing privacy programme, you find procedures that are informal and incomplete. What stage does this represent in the AICPA/CICA Privacy Maturity Model? You can even look it up on Google, but this is most likely something that will come up in the exam. We did not discuss privacy maturity models in this course, but you should have an idea of what to expect, and you will most likely have a course purely related to CIPM and how to think about management questions. So take a look at this; you can even search on Google for “maturity model” to see exactly what it is. The correct answer is B, ad hoc. This maturity model is an example of a well-known model that provides a very good and mature description of maturity levels. Maturity models are recognised means by which organisations can measure their progress against established benchmarks.

This Privacy Maturity Model (PMM) uses five maturity levels, the first of which is “ad hoc,” meaning procedures or processes that are generally informal, incomplete, and inconsistently applied. Let’s take a look at the last question in this scenario: which of the following best describes who at Country Fresh needs to be trained on privacy protection? Again, stop the video and take a look at the answers. The correct answer here is D. All departments that have any contact with personal data should have training programmes dealing with privacy policies that are based on clear policies and standards and have ongoing mechanisms and processes to educate and guide employees in implementation. Everyone who handles personal information needs to be trained in privacy policies and how to deploy them within their area to ensure compliance with all policy requirements. This applies to employees, management, contractors, and other entities with which your organisation might share personal information.
