Exam

CIPM- IAPP

Pages: 16
Grade: A+
Uploaded on: 07-10-2024
Written in: 2024/2025

Audit Life Cycle - answer-High-level, five-phase audit approach. The steps include: Audit Planning; Audit Preparation; Conducting the Audit; Reporting; and Follow-up.

Active Scanning Tools - answer-DLP network, storage, scans and privacy tools can be used to identify security and privacy risks to personal information. They can also be used to monitor for compliance with internal policies and procedures, and block e-mail or file transfers based on the data category and definitions.

Anonymization - answer-The process in which individually identifiable data is altered in such a way that it no longer can be related back to a given individual. Among many techniques, there are three primary ways that data is anonymized. Suppression is the most basic version of anonymization and it simply removes some identifying values from data to reduce its identifiability. Generalization takes specific identifying values and makes them broader, such as changing a specific age (18) to an age range (18-24). Noise addition takes identifying values from a given data set and switches them with identifying values from another individual in that data set. Note that all of these processes will not guarantee that data is no longer identifiable and have to be performed in such a way that does not harm the usability of the data.

Behavioral Advertising - answer-advertising that is targeted to particular customers, based on their observed online behavior

Binding Corporate Rules - answer-An appropriate safeguard allowed by the GDPR to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide.

Bureau of Competition - answer-Enforce the US antitrust laws

Bureau of Consumer Protection - answer-protects consumers against unfair, deceptive, or fraudulent practices by collecting complaints and conducting investigations, suing companies and people that break the law, developing rules to maintain a fair marketplace, and educating consumers.

Bureau of Economics - answer-Provides economic analysis and support to antitrust and consumer protection investigations

Business Case - answer-The starting point for assessing the needs of the privacy organization, it defines the individual program needs and the ways to meet specific business goals, such as compliance with privacy laws or regulations, industry frameworks, customer requirements and other considerations.

Canadian Institute of Chartered Accountants - answer-Responsible for the functions that are critical to the success of the Canadian CA profession.

COPPA (Children's Online Privacy Protection Act) - answer-Passed in 1998 to protect children from the gathering of their personal information without parental consent. Required to be followed by all websites geared toward children under 13.

Choice - answer-Choice refers to the idea that consent must be freely given and that data subjects must have a genuine choice as to whether to provide personal data or not.

CIA Triad - answer-Confidentiality, Integrity, Availability

Collection Limitation - answer-A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Consent - answer-Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law.

Current Baseline - answer-"As-is" data privacy requirements; the current environment and any protections, policies, and procedures currently deployed.

Data Breach - answer-The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector—provided the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

Data Controller - answer-someone who determines why and how personal data is processed

Data Inventory - answer-Also known as a record of authority, identifies personal data as it moves across various systems and thus how data is shared and organized, and its location. That data is then categorized by subject area, which identifies inconsistent data versions, enabling identification and mitigation of data disparities.

Data Life Cycle Management - answer-Also known as information life cycle management (ILM) or data governance, DLM is a policy-based approach to managing the flow of information through a life cycle from creation to final disposition. DLM provides a holistic approach to the processes, roles, controls and measures necessary to organize and maintain data, and has 11 elements: Enterprise objectives; minimalism; simplicity of procedure and effective training; adequacy of infrastructure; information security; authenticity and accuracy of one's own records; retrievability; distribution controls; auditability; consistency of policies; and enforcement.

Data Minimization Principle - answer-The idea that one should only collect and retain that personal data which is necessary.

Data Protection Authority - answer-Independent public authorities that supervise the application of data protection laws in the EU.

Data Protection Impact Assessment - answer-The process by which companies can systematically assess and identify the privacy and data protection impacts of any products they offer and services they provide.

Data Quality - answer-A comprehensive approach to ensuring the accuracy, validity, and timeliness of data.

Do Not Track - answer-A proposed regulatory policy, similar to the existing Do Not Call Registry in the United States, which would allow consumers to opt out of web-usage tracking.

Electronic Communications Privacy Act of 1986 - answer-The collective name of the Electronic Communications Privacy and Stored Wire Electronic Communications Acts, which updated the Federal Wiretap Act of 1968. ECPA, as amended, protects wire, oral and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The act applies to e-mail, telephone conversations and data stored electronically. The USA PATRIOT Act and subsequent federal enactments have clarified and updated ECPA in light of the ongoing development of modern communications technologies and methods, including easing restrictions on law enforcement access to stored communications in some cases.

Gramm-Leach-Bliley Act - answer-requires financial institutions to ensure the security and confidentiality of customer data

Individual Participation - answer-A fair information practices principle, it is the principle that an individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have data relating to him communicated to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

Information Life Cycle - answer-Collection, processing, use, disclosure, retention, and destruction.

Metric Life Cycle - answer-The processes and methods to sustain a metric to match the ever-changing needs of an organization. Consists of a 5-step process: (1) Identification of the intended audience; (2) Definition of data sources; (3) Selection of privacy metrics; (4) Collection and refinement of systems/application collection points; and (5) Analysis of the data/metrics to provide value to the organization and provide a feedback quality mechanism.

Metrics - answer-Tools that facilitate decision making and accountability through collection, analysis, and reporting of data. They must be measurable, meaningful, clearly defined (with boundaries), indicate progress, and answer a specific question to be valuable and practical.

NIST - answer-National Institute of Standards and Technology. NIST is a part of the U.S. Department of Commerce, and it includes an Information Technology Laboratory (ITL). The ITL publishes special publications related to security that are freely available for download here: http://

Non-Public Personal Information - answer-Is defined by GLBA as personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution. Excluded from the definition are (i) publicly available information and (ii) any consumer list that is derived without using personally ide


Seller: TOPDOCTOR, Abacus College, Oxford