CIPM Practice Questions (Sample Questions)
Practice questions are indispensable for good exam preparation. Below you will find thirty IAPP style CIPM practice questions including two scenario questions. At the very bottom of the page you can download the questions in PDF.
The sample questions are part of our CIPM online training course. Our courses contain more than 300 of these practice questions. Our courses also include an up to date and detailed textbook outline and various training videos. This combination ensures optimum preparation for the exam and a high chance of excelling at your first try. More information can be found at CIPPTraining.com or start immediately and register with the button below.
All the following are responsibilities of a privacy program manager EXCEPT:
A. Identifying privacy obligations
B. Conducting program audits
C. Creating new procedures
D. Submit an annual report to the GDPR
Answer: D. The GDPR does not require an annual report.
Relating to Privacy Law, which term can best be defined as being able to prove that an organization is acting and demonstrating compliance with applicable laws?
A. Accountability
B. Privacy Governance
C. Privacy Framework
D. Data Map
Answer: A. Accountability is a major concept in new data protection laws.
Relating to Privacy Law, which term can best be defined as to guide a privacy function toward compliance with legal obligations and the organization’s business objectives and goals?
A. Accountability
B. Privacy Governance
C. Privacy Framework
D. Data Map
Answer: B. Privacy governance is required for building a strong privacy program.
Regarding privacy governance, which of the following describes where an organization stands on privacy?
A. The Scope of the Privacy Program
B. The Privacy Vision Statement
C. The Privacy Framework
D. The Privacy Strategy
Answer: B. The privacy vision or mission statement describes where the organization stands regarding privacy in just a few sentences.
In which component of privacy governance does an organization identify what personal information is processed and determine privacy obligations?
A. Selecting a Privacy Framework
B. Developing a Privacy Strategy
C. Defining Privacy Program Scope
D. Structuring the Privacy Team
Answer: C. While defining the scope of the privacy program an organization should identify what personal information is to be processed and then identify privacy obligations related to the data collected.
Which component of privacy governance is defined as the organization’s approach to communicating and obtaining support for the privacy program?
A. Selecting a Privacy Framework
B. Developing a Privacy Strategy
C. Defining Privacy Program Scope
D. Structuring the Privacy Team
Answer: B. Developing a privacy strategy is completed after the vision statement has been written, and both scope and framework have been determined.
During which component of Privacy Governance might a company gain buy-in to a new privacy program by conducting interviews and establishing program sponsors throughout the organization?
A. Selecting a Privacy Framework
B. Developing a Privacy Strategy
C. Defining Privacy Program Scope
D. Structuring the Privacy Team
Answer: B. Conducting privacy workshops and assisting with ongoing projects to investigate privacy requirements jointly may also be done.
Which privacy team model gives the most freedom and flexibility and a sense of ownership while allowing everyone to learn what works best for them, but takes the most time to implement successfully?
A. Central
B. Hybrid
C. Local
D. Sectoral
Answer: B. The central model is quick and easy but tends to exclude rather than include. Most companies use a hybrid that combines both the central and local model.
Assuming that a candidate is qualified, which requirements must be met when appointing a Data Protection Officer?
A. They must have a privacy certification and 10 years’ experience
B. They must be a line manager and integrated into the organization
C. They must have 5 years’ experience as a privacy auditor
D. They must be independent and report to the highest level of the organization
Answer: D. DPOs are appointed voluntarily, but they must be independent and report to the highest level of management to remain objective and free of organizational influences.
Use the following scenario to answer questions 10-14.
Philip lives in the state of California and owns a gaming website. Most of his customers are between the age of 10 and 35. Philip is unfamiliar with privacy laws and wants to ensure that his business is compliant for operating in the US and especially California. A small number of customers live in the EU. Philip collects personal information for the purpose of directly marketing various games and accessories to his customers.
Philip has a privacy notice that he emails to new customers once they submit their email address at the start of membership sign-up. His notice contains information about his website, what information is processed, and how the data is used after collection.
Philip uses a popular credit card processing company for all his financial transactions and believes they are compliant regarding financial privacy laws so that he does not need to do anything additional to protect customers.
Philip needs a privacy professional to guide him through various California and other laws, so he understands his responsibilities regarding customer privacy on his website.
When explaining the Children’s Online Privacy Protection Act to Philip, for which age group is a parent’s permission not needed to collect information, although Philip must still obtain affirmative consent?
A. 8 to 13 years old
B. 12 to 15 years old
C. 13 to 16 years old
D. 15 to 17 years old
Answer: C. Children under the age of 13 require a parent’s consent. Those aged 13 to 16 can give consent themselves, but it must be affirmative, such as ticking a box.
Which California law must be explained to Philip that states he must have a legible privacy statement on his website?
A. California Online Privacy Protection Act
B. California Shine the Light Law
C. California Online Eraser Law
D. California Consumer Privacy Act
Answer: A. CalOPPA states that websites that collect personal information from California consumers are required to place a privacy notice on their website.
Philip will also need a process to receive and act upon requests from California customers to supply them with whatever information the company has collected about them, how it is used, and with whom it is disclosed and to opt-out of selling the information to third parties. Which California law can be cited to explain this to Philip?
A. California Online Privacy Protection Act
B. California Shine the Light Law
C. California Online Eraser Law
D. California Consumer Privacy Act
Answer: D. The California Consumer Privacy Act provides for these rights of consumers.
Dieter, a European citizen, has written an email to Philip. He stated he wanted his name to be modified in the database, because he recently had it changed, and asked for his postal address to be erased. Does Philip have to answer?
A. No, because he earlier gave full consent to Philip
B. No, Philip would only have to if Dieter were a U.S. citizen
C. Yes, and even if it’s a complex situation, Philip has to do it in under two months
D. Yes, and Philip normally has a month to do so
Answer: D. Article 12(3) GDPR stipulates that the controller (Philip) has one month, starting from receipt of the request, to comply with the requests of data subjects. This period can be extended by two months in specific situations and/or in the case of complex requests.
Philip decides to answer Dieter. Under the GDPR, should Philip change Dieter’s name as requested?
A. Yes, and as controller he must ensure the data is modified appropriately
B. It’s recommended that he does, but he is not under the legal obligation to do so
C. No, because Dieter gave full consent to use his old name
D. No, but Philip is obligated to add a note of the request to the database
Answer: A. See Article 16 GDPR. The controller must ensure the data is modified appropriately.
Within privacy laws and regulations, which of the following is a voluntary code of conduct?
A. PCI DSS
B. HIPAA
C. FERPA
D. FCRA
Answer: A. The payment card industry data security standard for protecting credit card data is likely the best-known voluntary code of conduct within a large industry.
Which of the following laws has the purpose of finding a balance between the free flow of data and the protection of the fundamental rights and freedoms of those to whom the data relates?
A. GDPR
B. HITECH
C. TCPA
D. COPPA
Answer: A. The GDPR provides general protections and regulations to find the balance between the free flow of data and the protection of the fundamental rights and freedoms of those to whom the data applies.
Which article of the GDPR defines the territorial scope of the GDPR?
A. Article 1
B. Article 3
C. Article 30
D. Article 65
Answer: B. Article 3 defines the territorial scope of the GDPR.
All the following are TRUE concerning data assessments EXCEPT:
A. The Gramm-Leach-Bliley Act requires mandatory data mapping
B. The GDPR applies to both personal and non-personal data collection activities
C. Organizations with fewer than 250 employees that only collect data occasionally do not require a data inventory (processing records) under the GDPR
D. Article 30 of GDPR contains reporting requirements for data processing activities
Answer: B. GDPR only applies to personal data.
Which of the following data assessments is described as, “an analysis of the privacy risks associated with processing personal information in relation to a project, product, or service?”
A. Privacy Assessment
B. Privacy Impact Assessment
C. Second Party Audit
D. Comprehensive Data Mapping
Answer: B. The PIA must also include measures to reduce the identified risks.
Which privacy assessment describes a process designed to identify risks arising out of the processing of personal data and to minimize these risks as much and as early as possible? This assessment also has specific requirements outlined in Article 35 of the GDPR.
A. Privacy Assessment
B. Privacy Impact Assessment
C. Data Protection Impact Assessment
D. Comprehensive Data Mapping
Answer: C. The DPIA and PIA basically require the same thing, but DPIA has specific requirements under the GDPR.
Which type of data assessment must be completed according to the European Data Protection Board when evaluating or scoring an individual to determine his or her economic situation?
A. Privacy Assessment
B. Privacy Impact Assessment
C. Data Protection Impact Assessment
D. Comprehensive Data Mapping
Answer: C. The EDPB requires that a DPIA be conducted in this situation.
Information Security is about preserving and protecting information regarding:
A. Availability
B. Integrity
C. Confidentiality
D. All the above
Answer: D. CIA = Confidentiality, Integrity, and Availability.
All the following statements are TRUE regarding data processing vendors and vendor selection EXCEPT:
A. Privacy risks on the part of the vendor must be exposed and remedied
B. Privacy responsibilities must be clearly documented in the contract
C. Vendors must help the primary company report any data breaches
D. The controller can only act on the instructions of the processor
Answer: D. Vendors (processors) must follow the directions of the controller, or risk becoming subject to the additional laws and obligations of being a controller.
Which elements should be included in an organization’s privacy policy?
A. Purpose, Scope, Risk and Responsibilities, and Compliance Reasons
B. Scope, Framework, Strategy, and Team Structure
C. Purpose, Strategy, Scope, and Risk Assessment
D. Purpose, Scope, Strategy, and Team Structure
Answer: A. It is specifically recommended that a privacy policy include the purpose, scope, risk and responsibilities, and compliance reasons.
All the following statements regarding privacy policies are true, EXCEPT:
A. A privacy policy is a living document that adapts over time based on organizational needs
B. Specific guidelines and procedures are an elaboration of the privacy policy
C. A privacy policy is for external communication about the retention of personal data
D. A privacy committee may exist to communicate the privacy policy through an organization
Answer: C. A privacy policy is for internal communication, whereas a privacy notice is for external communication.
Use the following scenario to answer questions 26-30.
Maria is the new Data Protection Officer at her company. The DPO is also the privacy team leader. Maria has been given new business objectives that the company is focusing on for the next year. Maria wants to map each business objective to the existing reports produced throughout the company so she can see if there are gaps requiring new reports.
Maria also wants to check the reverse and determine if the teams are developing reports that are no longer tied to business objectives. There have been some recent issues of management making business decisions based on the available metrics when it is clear the managers making the decision did not fully understand the limitations of the metric.
Lastly, the company will have an external auditor at the end of the year for recertification. The audit is extremely important since nearly all the company’s biggest clients require TQM or ISO certification to be eligible to bid on projects.
Which of the following is an objective unit of measurement and must be aligned with the company’s business objectives?
A. SMART Goal
B. Enabling Objective
C. Performance Metric
D. Program Target
Answer: C. Every performance metric should have an owner who is responsible for the underlying processes that move the metric.
Which statement is true regarding the use of privacy metrics within the company?
A. Privacy metrics promote awareness to the importance of a business objective
B. Each privacy metric should be defined so everyone understands what the measurement indicates
C. Privacy metrics must be adaptable to the changing needs of the organization
D. All the statements above are true
Answer: D. Metrics are not easy. Identifying exactly which metrics are important and reflect the business objectives is not always intuitive.
Which type of data reporting may include measuring how long data is not available, such as in a disaster situation?
A. Return on Investment
B. Business Resiliency
C. Trend Analysis
D. Cataclysm Analysis
Answer: B. Business resiliency metrics refer to how well the business withstands crisis.
Regarding program maturity and tracking privacy compliance, at which level is data reporting first mapped out and specified?
A. Ad Hoc
B. Defined
C. Managed
D. Repeatable
Answer: B. Level 3 is Defined. It is not yet regularly reviewed, nor does it have continuous improvement efforts.
What is the correct order of privacy audit phases, and what type of audit would be conducted by ISO or NIST?
A. A first party audit consisting of: Plan, Prepare, Audit, Report, and Follow-up
B. A second party audit consisting of: Prepare, Audit, Report, Plan Response, Follow-up
C. A third-party audit consisting of: Plan, Prepare, Audit, Report and Follow-up
D. A third-party audit consisting of: Plan, Prepare, Audit, Follow-up, Formal Report
Answer: C. ISO and NIST are forms of third-party audit that are usually lengthy and result in certification, or re-certification. Neither ISO nor NIST can determine if your processes or systems are good. They can only determine that you have a documented process, follow that process, and have continuous improvement efforts in place.
More about our CIPM course
Do you want more practice questions? Our CIPM Training includes the following:
- The outline of the official textbook
- 55 lessons
- 3 full practice exams of 90 questions each
- 100+ flashcards
Make data privacy regulations work for your organization by understanding how to implement them in day-to-day operations. Learn to create a company vision, structure a data protection team, develop and implement system frameworks, communicate to stakeholders, measure performance and more.
The Certified Information Privacy Manager is the world’s first and only certification in privacy programme management. When you earn a CIPM, it shows that you know how to make a privacy programme work for your organisation. In other words, you’re the go-to person for day-to-day operations when it comes to data protection.
This CIPM program was developed by the International Association of Privacy Professionals (IAPP), which is the world’s largest comprehensive global information privacy community and resource. The CIPM certification also holds accreditation under ISO 17024:2012.
Privacy Program Management is the how-to training on implementing a privacy program framework, managing the privacy program operational lifecycle and structuring a knowledgeable, high performing privacy team. Those taking this course will learn the skills to manage privacy in an organisation through process and technology – regardless of jurisdiction or industry.
- How to create a company vision
- How to structure the privacy team
- How to develop and implement a privacy program framework
- How to communicate to stakeholders
- How to measure performance
- The privacy program operational life cycle
The best exam preparation
Pass your exam with ease with our online training courses. You will get study materials and CIPP, CIPM exam questions that are designed by a certified privacy professional. Several students have opted for our online CIPP and CIPM training courses for the following reasons:
- Save hundreds of dollars
- Money back guarantee
- CIPP exam questions
- Study at your own pace
- Connect with other professionals
Check out our set of sample Flashcards, our study guide with everything you need to know and our blog post about the latest changes in the CIPM Exam. Visit our blog for more.
- Unlocking Success with CIPM: Key Benefits for Privacy Professionals 2024. When you have a CIPM certification, it shows you can effectively manage privacy programs. It […]
- 2024 CIPM Exam: New Topics and Updates Explained. As of September 2, 2024, the Certified Information Privacy Manager (CIPM) exam has undergone some changes. While […]