CIPM Practice Questions (Sample Questions)
Practice questions are indispensable for good exam preparation. Below you will find thirty IAPP style CIPM practice questions including two scenario questions. At the very bottom of the page you can download the questions in PDF.
The sample questions are part of our CIPM online training course. Our courses contain more than 300 of these practice questions. Our courses also include an up to date and detailed textbook outline and various training videos. This combination ensures optimum preparation for the exam and a high chance of excelling at your first try. More information can be found at CIPPTraining.com or start immediately and register here.
Are you planning to pass the CIPM exam? Then these blog posts might be of interest to you:
CIPM Exam Annual Update (2023)
CIPM Study Guide
How to prepare for CIPM exam?
CIPM Training Certification Course
Question 1
Answer
Question 1
All the following are responsibilities of a privacy program manager EXCEPT:
A. Identifying privacy obligations
B. Conducting program audits
C. Creating new procedures
D. Submit an annual report to the GDPR
Answer
Answer: D. The GDPR does not required an annual report.
Question 2
Answer
Question 2
Relating to Privacy Law, which term can best be defined as being able to prove that an organization is acting and demonstrating compliance with applicable laws?
A. Accountability
B. Privacy Governance
C. Privacy Framework
D. Data Map
Answer
Answer: A. Accountability is a major concept in new data protection laws.
Question 3
Answer
Question 3
Relating to Privacy Law, which term can best be defined as to guide a privacy function toward compliance with legal obligations and the organization’s business objectives and goals?
A. Accountability
B. Privacy Governance
C. Privacy Framework
D. Data Map
Answer
Answer: B. Privacy governance is required for building a strong privacy program.
Question 4
Answer
Question 4
Regarding privacy governance, which of the following describes where an organization stands on privacy?
A. The Scope of the Privacy Program
B. The Privacy Vision Statement
C. The Privacy Framework
D. The Privacy Strategy
Answer
Answer: B. The privacy vision or mission statement describes where the organization stands regarding privacy in just a few sentences.
Question 5
Answer
Question 5
In which component of privacy governance does an organization identify what personal information is processed and determine privacy obligations?
A. Selecting a Privacy Framework
B. Developing a Privacy Strategy
C. Defining Privacy Program Scope
D. Structuring the Privacy Team
Answer
Answer: C. While defining the scope of the privacy program an organization should identify what personal information is to be processed and then identify privacy obligations related to the data collected.
Question 6
Answer
Question 6
Which component of privacy governance is defined as the organization’s approach to communicating and obtaining support for the privacy program?
A. Selecting a Privacy Framework
B. Developing a Privacy Strategy
C. Defining Privacy Program Scope
D. Structuring the Privacy Team
Answer
Answer: B. Developing a privacy strategy is completed after the vision statement has been written, and both scope and framework have been determined.
Question 7
Answer
Question 7
During which component of Privacy Governance might a company gain buy-in to a new privacy program by conducting interviews and establishing program sponsors throughout the organization?
A. Selecting a Privacy Framework
B. Developing a Privacy Strategy
C. Defining Privacy Program Scope
D. Structuring the Privacy Team
Answer
Answer: B. Conducting privacy workshops and assisting with ongoing projects to investigate privacy requirements jointly may also be done.
Question 8
Answer
Question 8
Which privacy team model gives the most freedom of flexibility and a sense of ownership while allowing everyone to learn what works best for them, but it takes the most time to implement successfully?
A. Central
B. Hybrid
C. Local
D. Sectoral
Answer
Answer: B. The central model is quick and easy but tends to exclude rather than include. Most companies use a hybrid that combines both the central and local model.
Question 9
Answer
Question 9
Assuming that a candidate is qualified, which requirements must be met when appointing a Data Protection Officer?
A. They must have a privacy certification and 10 years’ experience
B. They must be a line manager and integrated into the organization
C. They must have 5 years’ experience as a privacy auditor
D. They must be independent and report to the highest level of the organization
Answer
Answer: D. DPO’s are appointed voluntarily, but they must be independent and report to the highest level of management to remain objective and free of organizational influences.
Use the following scenario to answer questions 10-14.
Philip lives in the state of California and owns a gaming website. Most of his customers are between the age of 10 and 35. Philip is unfamiliar with privacy laws and wants to ensure that his business is compliant for operating in the US and especially California. A small number of customers live in the EU. Philip collects personal information for the purpose of directly marketing various games and accessories to his customers.
Philip has a privacy notice that he emails to new customers once they submit their email address at the start of membership sign-up. His notice contains information about his website, what information is processed, and how the data is used after collection.
Philip uses a popular credit card processing company for all his financial transactions and believes they are compliant regarding financial privacy laws so that he does not need to do anything additional to protect customers.
Philip needs a privacy professional to guide him through various California and other laws, so he understands his responsibilities regarding customer privacy on his website.
Question 10
Answer
Question 10
When explaining the Children’s Online Privacy Protection Act to Philip, what age group does not need parent’s permission to collect information, but Philip must obtain affirmative consent?:
A. 8 to 13 years old
B. 12 to 15 years old
C. 13 to 16 years old
D. 15 to 17 years old
Answer
Answer: C. Under the age of 13 requires a parent’s consent. 13 to 16 years of age can give consent, but it must be affirmed, such as clicking on a box.
Question 11
Answer
Question 11
Which California law must be explained to Philip that states he must have a legible privacy statement on his website?
A. California Online Privacy Protection Act
B. California Shine the Light Law
C. California Online Eraser Law
D. California Consumer Privacy Act
Answer
Answer: A. CalOPPA states that websites that collect personal information from California consumers are required to place a privacy notice on their website.
Question 12
Answer
Question 12
Philip will also need a process to receive and act upon requests from California customers to supply them with whatever information the company has collected about them, how it is used, and with whom it is disclosed and to opt-out of selling the information to third parties. Which California law can be cited to explain this to Philip?
A. California Online Privacy Protection Act
B. California Shine the Light Law
C. California Online Eraser Law
D. California Consumer Privacy Act
Answer
Answer: D. The California Consumer Protect Act provides for these rights of consumers.
Question 13
Answer
Question 13
Dieter, a European citizen, has written an email to Philip. He stated he wanted his name to be modified in the database, because he recently had it changed, and asked for his postal address to be erased. Does Philip have to answer?
A. No, because he earlier gave full consent to the Philip
B. No, Philip would only have to if Dieter was an U.S. citizen
C. Yes, and even if it’s a complex situation, Philip has to do it in under two months
D. Yes, and Philip normally has a month to do so
Answer
Answer: D. Article 12 (3) GDPR stipulates that the controller (Philip) has a month to comply with the requests of data subjects. Starting with the receipt of the request. This period can be extended by two months in specific situations and/or in case of complex applications.
Question 14
Answer
Question 14
Philip decides to answer Dieter. Under the GDPR, should Philips change Dieter’s name as requested?
A. Yes, and as controller he must ensure the data is modified appropriately
B. It’s recommended that he does, but he is not under the legal obligation to do so
C. No, because Dieter gave full consent to use his old name
D. No, but Philip is obligated to add a note of the request to the database
Answer
Answer: A. See Article 16 GDPR. The controller must ensure the data is modified appropriately.
Question 15
Answer
Question 15
Within privacy laws and regulations, which of the following is a voluntary code of conduct?
A. PCI DSS
B. HIPAA
C. FERPA
D. FRCA
Answer
Answer: A. The payment card industry data security standard for protecting credit card data is likely the best-known voluntary code of conduct within a large industry.
Question 16
Answer
Question 16
Which of the following laws has the purpose of finding a balance between the free flow of data and the protection of the fundamental rights and freedoms of those to whom the data relates?
A. GDPR
B. HITECH
C. TCPA
D. COPPA
Answer
Answer: A. The GDPR provides general protections and regulations to find the balance between the free flow of data and the protection of the fundamental rights and freedoms of those to whom the data applies.
Question 17
Answer
Question 17
Which article of the GDPR defines the territorial scope of the GDPR?
A. Article 1
B. Article 3
C. Article 30
D. Article 65
Answer
Answer: B. Article 3 defines the territorial scope of the GDPR.
Question 18
Answer
Question 18
All the following are TRUE concerning data assessments EXCEPT:
A. The Gramm-Leach-Bliley Act requires mandatory data mapping
B. The GDPR applies to both personal and non-personal data collection activities
C. Organizations with less than 250 employees that only collect data occasionally do not require a data inventory (processing records) under GDPR
D. Article 30 of GDPR contains reporting requirements for data processing activities
Answer
Answer: B. GDPR only applies to personal data.
Question 19
Answer
Question 19
Which of the following data assessments is described as, “an analysis of the privacy risks associated with processing personal information in relation to a project, product, or service?”
A. Privacy Assessment
B. Privacy Impact Assessment
C. Second Party Audit
D. Comprehensive Data Mapping
Answer
Answer: B. The PIA, which must also include measures to reduce the identified risks.
Question 20
Answer
Question 20
Which privacy assessment describes a process designed to identify risks arising out of the processing of personal data and to minimize these risks as much and as early as possible. This assessment also has specific requirements outlined in Article 35 of the GDPR.
A. Privacy Assessment
B. Privacy Impact Assessment
C. Data Protection Impact Assessment
D. Comprehensive Data Mapping
Answer
Answer: C. The DPIA and PIA basically require the same thing, but DPIA has specific requirements under the GDPR.
Question 21
Answer
Question 21
Which type of data assessment must be completed according to the European Data Protection Board when evaluating or scoring an individual to determine his or her economic situation?
A. Privacy Assessment
B. Privacy Impact Assessment
C. Data Protection Impact Assessment
D. Comprehensive Data Mapping
Answer
Answer: C. The EDPB requires that a DPIA be conducted in this situation.
Question 22
Answer
Question 22
Information Security is about preserving and protecting information regarding:
A. Availability
B. Integrity
C. Confidentiality
D. All the above
Answer
Answer: D. CIA = Confidentiality, Integrity, and Availability
Question 23
Answer
Question 23
All the following statements are TRUE regarding data processing vendors and vendor selection EXCEPT:
A. Privacy risks on the part of the vendor must be exposed and remedied
B. Privacy responsibilities must be clearly documented in the contract
C. Vendors must help the primary company report any data breaches
D. The controller can only act on the instructions of the processor
Answer
Answer: D. Vendors (processors) must follow the directions of the controller, or risk becoming subject to the additional laws and obligations of being a controller.
Question 24
Answer
Question 24
Which elements should be included in an organizations privacy policy?
A. Purpose, Scope, Risk and Responsibilities, and Compliance Reasons
B. Scope, Framework, Strategy, and Team Structure
C. Purpose, Strategy, Scope, and Risk Assessment
D. Purpose, Scope, Strategy, and Team Structure
Answer
Answer: A. It is specifically recommended that a privacy policy include the purpose, scope, risk and responsibilities, and compliance reasons.
Question 25
Answer
Question 25
All the following statements regarding privacy policies are true, EXCEPT:
A. A privacy policy is a living document that adapts over time based on organizational needs
B. Specific guidelines and procedures are an elaboration of the privacy policy
C. A privacy policy is for external communication about the retention of personal data
D. A privacy committee may exist to communicate the privacy policy through an organization
Answer
Answer: C. A privacy policy is for internal communication whereas a privacy note is for external communication.
Use the following scenario to answer questions 26-30.
Maria is the new Data Protect Officer at her company. The DPO is also the privacy team leader. Maria has been given new business objectives that the company is focusing on for the next year. Maria wants to map each business objective to the existing reports produced throughout the company so she can see if there are gaps requiring new reports.
Maria also wants to check the reverse and determine if the teams are developing reports that are no longer tied to business objectives. There have been some recent issues of management making business decisions based on the available metrics when it is clear the managers making the decision did not fully understand the limitations of the metric.
Lastly, the company will have an external auditor at the end of the year for recertification. The audit is extremely important since nearly all the company’s biggest clients require TQM or ISO certification to be eligible to bid on projects.
Question 26
Answer
Question 26
Which of the following is an objective unit of measurement and must aligned with the company’s business objectives?
A. SMART Goal
B. Enabling Objective
C. Performance Metric
D. Program Target
Answer
Answer: C. Every performance metric should have an owner who is responsible for the underlying processes that move the metric.
Question 27
Answer
Question 27
Which statement is true regarding the use of privacy metrics within the company?
A. Privacy metrics promote awareness to the importance of a business objective
B. Each privacy metric should be defined so everyone understands what the measurement indicates
C. Privacy metrics must be adaptable to the changing needs of the organization
D. All the statements above are true
Answer
Answer: D. Metrics are not easy. Identifying and identifying exactly which metrics are important and reflect the business objects are always intuitive.
Question 28
Answer
Question 28
Which type of data reporting may include measuring how long data is not available, such as in a disaster situation?
A. Return on Investment
B. Business Resiliency
C. Trend Analysis
D. Cataclysm Analysis
Answer
Answer: B. Business resiliency metrics refer to how well the business withstands crisis.
Question 29
Answer
Question 29
Regarding program maturity and tracking privacy compliance, at which level is data reporting first mapped out and specified?
A. Ad Hoc
B. Defined
C. Managed
D. Repeatable
Answer
Answer: B. Level 3 is Defined. It is not yet regularly reviewed, nor does it have continuous improvement efforts.
Question 30
Answer
Question 30
What is the correct order of privacy audit phases, and what type of audit would be conducted by ISO or NIST?
A. A first party audit consisting of: Plan, Prepare, Audit, Report, and Follow-up
B. A second party audit consisting of: Prepare, Audit, Report, Plan Response, Follow-up
C. A third-party audit consisting of: Plan, Prepare, Audit, Report and Follow-up
D. A third-party audit consisting of: Plan, Prepare, Audi, Follow-up, Formal Report
Answer
Answer: C. ISO and NIST are forms of third-party audit that are usually lengthy and result in certification, or re-certification. Neither ISO nor NIST can determine if your processes or systems are good. They can only determine that you have a documented process, follow that process, and have continuous improvement efforts in place.
Tips for passing your exams
Download our free PDF guide on how to pass without struggling. Our FREE guide covers tips on how to prepare for your IAPP papers, the best strategies for passing at the first try, money saving-tricks, and more.
The CIPP/E course is very well organized and saves you a lot of time. Don't be fooled by the number of pages of the outline compared to the IAPP Official Book; it covers everything important and you will be very well prepared for the exam. Plus, the staff is super helpful and willing to answer any questions you may have along the way. Recommended without hesitation.
Daniel Reyes
CIPP Training provided me with everything I needed to be prepared to sit the CIPP/E exam. I had already read the book but CIPP Training helped me to absorb the topics more effectively as it is really well organised with videos, texts and a detailed summary. The practice questions were incredibly helpful and I definitely wouldn’t have passed the exam without it.
Juliana A.
This training was the key for me to pass on CIPP/E. Specially in my case, since English is not my native language so I all the tips about the tricky questions helped me a lot!
Alan Costa
The best exam preperation
Pass your exam with ease with our online training courses. You will get study materials and CIPP, CIPM exam questions that are designed by a certified privacy professional. Several students have opted for our online CIPP and CIPM training courses for the following reasons:
