Get IAPP CIPM Exam Dumps

Answer : C

When a data breach incident has occurred, the first priority is to determine how to contain the breach. Containment means stopping or minimizing the further loss or unauthorized disclosure of personal data, as well as preserving evidence for investigation and remediation. Containment may involve isolating affected systems, devices, or networks; changing access credentials; blocking malicious IP addresses; or notifying relevant parties such as law enforcement or security experts.After containing the breach, the next steps are to assess the impact and severity of the breach, notify the affected individuals and authorities if required, evaluate the causes and risks of the breach, and implement measures to prevent future breaches1,2.Reference:CIPM - International Association of Privacy Professionals,Free CIPM Study Guide - International Association of Privacy Professionals

Answer : B

If your organization provides a SaaS tool for B2B services and does not interact with individual consumers, and a client's current employee reaches out with a right to delete request, the most appropriate response is to redirect the individual back to their employer to understand their rights and how this might impact access to company tools. This is because your organization is acting as a processor for the client, who is the controller of the employee's personal dat

a. The controller is responsible for determining the purposes and means of processing personal data, as well as responding to data subject requests. The processor should only process personal data on behalf of and in accordance with the instructions of the controller.Therefore, you should not forward the request to the client, process the request without consulting the client, or deny the request based on business contact information being exempt from privacy rights laws1,2.Reference:CIPM - International Association of Privacy Professionals,Free CIPM Study Guide - International Association of Privacy Professionals

Answer : B

The first stage in the incident response plan under the General Data Protection Regulation (GDPR) for this scenario would be to contain the impact of the breach. This means taking immediate action to stop the unauthorized access or disclosure of personal data, and to prevent it from happening again in the future. This could involve revoking access to the data, notifying the employee who mistakenly sent the data, and implementing security measures to prevent similar breaches from occurring in the future.

https://gdpr-info.eu/art-33-gdpr/

https://gdpr-info.eu/art-34-gdpr/

Answer : D

The first step to mitigate further risks when a systems audit uncovers a shared drive folder containing sensitive employee data with no access controls is to restrict access to the folder. This can be done by implementing appropriate access controls, such as user authentication, role-based access, and permissions, to ensure that only authorized individuals can view and access the sensitive data.

https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492158151.pdf

https://www.itgovernance.co.uk/blog/5-reasons-why-employees-dont-report-data-breaches/

https://www.ncsc.gov.uk/guidance/report-cyber-incident

Answer : D

Distributing a phishing exercise is not advisable when attempting to address the issue of colleagues not reporting personal data breaches. Instead, the recommended steps are to review reporting activity on breaches, improve communication, and provide role-specific training to areas where breaches are happening. These steps will help to ensure that everyone is aware of their responsibilities and that they understand how to report a breach should one occur.

https://www.itgovernance.co.uk/blog/5-reasons-why-employees-dont-report-data-breaches/

https://www.ncsc.gov.uk/guidance/report-cyber-incident

https://www.ncsc.gov.uk/guidance/phishing-staff-awareness