CDPSE Premium Exam Questions

Privacy by design is an approach that embeds privacy principles and considerations into the design and development of products, services, systems, and processes that involve personal data. Privacy by design aims to protect the privacy and security of the data subjects, as well as to comply with the applicable privacy laws and regulations. One of the key principles of privacy by design is to obtain the consent and choice of the data subjects regarding the collection, use, and disclosure of their personal data. Therefore, the best example of privacy by design in the development of a consumer mobile application is to require consent before sharing locations, as this gives the data subjects control and transparency over their personal data. The other options are not as effective or sufficient as requiring consent before sharing locations, as they do not address the principle of consent and choice, or they may violate other privacy principles or requirements.

References: CDPSE Review Manual, 2021, p. 35

The primary reason that a single cryptographic key should be used for only one purpose, such as encryption or authentication, is that it minimizes the risk if the cryptographic key is compromised. A cryptographic key is a piece of information that is used to perform cryptographic operations, such as encryption or authentication. Encryption is a process of transforming data into an unreadable form using a secret key or algorithm. Authentication is a process of verifying the identity or integrity of a user or data using a secret key or algorithm. If a single cryptographic key is used for multiple purposes, such as encryption and authentication, it increases the risk if the cryptographic key is compromised. For example, if an attacker obtains the cryptographic key that is used for both encryption and authentication, they can decrypt and access personal data, as well as impersonate or modify legitimate users or data. Therefore, a single cryptographic key should be used for only one purpose, and different keys should be used for different purposes. References: : CDPSE Review Manual (Digital Version), page 107

The most important thing to consider when managing changes to the provision of services by a third party that processes personal data is the business impact due to the changes. Changes to the provision of services by a third party can affect the organization’s ability to meet its business objectives and legal obligations related to data processing activities. For example, changes to the service level agreement (SLA), the scope of services, the security measures, the location of servers, etc., can have implications for the quality, availability, confidentiality, integrity, and compliance of personal data processing. Therefore, an IT privacy practitioner should assess and evaluate the business impact due to the changes, and ensure that they are aligned with the organization’s privacy policies and applicable privacy regulations and standards. References: : CDPSE Review Manual (Digital Version), page 41