Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
exam questions

Exam CIPM All Questions

View all questions & answers for the CIPM exam

Exam CIPM topic 1 question 215 discussion

Actual exam question from IAPP's CIPM
Question #: 215
Topic #: 1
[All CIPM Questions]

SCENARIO -
Please use the following to answer the next question:

Liam is the newly appointed IT Compliance Manager at Mesa, a US-based outdoor clothing brand with a global E-commerce presence. During his second week, he is contacted by the company's IT Audit Manager, who informs him that the auditing team will be conducting a review of Mesa's privacy compliance risk in a month.

A bit nervous about the audit, Liam asks his boss what his predecessor had completed related to privacy compliance before leaving the company. Liam is told that a consent management tool had been added to the website and they commissioned a privacy risk evaluation from a small consulting firm last year that determined that their risk exposure was relatively low given their current control environment. After reading the consultant's report, Liam realized that the scope of the assessment was limited to breach notification laws in the US and the Payment Card Industry's Data Security Standard (PCI DSS).

Not wanting to let down his new team, Liam kept his concerns about the report to himself and figured he could try to put some additional controls into place before the audit. Having some privacy compliance experience in his last role, Liam thought he might start by having discussions with the E-commerce and marketing teams.

The E-commerce Director informed him that they were still using the cookie consent tool forcibly placed on the home screen by the CIO, but could not understand the point since their office was not located in California or Europe. The Marketing Director touted his department's success with purchasing email lists and taking a shotgun approach to direct marketing. Both Directors highlighted their tracking tools on the website to enhance customer experience while learning more about where else the customer had shopped. The more people Liam met with, the more it became apparent that privacy awareness and the general control environment at Mesa needed help.

With three weeks before the audit, Liam updated Mesa’s Privacy Notice himself, which was taken and revised from a competitor's website. He also wrote policies and procedures outlining the roles and responsibilities for privacy within Mesa and distributed the document to all departments he knew of with access to personal information.

During this time, Liam also filled the backlog of data subject requests for deletion that had been sent to him by the Customer Service Manager. Liam worked with application owners to remove these individual's information and order history from the Customer Relationship Management (CRM) tool, the Enterprise Resource Planning (ERP), the data warehouse, and the email server.

At the audit kick-off meeting, Liam explained to his boss and her team that there may still be some room for improvement, but he thought the risk had been mitigated to an appropriate level based on the work he had done thus far.

After the audit had been completed, the Audit Manager and Liam met to discuss her team's findings, and much to his dismay, Liam was told that none of the work he had completed prior to the audit followed best practices for governance and risk mitigation. In fact, his actions only opened the company up to additional risk and scrutiny. Based on these findings, Liam worked with external counsel and an established privacy consultant to develop a remediation plan.

What key error related to program governance did Liam make prior to the audit kick-off meeting?

  • A. He asked stakeholders to delete customer data out of the CRM tool.
  • B. He met with stakeholders in marketing and E-commerce without the auditors.
  • C. He did not obtain approval of the newly written policies from senior management.
  • D. He did not properly escalate his concerns around the scope of the previous privacy review and develop a remediation plan with leadership support.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Cock
1 year, 1 month ago
Selected Answer: D
This failure to escalate concerns and involve leadership in addressing the limitations of the previous review is a significant governance error. It is essential for a privacy program to have strong governance and support from leadership to ensure effective risk management and compliance. By not properly escalating the concerns and developing a remediation plan, Liam missed an opportunity to address the shortcomings and ensure a comprehensive and robust privacy program.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...