Free Test
Question: / 10
Quiz
Question 1/101/10
FILL BLANK
VPI
As a starting point, the consultants undertook a visibility exercise to understand the type of personal
information (PI) being dealt with within the organization and also by third parties and the scope was
to cover all the client relationships (IT services and BPM both) and functions. They met with the
client relationship and business function owners to collect this dat
a. The consultants did a mapping exercise to identify PI and associated attributes including whether
company directly collects the PI, how it is accessed, transmitted, stored and what are the applicable
regulatory and contractual requirements. Given the enormous scale of the exercise (enterprise
wide), the consultant classified the PI as financial information, health related information, personally
identifiable information, etc. and collected the rest of the attributes against this classification. When
understanding the underlying technology environment, the consultants restricted themselves only to
the technology environment that was under company’s ownership and premises and did not
continue the exercise for client side environment. This was done because relationship owners
seemed reluctant to share such client specific details. Only in 2 relationships, were the relationship
heads proactive to introduce the consultants to the clients and get the requisite information. The
analysis of the environment in these 2 relationships revealed that even though lots of restrictions
were imposed at the company side, the same restrictions were not available at the client side.
Many business functions were also availing services from third party service providers. Though these
functions were aware of the type of PI dealt by third parties, they were not aware of the technology
environment at the third parties. In one odd case, personal information of a company employee was
accidentally leaked by the employee of the third party through the social networking site. The
consultants relied on whatever information was provided by the functions w.r.t. third parties. After
finishing the data collection, the consultant used the information to create information flow maps
highlighting the flow of information across systems deployed at the company premises. This work
helped them have a high level view of PI dealt by the company. The data collection exercise has been
conducted only once by the consultants. The visibility exercise empowered the management to have
a company-wide view of PI and how it flows across the organization. This information was coupled
with the security controls / practices deployed at the relationship or function level to derive the risk
posture of the PI.
(Note: Candidates are requested to make and state assumptions wherever appropriate to reach a
definitive conclusion)
Introduction and Background
XYZ is a major India based IT and Business Process Management (BPM) service provider listed at BSE
and NSE. It has more than 1.5 lakh employees operating in 100 offices across 30 countries. It serves
more than 500 clients across industry verticals — BFSI, Retail, Government, Healthcare, Telecom
among others in Americas, Europe, Asia-Pacific, Middle East and Africa. The company provides IT
services including application development and maintenance, IT Infrastructure management,
consulting, among others. It also offers IT products mainly for its BFSI customers.
The company is witnessing phenomenal growth in the BPM services over last few years including
Finance & Accounting including credit card processing, Payroll processing, Customer support, Legal
Process Outsourcing, among others and has rolled out platform based services. Most of the
company’s revenue comes from the US from the BFSI sector. In order to diversify its portfolio, the
company is looking to expand its operations in Europe. India, too has attracted company’s attention
given the phenomenal increase in domestic IT spend esp. by the government through various large
scale IT projects.
The company is also very aggressive in the cloud and mobility space, with a strong focus on delivery
of cloud services. When it comes to expanding operations in Europe, company is facing difficulties in
realizing the full potential of the market because of privacy related concerns of the clients arising
from the stringent regulatory requirements based on EU General Data Protection Regulation (EU
GDPR).
To get better access to this market, the company decided to invest in privacy, so that it is able to
provide increased assurance to potential clients in the EU and this will also benefit its US operations
because privacy concerns are also on rise in the US. It will also help company leverage outsourcing
opportunities in the Healthcare sector in the US which would involve protection of sensitive medical
records of the US citizens. The company believes that privacy will also be a key differentiator in the
cloud business going forward. In short, privacy was taken up as a strategic initiative in the company
in early 2011.
Since XYZ had an internal consulting arm, it assigned the responsibility of designing and
implementing an enterprise wide privacy program to the consulting arm. The consulting arm had
very good expertise in information security consulting but had limited expertise in the privacy
domain. The project was to be driven by CIO's office, in close consultation with the Corporate
Information Security and Legal functions.
Was the visibility exercise adequately carried out? What gaps did you notice? (250 to 500 words)
answer in
explanation below.
VPI
As a starting point, the consultants undertook a visibility exercise to understand the type of personal
information (PI) being dealt with within the organization and also by third parties and the scope was
to cover all the client relationships (IT services and BPM both) and functions. They met with the
client relationship and business function owners to collect this dat
a. The consultants did a mapping exercise to identify PI and associated attributes including whether
company directly collects the PI, how it is accessed, transmitted, stored and what are the applicable
regulatory and contractual requirements. Given the enormous scale of the exercise (enterprise
wide), the consultant classified the PI as financial information, health related information, personally
identifiable information, etc. and collected the rest of the attributes against this classification. When
understanding the underlying technology environment, the consultants restricted themselves only to
the technology environment that was under company’s ownership and premises and did not
continue the exercise for client side environment. This was done because relationship owners
seemed reluctant to share such client specific details. Only in 2 relationships, were the relationship
heads proactive to introduce the consultants to the clients and get the requisite information. The
analysis of the environment in these 2 relationships revealed that even though lots of restrictions
were imposed at the company side, the same restrictions were not available at the client side.
Many business functions were also availing services from third party service providers. Though these
functions were aware of the type of PI dealt by third parties, they were not aware of the technology
environment at the third parties. In one odd case, personal information of a company employee was
accidentally leaked by the employee of the third party through the social networking site. The
consultants relied on whatever information was provided by the functions w.r.t. third parties. After
finishing the data collection, the consultant used the information to create information flow maps
highlighting the flow of information across systems deployed at the company premises. This work
helped them have a high level view of PI dealt by the company. The data collection exercise has been
conducted only once by the consultants. The visibility exercise empowered the management to have
a company-wide view of PI and how it flows across the organization. This information was coupled
with the security controls / practices deployed at the relationship or function level to derive the risk
posture of the PI.
(Note: Candidates are requested to make and state assumptions wherever appropriate to reach a
definitive conclusion)
Introduction and Background
XYZ is a major India based IT and Business Process Management (BPM) service provider listed at BSE
and NSE. It has more than 1.5 lakh employees operating in 100 offices across 30 countries. It serves
more than 500 clients across industry verticals — BFSI, Retail, Government, Healthcare, Telecom
among others in Americas, Europe, Asia-Pacific, Middle East and Africa. The company provides IT
services including application development and maintenance, IT Infrastructure management,
consulting, among others. It also offers IT products mainly for its BFSI customers.
The company is witnessing phenomenal growth in the BPM services over last few years including
Finance & Accounting including credit card processing, Payroll processing, Customer support, Legal
Process Outsourcing, among others and has rolled out platform based services. Most of the
company’s revenue comes from the US from the BFSI sector. In order to diversify its portfolio, the
company is looking to expand its operations in Europe. India, too has attracted company’s attention
given the phenomenal increase in domestic IT spend esp. by the government through various large
scale IT projects.
The company is also very aggressive in the cloud and mobility space, with a strong focus on delivery
of cloud services. When it comes to expanding operations in Europe, company is facing difficulties in
realizing the full potential of the market because of privacy related concerns of the clients arising
from the stringent regulatory requirements based on EU General Data Protection Regulation (EU
GDPR).
To get better access to this market, the company decided to invest in privacy, so that it is able to
provide increased assurance to potential clients in the EU and this will also benefit its US operations
because privacy concerns are also on rise in the US. It will also help company leverage outsourcing
opportunities in the Healthcare sector in the US which would involve protection of sensitive medical
records of the US citizens. The company believes that privacy will also be a key differentiator in the
cloud business going forward. In short, privacy was taken up as a strategic initiative in the company
in early 2011.
Since XYZ had an internal consulting arm, it assigned the responsibility of designing and
implementing an enterprise wide privacy program to the consulting arm. The consulting arm had
very good expertise in information security consulting but had limited expertise in the privacy
domain. The project was to be driven by CIO's office, in close consultation with the Corporate
Information Security and Legal functions.
Was the visibility exercise adequately carried out? What gaps did you notice? (250 to 500 words)
answer in
explanation below.
Check the image below to see the right answer:Select the answer
1 correct answerOption A is correct.
The consultants appointed by XYZ to design and implement the enterprise wide privacy program
conducted a visibility exercise. This exercise was meant to capture the current state of Personal
Information (PI) flows within the organization, identify any gaps between existing security
controls/practices and intended enterprise-wide PI practices. The visibility exercise also included
mapping the legal obligations of the organization in protecting PI across different jurisdictions where
its operations were spread. Though this exercise seemed adequate to start with, some gaps in terms
of meeting the requirements of EU GDPR were noticed during course of implementation.
Firstly, though the visibility exercise covered all channels through which PI would flow in and out of
an organization - like email accounts, websites and physical storage locations etc., it did not cover
every element of PI such as Social Security numbers and financial data. Moreover, there was no
comprehensive assessment on the technical feasibility and costs associated with implementing
additional measures for protecting this information. This could have been done in order to ensure
that any new systems or processes introduced met the technical requirements of GDPR.
Additionally, there were certain gaps in terms of external service providers who are also responsible
for ensuring compliance with GDPR while processing/storing personal data on behalf of XYZ. Though
XYZ had ensured that all its existing contracts contained provisions regarding compliance with legal
requirements related to privacy and confidentiality, it did not carry out any due diligence exercise to
ascertain whether these third-party service providers had adequate security practices in place to
comply with GDPR regulations.
Lastly, the visibility exercise did not cover all the legal obligations of XYZ in terms of compliance with
GDPR. For instance, it did not consider any potential liabilities arising from data breaches and the
process for dealing with such eventualities. Nor was any process put in place to ensure that
appropriate technical and organizational measures were taken to protect PI as required by GDPR.
Thus though the visibility exercise carried out by XYZ consultants seemed adequate at first glance,
there were several gaps identified in terms of meeting EU’s GDPR requirements. These gaps could
have been addressed through a more comprehensive assessment and must be taken care of if XYZ
has to realize its full potential in Europe. As GDPR is now firmly in place across the continent,
companies cannot ignore its regulations and must take necessary action to ensure compliance.
This includes making sure that every element of PI is taken into consideration while designing an
enterprise-wide privacy program, due diligence with regards to external service providers who
process/store data on behalf of XYZ, and establishing a comprehensive legal framework for dealing
with any potential liabilities arising from data breaches. In short, if XYZ does not address these
gaps effectively, it may find itself in a vulnerable position in terms of protecting personal information
as required by applicable laws. It will also be at risk of facing significant fines or other penalties.
The consultants appointed by XYZ to design and implement the enterprise wide privacy program
conducted a visibility exercise. This exercise was meant to capture the current state of Personal
Information (PI) flows within the organization, identify any gaps between existing security
controls/practices and intended enterprise-wide PI practices. The visibility exercise also included
mapping the legal obligations of the organization in protecting PI across different jurisdictions where
its operations were spread. Though this exercise seemed adequate to start with, some gaps in terms
of meeting the requirements of EU GDPR were noticed during course of implementation.
Firstly, though the visibility exercise covered all channels through which PI would flow in and out of
an organization - like email accounts, websites and physical storage locations etc., it did not cover
every element of PI such as Social Security numbers and financial data. Moreover, there was no
comprehensive assessment on the technical feasibility and costs associated with implementing
additional measures for protecting this information. This could have been done in order to ensure
that any new systems or processes introduced met the technical requirements of GDPR.
Additionally, there were certain gaps in terms of external service providers who are also responsible
for ensuring compliance with GDPR while processing/storing personal data on behalf of XYZ. Though
XYZ had ensured that all its existing contracts contained provisions regarding compliance with legal
requirements related to privacy and confidentiality, it did not carry out any due diligence exercise to
ascertain whether these third-party service providers had adequate security practices in place to
comply with GDPR regulations.
Lastly, the visibility exercise did not cover all the legal obligations of XYZ in terms of compliance with
GDPR. For instance, it did not consider any potential liabilities arising from data breaches and the
process for dealing with such eventualities. Nor was any process put in place to ensure that
appropriate technical and organizational measures were taken to protect PI as required by GDPR.
Thus though the visibility exercise carried out by XYZ consultants seemed adequate at first glance,
there were several gaps identified in terms of meeting EU’s GDPR requirements. These gaps could
have been addressed through a more comprehensive assessment and must be taken care of if XYZ
has to realize its full potential in Europe. As GDPR is now firmly in place across the continent,
companies cannot ignore its regulations and must take necessary action to ensure compliance.
This includes making sure that every element of PI is taken into consideration while designing an
enterprise-wide privacy program, due diligence with regards to external service providers who
process/store data on behalf of XYZ, and establishing a comprehensive legal framework for dealing
with any potential liabilities arising from data breaches. In short, if XYZ does not address these
gaps effectively, it may find itself in a vulnerable position in terms of protecting personal information
as required by applicable laws. It will also be at risk of facing significant fines or other penalties.
Quiz
Question 2/102/10
Calls for inclusion of data protection from the onset of the designing of systems.
Select the answer:Select the answer
1 correct answerA.
Agile Model
B.
Privacy by Design
C.
Logical Design
D.
Safeguarding Approach
Quiz
Question 3/103/10
Which of the following are classified as Sensitive Personal Data or Information under Section 43A of
ITAA, 2008? (Choose all that apply.)
ITAA, 2008? (Choose all that apply.)
Select multiple answer: (Choose 4)Select the answer
4 correct answersA.
Password
B.
Financial information
C.
Sexual orientation
D.
Caste and religious beliefs
E.
Biometric information
F.
Medical records and history
Quiz
Question 4/104/10
Entities should collect personal information from user that is adequate, relevant and limited to what
is necessary in relation to the purposes for which they are processed. This Privacy Principle is called:
is necessary in relation to the purposes for which they are processed. This Privacy Principle is called:
Select the answer:Select the answer
1 correct answerA.
Collection Limitation
B.
Use Limitation
C.
Accountability
D.
Storage Limitation
Quiz
Question 5/105/10
The method of personal data usage in which the users must explicitly decide not to participate.
Select the answer:Select the answer
1 correct answerA.
Opt-In
B.
Opt-out
C.
Data mining
D.
Data matching
Quiz
Question 6/106/10
An entity shall retain personal data only as long as may be reasonably necessary to satisfy the
purpose for which it is processed; or with respect to an established retention period. This privacy
principle is known as?
purpose for which it is processed; or with respect to an established retention period. This privacy
principle is known as?
Select the answer:Select the answer
1 correct answerA.
Collection Limitation
B.
Use Limitation
C.
Security safeguards
D.
Storage Limitation
Quiz
Question 7/107/10
What are the Nine Privacy Principles as described in DSCI Privacy Framework (DPF©)?
I) Use Limitation
II) Accountability
III) Data Quality
IV) Notice
V) Preventing Harm
VI) Choice & Consent
VII) Access and Correction
VIII) Data Minimization
IX) Openness
X) Disclosure to Third Parties
XI) Right to be Forgotten
XII) Collection limitation
XIII) Security
I) Use Limitation
II) Accountability
III) Data Quality
IV) Notice
V) Preventing Harm
VI) Choice & Consent
VII) Access and Correction
VIII) Data Minimization
IX) Openness
X) Disclosure to Third Parties
XI) Right to be Forgotten
XII) Collection limitation
XIII) Security
Select the answer:Select the answer
1 correct answerA.
I, II, III, IV, V, VI, VII, VIII, IX
B.
I, II, IV, V, VI, VII, IX, X, XII, XIII
C.
I, II, III, IV, V, VI, VII, VIII, XII
D.
I, II, III, IV, VII, VIII, IX, X, XI
Quiz
Question 8/108/10
The concept of data adequacy is based on the principle of .
Select the answer:Select the answer
1 correct answerA.
Adequate compliance
B.
Dissimilarity of legislations
C.
Essential equivalence
D.
Essential assessment
Quiz
Question 9/109/10
What is a Data Controller?
Select the answer:Select the answer
1 correct answerA.
Entity that collects personal data
B.
Entity that stores personal data
C.
Entity that determines the purpose and means for data processing
D.
Entity that shares personal data with third parties
Quiz
Question 10/1010/10
What is a Data Subject? (Choose all that apply.)
Select multiple answer: (Choose 2)Select the answer
2 correct answersA.
An individual who provides his/her data/information for availing any service
B.
An individual who processes the data/information of individuals for providing necessary services
C.
An individual whose data/information is processed
D.
A company providing PI of its employees for processing
E.
An individual who collects data from illegitimate sources
Looking for more questions?Buy now
DSCI Certified Privacy Lead Assessor Practice test unlocks all online simulator questions
Thank you for choosing the free version of the DSCI Certified Privacy Lead Assessor practice test! Further deepen your knowledge on DSCI Simulator; by unlocking the full version of our DSCI Certified Privacy Lead Assessor Simulator you will be able to take tests with over 70 constantly updated questions and easily pass your exam. 98% of people pass the exam in the first attempt after preparing with our 70 questions.
BUY NOWWhat to expect from our DSCI Certified Privacy Lead Assessor practice tests and how to prepare for any exam?
The DSCI Certified Privacy Lead Assessor Simulator Practice Tests are part of the DSCI Database and are the best way to prepare for any DSCI Certified Privacy Lead Assessor exam. The DSCI Certified Privacy Lead Assessor practice tests consist of 70 questions and are written by experts to help you and prepare you to pass the exam on the first attempt. The DSCI Certified Privacy Lead Assessor database includes questions from previous and other exams, which means you will be able to practice simulating past and future questions. Preparation with DSCI Certified Privacy Lead Assessor Simulator will also give you an idea of the time it will take to complete each section of the DSCI Certified Privacy Lead Assessor practice test . It is important to note that the DSCI Certified Privacy Lead Assessor Simulator does not replace the classic DSCI Certified Privacy Lead Assessor study guides; however, the Simulator provides valuable insights into what to expect and how much work needs to be done to prepare for the DSCI Certified Privacy Lead Assessor exam.
BUY NOWDSCI Certified Privacy Lead Assessor Practice test therefore represents an excellent tool to prepare for the actual exam together with our DSCI practice test . Our DSCI Certified Privacy Lead Assessor Simulator will help you assess your level of preparation and understand your strengths and weaknesses. Below you can read all the quizzes you will find in our DSCI Certified Privacy Lead Assessor Simulator and how our unique DSCI Certified Privacy Lead Assessor Database made up of real questions:
Info quiz:
- Quiz name:DSCI Certified Privacy Lead Assessor
- Total number of questions:70
- Number of questions for the test:50
- Pass score:80%
You can prepare for the DSCI Certified Privacy Lead Assessor exams with our mobile app. It is very easy to use and even works offline in case of network failure, with all the functions you need to study and practice with our DSCI Certified Privacy Lead Assessor Simulator.
Use our Mobile App, available for both Android and iOS devices, with our DSCI Certified Privacy Lead Assessor Simulator . You can use it anywhere and always remember that our mobile app is free and available on all stores.
Our Mobile App contains all DSCI Certified Privacy Lead Assessor practice tests which consist of 70 questions and also provide study material to pass the final DSCI Certified Privacy Lead Assessor exam with guaranteed success. Our DSCI Certified Privacy Lead Assessor database contain hundreds of questions and DSCI Tests related to DSCI Certified Privacy Lead Assessor Exam. This way you can practice anywhere you want, even offline without the internet.
BUY NOW