Passed Exam Today CDPSE

Ensuring appropriate data classification should be done next after a migration of personal data involving a data source with outdated documentation has been approved by senior management, as it helps to identify the types, locations, and owners of the data, and to apply the appropriate privacy controls and measures based on the data classification level. Data classification also facilitates the data discovery, data minimization, data retention, and data disposal processes15. References: 1 Domain 3, Task 2; 5 Page 9

User behavior analytics is a technology that uses data analysis and machine learning to monitor, detect and respond to anomalous or malicious user activities, such as accessing sensitive personal customer information to use for unauthorized purposes. User behavior analytics is the best choice to mitigate this risk, as it would help to identify and prevent insider threats, data breaches, fraud or misuse of data by authorized individuals. User behavior analytics can also help to enforce policies and controls, such as access control, audit trail or data loss prevention. The other options are not as effective as user behavior analytics in mitigating this risk. Email filtering system is a technology that scans and blocks incoming or outgoing emails that contain spam, malware or phishing attempts, but it does not address the issue of authorized individuals accessing sensitive personal customer information to use for unauthorized purposes. Intrusion monitoring is a technology that monitors and alerts on unauthorized or malicious attempts to access a system or network, but it does not address the issue of authorized individuals accessing sensitive personal customer information to use for unauthorized purposes. Mobile device management (MDM) is a technology that manages and secures mobile devices that are used to access or store organizational data, but it does not address the issue of authorized individuals accessing sensitive personal customer information to use for unauthorized purposes1, p. 92 References: 1: CDPSE Review Manual (Digital Version)

National data privacy legislative and regulatory requirements in each relevant jurisdiction are the most important data protection consideration for a global organization that is planning to implement a customer relationship management (CRM) system to be used in offices based in multiple countries, as they would determine the legal obligations and responsibilities of the organization with respect to the collection, use, disclosure and transfer of customer personal data across different jurisdictions. National data privacy legislative and regulatory requirements may vary significantly from country to country, depending on the type or nature of personal data or data processing activities, and may impose different rules and standards for obtaining consent, providing notice, ensuring security, enforcing rights, reporting breaches, appointing representatives or transferring data. The organization would need to comply with the national data privacy legislative and regulatory requirements in each relevant jurisdiction where it operates or where its customers are located, and to implement appropriate measures and safeguards to ensure compliance. The other options are not as important as national data privacy legislative and regulatory requirements in each relevant jurisdiction as data protection considerations for a global organization that is planning to implement a CRM system to be used in offices based in multiple countries. Industry best practice related to information security standards in each relevant jurisdiction may provide some guidance or benchmarks for ensuring security of customer personal data, but they may not reflect the specific context or needs of the organization or the customers, or comply with the legal obligations and responsibilities of the organization. Identity and access management mechanisms to restrict access based on need to know may help to protect customer personal data from unauthorized access, modification or disclosure by internal or external parties, but they may not address other aspects of data protection, such as consent, notice, rights, breaches, representatives or transfers. Encryption algorithms for securing customer personal data at rest and in transit may help to protect customer personal data from unauthorized access, modification or disclosure by internal or external parties, but they may not address other aspects of data protection, such as consent, notice, rights, breaches, representatives or transfers1, p. 63-64 References: 1: CDPSE Review Manual (Digital Version)

Inferred data is the type of data that is produced by using a more complex method of analytics to find correlations between data sets and using them to categorize or profile people. Inferred data is not directly observed or collected from the data subjects, but rather derived from other sources of data, such as behavioral, transactional, or demographic data. Inferred data can be used to make assumptions or predictions about the data subjects’ preferences, interests, behaviors, or characteristics12.

References:

• CDPSE Review Manual, Chapter 3 – Data Lifecycle, Section 3.1 – Data Classification3.
• CDPSE Certified Data Privacy Solutions Engineer All-in-One Exam Guide, Chapter 3 – Data Lifecycle, Section 3.2 – Data Classification4.