Isaca Updated CDPSE Exam Questions and Answers by heather

API keys are codes that are used to identify and authenticate an application or user when accessing an API. API keys could be stored insecurely, such as in plain text, in public repositories, or in unencrypted files. This could expose the API keys to unauthorized access, theft, or misuse by malicious actors, who could then access the API and the data it contains. This could result in data breaches, privacy violations, fraud, or other damages.

References:

• ISACA Certified Data Privacy Solutions Engineer Study Guide, Domain 3: Privacy Engineering, Task 3.4: Implement privacy engineering techniques to protect data in applications and systems, p. 106-107.
• What Is an API Key? | API Key Definition | Fortinet

The right not to be profiled is the right of data subjects to not be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on them. The online application that delivers a mortgage decision automatically based on criteria set by the lender is an example of such a decision, as it affects the data subject’s ability to obtain a loan.

References:

• What exactly is ‘profiling’ under the GDPR - DMA
• Can I be subject to automated individual decision-making, including profiling - European Commission

Public key infrastructure (PKI) is a system that enables the use of public key cryptography, which is a method of encrypting and authenticating data using a pair of keys: a public key and a private key. Public key cryptography can protect against man-in-the-middle (MITM) attacks, which are attacks where an attacker intercepts and modifies the communication between two parties. PKI makes public key cryptography feasible by providing a way to generate, distribute, verify, and revoke public keys. PKI also uses digital certificates, which are documents that bind a public key to an identity, and certificate authorities, which are trusted entities that issue and validate certificates. By using PKI, the parties can ensure that they are communicating with the intended recipient and that the data has not been tampered with by an attacker.

References:

• What is Public Key Infrastructure (PKI)? - Fortinet
• How is man-in-the-middle attack prevented in TLS? [duplicate]
• A brief look at Man-in-the-Middle Attacks and the Role of Public Key Infrastructure (PKI)

Conducting a privacy impact assessment (PIA) should be done first to establish privacy by design when developing a contact-tracing application. A PIA is a systematic process that identifies and evaluates the potential effects of personal data processing operations on the privacy of individuals and the organization. A PIA helps to identify privacy risks and mitigation strategies at an early stage of development and ensures compliance with legal and regulatory requirements. Conducting a development environment review, identifying privacy controls, or identifying differential privacy techniques are important steps in privacy by design, but they should be done after conducting a PIA. References: CDPSE Exam Content Outline, Domain 2, Task 2.1