Isaca Updated CDPSE Exam Questions and Answers by seb

The strategic goals of the organization should be established first before a privacy office starts to develop a data protection and privacy awareness campaign, because they provide the direction, purpose, and scope of the campaign. The strategic goals of the organization reflect its vision, mission, values, and objectives, as well as its alignment with the relevant privacy laws and regulations, stakeholder expectations, and industry best practices. The privacy office should design and implement the awareness campaign in a way that supports and promotes the strategic goals of the organization, as well as measures and evaluates its effectiveness and impact.

References:

• CDPSE Review Manual, 2023 Edition, Domain 1: Privacy Governance, Section 1.1.2: Privacy Strategy Implementation, p. 19
• CDPSE Review Manual, 2023 Edition, Domain 1: Privacy Governance, Section 1.3.2: Privacy Awareness and Training Program, p. 38-39
• ICO launches data awareness campaign1

Classifying sensitive unstructured data should be done first to address the situation of the proliferation of personal data held as unstructured data, as it helps to identify the types, locations, and owners of the data, and to apply the appropriate privacy controls and measures based on the data classification level. Classifying sensitive unstructured data also facilitates the data discovery, data minimization, data retention, and data disposal processes. References: 2 Domain 3, Task 2; 5 Page 9

The most important consideration for developing data retention requirements is the applicable regulations that govern the data. Different types of data may be subject to different legal and regulatory obligations, such as how long the data must be kept, how it must be protected, and how it can be accessed or disposed of. Failing to comply with these obligations can result in fines, penalties, lawsuits, or reputational damage for the organization. Therefore, it is essential to identify and follow the applicable regulations for each data category.

References:

• Data Retention Policy 101: Best Practices, Examples & More - Intradyn
• Data retention - Wikipedia

User behavior analytics tools are the best control to detect potential internal breaches of personal data because they monitor and analyze the activities and patterns of users on the network and systems, and alert or block any anomalous or suspicious behavior that may indicate unauthorized access, misuse or exfiltration of personal data. Data loss prevention (DLP) systems, employee background checks and classification of data are useful controls to prevent or mitigate internal breaches of personal data, but they do not necessarily detect them.

References:

• CDPSE Review Manual (Digital Version), Domain 2: Privacy Architecture, Task 2.4: Design and/or implement privacy controls1
• CDPSE Certified Data Privacy Solutions Engineer All-in-One Exam Guide, Chapter 3: Privacy Architecture, Section: Privacy Controls2