IAPP CIPM Questions Answers

This answer is the best way to advise this company regarding the status of security cameras at their offices in the United States, as it can help to protect the privacy and security of the employees and visitors who are recorded by the cameras, as well as to comply with any applicable laws and regulations that may limit or regulate the use of surveillance video. Restricting access to surveillance video means that only authorized personnel who have a legitimate business need can view, copy, share or disclose the video, and that they must follow proper procedures and safeguards to prevent unauthorized or unlawful access, use or disclosure. Destroying the recordings after a designated period of time means that the video is not kept longer than necessary for the purpose for which it was collected, and that it is disposed of securely and irreversibly. The designated period of time should be based on the legal, operational and risk factors that may affect the retention of the video, such as potential litigation, investigations, audits or claims. References: IAPP CIPM Study Guide, page 831; ISO/IEC 27002:2013, section 8.3.2

Under the General Data Protection Regulation (GDPR), the obligations of a processor that engages a sub-processor are to obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor. The GDPR defines a processor as a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. A sub-processor is a third party that is engaged by the processor to carry out specific processing activities on behalf of the controller. The GDPR requires that the processor does not engage another processor without prior specific or general written authorization of the controller. In the case of general written authorization, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. The processor must also ensure that the same data protection obligations as set out in the contract or other legal act between the controller and the processor are imposed on that other processor by way of a contract or other legal act under Union or Member State law, . References: [GDPR Article 28], [CIPM - International Association of Privacy Professionals]

To rationalize data protection requirements means to look for overlaps in laws and regulations from which a common solution can be developed. This can help simplify compliance efforts and reduce costs and complexity. References: IAPP CIPM Study Guide, page 16.

A matrix is a type of organizational structure that involves delegated decision making. In a matrix structure, employees report to more than one manager or leader, usually based on different functions or projects. For example, a software developer may report to both a product manager and a technical manager. A matrix structure allows for more flexibility, collaboration, and innovation in complex and dynamic environments.

The other options are not examples of delegated decision making structures. A de-centralized structure involves distributing decision making authority across different levels or units of the organization, rather than concentrating it at the top. A de-functionalized structure involves breaking down functional silos and creating cross-functional teams or processes. A hybrid structure involves combining elements of different types of structures, such as functional, divisional, or matrix.