Exam CIPM
Question 209

You have just taken on the role of Data Governance Director at an energy corporation based in London, England. The company has been trading for over 25 years and you soon learn that so far, the company has done little to control the use of customer information.

During the first few weeks you establish that despite attempts by your predecessor, the company has held onto all customer records digitally in various systems, including their customer records management system, their invoicing system, their call recording system, their marketing database and within two different email clients.

There have been a fair number of minor data breaches in recent months and a couple of larger ones, which have meant that not only has the company's reputation been damaged but they have also had to report some of the bigger breaches to the regulator. One of these breaches led to the credit risk scores of over 150,000 customers being deliberately leaked to the company’s largest competitor.

You also discover that some customers have asked for their data to be deleted following a number of marketing campaigns. Even though the company has told the customers that they have done what was asked, you learn that all the company did was remove these customers from their marketing lists - in other words, all their data is still in the various digital systems for marketing, invoicing and records management.

On top of all this, you learn that if a customer service agent based in the energy corporation's US call center cannot find the details of the specific customer they are talking to on the phone, the agent will just add notes of the telephone conversation in whichever customer record the agent can find. What this means is that some customer records are very inaccurate, and this causes delays in compensation payments, poor reviews on independent review sites and the energy regulator in the UK is thinking of suspending the company's license.

As artificial intelligence is seen as the new energy future linking to the Internet of Things (IoT), the company has partnered with another company specializing in ingesting huge amounts of data into cloud-based warehouses. This data is then used to profile customers, so they get an idea of which ones are most likely to buy their new cutting-edge technology that is being offered via their new business partner. Many of the new devices on offer mean that both companies will be able to gather even more data about their customers, including geo-location, IP addresses, which electrical devices their customers use in their homes and when they use them the most.

The company is very excited for the future and how all this new tech can help them beat the competition but you have a big task ahead of you to get things right with their privacy program.

On whom or what might the company carry out a third-party audit?

    Correct Answer: A

    The company should carry out a third-party audit on the call center in the US. This is because the call center has been identified as a source of inaccurate customer records, which has caused delays in compensation payments and poor reviews. Additionally, conducting an audit on the various data storage systems would be critical, but the immediate inaccuracies and mismanagement occurring at the call center require priority to address issues of data misuse and breaches effectively.

Discussion
thecheaterz Option: D

Either A or D. An audit on just the call center might not be enough, hence I choose D. An audit on a supplier or business partner is called a second-party audit, so it is not B.

Cock Option: B

If I have to choose one option, I would recommend conducting a third-party audit on: B. The new business partner. Auditing the new business partner is crucial because they are involved in ingesting and analyzing large amounts of customer data. The audit should assess their data handling practices, security measures, and compliance with data protection regulations. This will ensure that customer data is adequately protected when it is shared with the partner and throughout the data processing lifecycle. By conducting a thorough audit, the company can identify any potential risks or vulnerabilities in the partner's data governance and privacy practices and take necessary steps to address them.