Explanation
The need-to-know basis principle is a security principle that states that access to personal data should be limited to those who have a legitimate purpose for accessing it. The need-to-know basis principle helps to protect data privacy by minimizing the exposure of personal data to unauthorized or unnecessary parties, reducing the risk of data breaches, leaks, or misuse. The need-to-know basis principle should be applied when designing a role-based user access model for a new application, by defining clear roles and responsibilities for different users, granting access rights based on their roles and functions, and enforcing access controls and audits to monitor and verify data access. References: : CDPSE Review Manual (Digital Version), page 105

Explanation
Attribute-based access control (ABAC) is the best approach for limiting the access of regional HR team members to employee data only within their regional office, because it allows for fine-grained and dynamic access control based on attributes of the subject, object, environment, and action. Attributes are characteristics or properties that can be used to describe or identify entities, such as users, resources, locations, roles, or permissions. ABAC uses policies and rules that evaluate the attributes and grant or deny access accordingly.
For example, an ABAC policy could state that a user can access an employee record if and only if the user's role is HR and the user's region matches the employee's region. This way, the access control can be tailored to the specific needs and context of the organization, without relying on predefined or fixed access levels.
References:
Attribute-Based Access Control (ABAC), NIST
What is Attribute-Based Access Control (ABAC)?, Axiomatics
Access Control Models - Westoahu Cybersecurity, Westoahu Cybersecurity

Explanation
The most important information to capture in the audit log of an application hosting personal data is the last user who accessed personal data. This is because the audit log is a record of the activities and events that occur within the application, such as user actions, system events, errors, or exceptions. The audit log helps to monitor and verify the compliance, security, and performance of the application, as well as to detect and investigate any incidents or anomalies. Capturing the last user who accessed personal data in the audit log helps to ensure the accountability and traceability of the data access, as well as to identify and prevent any unauthorized or inappropriate use, disclosure, or modification of personal data.
References: CDPSE Review Manual, 2021, p. 147

Explanation
A primary objective of performing a privacy impact assessment (PIA) prior to onboarding a new Software as a Service (SaaS) provider for a customer relationship management (CRM) system is to identify controls to mitigate data privacy risks, such as data breaches, unauthorized access, misuse or loss of data. A PIA would help to evaluate the potential privacy impacts of using a new SaaS provider for CRM data processing activities, such as collecting, storing, analyzing or transferring customer data, and to implement appropriate controls to mitigate those impacts, such as encryption, access control, backup, audit trail or contractual clauses. A PIA would also help to ensure compliance with privacy principles, laws and regulations, and alignment with customer expectations and preferences. The other options are not primary objectives of performing a PIA prior to onboarding a new SaaS provider for CRM data processing activities. Classifying personal data according to the data classification scheme is an activity that may be part of a PIA process, but it is not an objective in itself. Assessing the risk associated with personal data usage is an activity that may be part of a PIA process, but it is not an objective in itself. Determining the service provider's ability to maintain data protection controls is an activity that may be part of a PIA process, but it is not an objective in itself1, p. 67 References: 1: CDPSE Review Manual (Digital Version)

Explanation
Some organizations, typically those that manage large amounts of personal information related to employees, customers, or constituents, will employ a chief privacy officer (CPO). Some organizations have a CPO because applicable regulations such as the Gramm-Leach-Bliley Act (GLBA) require it. Other regulations such as the Health Information Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), and the GLBA place a slate of responsibilities upon an organization that compels them to hire an executive responsible for overseeing compliance.
The chief privacy officer (CPO) is the senior executive who is responsible for establishing and maintaining the organization's privacy vision, strategy, and program. The CPO oversees the development and implementation of privacy policies, procedures, standards, and controls, and ensures that they align with the organization's business objectives and legal obligations. The CPO also leads the privacy governance structure, such as the privacy steering committee, and coordinates with other stakeholders, such as the chief data officer (CDO), the information security steering committee, and the legal counsel, to ensure that privacy is integrated into all aspects of the organization's operations. References: : CDPSE Review Manual (Digital Version), page 21