A migration of personal data involving a data source with outdated documentation has been approved by senior management. Which of the following should be done NEXT?
Correct Answer: B
Question 97
Which of the following should be done FIRST to establish privacy by design when developing a contact-tracing application?
Correct Answer: B
Question 98
Which of the following scenarios should trigger the completion of a privacy impact assessment (PIA)?
Correct Answer: B
Explanation: A privacy impact assessment (PIA) is a process of analyzing the potential privacy risks and impacts of collecting, using, and disclosing personal data. A PIA should be conducted when there is a change in the data processing activities that may affect the privacy of individuals or the compliance with data protection laws and regulations. One of the scenarios that should trigger the completion of a PIA is when there are new inter-organizational data flows, which means that personal data is shared or transferred between different entities or jurisdictions. This may introduce new privacy risks, such as unauthorized access, misuse, or breach of data, as well as new legal obligations, such as obtaining consent, ensuring adequate safeguards, or notifying authorities. References: PIA Triggers - International Association of Privacy Professionals; Privacy Impact Assessment - International Association of Privacy Professionals; GDPR Privacy Impact Assessment; Data Protection Impact Assessment triggers: Clarity or confusion?
Question 99
Which of the following is the FIRST step toward the effective management of personal data assets?
Correct Answer: C
The first step toward the effective management of personal data assets is to create a personal data inventory, which is a comprehensive list of the personal data that an organization collects, processes, stores, transfers, and disposes of. A personal data inventory helps an organization to understand the types, sources, locations, owners, purposes, and retention periods of the personal data it holds, as well as the risks and obligations associated with them. A personal data inventory is essential for complying with data privacy laws and regulations, such as the GDPR or the PDPA, which require organizations to implement data protection principles and practices, such as obtaining consent, providing notice, ensuring data quality and security, respecting data subject rights, and reporting data breaches. A personal data inventory also helps an organization to identify and mitigate data privacy risks and gaps, and to implement data minimization and data security controls. Reference: ISACA, Data Privacy Audit/Assurance Program, Control Objective 3: Data Inventory and Classification; ISACA, Simplify and Contextualize Your Data Classification Efforts; PDPC, Managing Personal Data; PDPC, PDPA Assessment Tool for Organisations
Question 100
Which of the following activities would BEST enable an organization to identify gaps in its privacy posture?
Correct Answer: D
Requiring employees to review the organization's privacy policy on an annual basis is the best activity to enable an organization to identify gaps in its privacy posture because it can help to ensure that the employees are aware of the current privacy requirements, expectations, and practices of the organization. It can also help to identify any discrepancies, inconsistencies, or conflicts between the policy and the actual implementation of privacy controls and processes. By reviewing the policy regularly, the organization can also update and improve it as needed to reflect any changes in the privacy landscape, such as new laws, regulations, standards, or threats. Reference: Privacy Policy Review Checklist, PrivacySense; How to Write a Privacy Policy for Your Website, TermsFeed