CDPSE · Question #125
An organization must de-identify its data before it is transferred to a third party. Which of the following should be done FIRST?
The correct answer is C. Determine the categories of personal data collected. Determining the categories of personal data collected must come first because de-identification cannot be performed without knowing what personal data exists. You must understand the data landscape - what identifiers are present, what categories of sensitive data are involved - b
Question
An organization must de-identify its data before it is transferred to a third party. Which of the following should be done FIRST?
Options
- AEncrypt the data at rest and in motion
- BRemove the identifiers during the data transfer
- CDetermine the categories of personal data collected
- DEnsure logging is turned on for the database
How the community answered
(24 responses)- A8% (2)
- B4% (1)
- C83% (20)
- D4% (1)
Explanation
Determining the categories of personal data collected must come first because de-identification cannot be performed without knowing what personal data exists. You must understand the data landscape - what identifiers are present, what categories of sensitive data are involved - before any technical de-identification technique (masking, pseudonymization, anonymization) can be applied. Encrypting data (A) is a protective measure but does not de-identify it. Removing identifiers during transfer (B) presupposes you already know what the identifiers are. Enabling database logging (D) is a monitoring control unrelated to the de-identification process itself. Inventory and categorization is always the prerequisite step.
Topics
Community Discussion
No community discussion yet for this question.