nerdexam
Isaca

CDPSE · Question #185

Which of the following should be the FIRST consideration when conducting a privacy impact assessment (PIA)?

The correct answer is A. The applicable privacy legislation. The applicable privacy legislation must be identified first because it establishes the legal obligations, rights, and requirements that govern the entire assessment. Every other element of the PIA-what data is in scope, what risks are relevant, what controls are required-is inter

Privacy Governance

Question

Which of the following should be the FIRST consideration when conducting a privacy impact assessment (PIA)?

Options

  • AThe applicable privacy legislation
  • BThe quantity of information within the scope of the assessment
  • CThe systems in which privacy-related data is stored
  • DThe organizational security risk profile

How the community answered

(43 responses)
  • A
    91% (39)
  • B
    2% (1)
  • C
    2% (1)
  • D
    5% (2)

Explanation

The applicable privacy legislation must be identified first because it establishes the legal obligations, rights, and requirements that govern the entire assessment. Every other element of the PIA-what data is in scope, what risks are relevant, what controls are required-is interpreted through the lens of the governing law (e.g., GDPR, HIPAA, PIPEDA). Without first identifying the legal framework, the assessor lacks the baseline criteria against which risks, systems, and data volumes are evaluated. Identifying systems, quantities of data, or risk profiles are all subsequent steps that follow from understanding the legal context.

Topics

#Privacy Impact Assessment (PIA)#Privacy Legislation#Compliance#Privacy Program Management

Community Discussion

No community discussion yet for this question.

Full CDPSE Practice