CDPSE · Question #185
Which of the following should be the FIRST consideration when conducting a privacy impact assessment (PIA)?
The correct answer is A. The applicable privacy legislation. The applicable privacy legislation must be identified first because it establishes the legal obligations, rights, and requirements that govern the entire assessment. Every other element of the PIA-what data is in scope, what risks are relevant, what controls are required-is inter
Question
Which of the following should be the FIRST consideration when conducting a privacy impact assessment (PIA)?
Options
- AThe applicable privacy legislation
- BThe quantity of information within the scope of the assessment
- CThe systems in which privacy-related data is stored
- DThe organizational security risk profile
How the community answered
(43 responses)- A91% (39)
- B2% (1)
- C2% (1)
- D5% (2)
Explanation
The applicable privacy legislation must be identified first because it establishes the legal obligations, rights, and requirements that govern the entire assessment. Every other element of the PIA-what data is in scope, what risks are relevant, what controls are required-is interpreted through the lens of the governing law (e.g., GDPR, HIPAA, PIPEDA). Without first identifying the legal framework, the assessor lacks the baseline criteria against which risks, systems, and data volumes are evaluated. Identifying systems, quantities of data, or risk profiles are all subsequent steps that follow from understanding the legal context.
Topics
Community Discussion
No community discussion yet for this question.