nerdexam
Isaca

CDPSE · Question #188

Data collected by a third-party vendor and provided back to the organization may not be protected according to the organization's privacy notice. Which of the following is the BEST way to address this

The correct answer is D. Validate contract compliance.. Why D is correct: When a third-party vendor collects data on your behalf, the organization's privacy notice may not automatically extend to that vendor's practices - the primary mechanism for enforcing compliance is the contract governing that relationship. Validating contract co

Privacy Governance

Question

Data collected by a third-party vendor and provided back to the organization may not be protected according to the organization's privacy notice. Which of the following is the BEST way to address this concern?

Options

  • AReview the privacy policy.
  • BObtain independent assurance of current practices.
  • CRe-assess the information security requirements.
  • DValidate contract compliance.

How the community answered

(59 responses)
  • A
    2% (1)
  • B
    5% (3)
  • C
    10% (6)
  • D
    83% (49)

Explanation

Why D is correct: When a third-party vendor collects data on your behalf, the organization's privacy notice may not automatically extend to that vendor's practices - the primary mechanism for enforcing compliance is the contract governing that relationship. Validating contract compliance ensures the vendor is legally bound to handle data according to the organization's privacy standards, making it the most direct and actionable remedy.

Why the distractors are wrong:

  • A (Review the privacy policy) - Reviewing your own policy identifies the gap but does nothing to fix the vendor's behavior; it's diagnostic, not corrective.
  • B (Obtain independent assurance) - While useful for auditing, independent assurance is a verification tool after-the-fact, not the primary control mechanism for third-party data handling.
  • C (Re-assess information security requirements) - Security requirements address how data is protected technically, not whether the vendor is contractually obligated to follow your privacy standards; this conflates security with privacy compliance.

Memory tip: Think "vendor = contract." Whenever an exam question involves a third party doing something on your behalf, the answer almost always traces back to contractual obligations - contracts are the enforcement lever organizations use when they can't directly control external parties.

Topics

#vendor data handling#privacy compliance#contract validation

Community Discussion

No community discussion yet for this question.

Full CDPSE Practice