CDPSE · Question #196
Which of the following should an IT privacy practitioner do FIRST following a decision to expand remote working capability to all employees due to a global pandemic?
The correct answer is A. Evaluate the impact resulting from this change.. Evaluating impact (A) must come first because expanding remote work affects data flows, privacy risks, access controls, and compliance obligations - you cannot make sound decisions about policies, tools, or controls without first understanding what has changed and what new risks
Question
Which of the following should an IT privacy practitioner do FIRST following a decision to expand remote working capability to all employees due to a global pandemic?
Options
- AEvaluate the impact resulting from this change.
- BRevisit the current remote working policies.
- CImplement a virtual private network (VPN) tool.
- DEnforce multi-factor authentication for remote access.
How the community answered
(55 responses)- A84% (46)
- B9% (5)
- C2% (1)
- D5% (3)
Explanation
Evaluating impact (A) must come first because expanding remote work affects data flows, privacy risks, access controls, and compliance obligations - you cannot make sound decisions about policies, tools, or controls without first understanding what has changed and what new risks exist. Revisiting policies (B) is a valid follow-up step, but policies should be updated after you understand the impact, not before. Implementing a VPN (C) and enforcing MFA (D) are technical controls that address specific risks - jumping to them prematurely assumes you already know what risks need mitigating, skipping the assessment that justifies those choices.
Memory tip: Think "assess before you address" - in privacy and security frameworks (like GDPR or NIST), a Privacy Impact Assessment (PIA) or risk assessment always precedes policy changes and control implementation.
Topics
Community Discussion
No community discussion yet for this question.