nerdexam
Isaca

CDPSE · Question #198

Which party should data subject contact FIRST if they believe their personal information has been collected and used without consent?

The correct answer is D. The organization's chief privacy officer (CPO). Contacting the organization's Chief Privacy Officer (CPO) is the correct first step because most privacy frameworks (GDPR, CCPA, etc.) require organizations to have an internal point of contact for data subject complaints, and the CPO has direct authority to investigate, remediat

Privacy Governance

Question

Which party should data subject contact FIRST if they believe their personal information has been collected and used without consent?

Options

  • APrivacy rights advocate
  • BOutside privacy counsel
  • CData protection authorities
  • DThe organization's chief privacy officer (CPO)

How the community answered

(44 responses)
  • A
    7% (3)
  • B
    2% (1)
  • C
    5% (2)
  • D
    86% (38)

Explanation

Contacting the organization's Chief Privacy Officer (CPO) is the correct first step because most privacy frameworks (GDPR, CCPA, etc.) require organizations to have an internal point of contact for data subject complaints, and the CPO has direct authority to investigate, remediate, and halt unauthorized data processing. Going internally first is both faster and gives the organization the chance to resolve the issue without regulatory escalation. A privacy rights advocate (A) is a third-party activist with no direct authority over the organization. Outside privacy counsel (B) represents legal interests, typically the organization's, not the individual's. Data protection authorities (C) such as the ICO or FTC are the escalation path - you contact them when the internal process fails or the organization is unresponsive.

Memory tip: Think "inside before outside" - always exhaust the internal chain (CPO) before escalating to external regulators (DPAs). The CPO owns the problem; regulators own the penalty.

Topics

#Data Subject Rights#Privacy Incident Escalation#CPO Role#Consent Violations

Community Discussion

No community discussion yet for this question.

Full CDPSE Practice