nerdexam
Isaca

CDPSE · Question #201

Which of the following should an IT privacy practitioner do FIRST before an organization migrates personal data from an on-premise solution to a cloud-hosted solution?

The correct answer is B. Perform a privacy impact assessment (PIA).. Performing a Privacy Impact Assessment (PIA) first is correct because it is the foundational step that identifies what personal data is involved, what privacy risks the migration introduces, and what controls are needed before any action is taken. A PIA drives all subsequent deci

Privacy Governance

Question

Which of the following should an IT privacy practitioner do FIRST before an organization migrates personal data from an on-premise solution to a cloud-hosted solution?

Options

  • ADevelop and communicate a data security plan.
  • BPerform a privacy impact assessment (PIA).
  • CEnsure strong encryption is used.
  • DConduct a security risk assessment.

How the community answered

(20 responses)
  • A
    5% (1)
  • B
    75% (15)
  • C
    15% (3)
  • D
    5% (1)

Explanation

Performing a Privacy Impact Assessment (PIA) first is correct because it is the foundational step that identifies what personal data is involved, what privacy risks the migration introduces, and what controls are needed before any action is taken. A PIA drives all subsequent decisions - it tells you what to secure and how to assess risk, making it the logical prerequisite to everything else.

Why the distractors are wrong:

  • A (Data security plan): You can't build an effective security plan until you know what data exists and what risks have been identified - the PIA informs the plan.
  • C (Strong encryption): Encryption is a specific technical control; jumping straight to it skips the analysis needed to determine whether encryption is the right or sufficient mitigation.
  • D (Security risk assessment): A security risk assessment is narrower in scope - it focuses on technical/system threats. A PIA is broader and privacy-specific, covering legal obligations, data flows, and individual rights, making it the correct first step for a privacy practitioner specifically.

Memory tip: Think PIA = Privacy "I" (Identify) first - you must identify what personal data you have and what risks exist before you can plan, assess technically, or implement controls. The "P" in PIA also stands for "Prerequisite."

Topics

#Privacy Impact Assessment#Data Migration#Cloud Data Protection#Privacy Governance

Community Discussion

No community discussion yet for this question.

Full CDPSE Practice