nerdexam
Isaca

CDPSE · Question #218

Which of the following should be done FIRST to address privacy risk when migrating customer relationship management (CRM) data to a new system?

The correct answer is C. Perform a privacy impact assessment (PIA).. Performing a Privacy Impact Assessment (PIA) first is correct because it systematically identifies what personal data exists, how it flows, what risks the migration introduces, and what controls are needed - before any technical work begins. Without this foundational analysis, yo

Privacy Governance

Question

Which of the following should be done FIRST to address privacy risk when migrating customer relationship management (CRM) data to a new system?

Options

  • ADevelop a data migration plan.
  • BConduct a legitimate interest analysis (LIA).
  • CPerform a privacy impact assessment (PIA).
  • DObtain consent from data subjects.

How the community answered

(30 responses)
  • A
    7% (2)
  • B
    3% (1)
  • C
    73% (22)
  • D
    17% (5)

Explanation

Performing a Privacy Impact Assessment (PIA) first is correct because it systematically identifies what personal data exists, how it flows, what risks the migration introduces, and what controls are needed - before any technical work begins. Without this foundational analysis, you're making decisions blind to privacy risks.

  • A (Data migration plan) is wrong because the migration plan should be informed by the PIA, not precede it. You need to understand privacy risks before you can plan around them.
  • B (Legitimate interest analysis) is wrong because an LIA is a narrower tool used to justify a specific legal basis for processing - it doesn't comprehensively assess migration risks across all dimensions.
  • D (Obtain consent) is wrong because consent may not even be the appropriate legal basis for this processing, and you can't know that until the PIA is done. Jumping to consent collection is premature.

Memory tip: Think of PIA as "Plan It All first" - it's the risk assessment that drives every other decision in a data migration, so it always comes before planning, legal justification choices, or subject engagement.

Topics

#Privacy Impact Assessment#Data Migration#CRM#Risk Assessment

Community Discussion

No community discussion yet for this question.

Full CDPSE Practice