CDPSE · Question #241
Which of the following should an IT privacy practitioner do FIRST when assessing the potential impact of new privacy legislation on the organization?
The correct answer is A. Identify systems and processes that contain privacy components.. Before any compliance strategy can be developed, the practitioner must first identify what systems and processes contain privacy components - this is a gap analysis prerequisite. You cannot assess legislative impact without knowing where personal data lives and how it is processe
Question
Which of the following should an IT privacy practitioner do FIRST when assessing the potential impact of new privacy legislation on the organization?
Options
- AIdentify systems and processes that contain privacy components.
- BResearch and identify privacy legislation in other countries that may contain similar requirements.
- CShare operational plans for achieving compliance with regulatory entities.
- DRestrict the collection of personal information until there is assurance the organization is
How the community answered
(33 responses)- A82% (27)
- B9% (3)
- C6% (2)
- D3% (1)
Explanation
Before any compliance strategy can be developed, the practitioner must first identify what systems and processes contain privacy components - this is a gap analysis prerequisite. You cannot assess legislative impact without knowing where personal data lives and how it is processed. Researching similar legislation (B) is a secondary research step. Sharing operational compliance plans (C) is premature before assessment is complete. Restricting data collection (D) is a drastic operational action that should not be taken before understanding the actual requirements. Identifying systems and data flows first establishes the scope of the compliance effort.
Topics
Community Discussion
No community discussion yet for this question.