nerdexam
Isaca

CDPSE · Question #385

An organization identifies a risk that data subject access requests may not be managed within the regulatory timeline. The organization decides to outsource the data subject access request process to

The correct answer is A. Risk transfer. Outsourcing a process to a third party to manage a risk is a classic example of risk transfer, where responsibility for the risk is shifted to another entity.

Privacy Governance

Question

An organization identifies a risk that data subject access requests may not be managed within the regulatory timeline. The organization decides to outsource the data subject access request process to a third party. Which risk response is this an example of?

Options

  • ARisk transfer
  • BRisk acceptance
  • CRisk reduction
  • DRisk avoidance

How the community answered

(35 responses)
  • A
    89% (31)
  • B
    6% (2)
  • C
    3% (1)
  • D
    3% (1)

Why each option

Outsourcing a process to a third party to manage a risk is a classic example of risk transfer, where responsibility for the risk is shifted to another entity.

ARisk transferCorrect

Risk transfer involves shifting the financial or operational burden of a risk to a third party, typically through contracts, insurance, or outsourcing arrangements. By outsourcing the DSAR process, the organization moves the responsibility for meeting regulatory timelines to the third party. The third party now bears the operational risk of non-compliance with the regulatory timeline, making this a textbook risk transfer strategy.

BRisk acceptance

Risk acceptance involves acknowledging the risk and consciously deciding to bear it without taking action to shift or reduce it, which is the opposite of outsourcing.

CRisk reduction

Risk reduction involves implementing internal controls or process improvements to lower the likelihood or impact of the risk within the organization, not shifting it externally.

DRisk avoidance

Risk avoidance involves ceasing or not undertaking the activity that creates the risk entirely, whereas the organization continues to fulfill DSARs - just through a third party.

Concept tested: Risk transfer through third-party outsourcing

Source: https://www.isaca.org/resources/glossary

Topics

#Risk Management#Risk Response#Outsourcing#Data Subject Rights

Community Discussion

No community discussion yet for this question.

Full CDPSE Practice