CDPSE · Question #388
An assessment of an organization's cloud infrastructure has determined that for some services, the metadata of some transactions is transmitted through different jurisdictions. Which of the following
The correct answer is D. Assess the risk associated with the metadata being transmitted.. When cross-jurisdictional metadata transmission is discovered, the organization must first assess the associated risk before taking any corrective or escalation actions.
Question
An assessment of an organization's cloud infrastructure has determined that for some services, the metadata of some transactions is transmitted through different jurisdictions. Which of the following should be done FIRST?
Options
- AAssess the mitigating controls in place to protect metadata.
- BInvoke the privacy incident response plan.
- CReview the organization's risk appetite and tolerance.
- DAssess the risk associated with the metadata being transmitted.
How the community answered
(48 responses)- A4% (2)
- B8% (4)
- C4% (2)
- D83% (40)
Why each option
When cross-jurisdictional metadata transmission is discovered, the organization must first assess the associated risk before taking any corrective or escalation actions.
Assessing mitigating controls is a step that occurs after the risk itself has been identified and quantified, as controls must be evaluated against a known risk level.
Invoking the incident response plan is premature without first confirming through a risk assessment that a privacy incident or regulatory violation has actually occurred.
Reviewing risk appetite and tolerance is a governance activity that follows risk assessment, as appetite can only be meaningfully compared against a quantified or qualified risk.
Risk assessment is the necessary first step because the organization cannot determine the appropriate response without understanding the nature and severity of the risk posed by cross-jurisdictional metadata transmission. The assessment determines whether applicable data protection laws in the involved jurisdictions restrict such transfers, what the potential harm to data subjects is, and what mitigating factors exist. All subsequent actions - including reviewing controls, notifying authorities, or invoking incident response - depend on the findings of this initial risk assessment.
Concept tested: Risk assessment priority before action on data transfer discovery
Source: https://www.edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en
Topics
Community Discussion
No community discussion yet for this question.