nerdexam
(ISC)2

CISSP · Question #218

An organization lacks a data retention policy. Of the following, who is the BEST person to consult for such requirement?

The correct answer is C. Privacy Officer. Data retention policies are governed by privacy regulations and compliance requirements, making the Privacy Officer the most authoritative person to consult when establishing such policies.

Submitted by wei.xz· Mar 5, 2026Security and Risk Management

Question

An organization lacks a data retention policy. Of the following, who is the BEST person to consult for such requirement?

Options

  • AApplication Manager
  • BDatabase Administrator
  • CPrivacy Officer
  • DFinance Manager

How the community answered

(26 responses)
  • A
    4% (1)
  • B
    8% (2)
  • C
    88% (23)

Why each option

Data retention policies are governed by privacy regulations and compliance requirements, making the Privacy Officer the most authoritative person to consult when establishing such policies.

AApplication Manager

An Application Manager oversees software application operations and functionality but does not have authority or expertise over legal and regulatory data retention requirements.

BDatabase Administrator

A Database Administrator manages the technical storage and performance of databases but is not responsible for defining the compliance-driven policies that determine how long data should be kept.

CPrivacy OfficerCorrect

The Privacy Officer is responsible for ensuring the organization complies with data protection laws and regulations (such as GDPR, HIPAA, or CCPA), which directly dictate how long data must be retained and when it must be destroyed. They have the authority and expertise to define retention schedules based on legal obligations, risk management, and privacy frameworks. This role is specifically chartered to govern data lifecycle policies across the organization.

DFinance Manager

A Finance Manager may have input on financial record retention for accounting purposes but does not have the broad organizational authority to define a comprehensive data retention policy covering all data types and regulatory requirements.

Concept tested: Data governance roles and data retention policy ownership

Source: https://www.nist.gov/privacy-framework/privacy-framework-faqs

Topics

#data retention policy#privacy officer#data governance#compliance

Community Discussion

No community discussion yet for this question.

Full CISSP Practice