CISSP · Question #218
An organization lacks a data retention policy. Of the following, who is the BEST person to consult for such requirement?
The correct answer is C. Privacy Officer. Data retention policies are governed by privacy regulations and compliance requirements, making the Privacy Officer the most authoritative person to consult when establishing such policies.
Question
An organization lacks a data retention policy. Of the following, who is the BEST person to consult for such requirement?
Options
- AApplication Manager
- BDatabase Administrator
- CPrivacy Officer
- DFinance Manager
How the community answered
(26 responses)- A4% (1)
- B8% (2)
- C88% (23)
Why each option
Data retention policies are governed by privacy regulations and compliance requirements, making the Privacy Officer the most authoritative person to consult when establishing such policies.
An Application Manager oversees software application operations and functionality but does not have authority or expertise over legal and regulatory data retention requirements.
A Database Administrator manages the technical storage and performance of databases but is not responsible for defining the compliance-driven policies that determine how long data should be kept.
The Privacy Officer is responsible for ensuring the organization complies with data protection laws and regulations (such as GDPR, HIPAA, or CCPA), which directly dictate how long data must be retained and when it must be destroyed. They have the authority and expertise to define retention schedules based on legal obligations, risk management, and privacy frameworks. This role is specifically chartered to govern data lifecycle policies across the organization.
A Finance Manager may have input on financial record retention for accounting purposes but does not have the broad organizational authority to define a comprehensive data retention policy covering all data types and regulatory requirements.
Concept tested: Data governance roles and data retention policy ownership
Source: https://www.nist.gov/privacy-framework/privacy-framework-faqs
Topics
Community Discussion
No community discussion yet for this question.