Question 18
Domain 3: Privacy, Data Stewardship, and User Rights
A privacy team decides to proceed with a business initiative even though some data-related risk remains after review. What should be documented to support that decision?
Correct answer: B
Explanation
When an organization accepts remaining privacy risk in a data-related decision, it should document both the reasoning behind the decision and the acceptance of that risk. Source requirement: "Document rationale for data-related decisions and risk acceptance."
Why each option is right or wrong
A. Only the technical controls selected for the initiative
The requirement includes documenting rationale and risk acceptance, not only implementation controls.
B. The rationale for the data-related decision and the risk acceptance
The source states that organizations should document rationale for data-related decisions and risk acceptance. Because the team is proceeding despite remaining risk, both the decision's rationale and the acceptance of that risk must be recorded.
C. Only the final approval date for the business initiative
The required documentation addresses the decision basis and accepted risk, not merely the date of approval.
D. The list of stakeholders involved in the discussion
Stakeholder involvement may be tracked separately, but the stated requirement is to document rationale and risk acceptance.