Question 7
IIA privacy team wants to answer queries like "Which processors indirectly receive EU personal data via at least two intermediate systems?" Data lives across CMDBs, contracts, and data-flow diagrams. Which approach best leverages a knowledge graph to support this?
Correct answer: B
Explanation
A knowledge graph is built to model entities and relationships, so using “nodes for systems, datasets, vendors, and jurisdictions” with “edges describing data-sharing relationships” fits the problem. Multi-hop queries are the right way to find processors that “indirectly receive EU personal data via at least two intermediate systems,” because graph traversal follows linked paths across CMDBs, contracts, and data-flow diagrams.
Why each option is right or wrong
A. Storing all contracts as PDFs in a repository and relying on keyword search on vendor names.
PDF repositories with keyword search find terms, not indirect multi-step relationship paths.
B. Creating a graph with nodes for systems, datasets, vendors, and jurisdictions and edges describing data-sharing relationships, then issuing multi-hop queries over that graph.
A knowledge graph is the appropriate structure because it represents entities as nodes and their relationships as edges, which is exactly what is needed to connect CMDB records, contract parties, and data-flow artifacts into one traversable model. Under GDPR Article 4(2) and Article 28, the relevant question is not a flat lookup but a relationship path: identifying processors that receive EU personal data through a chain of at least two intermediary systems requires multi-hop graph traversal across linked data-sharing edges, not a relational filter on isolated tables.
C. Exporting a single flat table with one row per vendor and a free-text notes column describing data flows.
A flat vendor table loses explicit relationships needed for traversal across systems and jurisdictions.
D. Using a dashboard that shows only counts of vendors per region.
Regional counts summarize totals but cannot identify specific multi-hop downstream processors.