Question 3
Domain 6: Sustaining Privacy Program Performance
A privacy team completes a post-incident review and also identifies a new business process that introduces additional data handling exposure. What is the most appropriate next step for the team?
Correct answer: B
Explanation
Policies, procedures, and controls should be updated when organizations identify lessons learned or when risk conditions change. Continuous improvement requires using both past events and emerging risks to refine how privacy is managed. — Update policies, procedures and controls based on lessons learned and changing risks.
Why each option is right or wrong
A. Keep existing controls in place unless a formal audit identifies a compliance failure
Updates are triggered by lessons learned and changing risks, not only by formal audit findings.
B. Revise relevant policies, procedures, and controls to reflect lessons learned and the new risk environment
The source states that policies, procedures, and controls should be updated based on lessons learned and changing risks. Here, the post-incident review provides lessons learned, and the new business process creates changing risk, so revising all relevant governance documents and safeguards is the appropriate response.
C. Document the incident review findings but defer control changes until the next annual review cycle
Continuous improvement calls for updates when lessons learned or risks change, not only during annual review cycles.
D. Focus on retraining staff and leave policies and procedures unchanged unless the incident recurs
Policies, procedures, and controls should be updated after lessons learned or changing risks, even without recurrence.