Question 34
Domain 2: Privacy Governance and Operating Model
Engineering asks for an exception to the standard log retention period because a defect may take months to diagnose. What is the best governance response from the privacy office?
Correct answer: C
Explanation
A retention exception should be handled through a formal governance process so the privacy office can document the business need, assess risk, and require compensating controls. An approval and expiration date keep the exception temporary and aligned with the principle of limiting retention to what is necessary for the stated purpose.
Why each option is right or wrong
A. Allow the exception indefinitely if the engineering manager approves it
B. Deny all exceptions to avoid setting a precedent
C. Use a formal exception process with business justification, compensating controls, approval and an expiration date
The privacy office should route this through the organization’s documented exception/waiver governance, because retention limits are a core data-minimization control and any deviation must be justified, risk-assessed, and time-bound. A proper exception file should record the business rationale, require compensating controls to reduce exposure during the extended retention, and be approved by the appropriate authority with a defined expiration date so the deviation does not become an indefinite retention practice.
D. Let each technical team decide its own retention period