Question 36
Domain 3: Assessing Personal Data and Processing ActivitiesAn organization has completed scoping for several personal data processing activities and identified different levels of risk and context. What is the most appropriate next step for deciding which reviews, controls, and remediation efforts to address first?
Correct answer: B
Explanation
Scoping results should be used to determine the priority of reviews, controls, and remediation activities. Higher-priority actions are driven by the outcomes of the scoping exercise rather than by arbitrary sequencing. — Use scoping results to prioritize reviews, controls and remediation.
Why each option is right or wrong
A. Apply the same review and remediation schedule to all processing activities regardless of scoping outcome.
Prioritization is based on scoping results, not identical treatment of all activities.
B. Use the scoping results to rank and prioritize the needed reviews, controls, and remediation actions.
The source states that scoping results are used to prioritize reviews, controls, and remediation. Because the organization has already completed scoping, the next step is to use those results to determine which activities should be addressed first.
C. Begin remediation first and perform prioritization only after controls have been implemented.
Scoping results are used to prioritize remediation and controls before deciding implementation order.
D. Prioritize reviews based primarily on operational convenience instead of the scoping findings.
Reviews, controls, and remediation should be prioritized using scoping results.