Question 39
Domain 1: Privacy Program Framework and Strategy
After acquiring a health technology startup, leadership asks to fold it into the existing B2B privacy program without additional investment. What should the privacy manager recommend FIRST?
Correct answer: B
Explanation
A scope and gap assessment is the first step because a privacy program must be built on the actual data, processing activities, and legal obligations involved, not on an assumption that the acquired business looks like the existing one. The assessment identifies "data types, business model, jurisdictions, vendors, and existing controls" so leadership can choose the right target model before deciding whether the startup can be folded into the current program at all, and what (if anything) that would cost.
Why each option is right or wrong
A. Reuse the current program unchanged because all personal data risks are substantially the same
Wrong. The premise is unsupported: a health technology startup is likely to process different data categories (including health data, which GDPR Article 9 treats as a special category) and may serve different jurisdictions and customer types than a B2B program. Reusing the program unchanged assumes the answer to the question the assessment is meant to ask.
B. Complete a scope and gap assessment covering data types, business model, jurisdictions, vendors, and existing controls before deciding the target model
Correct. Under the accountability principle in GDPR Article 5(2) and the controller's obligation to implement appropriate technical and organisational measures under Article 24, the organisation must first understand the acquired entity's actual processing footprint before selecting a control model. A scope-and-gap review is the only defensible first step because the startup may involve different data categories, jurisdictions, processors, and regulatory triggers than the existing B2B program; without that baseline, any decision to reuse the current model is premature and potentially noncompliant. It also gives the privacy manager the evidence needed to push back on the "no additional investment" constraint if the gaps turn out to require it.
C. Pause all startup processing until every legacy system is retired
Wrong. A blanket halt is disproportionate and is not tied to any identified risk; it would stop the acquired business without telling leadership what actually needs to change. Specific processing may need to be suspended later if the assessment finds an unlawful activity, but that is a finding of the assessment, not its precondition.
D. Replace the startup's contracts and notices immediately, then assess gaps later
Wrong. This puts remediation before diagnosis. Contracts and notices must reflect the startup's actual processing, vendors, and legal bases; rewriting them before the scope is known risks producing documents that are inaccurate and will have to be redone once the assessment is complete.