Question 6
Domain 5: Protecting Personal Data Through Operational ControlsA company wants to reduce privacy risk when engaging a new vendor that may handle personal data. According to the guidance, at which points should the organization integrate privacy review into its procurement activities?
Correct answer: B
Explanation
Privacy review should be built into procurement workflows at the key vendor engagement stages of sourcing, contracting, and onboarding. — Integrate privacy review into sourcing, contracting and onboarding processes.
Why each option is right or wrong
A. Only during vendor onboarding, after the contract has been signed
Privacy review is integrated into sourcing, contracting, and onboarding, not only after contract execution.
B. During sourcing, contracting, and onboarding activities
The guidance states that privacy review should be integrated into sourcing, contracting, and onboarding processes. Because the vendor may handle personal data, all three procurement stages are included.
C. During sourcing and onboarding, but not during contracting
Privacy review includes contracting as a required stage along with sourcing and onboarding.
D. Only during contracting, because privacy terms belong in the contract
Privacy review is not limited to contract terms; it is also integrated into sourcing and onboarding.