Question 9
Domain 2: Privacy Governance and Operating Model
Monitoring shows repeated privacy exceptions are being approved without any end date. What is the BEST response?
Correct answer: C
Explanation
Privacy exceptions should not remain open-ended, because exceptions must be limited, documented, and reviewed. Time-boxing them, documenting compensating controls, and requiring periodic reapproval enforce ongoing risk acceptance and prevent indefinite deviations from policy.
Why each option is right or wrong
A. Let exceptions remain open until an incident occurs
B. Convert them into permanent policy carve-outs
C. Time-box exceptions, document compensating controls, and require periodic reapproval
Under a standard privacy governance exception process, approvals must be explicitly bounded and periodically revalidated; an open-ended exception is effectively an indefinite risk acceptance with no documented expiration or review trigger. The proper control response is to set a defined expiry date, record the compensating safeguards being relied on, and require reapproval at each review cycle so the exception remains tied to current business need and residual risk.
D. Stop approving any exceptions under any circumstance