Question 13
UnclassifiedWhat is the strongest reason to map personal-data flows across systems and vendors?
Correct answer: B
Explanation
Mapping personal-data flows shows where data is collected, shared, stored, and deleted, which is necessary to give accurate notice and handle access, deletion, and other rights requests. It also identifies which systems and vendors are involved so incident response can trace exposure and contracts can cover required security and processing terms.
Why each option is right or wrong
A. To reduce the amount of software documentation engineers need
B. To support notice accuracy, rights handling, incident response, and contract scoping
Under GDPR Articles 13 and 14, the controller must give data subjects accurate information about the purposes, recipients, transfers, retention, and rights, so a current map of where personal data moves is needed to keep notices complete and correct. The same mapping is operationally required for Article 15–22 rights requests, Article 33 breach notification within 72 hours, and Article 28 processor contracts, which must specify the subject matter, duration, nature, purpose, categories of data, and security obligations for each vendor involved.
C. To eliminate the need for security testing
D. To prevent regulators from asking questions