Question 30
Which activity is most useful for understanding vendor-related privacy risk?
Correct answer: B
Explanation
Vendor-related privacy risk is best understood before disclosure by reviewing how the vendor will use personal data, what controls protect it, and whether it relies on subcontractors. This due diligence identifies risks in "data uses, controls, and subcontracting" before sharing personal data, which is the point at which privacy exposure begins.
Why each option is right or wrong
A. Sending every vendor the same generic marketing deck
B. Performing due diligence on the vendor's data uses, controls, and subcontracting before sharing personal data
Under GDPR Article 28(1)–(2), a controller may use only processors that provide sufficient guarantees of appropriate technical and organisational measures, and a processor may not engage a sub-processor without the controller's prior specific or general written authorisation. That makes pre-disclosure due diligence on the vendor's intended data uses, security controls, and subcontractor chain the relevant activity for identifying privacy exposure before personal data is transferred.
C. Asking the vendor to promise orally that it is secure
D. Skipping review if the vendor is already well known in the industry