Question 11
Domain 3: The Privacy Technologist’s Role in the Organization
A third-party assessment finds that dozens of engineers have production access to customer data. Who should normally lead the technical remediation design?
Correct answer: B
Explanation
Technical remediation should be led by the privacy technologist because the issue involves access to customer data and requires privacy-by-design input. They should work with the IAM, security, and system owners, since access controls and production permissions are implemented across those functions. This aligns with the principle that remediation design is owned by the technical and control stakeholders, not only by business management.
Why each option is right or wrong
A. The DPO alone, because access control is purely a legal question.
B. The privacy technologist working with the IAM, security, and system owners.
Under privacy-by-design and access-control governance, the remediation plan should be designed by the privacy technologist in coordination with the IAM, security, and system owners, because the defect is a production-access control issue affecting customer data. In practice, the technical fix must address least-privilege and role-based access controls across the systems that grant access, so the people who own identity, security controls, and the affected platforms are the ones who can define and implement the change correctly.
C. Marketing, because customer data supports revenue.
D. Finance, because access reviews affect software licensing costs.