Question 3
Domain 3: The Privacy Technologist’s Role in the Organization
A vendor pushes an analytics SDK update that adds session replay by default. Which control should have caught this before release?
Correct answer: A
Explanation
A change-management process should review vendor updates before deployment because it governs changes that can introduce new risks. Adding session replay by default is a new data behavior, so a privacy review would catch that the SDK now collects more user data than before and require approval before release.
Why each option is right or wrong
A. A change-management process that includes privacy review for vendor updates and new data behaviors.
Under a formal change-management control, any vendor-supplied software update that alters data collection must be reviewed before deployment, because it is a material change to processing rather than a routine patch. In privacy programs this review is typically tied to the organization’s change-control and vendor-management procedures, and it should flag that session replay by default expands collection of user interactions and may require prior approval, notice, or a DPIA/PIA depending on the jurisdiction and risk level.
B. A faster deployment pipeline with fewer approvals.
C. An agreement that engineers will read release notes if they have time.
D. A policy requiring quarterly password changes for the vendor portal.