Question 6
Domain 4: Privacy Engineering and Governance
A company cannot answer where support-chat transcripts travel after collection. What artifact should the privacy engineer build first?
Correct answer: B
Explanation
A data flow or lineage map is the first artifact because it shows where personal data moves after collection, including “systems, recipients, and regions involved in the processing.” When a company cannot answer where support-chat transcripts travel, mapping the flow is necessary to identify processing locations and downstream disclosures.
Why each option is right or wrong
A. A brand style guide for the chat window.
B. A data flow or lineage map covering systems, recipients, and regions involved in the processing.
Under GDPR Article 30(1), the controller must maintain records of processing activities that identify the categories of recipients, transfers to third countries, and the envisaged time limits for erasure; you cannot complete that obligation without first mapping where the transcripts go. In practice, a lineage map is the first artifact because it establishes the exact processing path for the chat data, including each system, downstream recipient, and any region or country involved, which is the minimum needed to determine whether disclosures or international transfers are occurring.
C. A marketing campaign calendar.
D. A copy of the source code without any architecture notes.