Question 27
Domain 4 — Privacy Risk Assessment and Compliance Validation
Which of the following is the PRIMARY reason to complete a privacy impact assessment (PIA)?
Correct answer: A
Explanation
A privacy impact assessment is used to identify and address privacy risks before collecting or processing personal data. It supports compliance with consumer privacy laws and regulatory requirements by showing how an organization will protect information and meet legal obligations.
Why each option is right or wrong
A. To comply with consumer regulatory requirements
Under privacy regimes such as the GDPR, a PIA/DPIA is required where processing is likely to result in a high risk to individuals’ rights and freedoms, and it must be completed before the processing begins (GDPR Article 35(1)). The primary purpose is to demonstrate compliance with applicable consumer privacy obligations and to document how identified risks will be mitigated, rather than to serve as a general business review.
B. To establish privacy breach response procedures
Breach response procedures belong to incident response planning, not the primary purpose of a PIA.
C. To classify personal data
Data classification is a supporting data governance task, not the main reason to perform a PIA.
D. To understand privacy risks
Understanding privacy risks is an outcome of a PIA, but compliance is the primary driver.