Question 37
Domain 5 — Privacy Operations, Incident Response, and Continuous ImprovementWhich of the following is MOST important to consider when managing changes to the provision of services by a third party that processes personal data?
Correct answer: B
Explanation
Changes to a third party’s processing can alter how personal data is collected, used, stored, and deleted, so the data life cycle policy must be updated to keep those controls aligned. A data life cycle policy governs the handling of personal data throughout its lifecycle, making it the key document to revise when service provision changes.
Why each option is right or wrong
A. Changes to current information architecture
Information architecture concerns system structure, not the full privacy handling of personal data over time.
B. Updates to data life cycle policy
Under GDPR Article 28(3), the controller must ensure the processor’s services are governed by a contract that reflects the actual processing arrangements, including the subject matter, duration, nature, and purpose of processing, and the obligations for retention and deletion. If the third party changes how it processes the data, the organisation must revise the data life cycle controls so collection, storage, retention, and disposal remain aligned with those changed processing activities; otherwise the documented handling rules no longer match the real processing environment.
C. Business impact due to the changes
Business impact matters operationally, but privacy governance focuses first on lawful handling and retention of personal data.
D. Modifications to data quality standards
Data quality standards address accuracy and consistency, not retention, deletion, or third-party processing obligations.