Question 38
Domain 5 — Privacy Operations, Incident Response, and Continuous Improvement

What is the BEST way for an organization to maintain the effectiveness of its privacy breach incident response plan?
Correct answer: B
Explanation
The privacy office should be part of plan review because privacy breaches require specialized handling of personal data, notification duties, and regulatory obligations. Regular organizational review keeps the incident response plan aligned with current risks and procedures, which is the best way to maintain its effectiveness.
Why each option is right or wrong
A. Require security management to validate data privacy security practices.
Security validation focuses on controls, not full privacy governance, notification, and data-handling obligations.
B. Involve the privacy office in an organizational review of the incident response plan.
An incident response plan is only effective if it is periodically reviewed and updated by the functions that own the legal and operational obligations triggered by a breach. Under the GDPR, for example, controllers must notify a personal data breach to the supervisory authority within 72 hours where feasible (Art. 33) and, in some cases, notify affected individuals without undue delay (Art. 34), so the privacy office must be involved to ensure those timelines, decision points, and escalation paths remain accurate. A general organizational review with privacy participation is the strongest control because it tests whether the plan still reflects current breach-reporting duties, data-handling procedures, and regulatory requirements.
C. Hire a third party to perform a review of data privacy processes.
Third-party reviews can help, but they are periodic and less effective than internal ongoing plan ownership.
D. Conduct annual data privacy tabletop exercises.
Annual tabletop exercises test the plan, but reviewing it with privacy stakeholders better maintains effectiveness.