Question 4
Domain 1 — Privacy Governance and Program Management
Which of the following is MOST important to ensure when developing a business case for the procurement of a new IT system that will process and store personal information?
Correct answer: D
Explanation
A business case for a new IT system that will process and store personal information must include data protection requirements because privacy obligations apply from the design stage. Under data protection principles, organizations must ensure personal data is processed lawfully, securely, and only for specified purposes, so these requirements must be built into procurement decisions.
Why each option is right or wrong
A. The system architecture is clearly defined.
Architecture describes technical design, but the business case must first capture privacy obligations.
B. A risk assessment has been completed.
Risk assessment is important, but it follows from knowing the applicable data protection requirements.
C. Security controls are clearly defined.
Security controls protect systems broadly; data protection also covers lawful use, purpose, and rights.
D. Data protection requirements are included.
Under the UK GDPR, data protection must be built in at the procurement stage: Article 25 requires data protection by design and by default, and Article 5(1)(c), (e) and (f) require data minimisation, storage limitation, and integrity/confidentiality. For a system that will process and retain personal data, the business case must therefore specify privacy and security controls up front, because failure to do so can make the proposed solution non-compliant from the outset.