Question 40
Domain 5 — Privacy Operations, Incident Response, and Continuous ImprovementA migration of personal data involving a data source with outdated documentation has been approved by senior management.Which of the following should be done NEXT?
Correct answer: A
Explanation
After a migration is approved, the next step is to verify that the data still moves and processes as intended, so a post-migration data flow review is appropriate. This checks for issues caused by the outdated documentation and confirms the migration did not disrupt personal data handling.
Why each option is right or wrong
A. Review data ow post migration
Under GDPR Article 5(2) and Article 24, the controller remains accountable for ensuring personal data is processed as intended even after a change has been approved, so the immediate control point is to validate the actual post-change flow rather than rely on stale records. Because the source documentation is outdated, the migration must be followed by a post-migration review of how the data now moves, confirming the transfer path, recipients, and processing steps are still accurate and compliant.
B. Ensure appropriate data classi cation
Data classification is important earlier in planning, not the immediate next step after approved migration.
C. Engage an external auditor to review the source data
External audit is a broader assurance activity, not the standard immediate follow-up to approved migration.
D. Check the documentation version history for anomalies
Version history review examines documentation quality, but does not verify actual post-migration personal data handling.