Question 8
Domain 1 — Privacy Governance and Program Management
Which of the following is the BEST way for senior management to verify the success of its commitment to privacy by design?
Correct answer: C
Explanation
A third-party privacy control assessment gives independent evidence that privacy by design commitments are being implemented and operating effectively. Senior management can use the findings to verify whether controls align with the principle of building privacy into processes from the start, rather than relying only on internal assurances.
Why each option is right or wrong
A. Review the findings of an industry benchmarking assessment
Benchmarking compares the organization against peers, but does not verify that internal privacy controls are properly designed and operating.
B. Identify trends in the organization's amount of compromised personal data
Compromised data volume is a lagging outcome metric, not direct evidence of privacy-by-design implementation.
C. Review the findings of a third-party privacy control assessment
Senior management needs independent, objective evidence that privacy requirements were embedded into design and operating controls, and a third-party privacy control assessment provides exactly that by testing control design and effectiveness against an external standard. Under GDPR Article 24(1) and Article 25(1)–(2), the controller must implement appropriate technical and organizational measures and integrate data protection into processing by design and by default; an external assessment is the strongest way to verify those measures are actually working, rather than merely documented internally.
D. Identify trends in the organization's number of privacy incidents
Incident trends show outcomes after failures, not whether preventive privacy controls were independently validated.