Question 1
Domain 3: Assessing Personal Data and Processing Activities
A privacy professional is comparing an organization's existing data handling activities with its documented policies, applicable laws, and internal controls. What is the primary objective of this gap analysis step?
Correct answer: B
Explanation
Gap analysis identifies where current practices do not align with policy, legal, or control requirements so those deficiencies can be addressed. — Source material: Identify gaps between current practices and policy, legal or control requirements.
Why each option is right or wrong
A. Determine which business units collect the greatest volume of personal data
Gap analysis compares practices to requirements, not business units by data volume.
B. Identify where current practices differ from policy, legal, or control requirements
The stated purpose is to identify gaps between current practices and policy, legal, or control requirements. In this scenario, comparing existing data handling activities against those requirements is done to find points of misalignment.
C. Confirm that all existing privacy controls are operating effectively in every department
Gap analysis identifies differences from requirements; it does not by itself confirm universal control effectiveness.
D. Replace legal requirements with internal policy standards for easier compliance measurement
Legal requirements remain applicable and are compared alongside policy and control requirements.