Question 18
Domain 5: Protecting Personal Data Through Operational Controls
An organization is creating a data governance program for personal data held in multiple applications. Which action best demonstrates that retention and deletion rules have been properly defined and operationalized?
Correct answer: B
Explanation
Retention and deletion rules are effective only when they are clearly defined and put into practice consistently across the systems and teams that handle the data.
Source material: Define and operationalize retention and deletion rules across systems and teams.
Why each option is right or wrong
A. Publishing a general privacy statement that mentions data should not be kept longer than necessary
A general statement does not operationalize retention and deletion across systems and teams.
B. Establishing retention and deletion rules and implementing them consistently across relevant systems and teams
The source states that organizations should define and operationalize retention and deletion rules across systems and teams. This option matches both required elements: creating the rules and putting them into practice consistently in the environments and groups that handle the data.
C. Allowing each business unit to decide independently when personal data should be deleted
Retention and deletion rules must apply across systems and teams, not be left to separate local decisions.
D. Focusing only on deleting data from one central database after a retention period expires
The requirement covers systems and teams broadly, not only one system.