Question 2
Domain 2: Privacy Governance and Operating ModelThe record of processing is outdated because no one knows whether privacy, security, or system owners are responsible for updates. What is the BEST fix?
Correct answer: B
Explanation
A RACI clarifies who is "responsible" and who is "accountable" for keeping the record of processing current, which fixes the ownership gap causing outdated entries. Assigning accountable business or system owners with privacy oversight adds governance and quality challenge, so updates are not left ambiguous among privacy, security, and system teams.
Why each option is right or wrong
A. Have privacy update every entry alone
B. Assign a RACI with accountable business or system owners and privacy oversight for quality and challenge
Under GDPR Article 30, the record of processing activities must be kept up to date and remain the controller’s responsibility, so an undefined ownership model is a governance failure rather than a documentation issue. The best remedy is to assign named accountable business or system owners for maintenance, with privacy oversight to challenge and quality-check changes; that creates a clear control structure for ongoing updates instead of leaving privacy, security, and system teams to assume someone else will act.
C. Transfer ownership permanently to internal audit
D. Update the record only when regulators ask for it