Question 21
Domain 3: Assessing Personal Data and Processing Activities
An organization is inventorying its personal data processing operations to decide which activities require closer review. Which approach BEST aligns with segmenting processing activities for scoping purposes?
Correct answer: B
Explanation
Processing activities should be grouped using the characteristics that most affect risk and context: sensitivity, volume, purpose, and business criticality. Segmenting by these factors helps determine which activities need different levels of assessment and oversight. — Segment processing activities by sensitivity, volume, purpose and business criticality.
Why each option is right or wrong
A. Group activities only by the department that owns the system performing the processing.
Segmentation is based on sensitivity, volume, purpose, and business criticality, not organizational ownership alone.
B. Group activities by the sensitivity of data, processing volume, purpose, and business criticality.
The stated segmentation method is to classify processing activities by sensitivity, volume, purpose, and business criticality. Because the organization is deciding which activities require closer review, using those four factors directly matches the required scoping approach.
C. Group activities only by whether the data is stored on-premises or in a cloud environment.
Storage location is not one of the listed segmentation factors for processing activities.
D. Group activities by the age of the application and the size of the supporting IT team.
The relevant factors are sensitivity, volume, purpose, and business criticality rather than system age or team size.