Question 25
Domain 3: Assessing Personal Data and Processing ActivitiesA consent platform records customer preferences, but the privacy inventory cannot show which downstream systems actually receive and honor those signals. What is the most important assessment finding?
Correct answer: B
Explanation
A privacy inventory must map data flows and processing activities so consent choices can be traced to the systems that use them. If it “cannot show which downstream systems actually receive and honor those signals,” the key finding is that the program cannot reliably verify implementation across processing flows.
Why each option is right or wrong
A. The consent banner color may be inconsistent across pages
B. The program cannot reliably trace whether consent choices are implemented across processing flows
Under GDPR Art. 30, the record of processing activities must identify the categories of recipients and the processing purposes, and Art. 5(2) places accountability on the controller to demonstrate compliance. If the inventory cannot identify which downstream systems receive the consent signal, the organization cannot evidence that the preference is propagated through the processing chain or that consent is being honored in each flow, which is the core control failure here.
C. The inventory should remove all references to consent until the next audit
D. The issue matters only if customers complain publicly