Question 30
Domain 4: Privacy Engineering and GovernanceAs U.S. state privacy obligations continue to expand in 2026, which record best supports both engineering and governance response?
Correct answer: A
Explanation
A current data inventory supports privacy compliance because state laws increasingly require organizations to know what personal data they collect, why they use it, who receives it, and how long they keep it. Mapping “systems, data elements, purposes, recipients, and retention” gives engineering a control baseline and governance a record for notices, access requests, minimization, and retention decisions.
Why each option is right or wrong
A. A current data inventory that maps systems, data elements, purposes, recipients, and retention.
State privacy statutes now commonly require a controller to maintain records of processing activities and to be able to disclose categories of personal information, the purposes for collection/use, third-party disclosures, and retention periods; for example, the CCPA/CPRA regulations require a retention schedule or criteria for each category of personal information and disclosures in the privacy notice. A current inventory that ties systems to data elements, purposes, recipients, and retention is the only record that simultaneously supports engineering controls and governance evidence for notice, access, deletion, minimization, and retention obligations.
B. A list of all employee birthdays.
C. A static screenshot of the home page.
D. A budget sheet that contains only total cloud spend.