Question 31
Domain 1: Data Collection, Use, Dissemination, and Destruction
Support chat transcripts are kept forever in backups 'just in case.' Which control best addresses the privacy problem?
Correct answer: A
Explanation
A retention schedule limits storage to what is needed and requires deletion when data is no longer needed, which addresses the privacy risk of keeping transcripts forever. Backup aging rules ensure old backups are retired and tested deletion confirms the data can actually be removed, rather than remaining in backups "just in case."
Why each option is right or wrong
A. A retention schedule with tested deletion and backup aging rules
Under GDPR Article 5(1)(e), personal data must be kept no longer than necessary for the purpose collected, and Article 17 requires erasure when retention is no longer justified. A formal retention schedule operationalizes that limit, while tested deletion and backup aging rules ensure the organization can actually remove transcripts from live systems and aged backups instead of preserving them indefinitely.
B. A promise that engineers will remember to delete old files manually
C. More disk space so the transcripts are less likely to be overwritten
D. A longer privacy notice describing indefinite retention