Question 38
Domain 3: The Privacy Technologist’s Role in the Organization
Where is the most effective place to require privacy acceptance criteria for a new API that collects voice samples?
Correct answer: B
Explanation
Privacy acceptance criteria should be defined during backlog and design work because privacy-by-design requires requirements to be built in before implementation. Adding them "before coding begins" ensures the API’s data collection, storage, and consent flows are reviewed early, when changes are cheapest and most effective.
Why each option is right or wrong
A. After production rollout
B. During backlog and design work before coding begins
Privacy requirements should be captured at the backlog and design stage, before any implementation starts, because that is when the API’s data flows, consent language, retention, and access controls can still be shaped without rework. For a new API collecting voice samples, the earliest design review is the point at which privacy acceptance criteria can be translated into testable conditions for collection, storage, and processing, rather than being bolted on after code already exists.
C. Only during the annual audit
D. After the procurement team signs off