Question 5
Domain 4: Privacy Engineering and Governance
Marketing proposes adding a mobile SDK that collects device identifiers for attribution. What is the privacy technologist's best first step?
Correct answer: A
Explanation
Privacy engineering starts by turning legal requirements into buildable controls. For a mobile SDK that collects device identifiers, the first step is to translate notice, choice, and minimization obligations into technical acceptance criteria so the design can enforce only necessary collection and proper user disclosures.
Why each option is right or wrong
A. Translate notice, choice, and minimization requirements into technical acceptance criteria for the SDK
Under GDPR Article 5(1)(c), personal data must be "adequate, relevant and limited to what is necessary" for the stated purpose, and Articles 12–14 require transparent notice, while Article 7 requires that consent, where relied on, be demonstrable and freely given. For a mobile SDK collecting device identifiers, the first engineering move is to convert those legal constraints into acceptance criteria (e.g., what identifiers may be collected, when disclosure must fire, and what user choice gates are required) so the build can be validated against the privacy requirements before implementation.
B. Wait until launch and see whether users complain
C. Assume the vendor's privacy policy covers the app
D. Focus only on breach notification language