Question 17
Domain 2 — Personal Data Lifecycle Management
Which of the following is the PRIMARY reason that organizations need to map the data flows of personal data?
Correct answer: A
Explanation
Organizations map data flows to understand how personal data is collected, used, shared, and stored, which reveals where privacy harms can arise. This supports a privacy risk assessment by identifying processing activities that may create exposure, misuse, or unauthorized disclosure.
Why each option is right or wrong
A. To assess privacy risks
Under GDPR Article 30, organizations must maintain records of processing activities, and under Articles 24 and 32 they must implement appropriate technical and organizational measures based on risk. Mapping personal-data flows is the practical step that shows where data enters, moves, is shared, stored, and deleted, so the controller can identify exposure points and evaluate the likelihood and severity of harm. Without that mapping, a privacy impact or risk assessment cannot reliably determine where unauthorized access, excessive collection, or unlawful disclosure may occur.
B. To evaluate effectiveness of data controls
Control effectiveness is usually tested after flows are understood; it is a downstream assessment activity.
C. To determine data integration gaps
Integration gaps concern system architecture and data movement, not the main privacy objective.
D. To comply with regulations
Regulatory compliance is an important outcome, but risk identification is the more fundamental reason.