Question 24
Domain 3 — Privacy Architecture and Data Protection by Design
When configuring information systems for the communication and transport of personal data, an organization should:
Correct answer: B
Explanation
Organizations handling personal data must configure their systems to meet privacy and security requirements, so the configuration settings have to be reviewed for compliance rather than accepted as delivered. That review confirms that the communication and transport of personal data apply the required controls (for example encryption in transit) and reduces the risk of unauthorized access or disclosure.
Why each option is right or wrong
A. adopt the default vendor specifications
Vendor defaults are generic starting points and may not satisfy an organization’s legal or policy obligations.
B. review configuration settings for compliance
Under GDPR Article 25(1) and (2), controllers must implement appropriate technical and organizational measures and, by default, ensure only personal data necessary for each specific purpose is processed; configuration settings are part of those measures and must be checked against the required privacy controls. For communication and transport, Article 32(1) requires security appropriate to the risk, including measures such as encryption and the ability to ensure ongoing confidentiality, integrity, and resilience, so reviewing the system configuration for compliance is the required control point.
C. implement the least restrictive mode
Least restrictive settings maximize exposure; the transport of personal data should follow the opposite principle, least privilege, with protection appropriate to the risk.
D. enable essential capabilities only
Enabling only essential capabilities supports hardening, but alone does not ensure compliance requirements are met.
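The review the correct answer describes can be made repeatable. The following is an added example, not part of the original question or its explanation: a small checker that reads nginx-style TLS directives and reports every setting that falls short of a stated transport policy. The two configurations, the policy values, and the `check_transport_config` function are all constructed for illustration; the "vendor default" config is an assumed weak baseline, not a statement about any real product's defaults.

```python
"""Check transport-layer TLS directives against a privacy/security policy.

Added example: illustrates reviewing configuration settings for compliance
(option B) instead of adopting vendor defaults (option A). Directive names
follow nginx's ssl_* syntax; the sample configs below are constructed.
"""
import re

# Constructed sample: an assumed unreviewed baseline that keeps legacy protocols
# and a legacy cipher enabled and sends no HSTS header.
VENDOR_DEFAULT_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5:RC4-SHA;
    access_log /var/log/nginx/access.log combined;
}
"""

# Constructed sample: the same server after the configuration review.
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=63072000" always;
    access_log /var/log/nginx/access.log privacy;
}
"""

# Assumed organizational policy for personal data in transit (illustrative values).
POLICY = {
    "min_tls": "TLSv1.2",
    "forbidden_ciphers": {"RC4", "DES", "3DES", "MD5", "NULL", "EXPORT"},
    "require_hsts": True,
}

# Protocol versions in order of strength, used to compare against min_tls.
TLS_ORDER = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}


def parse_directives(conf):
    """Return {directive_name: [argument strings]} from an nginx-style block."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.endswith("{") or line == "}":
            continue  # skip blanks, comments and block delimiters
        name, _, args = line.rstrip(";").partition(" ")
        directives.setdefault(name, []).append(args.strip())
    return directives


def check_transport_config(conf, policy=POLICY):
    """Return a list of findings; an empty list means the config meets the policy."""
    d = parse_directives(conf)
    findings = []

    # 1. Protocol floor: every enabled version must meet the policy minimum.
    protocols = " ".join(d.get("ssl_protocols", [])).split()
    if not protocols:
        findings.append("ssl_protocols not set; the vendor default applies and was not reviewed")
    min_rank = TLS_ORDER[policy["min_tls"]]
    for proto in protocols:
        if TLS_ORDER.get(proto, -1) < min_rank:
            findings.append(f"ssl_protocols allows {proto}, below policy minimum {policy['min_tls']}")

    # 2. Cipher list: flag any enabled suite containing a forbidden algorithm.
    for suite_list in d.get("ssl_ciphers", []):
        for suite in suite_list.split(":"):
            if suite.startswith("!"):
                continue  # OpenSSL exclusion (e.g. !MD5) disables, it does not enable
            tokens = set(re.split(r"[-+]", suite.upper()))
            bad = tokens & policy["forbidden_ciphers"]
            if bad:
                findings.append(f"ssl_ciphers enables {suite} ({', '.join(sorted(bad))})")

    # 3. HSTS: without it a client can be steered back to plaintext transport.
    if policy["require_hsts"]:
        headers = d.get("add_header", [])
        if not any("Strict-Transport-Security" in h for h in headers):
            findings.append("no Strict-Transport-Security header; downgrade to plaintext possible")

    return findings


if __name__ == "__main__":
    for label, conf in (("vendor default", VENDOR_DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {check_transport_config(conf) or 'compliant'}")
```

Run against the constructed baseline the checker reports the two legacy protocol versions, the RC4 suite and the missing HSTS header; the hardened configuration returns no findings. The policy dictionary is the point of the exercise: it is the organization's own transport requirement written down once, so the same review can be re-run after every deployment change instead of trusting that defaults still happen to match it.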