Question 31
Domain 4 — Privacy Risk Assessment and Compliance Validation
Which of the following is the BEST way to protect personal data in the custody of a third party?
Correct answer: C
Explanation
A third party handling personal data should be bound by contract to follow the organization’s privacy rules, because contractual terms create enforceable obligations for data protection. Requiring compliance with the organization’s privacy policies helps ensure the vendor uses the data only as authorized and maintains the same privacy standards.
Why each option is right or wrong
A. Have corporate counsel monitor privacy compliance.
Monitoring by counsel is oversight only; it can detect problems but does not itself impose any privacy obligation on the vendor.
B. Require the third party to provide periodic documentation of its privacy management program.
Periodic documentation is evidence that the vendor has a program of its own, not a commitment to meet your organization's specific requirements, and it is not enforceable on its own.
C. Include requirements to comply with the organization’s privacy policies in the contract.
Under common privacy governance practice, the strongest control over a processor or service provider is a written contract that makes adherence to the organization’s privacy requirements mandatory and enforceable. This is the only option that creates a binding obligation on the third party to follow the controller’s rules for collection, use, disclosure, retention, and safeguarding of personal data; policies alone are internal documents and do not bind an external custodian unless incorporated by contract.
D. Add privacy-related controls to the vendor audit plan.
Audit controls verify practices after the fact; they can only confirm compliance with an obligation that has first been established, so the protection must be required in the contract up front.