Question 39
Domain 5 — Privacy Operations, Incident Response, and Continuous Improvement
Within a business continuity plan (BCP), which of the following is the MOST important consideration to ensure the ability to restore availability and access to personal data in the event of a data privacy incident?
Correct answer: C
Explanation
Recovery point objective (RPO) defines the maximum acceptable data loss measured in time, so it directly determines how much personal data must be recovered after an incident. In a BCP, this is vital for restoring “availability and access to personal data” because it sets the backup and recovery window needed to resume operations with minimal loss.
Why each option is right or wrong
A. Offline backup availability
Offline backups improve resilience, but alone do not define acceptable data loss after an incident.
B. Recovery time objective (RTO)
RTO measures how quickly service returns, not how current the recovered personal data will be.
C. Recovery point objective (RPO)
The relevant continuity metric is the recovery point objective, which is the maximum tolerable period of data loss measured backward from the incident; in practice it determines how far back backups must go to restore the affected personal data set. By contrast, recovery time objective addresses how quickly services must be back online, but it does not define how much data may be lost, so it is the less direct control for restoring availability and access to personal data after a privacy incident.
D. Online backup frequency
Backup frequency influences recovery capability, but RPO is the governing business requirement behind that frequency.