Certified Information Privacy Manager (CIPM) — Question 155
Which of the following is TRUE about the Data Protection Impact Assessment (DPIA) process as required under the General Data Protection Regulation (GDPR)?
Answer options
- A. The DPIA result must be reported to the corresponding supervisory authority.
- B. The DPIA report must be published to demonstrate the transparency of the data processing.
- C. The DPIA must include a description of the proposed processing operation and its purpose.
- D. The DPIA is required if the processing activity entails risk to the rights and freedoms of an EU individual.
Correct answer: C
Explanation
The correct answer is C because, to comply with the GDPR, a DPIA must include a detailed description of the processing operations and their purposes. Option A is incorrect because, while results may need to be shared, reporting them to the supervisory authority is not mandated. Option B is false since publishing the report is not a requirement under the GDPR. Option D is also not entirely correct, as a DPIA is required specifically when the processing poses a high risk, not just any risk.