Certified Information Privacy Manager (CIPM) — Question 218

Data retention and destruction policies should meet all of the following requirements EXCEPT?

Answer options

• A. Data destruction triggers and methods should be documented.
• B. Personal information should be retained only for as long as necessary to perform its stated purpose.
• C. Documentation related to audit controls (third-party or internal) should be saved in a non-permanent format by default.
• D. The organization should be documenting and reviewing policies of its other functions to ensure alignment (e.g. HR, business development, finance, etc.).

Correct answer: C

Explanation

Option C is correct because documentation related to audit controls should generally be kept in a permanent format to ensure compliance and accountability. The other options (A, B, and D) are valid requirements that support proper data retention and destruction practices.