Certified Information Privacy Manager (CIPM) — Question 224

Which of the following changes typically does NOT require a Privacy Impact Assessment (PIA)?

Answer options

• A. When the volume of the personal data being processed changes.
• B. When new features are added that change the way personal data is accessed.
• C. When the privacy policy is updated to include a data subject access request option.
• D. When the solution is moved from on-premise data center to a hosted cloud service.

Correct answer: C

Explanation

The correct answer is C because updating a privacy policy to include a data subject access request option does not typically alter how personal data is processed or accessed. In contrast, changes in data volume, access features, or moving to a cloud service all represent significant alterations that could impact privacy, thus requiring a PIA.