Certified Information Privacy Professional – Europe (CIPP/E) — Question 145

An employee of company ABCD has just noticed a memory stick containing records of client data, including their names, addresses and full contact details has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it likely was lost during the travel of an employee. What should the company do?

Answer options

• A. Notify as soon as possible the data protection supervisory authority that a data breach may have taken place.
• B. Launch an investigation and if nothing is found within one month, notify the data protection supervisory authority.
• C. Invoke the “disproportionate effort” exception under Article 33 to postpone notifying data subjects until more information can be gathered.
• D. Immediately notify all the customers of the company that their information has been accessed by an unauthorized person.

Correct answer: A

Explanation

The correct answer is A, as it is essential for the company to notify the data protection supervisory authority promptly to comply with legal obligations regarding data breaches. Option B is incorrect because waiting a month to notify could lead to non-compliance with regulations. Option C is not applicable since the loss of unencrypted data typically requires immediate notification rather than postponement. Option D is also incorrect because informing customers should follow legal guidance and assessment of the breach.