Certified Information Privacy Professional – Europe (CIPP/E) — Question 267
A high-ranking employee has his laptop bag stolen in a train station. In addition to the laptop, the bag contained the employee’s ID card, confidential company documents (such as financial information and minutes of board meetings, including participants and their roles), company payment cards, and authorization tokens.
As the company's Data Protection Officer, what should be your first action?
Answer options
- A. Inform the appropriate supervisory authority of the breach.
- B. Verify whether the laptop contained personal data and, if so, if it was encrypted.
- C. Inform the meeting participants of the breach and provide them with next steps to be taken.
- D. Request deactivation of the authorization tokens to avoid access to company data, and remotely wipe the laptop.
Correct answer: B
Explanation
The correct answer is B because verifying whether the laptop contained personal data, and whether that data was encrypted, is crucial for assessing the severity of the data breach. Informing the supervisory authority or the meeting participants (options A and C) comes after understanding the data involved, while option D, although important, focuses on immediate security measures rather than initial assessment.