Certified Information Privacy Professional – Europe (CIPP/E) — Question 9

An unforeseen power outage results in company Z’s lack of access to customer data for six hours. According to article 32 of the GDPR, this is considered a breach. Based on the WP 29’s February, 2018 guidance, company Z should do which of the following?

Answer options

• A. Notify affected individuals that their data was unavailable for a period of time.
• B. Document the loss of availability to demonstrate accountability
• C. Notify the supervisory authority about the loss of availability
• D. Conduct a thorough audit of all security systems

Correct answer: B

Explanation

The correct answer, B, emphasizes the importance of documenting the incident to demonstrate accountability under GDPR. While notifying individuals and authorities may be necessary in some cases, the primary focus in this scenario is on maintaining a record of the availability loss to satisfy regulatory requirements.