Certified Information Privacy Technologist (CIPT) — Question 18

An organization based in California, USA is implementing a new online helpdesk solution for recording customer call information. The organization considers the capture of personal data on the online helpdesk solution to be in the interest of the company in best servicing customer calls.
Before implementation, a privacy technologist should conduct which of the following?

Answer options

• A. A Data Protection Impact Assessment (DPIA) and consultation with the appropriate regulator to ensure legal compliance.
• B. A privacy risk and impact assessment to evaluate potential risks from the proposed processing operations.
• C. A Legitimate Interest Assessment (LIA) to ensure that the processing is proportionate and does not override the privacy, rights and freedoms of the customers.
• D. A security assessment of the help desk solution and provider to assess if the technology was developed with a security by design approach.

Correct answer: C

Explanation

The correct answer is C, as a Legitimate Interest Assessment ensures that the processing aligns with the organization's interests without compromising customer rights. Option A is incorrect as it focuses on legal compliance rather than the balance of interests. Option B, although relevant, does not specifically address the legitimacy of the processing in relation to customer rights. Option D is not directly related to privacy assessments but rather focuses on security measures.