Certified Information Privacy Technologist (CIPT) — Question 92

An organization is using new technologies that will target and process personal data of EU customers. In which of the following circumstances would a privacy technologist need to support a data protection impact assessment (DPIA)?

Answer options

• A. If a privacy notice and opt-in consent box are not displayed to the individual
• B. If security of data processing has not been evaluated
• C. If a large amount of personal data will be collected
• D. If data processing is a high risk to an individual’s rights and freedoms

Correct answer: D

Explanation

The correct answer is D because a DPIA is specifically required when data processing is likely to result in high risks to the rights and freedoms of individuals. Options A, B, and C, while relevant to data protection, do not specifically trigger the need for a DPIA in the same way that high-risk processing does.