Certified in Risk and Information Systems Control (CRISC) — Question 1269
A Software as a Service (SaaS) company wants to use aggregated data from its clients to improve its services via a machine learning model. However, its contracts do not clearly allow this use of aggregated data. What should the organization do NEXT?
Answer options
- A. Update the organization’s data processing agreement template.
- B. Request internal risk acceptance from senior management.
- C. Request formal consent from clients to use their data.
- D. Update the organization’s privacy policy to reflect the use of aggregated data.
Correct answer: C
Explanation
The correct answer is C because obtaining formal consent from clients ensures that the organization has the legal right to use their data for the intended purpose. Options A and D deal with updating agreements and policies but do not address the immediate need for client consent. Option B focuses on internal risk acceptance, which does not resolve the lack of explicit permission from clients.