Certified in Risk and Information Systems Control (CRISC) — Question 341

A new international data privacy regulation requires personal data to be disposed after the specified retention period, which is different from the local regulatory requirement. Which of the following is the risk practitioner's BEST recommendation to resolve the disparity?

Answer options

• A. Adopt the international standard.
• B. Adopt the standard determined by legal counsel.
• C. Adopt the local standard.
• D. Adopt the least stringent standard determined by the risk committee.

Correct answer: B

Explanation

The best recommendation is to adopt the standard determined by legal counsel because they can provide guidance on compliance with both local and international regulations. Adopting the international standard or local standard without legal counsel may lead to non-compliance risks. Choosing the least stringent standard could pose significant legal and financial risks if it does not adhere to the stricter international requirements.