Certified Information Systems Security Professional (CISSP) — Question 279
An organization with divisions in the United States (US) and the United Kingdom (UK) processes data comprised of personal information belonging to subjects living in the European Union (EU) and in the US. Which data MUST be handled according to the privacy protections of the General Data Protection Regulation (GDPR)?
Answer options
- A. Only the UK citizens' data
- B. Only the EU residents' data
- C. Only data processed in the UK
- D. Only the EU citizens' data
Correct answer: B
Explanation
The correct answer is B because the General Data Protection Regulation (GDPR) applies specifically to the personal data of individuals residing in the European Union, regardless of their citizenship. The other options either focus on UK citizens or limit the scope to specific processing locations, which is not relevant under GDPR's jurisdiction.