The best answer is C. Privacy regulations. A data subject access request (DSAR) process exists to support an individual's right to access their personal data, and regulators and official privacy guidance define this as a core privacy right. The UK ICO explains that the "right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data", and Article 15 GDPR establishes the same right in law. Because the security officer is asking a third party to demonstrate that it can handle these requests, the officer is validating compliance with privacy law and the data protection obligations that flow from it.
This also aligns with CompTIA SecurityX's GRC focus on compliance requirements, program documentation, and data governance. A third party that processes personal data on the enterprise's behalf must be able to respond appropriately to access requests from data subjects, so confirming that process is a vendor due diligence activity tied to regulatory privacy compliance. In practice the officer is checking that the vendor can locate the individual's data across its systems, verify the requester's identity, and respond within the statutory window (under GDPR Article 12, within one month, extendable in limited cases). None of that is e-discovery, certification, or a generic reporting framework.
Why the other options are incorrect:
A. Information security standards define good security practice and controls, but DSAR handling is specifically about privacy rights, not security controls.
B. E-discovery requirements relate to legal discovery and litigation processes, not an individual's right to access their own personal data.
D. Certification requirements are not the primary reason an organization must support subject access requests.
E. Reporting frameworks likewise do not create the obligation to respond to subject access requests.
The clearest and most accurate answer is privacy regulations.
References:
ICO guidance on subject access requests and the right of access.
UK/EU GDPR Article 15, right of access by the data subject.
CompTIA SecurityX official exam objectives summary, GRC domain.
CompTIA SecurityX CAS-005 exam objectives PDF mirror.