A privacy risk assessment identified that a third party collects personal data on the organization's behalf. This finding could subject the organization to a regulatory fine for not disclosing this relationship. What should the organization do NEXT?
A. Amend the privacy policy to include a provision that data might be collected by trusted third parties.
B. Review the third-party relationship to determine who should be collecting data.
C. Update the risk assessment process to cover only required disclosures.
D. Disclose the relationship to those affected in jurisdictions where such disclosures are required.
The organization should disclose the relationship to those affected in jurisdictions where such disclosures are required, as this is the most appropriate and compliant action to take after identifying a privacy risk related to third-party data collection. Disclosing the relationship to the data subjects is a way of providing transparency and accountability, as well as respecting their rights and choices regarding their personal data. It also helps the organization avoid regulatory fines or sanctions for not complying with the applicable privacy laws or regulations that mandate such disclosures. The other options are not as effective or sufficient as disclosing the relationship, as they do not address the root cause of the risk, do not mitigate the potential harm to the data subjects, or do not align with the privacy principles and best practices.
[CDPSE Review Manual, 2021, p. 36]