Isaca CDPSE Exam - Topic 2 Question 70 Discussion

Actual exam question for Isaca's CDPSE exam
Question #: 70
Topic #: 2

Which of the following should be the FIRST consideration when conducting a privacy impact assessment (PIA)?

Suggested Answer: A

The first consideration when conducting a privacy impact assessment (PIA) is the applicable privacy legislation that governs the collection, processing, storage, transfer, and disposal of personal data within the scope of the assessment. The applicable privacy legislation may vary depending on the jurisdiction, sector, or purpose of the data processing activity. The PIA should identify and comply with the relevant legal requirements and obligations for data protection and privacy, such as obtaining consent, providing notice, ensuring data quality and security, respecting data subject rights, and reporting data breaches. The applicable privacy legislation also determines the criteria, methodology, and documentation for conducting the PIA.



Han
2 months ago
Wait, are we sure legislation is the first step? Seems off.
upvoted 0 times
...
Stephen
2 months ago
Totally agree, legislation is key.
upvoted 0 times
...
Milly
3 months ago
I think the quantity of info matters too, though.
upvoted 0 times
...
Vincent
3 months ago
The security risk profile should be top priority, right?
upvoted 0 times
...
Lacresha
3 months ago
Gotta start with the applicable privacy legislation!
upvoted 0 times
...
Ming
3 months ago
The organizational security risk profile seems relevant, but I thought we usually start with the legal requirements in PIAs.
upvoted 0 times
...
Pearlene
4 months ago
I feel like the quantity of information might be important too, but I can't recall if it should come before the legislation.
upvoted 0 times
...
Arlyne
4 months ago
I remember a practice question that emphasized understanding the systems where data is stored first. Maybe that's what we should focus on?
upvoted 0 times
...
Angella
4 months ago
I think the first consideration should be the applicable privacy legislation, but I'm not entirely sure if that's the most critical factor.
upvoted 0 times
...
Moon
4 months ago
I'm a little confused on this one. I know a PIA is about identifying and mitigating privacy risks, but I'm not sure if the legislation is the absolute first thing to look at. The systems and data involved might be a good starting point too. I'll have to think this through carefully.
upvoted 0 times
...
Dana
4 months ago
The applicable privacy legislation is definitely the most important consideration when doing a PIA. That's going to set the framework for the whole assessment, so I'm pretty confident that's the right answer here.
upvoted 0 times
...
Denae
4 months ago
Hmm, I'm a bit unsure about this one. There are a few different factors to consider when doing a PIA, so I'm not sure if the legislation should be the very first thing. Maybe the quantity of information or the systems involved would be a better starting point.
upvoted 0 times
...
Anastacia
5 months ago
This seems like a straightforward question about conducting a privacy impact assessment. I think the key is to focus on the first step, which is understanding the applicable privacy legislation.
upvoted 0 times
...
Timmy
5 months ago
But what about the quantity of information? Shouldn't that be considered first?
upvoted 0 times
...
Dorethea
5 months ago
I agree with Van, because the legislation sets the framework for the assessment.
upvoted 0 times
...
Rosio
5 months ago
Option A seems obvious to me. You can't conduct a PIA without first understanding the relevant privacy laws.
upvoted 0 times
Amber
2 months ago
Still, laws should come first. They set the foundation.
upvoted 0 times
...
Basilia
2 months ago
But what about the data quantity? That matters too.
upvoted 0 times
...
Bettina
2 months ago
True, without knowing the laws, how can we assess anything?
upvoted 0 times
...
Carlee
2 months ago
I agree, option A is crucial. Laws guide the whole process.
upvoted 0 times
...
...
Van
6 months ago
I think the first consideration should be the applicable privacy legislation.
upvoted 0 times
...
