Exam CIPM topic 1 question 65 discussion

In many jurisdictions, the processing of personal data by health-care professionals and lawyers as part of their regular professional duties (for instance, treatment of patients or legal representation) might not necessarily trigger the requirement for a PIA. This is because the processing is generally understood, expected, and subject to other professional and legal obligations, like doctor-patient or attorney-client confidentiality.

A Privacy Impact Assessment (PIA) is a process that helps to identify and mitigate the privacy risks of a project or activity that involves personal data. A PIA is usually required when there is a new or significant change in the way personal data is collected, used, or disclosed. Therefore, a PIA would be the least likely to be required if a company created a credit-scoring platform five years ago, as this would not be a new or significant change. The other situations involve new or changed processing of personal data that could have privacy impacts, such as sensitive data (health or children’s data), profiling data (user profiles), or large-scale data (patient’s file).

should be B

Should be B

Privacy assessments measure an organization’s compliance with laws, regulations, adopted standards, and internal policies and procedures. Their scope may include education and awareness; monitoring and responding to the regulatory environment; data, systems, and process assessments; risk assessments; incident response; contracts; remediation; and program assurance, including audits.

PIAs are triggered do to some type of new activity. New data being added, new database, new program. A should be the correct answer because a PIA should have been done five years ago.

B maybe?