Exam CIPM topic 1 question 199 discussion

SCENARIO -
Please use the following to answer the next question:

You were recently hired by InStyle Data Corp. as a privacy manager to help InStyle Data Corp. became compliant with a new data protection law.

The law mandates that businesses have reasonable and appropriate security measures in place to protect personal data. Violations of that mandate are heavily fined and the legislators have stated that they will aggressively pursue companies that don't comply with the new law.

You are paired with a security manager and tasked with reviewing InStyle Data Corp.'s current state and advising the business how it can meet the “reasonable and appropriate security” requirement. InStyle Data Corp has grown rapidly and has not kept a data inventory or completed a data mapping. InStyle Data Corp. has also developed security-related policies ad hoc and many have never been implemented. The various teams involved in the creation and testing of InStyle Data Corp.'s products experience significant turnover and do not have well defined roles. There's little documentation addressing what personal data is processed by which product and for what purpose.

Work needs to begin on this project immediately so that InStyle Data Corp. can become compliant by the time the law goes into effect. You and your partner discover that InStyle Data Corp. regularly sends files containing sensitive personal data back to its customers, through email, sometimes using InStyle Data Corp employees personal email accounts. You also learn that InStyle Data Corp.'s privacy and information security teams are not informed of new personal data flows, new products developed by InStyle Data Corp. that process personal data, or updates to existing InStyle Data Corp. products that may change what or how the personal data is processed until after the product or update has gone live.

Through a review of InStyle Data Corp’ test and development environment logs, you discover InStyle Data Corp. sometimes gives login credentials to any InStyle Data Corp. employee or contractor who requests them. The test environment only contains dummy data, but the development environment contains personal data, including Social Security Numbers, health information, and financial information. All credentialed InStyle Data Corp. employees and contractors have the ability to alter and delete personal data in both environments regardless of their role or what project they are working on.

You and your partner provide a gap assessment citing the issues you spotted, along with recommended remedial actions and a method to measure implementation. InStyle Data Corp. implements all of the recommended security controls. You review the processes, roles, controls, and measures taken to appropriately protect the personal data at every step. However, you realize there is no plan for monitoring and nothing in place addressing sanctions for violations of the updated policies and procedures. InStyle Data Corp. pushes back, stating they do not have the resources for such monitoring.


Based on your findings regarding how data is transferred to InStyle Data Corp.’s customers, what can you do from a control perspective that is most likely to mitigate risk from this data processing activity?