SCENARIO -
Please use the following to answer the next question:
Hi Zoe,
Thank you so much for your email. I am so glad you have jumped right into your new position as our in-house privacy professional. BastTech greatly needs your expertise. I hope you are comfortably settling into your new home in the United States after your move from the United Kingdom! Georgia is a wonderful state.
I particularly appreciate your enthusiasm in using your recent informal assessment to begin rectifying gaps in our privacy program and making sure we are in compliance with all laws. However, I also want to make sure that we are prioritizing our initiatives by spending time on the measures that are most important to our customers, our company, and the tech industry as a whole.
Specifically, I know that you are advocating for an update of our Business Continuity Disaster Response (BCDR) plan with an eye toward privacy concerns. I think this effort is something that we may be able to postpone. I'm sure that after ten years the document can be updated in spots; however, we have first-rate, experienced executive leaders that would have things well in hand in the unlikely event of a disaster.
Further, you mentioned that you would like to assess our longtime subcontractor's disaster plan through a second-party audit. Papyrus, our longtime subcontractor, does keep a great deal of personal data about our customers. However, I am not sure I understand your request and would like to discuss this further during our meeting Wednesday.
You also say that your audit uncovered some inadequacies in staff compliance with our security procedures and local laws. I just wanted to emphasize that the audit findings only need to be communicated to the executive leadership. I would rather not cause unnecessary alarm across departments.
I know you are also looking closely at the recent loss of a file belonging to a staff member in Human Resources (HR). It was an unfortunate incident, but rest assured, we handled the situation according to Georgia state law. The only difficult part was easing the concerns of our many remote employees all across the country whose data was on the computer. But I believe everything is settled. At least this stands as proof that in the event of another breach of any type, Information Security (IS) will take the lead while other departments move on with business as usual without having to get involved. Thankfully, we have taken the measure of supplementing our General Commercial Liability Insurance with cyber insurance.
Anyway, we will talk more on Wednesday. I just wanted to communicate some of my current thinking.
Thanks,
Whitney -
Interim Assistant Business Manager, BastTech.
Based on the email, what should Zoe suggest to Whitney regarding the informal audit?