Exam CISSP topic 1 question 136 discussion

Can't be A. GDPR does not prohibit storage of personal data outside the EU, but it requires appropriate safeguards if data is transferred internationally. Can't be C. GDPR recommends appropriate encryption, but does not mandate the use of specific EU-approved protocols. Can't be D/ Anonymization is encouraged but is not strictly required for every transmission; pseudonymization or encryption is often sufficient depending on risk.

A C and D all utilize ABSOLUTES in their answers where B does not and it's asking for the reasonable measure.

No way its B "think like a manager" - has to be D.

Option A states "Never store personal data of European Union citizens outside the European Union." Although the international transfer of personal data outside the EU is subject to restrictions under the General Data Protection Regulation (GDPR), the law does not strictly prohibit the storage of EU citizens' data outside the region. Rather than outright prohibiting the storage of data outside the EU, the GDPR states that when personal data is transferred outside the European Union to non-EU countries, appropriate safeguards must be implemented to ensure an adequate level of data protection. These safeguards may include standard contractual clauses, the use of approved certification instruments, or the assessment of the adequacy of the recipient country in terms of data protection.

Data masking and encryption of personal data are some of the measures that can be taken to ensure the security of personal data. However, the GDPR does not require organizations to store personal data of EU citizens only within the EU or use encryption protocols approved by the EU. In contrast, the Russian law of privacy requires companies to store personal data of Russian citizens on servers located within the territory of the Russian Federation. Failure to comply with this requirement may result in fines and other penalties. The GDPR does not impose such a requirement.

The correct answer is B. Data masking and encryption of personal data. The EU General Data Protection Regulation (GDPR) requires organizations to implement appropriate technical and organizational measures to ensure the security of personal data. Data masking and encryption are examples of such measures.

GDPR requires that all EU citizen data be stored within the EU.

Only possible regarding biz

A data owner is responsible for the data within their perimeter in terms of its collection, protection and quality.