• Home
• Isaca Exams
• CDPSE - Certified Data Privacy Solutions Engineer

CDPSE Isaca Practice Test Questions and Exam Dumps

Question 1
What is the most important factor a multinational company should consider when implementing a user and entity behavior analytics (UEBA) system for monitoring unusual employee behavior across multiple countries?

A. Cross-border data transfer
B. Support staff availability and skill set
C. User notification
D. Global public interest

Correct Answer: A

Explanation:

When a multinational organization deploys a user and entity behavior analytics (UEBA) tool, it involves centralizing data collected from multiple geographic regions. UEBA tools are designed to detect unusual behavior by analyzing patterns of user and system activity, and to do this effectively, they often require the aggregation of large volumes of user data from different business units across the globe. This raises significant concerns, particularly about how personal or behavioral data is transferred and processed across borders.

Let’s examine each option:

Option A: Cross-border data transfer
This is the correct answer. The primary concern for multinational organizations using UEBA tools is ensuring compliance with international data protection laws, especially when data is transferred between countries. Cross-border data transfer involves legal, privacy, and regulatory challenges, especially with laws such as the General Data Protection Regulation (GDPR) in the European Union, which strictly regulates the transfer of personal data outside the EU/EEA. Some countries have data sovereignty laws that require personal data to be stored or processed within national boundaries. Failing to account for these legal requirements can expose an organization to severe penalties, lawsuits, and reputational harm. Therefore, before deploying a UEBA solution, a company must first assess whether international data transfer mechanisms (such as Standard Contractual Clauses or Binding Corporate Rules) are in place and legally valid.

Option B: Support staff availability and skill set
While having trained staff to support a UEBA deployment is important for the tool’s effective use and ongoing maintenance, it is not the primary concern. This is an operational issue, not a legal or regulatory one. If an organization lacks the necessary internal expertise, it can be outsourced or developed over time. This makes it secondary compared to the immediate legal implications of transferring and analyzing employee data internationally.

Option C: User notification
Notifying users that their behavior is being monitored may be a legal or ethical requirement in some jurisdictions, but it is part of a broader compliance strategy. However, data protection laws typically place a stronger emphasis on how data is handled and transferred than on notification alone. Moreover, some monitoring can be done transparently or anonymized, depending on local laws, which reduces the emphasis on individual notification as the primary concern.

Option D: Global public interest
This is too vague and broad to be the primary concern. While acting in the public interest can be part of an organization’s mission or values, UEBA deployment is about internal risk management and security, not about serving the global public. This option lacks direct relevance to the technical and legal realities of UEBA implementation.

In conclusion, while many considerations are involved in deploying a UEBA tool across borders, cross-border data transfer is the most critical due to the complex patchwork of international data privacy regulations. Ensuring lawful, secure, and compliant data flows is foundational to the success and legality of the monitoring effort.

Question 2
When performing a privacy impact assessment (PIA), what is the most important factor to consider first?

A. The applicable privacy legislation
B. The quantity of information within the scope of the assessment
C. The systems in which privacy-related data is stored
D. The organizational security risk profile

Correct Answer: A

Explanation:

A Privacy Impact Assessment (PIA) is a systematic process for evaluating the impact that a project or system might have on the privacy of individuals whose data is being collected, processed, or stored. The goal of a PIA is to identify privacy risks and ensure compliance with privacy requirements.

Among the several aspects that must be considered in a PIA, the first and most foundational step is to understand the legal and regulatory framework that governs privacy in the jurisdiction(s) involved.

Let’s analyze each option in detail:

Option A: The applicable privacy legislation
This is the correct answer. The first step in any PIA should be to identify the applicable privacy laws and regulations that apply to the system or project being assessed. These could include national laws (like HIPAA in the U.S., GDPR in the EU, or PIPEDA in Canada), sector-specific regulations, or international data protection agreements. Knowing the legal landscape provides the baseline requirements for what constitutes compliance and what privacy risks must be mitigated. Without understanding the laws that apply, any subsequent analysis would be misguided or incomplete. For instance, GDPR has very specific mandates on lawful processing, data minimization, and subject rights—requirements that would significantly influence the outcome of a PIA.

Option B: The quantity of information within the scope of the assessment
While the volume of data can affect the scale and severity of a privacy risk, it is not the first thing to evaluate. Knowing the type of information (e.g., personal data, sensitive data) and its legal categorization under relevant legislation is more important than the amount. Volume matters more during risk quantification, which occurs after you’ve identified the legal framework and data types.

Option C: The systems in which privacy-related data is stored
Understanding where and how data is stored is certainly important, particularly for identifying potential technical vulnerabilities and security risks, but this step comes after defining the legal context and scope. You cannot properly assess risks in a system without first knowing what laws and data protection principles apply.

Option D: The organizational security risk profile
This relates more to overall cybersecurity posture and might be assessed later when evaluating how well privacy protections are supported by technical controls. While relevant to data protection, it’s more indirect when compared to a direct understanding of privacy-specific obligations under law.

Question 3
Which option best describes the process of using privacy threat modeling as a methodology?

A. Mitigating inherent risks and threats associated with privacy control weaknesses
B. Systematically eliciting and mitigating privacy threats in a software architecture
C. Reliably estimating a threat actor’s ability to exploit privacy vulnerabilities
D. Replicating privacy scenarios that reflect representative software usage

Correct Answer: B

Explanation:

Privacy threat modeling is a structured methodology used to identify, evaluate, and mitigate threats to personal data within a system, particularly during its design and development phases. It is a proactive approach that allows privacy risks to be identified early, typically as part of a privacy-by-design framework.

The key word in the question is methodology, which implies a systematic process, not just an isolated action like estimating threats or simulating usage. This narrows the correct answer to the one that most accurately defines the structured approach to modeling privacy threats.

Let’s analyze each option:

Option A: Mitigating inherent risks and threats associated with privacy control weaknesses
This option sounds plausible but is not fully accurate as a definition of privacy threat modeling methodology. It focuses only on mitigation and control weaknesses, which are part of the broader privacy risk management process. Threat modeling, however, is not limited to inherent weaknesses or to the mitigation step—it begins with identification and analysis of threats, followed by mitigation strategies. Therefore, this description is too narrow and misses the systematic and architectural focus of threat modeling.

Option B: Systematically eliciting and mitigating privacy threats in a software architecture
This is the correct answer. It correctly captures both the structured nature ("systematically") and the technical scope ("in a software architecture") of privacy threat modeling. This process includes identifying what personal data is collected, how it's processed, where it flows, and what could go wrong—all within the context of how the system is architected. The phrase “eliciting and mitigating privacy threats” aligns directly with well-established threat modeling frameworks (such as LINDDUN), which are used to identify threats such as linkability, identifiability, non-repudiation, detectability, information disclosure, and more.

Option C: Reliably estimating a threat actor’s ability to exploit privacy vulnerabilities
This option focuses on threat actor capability estimation, which is typically part of a cybersecurity risk assessment, not privacy threat modeling specifically. While evaluating potential exploitation paths is a component of threat analysis, the methodology of privacy threat modeling is broader and includes identifying threats systematically, often before implementation. This answer focuses too narrowly on attacker profiling, making it a subset of threat assessment, not a full methodology.

Option D: Replicating privacy scenarios that reflect representative software usage
This option refers more to testing or simulation, which might occur during user acceptance testing or usability analysis, rather than during the threat modeling phase. Privacy threat modeling does not depend on replicating user behavior scenarios but rather focuses on mapping out data flows and evaluating where risks may occur. Therefore, this is not the best representation of privacy threat modeling methodology.

In summary, privacy threat modeling is a proactive, systematic process that analyzes how a software system’s architecture and data flows can introduce risks to personal data. It starts with understanding the system, identifying privacy threats, analyzing their potential impact, and implementing controls to mitigate them. This is best captured in option B.

Question 4
An organization is building a register to record how personal data is processed. Which category should include details about how long personal data is kept and the related controls?

A. Data archiving
B. Data storage
C. Data acquisition
D. Data input

Correct Answer: A

Explanation:

A personal data processing register, often required under regulations such as the General Data Protection Regulation (GDPR), helps organizations document how they handle personal data. This register includes details such as the purposes of processing, categories of data subjects, types of personal data, data recipients, and—critically—the retention period for each category of data.

Understanding which category best describes controls over how long data is retained is essential for meeting compliance obligations and minimizing risks associated with storing personal data unnecessarily.

Let’s evaluate each option:

Option A: Data archiving
This is the correct answer. Data archiving refers to the long-term storage of data that is no longer actively used but must be retained for legal, regulatory, or business purposes. This is where controls relating to data retention periods are typically documented. When data reaches the end of its active use, it is often archived instead of deleted immediately, especially if there are legal requirements to retain it for a specified period. The retention policy defines how long archived data must be kept before it can be deleted, making this category directly relevant to the question.

Including archiving information in a data processing register allows organizations to demonstrate that they are handling data responsibly, only keeping it for as long as needed, and ensuring secure storage until it can be destroyed or anonymized. In privacy regulations, data minimization and storage limitation principles require that personal data should not be kept longer than necessary for the purpose for which it was collected. Therefore, controls around data archiving are essential to support compliance.

Option B: Data storage
While this option might seem relevant at first glance, data storage generally refers to the current or active state of how and where data is stored, such as in databases or file systems. It does not typically include information about retention periods or how data will be handled once it is no longer needed. Data storage focuses more on technical infrastructure, security controls, and access management rather than the lifecycle management of data from a privacy standpoint.

Option C: Data acquisition
This refers to the collection or gathering of data from various sources, which occurs at the beginning of the data lifecycle. While acquisition must also comply with data protection requirements (e.g., lawful basis, transparency), it is unrelated to the retention or deletion of data. Therefore, it is not the appropriate category for documenting retention controls.

Option D: Data input
This refers to the act of entering data into a system, such as filling out a form or submitting personal information through a website. Like data acquisition, this category concerns the early stage of data processing and has no bearing on how long data is kept or how it is archived. Retention policies are not part of the data input phase.

In summary, data archiving is the part of the data lifecycle where retention controls are applied and monitored. It directly relates to the storage limitation principle, which mandates that personal data should be retained no longer than necessary. Organizations must carefully document these controls in their personal data processing registers to demonstrate accountability and legal compliance.

Question 5
When data is collected by a third-party vendor and returned to an organization, and there’s concern that it may not be protected according to the organization’s privacy notice, what is the best way to address the issue?

A. Review the privacy policy.
B. Obtain independent assurance of current practices.
C. Re-assess the information security requirements.
D. Validate contract compliance.

Correct Answer: D

Explanation:

When an organization relies on a third-party vendor to collect or process personal data on its behalf, there is a risk that the vendor’s data handling practices may not align with the organization’s privacy commitments, such as those outlined in the organization’s privacy notice to users or customers. The privacy notice is a formal declaration of how the organization collects, uses, shares, and protects personal data—and it creates expectations that must be met not only internally but also by any external partners or processors.

In this context, the best way to address the concern is to ensure that the vendor’s actual practices are contractually obligated to comply with the organization’s privacy requirements. That means the data protection obligations must be clearly spelled out in the contract, and the organization must validate that the vendor is in compliance with those terms.

Let’s examine the options:

Option A: Review the privacy policy
While reviewing the organization’s privacy policy (or privacy notice) may be helpful to understand the commitments made to data subjects, doing so does not address the concern directly. The issue is that the third-party vendor may not be honoring these commitments. Simply reviewing internal documents won’t resolve that gap. What’s needed is a mechanism to ensure the vendor’s practices align with the policy.

Option B: Obtain independent assurance of current practices
Obtaining an external or third-party audit or certification can provide a level of confidence in the vendor’s data handling practices. However, this is a secondary measure that might not be enforceable or detailed enough to ensure alignment with your organization’s specific privacy notice. It’s useful, but not as direct or binding as a contract.

Option C: Re-assess the information security requirements
While this might be part of a broader risk management review, information security requirements usually focus on technical safeguards like encryption, access control, and network security. These are important but do not fully address privacy commitments, which may include restrictions on data use, sharing, location, or retention. This option is not focused enough on privacy notice compliance.

Option D: Validate contract compliance
This is the correct answer. Contracts with third-party vendors should include data protection clauses that reflect the organization’s privacy notice, including how data is to be collected, processed, stored, transferred, and deleted. The best way to ensure that the vendor adheres to these commitments is to validate that the vendor is in compliance with those contract terms. This could involve contract reviews, audits, or requesting documentation of processes and procedures.

Most privacy regulations—such as the GDPR, CCPA, and HIPAA—require organizations to have Data Processing Agreements (DPAs) or similar contractual arrangements with third parties to ensure that data processors handle personal data in accordance with legal obligations. These contracts create enforceable obligations, and validating compliance is a critical control.

In conclusion, while reviewing policies, reassessing security, and obtaining assurances all have value, validating contract compliance is the most direct and effective method for ensuring that third-party vendors handle data in a manner consistent with the organization’s privacy commitments.

Question 6
When designing a role-based access control (RBAC) model for a new application, which principle is most critical to protect data privacy?

A. Segregation of duties
B. Unique user credentials
C. Two-person rule
D. Need-to-know basis

Correct Answer: D

Explanation:

Role-based access control (RBAC) is a common and efficient method of managing user permissions within applications, particularly those that handle sensitive or personal information. One of the primary goals of RBAC is to minimize unnecessary access to data, which directly aligns with data privacy principles.

Among the choices listed, the “need-to-know” basis is the most closely aligned with privacy protection. This principle means that users should only have access to the information that is necessary for them to perform their job responsibilities—nothing more, nothing less. It is a cornerstone of data minimization, a key concept in most privacy regulations and frameworks such as the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and NIST Privacy Framework.

Let’s break down each option:

Option A: Segregation of duties
This is a security and governance control that ensures no single person has full control over all critical aspects of a process, to reduce the risk of fraud or error. While it helps in maintaining accountability and controlling operational risk, it’s more aligned with financial controls and process integrity than with ensuring personal data privacy. It’s relevant to internal control frameworks like COSO or SOX but not the most direct principle for data privacy within an RBAC model.

Option B: Unique user credentials
Having unique credentials ensures that user activities can be individually tracked, supporting auditability and accountability. This is indeed an important principle in both privacy and security. However, it doesn’t directly enforce restrictions on data access—it ensures traceability but not access limitation. So while valuable, it’s not as crucial for enforcing data minimization as the need-to-know principle.

Option C: Two-person rule
This principle requires that two authorized individuals must approve or execute a certain task before it can proceed. It is commonly used in high-risk environments, such as nuclear command systems, or in financial processes to prevent fraud. Although it can strengthen oversight, it is not particularly relevant to the RBAC model in the context of personal data access control. It’s about process control, not granular data access restrictions.

Option D: Need-to-know basis
This is the correct answer. The need-to-know principle is at the core of privacy-preserving access design. It ensures that roles are defined in a way that grants access only to the data required for users to perform their duties. For example, a customer support representative might need access to contact information but not to full payment details. Limiting access on a need-to-know basis directly supports compliance with the principle of least privilege and data minimization, both of which are foundational in privacy and security best practices.

In summary, when designing role-based access, protecting privacy hinges on limiting access to only what is essential. Among all the choices, only need-to-know directly enforces this principle. It helps ensure that personal or sensitive data is not unnecessarily exposed to users, thereby reducing privacy risks and supporting regulatory compliance.

Question 7
What is the first thing that should be determined before a privacy office begins creating a data protection and privacy awareness campaign?

A. Detailed documentation of data privacy processes
B. Strategic goals of the organization
C. Contract requirements for independent oversight
D. Business objectives of senior leaders

Correct Answer: D

Explanation:

Before a privacy office initiates a data protection and privacy awareness campaign, it is essential that the campaign aligns with the organization’s direction, priorities, and business needs. This makes it critical to start by understanding the business objectives of senior leaders, as these goals drive the strategic agenda, resource allocation, and overall tone of corporate culture.

A data privacy awareness campaign will be most effective when it is tailored to support the goals of top leadership, whether those goals relate to regulatory compliance, customer trust, data innovation, or risk reduction. The campaign should not operate in a vacuum. If it is disconnected from the broader business context, it risks being seen as irrelevant, underfunded, or ignored by stakeholders.

Let’s analyze each of the answer choices:

Option A: Detailed documentation of data privacy processes
While this is important and can help provide content for an awareness campaign, it is not the logical starting point. Awareness campaigns are about engaging people—particularly non-privacy professionals—around the importance of protecting data. To make that message effective, it must be aligned with higher-level business goals, not technical or procedural documentation. This can be developed or refined later as the campaign matures.

Option B: Strategic goals of the organization
This is close to the correct answer and certainly relevant. However, strategic goals are often general (such as “expand into new markets” or “improve customer satisfaction”), whereas the business objectives of senior leaders are more specific, current, and actionable. Understanding the top leadership’s concrete objectives allows the privacy team to link privacy awareness directly to business impact—such as improving trust, reducing risk, or enabling data-driven growth. Therefore, while strategic goals are important, business objectives of senior leaders provide a more targeted and effective foundation for a campaign.

Option C: Contract requirements for independent oversight
This refers to external accountability mechanisms, such as audits or regulatory assessments. These requirements may influence the scope or urgency of a privacy program but are not the first concern when developing an internal awareness campaign. Awareness efforts are focused on internal education and behavior change. Contractual obligations may justify a campaign’s existence, but they do not define its content or messaging.

Option D: Business objectives of senior leaders
This is the correct answer. Understanding the specific priorities of leadership allows the privacy office to develop a campaign that resonates across departments and is viewed as a strategic enabler rather than a compliance burden. For instance, if the CEO is focused on expanding into the EU market, the awareness campaign can emphasize GDPR readiness. If the CFO is focused on reducing risk, the campaign can highlight costs associated with data breaches. Tailoring the message to leadership’s business goals increases buy-in and ensures the campaign supports broader organizational success.

In summary, while many elements contribute to a successful privacy awareness campaign, starting with the business objectives of senior leaders ensures alignment, relevance, and executive support, making it the most important first step.

Question 8
Which of the following features should be included in an organization's technology stack to fulfill privacy obligations that grant individuals control over their personal data?

A. Providing system engineers the ability to search and retrieve data
B. Allowing individuals to have direct access to their data
C. Allowing system administrators to manage data access
D. Establishing a data privacy customer service bot for individuals

Correct Answer: B

Explanation:

Modern privacy regulations, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other data protection frameworks, give individuals several enforceable rights over their personal data. These rights—often called data subject rights—include the right to access, correct, delete, and restrict processing of their personal information.

To comply with these legal obligations, an organization must ensure that individuals can exercise control over their personal data in a direct, transparent, and user-friendly way. This includes enabling individuals to access their data without depending on intermediaries, which is the core of option B.

Let’s analyze each of the options:

Option A: Providing system engineers the ability to search and retrieve data
While system engineers need technical capabilities to manage and support data platforms, giving them the ability to search and retrieve data does not address the privacy rights of individuals. In fact, excessive access by engineers may raise security and privacy concerns. It does not empower data subjects, but rather supports internal operations.

Option B: Allowing individuals to have direct access to their data
This is the correct answer. Granting individuals direct access to their personal data via secure portals or interfaces enables organizations to comply with data subject access requests (DSARs). This capability directly supports the right of access, as well as potentially the right to data portability, correction, or erasure. For example, a user logging into a dashboard where they can view, download, or delete their personal data is a direct implementation of these rights.

This approach also reduces administrative burden on the organization and enhances transparency, which builds trust with users. More importantly, it ensures regulatory compliance with privacy laws that mandate user autonomy over personal data.

Option C: Allowing system administrators to manage data access
System administrators play a critical role in enforcing access controls, ensuring least privilege, and securing data infrastructure. However, this function is internal and does not directly fulfill the rights of individuals. It is more about internal governance and system integrity than enabling user-facing privacy controls.

Option D: Establishing a data privacy customer service bot for individuals
While this could enhance customer experience and automate responses to privacy-related queries, it is more of a support mechanism than a core privacy feature. A chatbot might assist individuals in submitting access requests or learning about privacy policies, but it does not itself fulfill the requirement of user control over personal data. At most, it acts as a facilitator.

To summarize, data privacy regulations increasingly require organizations to embed user control into technology systems. This means building features that allow data subjects to see, download, update, or delete their information without complex manual intervention. Therefore, direct access by individuals is not only the most practical and scalable solution—it’s also a regulatory expectation.

Question 9
What is the most significant concern for an organization subject to cross-border data transfer laws when using a cloud provider for data storage and processing?

A. The service provider has denied the organization’s request for right to audit.
B. Personal data stored on the cloud has not been anonymized.
C. The extent of the service provider’s access to data has not been established.
D. The data is stored in a region with different data protection requirements.

Correct Answer: D

Explanation:

When an organization subject to cross-border data transfer regulations uses a cloud service provider (CSP) to store and process data, the jurisdiction where the data is stored becomes one of the most critical issues to manage. These regulations, including the European Union’s General Data Protection Regulation (GDPR) and various international equivalents, place strict controls on transferring personal data outside of a region unless certain adequacy, safeguards, or legal mechanisms are in place.

This makes Option D the greatest concern: if data is stored in a country that has different (or weaker) data protection requirements, the organization may be in violation of data protection laws, potentially facing significant legal, financial, and reputational consequences.

Let’s examine the implications and relevance of each option:

Option A: The service provider has denied the organization’s request for right to audit
While this is a legitimate contractual and oversight issue, it is primarily a concern related to governance, risk management, and compliance monitoring. It does affect an organization’s ability to verify how data is handled but does not immediately suggest a breach of cross-border data transfer regulations. In contrast, storing data in a region with conflicting privacy laws could automatically breach legal requirements.

Option B: Personal data stored on the cloud has not been anonymized
This is also a valid concern, especially for privacy and data minimization. However, most data protection laws (like GDPR) apply to personal data, and anonymization is one way to mitigate regulatory risk—but not always a requirement. Many organizations process personal data in identifiable form legally, as long as they follow proper legal bases and apply appropriate safeguards. The location of the data, however, is often a non-negotiable regulatory constraint, especially with regard to adequacy decisions and standard contractual clauses.

Option C: The extent of the service provider’s access to data has not been established
This refers to the lack of transparency or clarity in data access privileges. While this can raise concerns about unauthorized access, data leakage, or security risks, it is less specific to the cross-border transfer issue than the data’s physical or legal location. Regulatory frameworks often allow data processors (like cloud providers) to access data under strict controls—as long as the data remains in a compliant jurisdiction.

Option D: The data is stored in a region with different data protection requirements
This is the correct answer and the most direct legal risk. Cross-border data transfers are heavily scrutinized under laws such as GDPR, which prohibits the transfer of personal data to countries without adequate protections unless appropriate safeguards (e.g., standard contractual clauses or binding corporate rules) are in place. For instance, transferring EU citizen data to a country like the United States (absent appropriate mechanisms) can lead to non-compliance. This concern is exacerbated by differing national laws, such as surveillance regimes or data localization mandates.

In summary, while operational controls like auditing rights, data access transparency, and anonymization are all important, regulatory compliance starts with ensuring that data isn't stored in or transferred to jurisdictions that lack adequate data protections. Cross-border data transfer laws are primarily concerned with where the data resides, making Option D the greatest concern in this context.

Question 10
When setting up information systems to handle the communication and transmission of personal data, what should an organization do?

A. Adopt the default vendor specifications.
B. Review configuration settings for compliance.
C. Implement the least restrictive mode.
D. Enable essential capabilities only.

Correct Answer: B

Explanation:

Organizations that collect, store, transmit, or process personal data have a responsibility to ensure that their information systems are configured in a way that upholds privacy and data protection regulations such as the GDPR, CCPA, or other regional laws. One of the most critical tasks during system implementation is reviewing and adjusting configuration settings to align with these compliance requirements.

Option B, which involves reviewing configuration settings for compliance, is the correct answer because it reflects a proactive, risk-based approach. Default configurations may not be secure or privacy-preserving by design, and therefore require evaluation and, if necessary, modification to ensure:

• Encryption is enabled for data in transit and at rest.

• Access controls are correctly enforced.

• Logging and auditing functions are in place.

• Data minimization and purpose limitation principles are followed.

This review ensures that the system's operational behaviors do not violate privacy regulations and that the configuration supports organizational policies for protecting personal data.

Now let’s examine the other options:

Option A: Adopt the default vendor specifications
This is not recommended for systems handling personal data. Default configurations are typically designed for broad functionality and ease of use, not security or compliance. For example, default admin passwords, open ports, or non-encrypted communication channels can pose serious risks. Regulatory guidance often warns organizations against relying on default settings, especially when dealing with sensitive or regulated data.

Option C: Implement the least restrictive mode
This goes against the principle of least privilege and privacy by design. The least restrictive mode might enable broad access, unencrypted communication, or reduced audit logging, which could expose personal data to unnecessary risk. From a compliance standpoint, systems must enforce access limitations and security controls proportional to the sensitivity of the data they handle.

Option D: Enable essential capabilities only
While this aligns with minimalism and reducing the attack surface, the phrase is too vague and incomplete without the broader context of compliance review. What is considered "essential" could vary, and this approach might overlook necessary legal requirements. For instance, enabling only essential features without verifying encryption or secure communication protocols may result in non-compliance with privacy mandates.

In summary, system configurations must be deliberately reviewed and tailored to ensure they align with data protection laws, security best practices, and organizational privacy policies. Organizations should not assume vendor defaults are compliant or that restricting features is sufficient. Instead, a thorough compliance-focused review allows the organization to identify gaps, mitigate risks, and ensure legal obligations are met—making Option B the most accurate and responsible choice.