ExamGecko
Question 104 - CIPM discussion


A Human Resources director at a company reported that a laptop containing employee payroll data was lost on the train. Which action should the company take IMMEDIATELY?

A. Report the theft to law enforcement

B. Wipe the hard drive remotely

C. Report the theft to the senior management

D. Perform a multi-factor risk analysis

Suggested answer: D

Explanation:

The company should perform a multi-factor risk analysis immediately after discovering the loss of the laptop containing employee payroll data. A multi-factor risk analysis is a process of assessing the potential impact and likelihood of a data breach, taking into account various factors such as the nature, scope, context, and purpose of the processing, the type and severity of the harm that may result from the breach, the number and categories of data subjects and personal data affected, the measures taken to mitigate the risk, and any relevant legal obligations or codes of conduct. A multi-factor risk analysis can help the company determine whether the breach poses a high risk to the rights and freedoms of the data subjects, and whether it needs to notify them and/or the relevant supervisory authority without undue delay, as required by Articles 33 and 34 of the GDPR [1]. A multi-factor risk analysis can also help the company identify the root cause of the breach, evaluate the effectiveness of its existing security measures, and implement appropriate corrective actions to prevent or minimize similar incidents in the future.

[2] CIPM Body of Knowledge (2021), Domain IV: Privacy Program Operational Life Cycle, Section B: Protecting Personal Information, Subsection 2: Data Breach Incident Planning and Management

[3] CIPM Study Guide (2021), Chapter 8: Protecting Personal Information, Section 8.2: Data Breach Incident Planning and Management

[4] CIPM Textbook (2019), Chapter 8: Protecting Personal Information, Section 8.2: Data Breach Incident Planning and Management

[5] CIPM Practice Exam (2021), Question 128

[1] GDPR Articles 33 and 34

asked 22/11/2024
Zakaria Boujli