What is the BEST way for an IS auditor to address the risk associated with over-retention of personal data after identifying a large number of customer records retained beyond the retention period defined by law?
Click on the arrows to vote for the correct answer
A. B. C. D.A.
When an IS auditor identifies a large number of customer records retained beyond the retention period defined by law, it represents a significant risk for the organization. In such a situation, the auditor's role is to recommend the best way to address the risk associated with over-retention of personal data.
Option A, recommending automating deletion of records beyond the retention period, is a valid response. By automating the deletion process, the organization can ensure that data is deleted promptly and in compliance with legal requirements. This option is appropriate when the organization has the technical capability to automatically delete data without risking data loss or system downtime.
Option B, scheduling regular internal audits to identify records for deletion, is also a valid response. Regular audits can help the organization identify data that needs to be deleted, and ensure that it is done in a timely manner. However, this option may not be the best approach if the retention period noncompliance represents a significant risk, and urgent action is needed.
Option C, reporting the retention period noncompliance to the regulatory authority, is also a valid response. However, it should be considered only if the organization's noncompliance with the retention period is significant, and there is a potential for regulatory penalties. Reporting the issue to the regulatory authority should be done only after the organization has made every effort to address the issue internally.
Option D, escalating the over-retention issue to the data privacy officer for follow-up, is a valid response when there is a data privacy officer in the organization. The data privacy officer can work with the relevant stakeholders to determine the best way to address the issue, and ensure that the organization is in compliance with legal requirements. However, this option may not be sufficient if the issue is urgent, and immediate action is needed.
In summary, the BEST way for an IS auditor to address the risk associated with over-retention of personal data is to recommend automating deletion of records beyond the retention period, as long as the organization has the technical capability to do so. If not, scheduling regular internal audits to identify records for deletion may be a better option. Reporting the retention period noncompliance to the regulatory authority should be considered only if the noncompliance is significant, and the organization has made every effort to address the issue internally. Finally, escalating the over-retention issue to the data privacy officer for follow-up is a valid option when there is a data privacy officer in the organization.