Correct Answer: B
Organizations must comply with privacy principles that emphasize data retention limitations. Keeping personal data indefinitely violates privacy laws and regulations such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
Why is Indefinite Retention a Violation?
* Privacy Regulations Require Data Minimization:
  * GDPR Article 5(1)(e) states that personal data should be kept only for as long as necessary for the intended purpose.
  * IIA GTAG 4: Management of IT Auditing also advises against excessive data retention.
* Security and Risk Concerns:
  * Storing data indefinitely increases the risk of data breaches.
  * IIA Standard 2110 - Governance emphasizes the need for proper information security governance to protect personal data.
* Legal and Compliance Issues:
  * Organizations are required to define retention policies to prevent unauthorized or unnecessary storage of personal data.
Analysis of Incorrect Answers:
* A. Customers can access and update personal information when needed. (Incorrect)
  * Reason: Allowing customers to access and update their information aligns with privacy principles such as data accuracy and transparency.
* C. Customers reserve the right to reject sharing personal information with third parties. (Incorrect)
  * Reason: This supports data control rights, which is consistent with privacy standards such as opt-in and opt-out policies.
* D. The organization performs regular maintenance on customers' personal information. (Incorrect)
  * Reason: Regular maintenance (e.g., updates, corrections, deletions) enhances data accuracy and security, aligning with privacy best practices.
IIA References:
* IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing - Discusses data privacy principles.
* IIA Standard 2110 - Governance - Ensures data security and regulatory compliance.
* IIA GTAG 8: Auditing Application Controls - Covers data retention policies and privacy compliance.
* Privacy Regulations: GDPR (Article 5), CCPA (Section 1798.105) - Require organizations to delete data once it is no longer needed.
Thus, the correct answer is B. The organization retains customers' personal information indefinitely.