Which of the following should be done FIRST to address privacy risk when migrating customer...

A privacy impact assessment (PIA) is a systematic process to identify and evaluate the potential privacy impacts of a system, project, program or initiative that involves the collection, use, disclosure or retention of personal data. A PIA should be done first to address privacy risk when migrating customer relationship management (CRM) data to a new system, as it would help to ensure that privacy risks are identified and mitigated before the migration is executed. A PIA would also help to ensure compliance with privacy principles, laws and regulations, and alignment with customer expectations and preferences. The other options are not as important as performing a PIA when addressing privacy risk when migrating CRM data to a new system. Developing a data migration plan is a process of defining and documenting the objectives, scope, approach, methods and steps for transferring data from one system to another, but it does not necessarily address privacy risk or impact. Conducting a legitimate interest analysis (LIA) is a process of assessing whether there is a legitimate interest for processing personal data that outweighs the rights and interests of the data subjects, but it is only applicable in certain jurisdictions and situations where legitimate interest is a valid legal basis for processing. Obtaining consent from data subjects is a process of obtaining their permission or agreement before collecting, using, disclosing or transferring their personal data for specific purposes, but it may not be required or sufficient for migrating CRM data to a new system, depending on the context and nature of the migration and the applicable laws and regulations1, p. 67 References: 1: CDPSE Review Manual (Digital Version)