What does an organization FIRST review to assure compliance with privacy requirements?
A. Best practices
B. Business objectives
C. Legal and regulatory mandates
D. Employee's compliance to policies and standards
The Answer Is:
C
Explanation:
The first thing an organization reviews to assure compliance with privacy requirements is the set of legal and regulatory mandates that apply to its business operations and data processing activities. Legal and regulatory mandates are the laws, regulations, standards, and contracts that govern how an organization must protect the privacy of personal information and the rights of data subjects. An organization must identify and understand the relevant mandates that affect its jurisdiction, industry, and data types, and implement the appropriate controls and measures to comply with them. The other options are not what an organization reviews first; they are parts of the privacy compliance program. Best practices are the recommended methods and techniques for achieving privacy objectives, but they are not mandatory or binding. Business objectives are the goals and strategies that an organization pursues to create value and competitive advantage, but they may not align with privacy requirements. Employee's compliance to policies and standards is the degree to which the organization's staff adhere to the internal rules and guidelines for privacy protection; it is a measurement and enforcement activity rather than a review activity.
References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3, p. 105; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, p. 287.