A data privacy policy outlines how an organization collects, stores, processes, and protects personal data. It should comply with global data protection regulations such as GDPR, CCPA, and IIA guidelines on data security.
(1) Stipulations for deleting certain data after a specified period of time. ✅
Correct. Many data protection laws (e.g., GDPR Article 5) require organizations to delete personal data after a defined retention period to reduce data breach risks.
(2) Guidance on acceptable methods for collecting personal data. ✅
Correct. A privacy policy must define legal and ethical ways to collect personal data (e.g., user consent, lawful processing).
(3) A requirement to retain personal data indefinitely to ensure a complete audit trail. ❌
Incorrect. Retaining personal data indefinitely violates most data privacy regulations (e.g., GDPR Right to Be Forgotten). Data must be stored only for as long as necessary.
(4) A description of what constitutes appropriate use of personal data. ✅
Correct. A privacy policy should clearly define how collected data can and cannot be used to prevent misuse and ensure compliance.
IIA GTAG – "Auditing Privacy Risks"
IIA Standard 2110 – Governance (Data Protection & Privacy)
GDPR (General Data Protection Regulation) – Articles 5 & 17 (Data Retention & Deletion)
Analysis of Answer Choices:IIA References:Thus, the correct answer is C (1, 2, and 4 only) because data should not be retained indefinitely, and the policy must include data collection, retention, and appropriate usage guidelines.
