The best answer is C. Ensuring DPAs are in place with third-party vendors.
When a company handles personal data across multiple countries, one of the most important legal and regulatory requirements is ensuring that any third parties processing that data are contractually bound to protect it appropriately. A DPA (Data Processing Agreement) defines how a vendor may collect, process, store, share, and protect personal data. This is a key requirement in many privacy frameworks and regulations.
This matters because organizations are often still responsible for customer data even when a third-party provider handles it. A DPA helps establish:
- the roles and responsibilities of each party
- the legal basis and limits for data processing
- security and privacy obligations
- breach notification expectations
- cross-border data handling requirements
Why the other options are incorrect:
A. Storing all customer data on encrypted local servers: Encryption is important, but this alone does not ensure compliance with international privacy laws. Legal compliance involves governance, lawful processing, third-party handling, and contractual obligations.
B. Hiring a data privacy officer to review contracts: A privacy officer may be helpful or required in some situations, but simply hiring one is not as directly critical as having the actual data processing agreements in place.
D. Using strong passwords and firewalls on all endpoints: These are valuable security controls, but they are not sufficient for legal compliance with global privacy regulations.
From a Security+ perspective, privacy compliance often involves third-party risk management, contractual controls, and lawful data handling, making DPAs the most critical answer here.