ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

During an operational risk analysis for a cloud-hosted application that will serve EU customers, engineers propose copying full production user data to a development environment located in the United States, where third-party support staff will troubleshoot incidents. Which GDPR obligation is most at risk of being violated by this plan?

Transferring EU personal data to a country outside the EEA without first implementing an approved safeguard or adequacy mechanism
Storing the replicated data unencrypted at rest in the development environment
Not notifying the supervisory authority within 72 hours if the development database is later breached
Failing to provide data subjects with their information in a portable format within the statutory time frame

Report Issue

Answer Description

The proposal would move EU residents' personal data to a country outside the European Economic Area (EEA) without mention of an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or any other lawful transfer mechanism. GDPR Chapter V (Articles 44-49) prohibits such international transfers unless appropriate safeguards are in place. Therefore, the greatest compliance risk lies in breaching GDPR restrictions on cross-border data transfers. While encryption, breach notification, and data portability are important, none of them directly address the legality of transferring personal data to a third country without safeguards, which could result in significant fines.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.