CISM Certified Information Security Manager – Question0061

An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:

A. corporate data privacy policy.
B. data privacy policy where data are collected.
C. data privacy policy of the headquarters' country.
D. data privacy directive applicable globally.

Correct Answer: B

Explanation:

As a subsidiary, the local entity must comply with the law of the country in which the data are collected, and senior management is accountable for that legal compliance. A corporate policy is an internal document and cannot override local law. Because local regulations differ from those of the country in which the organization is headquartered, it is unlikely that a single group-wide policy will address every local legal requirement. For data collected locally (and possibly later transferred to a country with a different data privacy regime), the law of the country of collection applies, not the law of the head office's country. Data privacy laws are country-specific.