PDPA · Singapore

PDPA Practice Quiz Bank

75 MCQs with answers


PDPA Quiz Bank Singapore PDPA

Practice quiz built from the Singapore PDPA Practice Question Bank. It covers Data Breach Management, DPIA, DPMP, and Risk Management across foundational, intermediate, and advanced scenario questions.


Foundational Q1-Q25

25 multiple-choice questions from foundational level.

Breach Quiz Q1-Q7

7 questions covering Data Breach Management. Source range: Q1-Q7.

Answer distribution: A: 0, B: 4, C: 3, D: 0.


Q1. Under the PDPA, within how many calendar days must an organisation notify the PDPC of a notifiable data breach after assessing it to be notifiable?
A 24 hours
B 3 calendar days
C 30 days
D 72 hours
Q2. A data breach is “notifiable” if it meets either of two thresholds. One is “significant harm to affected individuals.” What is the other?
A The breach involves more than 50 individuals
B The breach is of a significant scale (affects 500 or more individuals)
C The breach occurred outside Singapore
D The breach involves financial data only
Q3. When an organisation assesses that a breach is likely to result in significant harm to individuals, it must notify:
A Only the PDPC
B Only the police
C Both the PDPC and the affected individuals
D Only its insurer
Q4. What is the FIRST priority action when a data breach is discovered?
A Notify the media
B Contain the breach to limit further unauthorised access or loss
C Pay compensation to individuals
D Delete all logs
Q5. Which document outlines an organisation's procedures for detecting, assessing, and responding to a data breach?
A Data Protection Notice
B Data Breach Management / Incident Response Plan
C Consent form
D Privacy policy of a third party
Q6. Which of the following is generally NOT considered “significant harm” triggering individual notification on its own?
A Disclosure of NRIC numbers
B Disclosure of financial / bank account information
C Disclosure of a publicly listed business contact number
D Disclosure of health/medical information
Q7. If a data intermediary discovers a breach affecting personal data it processes on behalf of another organisation, it must:
A Notify the PDPC directly
B Notify the affected individuals directly
C Notify the organisation (the controller) without undue delay
D Take no action — it is not responsible

DPIA Quiz Q8-Q13

6 questions covering Data Protection Impact Assessment (DPIA). Source range: Q8-Q13.

Answer distribution: A: 1, B: 4, C: 1, D: 0.


Q8. A DPIA is best described as:
A A financial audit of the organisation
B A risk-based assessment that identifies, assesses, and addresses personal data protection risks
C A marketing analysis tool
D A mandatory annual tax filing
Q9. When is a DPIA most appropriately conducted?
A After a system has gone live and a breach has occurred
B Before deploying a new system or making material changes to how personal data is handled
C Only when the PDPC requests it
D Only after receiving a complaint
Q10. Which factor would most strongly indicate that a DPIA should be initiated?
A The project involves no personal data
B The processing involves sensitive personal data or operates at large scale
C The project uses only anonymised public data
D The project has a small budget
Q11. In the PDPC's DPIA guide, the sample DPIA questionnaire (Annex B) typically captures which three elements per item?
A Question, response/description, and evidence/source
B Cost, deadline, and owner
C Revenue, profit, and loss
D Name, NRIC, and address
Q12. A key benefit of conducting a DPIA is that it helps an organisation:
A Avoid paying corporate tax
B Demonstrate accountability and reduce the likelihood of non-compliance before processing begins
C Bypass the consent obligation
D Eliminate the need for a DPO
Q13. Which phase is typically the FINAL step in a DPIA lifecycle?
A Identifying personal data flows
B Assessing risks
C Implementing and monitoring the risk-mitigation measures
D Scoping the project

DPMP Quiz Q14-Q19

6 questions covering Data Protection Management Programme (DPMP). Source range: Q14-Q19.

Answer distribution: A: 2, B: 4, C: 0, D: 0.


Q14. A Data Protection Management Programme (DPMP) is primarily intended to help an organisation:
A Increase advertising revenue
B Establish policies, processes, and governance to systematically comply with the PDPA
C Replace the need for staff training
D Avoid appointing a DPO
Q15. Which of the following is a core component of a DPMP?
A Governance structure and a designated DPO
B A company stock buy-back plan
C A competitor pricing model
D An external marketing agency contract
Q16. Under the Accountability Obligation, organisations must:
A Keep all data protection practices secret
B Develop and implement data protection policies and make information about them available
C Only document policies if a breach occurs
D Delegate all responsibility to customers
Q17. The PDPC's “PATO” tool refers to:
A PDPA Assessment Tool for Organisations (a self-assessment questionnaire)
B Personal Account Transfer Order
C Public Audit of Telecom Operators
D Privacy Act Tax Obligation
Q18. A data inventory map within a DPMP is used to:
A Track employee attendance
B Document what personal data is collected, where it is stored, and how it flows
C Record competitor data only
D List the organisation's physical assets
Q19. Which obligation requires an organisation to appoint at least one individual responsible for ensuring PDPA compliance?
A Consent Obligation
B Accountability Obligation (appointment of a DPO)
C Notification Obligation
D Retention Limitation Obligation

Risk Quiz Q20-Q25

6 questions covering Risk Management. Source range: Q20-Q25.

Answer distribution: A: 4, B: 2, C: 0, D: 0.


Q20. In data protection risk management, “risk” is generally assessed as a combination of:
A Likelihood of occurrence and severity of impact
B Revenue and headcount
C Brand colour and logo
D Office location and size
Q21. Third-Party Risk Management (TPRM) under the PDPA is most concerned with:
A Risks arising from vendors / data intermediaries handling personal data
B Risks from currency fluctuations
C Physical building maintenance
D Marketing campaign performance
Q22. When engaging a data intermediary, an organisation should primarily manage risk by:
A Avoiding any written agreement
B Imposing contractual obligations requiring the intermediary to protect personal data
C Sharing all passwords openly
D Transferring all legal liability to the individual
Q23. Which of the following is a recognised risk-treatment strategy?
A Mitigate, transfer, avoid, or accept the risk
B Ignore, hide, deny, or delay
C Outsource all data to the public
D Delete all compliance records
Q24. The Protection Obligation requires organisations to make reasonable security arrangements. This is an example of which risk-treatment approach?
A Risk acceptance
B Risk mitigation (applying controls/safeguards)
C Risk transfer
D Risk avoidance
Q25. Regular review and monitoring of data protection controls is important because:
A Risks evolve over time as systems, data, and threats change
B The PDPA only applies once
C Controls never need updating once set
D It eliminates the need for a DPMP

Intermediate Q26-Q50

25 multiple-choice questions from intermediate level.

Breach Quiz Q26-Q32

7 questions covering Data Breach Management. Source range: Q26-Q32.

Answer distribution: A: 2, B: 5, C: 0, D: 0.


Q26. Mandatory data breach notification became a legal obligation under the PDPA following which amendment?
A PDPA (Amendment) Act 2020, in force 1 Feb 2021
B PDPA original enactment 2012
C Computer Misuse Act 2017
D Spam Control Act 2007
Q27. An organisation must conduct a breach assessment in a “reasonable and expeditious” manner. This means it should:
A Take as long as it wants
B Assess whether the breach is notifiable as soon as practicable after becoming aware
C Wait until the next financial year
D Only assess if an individual complains
Q28. Which is an example of a data breach caused by human error?
A A ransomware attack by an external hacker
B An employee emailing a customer list to the wrong recipient
C A natural disaster destroying a server
D A vendor's certified secure deletion
Q29. When notifying affected individuals of a breach, the notification should generally include:
A The organisation's annual revenue
B How the breach occurred, the data involved, and steps individuals can take to protect themselves
C The names of all other affected organisations
D The CEO's personal contact details
Q30. An organisation does NOT need to notify affected individuals if:
A It has taken remedial action that renders the significant harm unlikely, or the data was encrypted/protected
B It simply prefers not to
C The breach happened on a weekend
D Fewer than 10 staff are employed
Q31. Failure to comply with the data breach notification obligation can result in:
A No consequences
B Financial penalties imposed by the PDPC
C Automatic imprisonment of all staff
D Loss of company registration only
Q32. Keeping a breach register/log is recommended because it:
A Is required for tax filing
B Demonstrates accountability and supports investigation and reporting
C Replaces the need to notify the PDPC
D Is used for marketing analytics

DPIA Quiz Q33-Q38

6 questions covering Data Protection Impact Assessment (DPIA). Source range: Q33-Q38.

Answer distribution: A: 2, B: 4, C: 0, D: 0.


Q33. A company wants to deploy a new IT system that processes large volumes of personal data. The strongest reason to run a DPIA is:
A It is expensive
B The new system is high-risk and processes large volumes of personal data
C Employees may dislike change
D DPIAs are legally mandatory for all systems
Q34. Mapping personal data flows during a DPIA helps to:
A Identify where data is collected, used, disclosed, stored, and the associated risks
B Calculate corporate income tax
C Determine office seating arrangements
D Set product prices
Q35. Which stakeholders should ideally be involved in a DPIA?
A Only the marketing team
B Cross-functional input — e.g., business owners, IT, legal/compliance, and the DPO
C Only external customers
D Only the finance department
Q36. After identifying risks in a DPIA, the next logical step is to:
A Ignore them if the project is urgent
B Determine and implement appropriate controls to mitigate the risks
C Publish all risks publicly
D Cancel the project automatically
Q37. A DPIA supports the principle of “Privacy by Design” because it:
A Builds data protection considerations into projects from the outset
B Adds privacy only after launch
C Removes the need for consent
D Focuses solely on aesthetics
Q38. Which statement about DPIAs under the PDPA is correct?
A They are explicitly mandatory by law for every project
B They are strongly recommended by the PDPC as good practice for high-risk processing
C They are illegal for SMEs
D They must be filed with the police

DPMP Quiz Q39-Q44

6 questions covering Data Protection Management Programme (DPMP). Source range: Q39-Q44.

Answer distribution: A: 4, B: 2, C: 0, D: 0.


Q39. A DPMP should be:
A A one-time document never reviewed again
B A living programme that is regularly reviewed and updated
C Kept hidden from all employees
D Outsourced entirely with no internal oversight
Q40. Staff training is part of a DPMP because:
A It is a legal requirement to train competitors
B Employees are often the first line of defence and a common source of breaches
C It replaces the need for technical controls
D It reduces the need for a privacy policy
Q41. Which document communicates to individuals how their personal data is collected, used, and disclosed?
A Data Protection Notice / Privacy Policy
B Annual financial statement
C Employee payslip
D Vendor invoice
Q42. An effective DPMP typically aligns its policies with how many key PDPA data protection obligations?
A Nine (the PDPA's main obligations)
B Two
C Twenty-five
D Fifty
Q43. Which of the following best reflects the “four-step” DPMP development approach often taught?
A Govern → Assess (Plan) → Implement (Protect) → Sustain (Review/Maintain)
B Buy → Sell → Trade → Profit
C Hire → Fire → Rehire → Retire
D Collect → Hide → Forget → Repeat
Q44. Demonstrating accountability through a DPMP can benefit an organisation by:
A Building consumer trust and reducing regulatory and reputational risk
B Guaranteeing zero breaches forever
C Exempting it from the PDPA
D Removing the need for consent in all cases

Risk Quiz Q45-Q50

6 questions covering Risk Management. Source range: Q45-Q50.

Answer distribution: A: 5, B: 1, C: 0, D: 0.


Q45. A risk register in data protection is used to:
A Record identified risks, their likelihood, impact, owners, and mitigation status
B List employee birthdays
C Track office supplies
D Record customer loyalty points
Q46. “Risk appetite” refers to:
A The amount and type of risk an organisation is willing to accept in pursuit of its objectives
B The number of meals served at staff events
C The speed of internet connection
D The number of vendors used
Q47. Conducting due diligence before appointing a data intermediary is an example of:
A Ignoring risk
B Proactive third-party risk management
C Risk transfer to individuals
D Marketing optimisation
Q48. A residual risk is:
A The risk remaining after controls have been applied
B The risk before any assessment
C A risk that does not exist
D Only financial risk
Q49. Which is a technical safeguard that mitigates the risk of unauthorised data access?
A Encryption and access controls
B Posting passwords on a public website
C Disabling all logging
D Sharing admin accounts with all staff
Q50. Periodic risk assessments should be triggered by:
A Significant changes to systems, processes, regulations, or after an incident
B Only once at company founding
C Never, if no complaints are received
D Only when revenue increases

Advanced Scenarios Q51-Q75

25 multiple-choice questions from advanced scenarios level.

Breach Quiz Q51-Q57

7 questions covering Data Breach Management. Source range: Q51-Q57.

Answer distribution: A: 0, B: 7, C: 0, D: 0.


Q51. A retailer's database of 800 customers (names + email addresses only) is accessed by an unauthorised party. No financial, NRIC, or sensitive data is involved. Is this notifiable, and to whom?
A Not notifiable — emails are not sensitive
B Notifiable to the PDPC only, because the breach meets the significant-scale threshold (≥500 individuals)
C Notifiable to individuals only
D Notifiable to the police only
Significant scale is an independent trigger even if harm is low; PDPC notification is required, though individual notification may not be if significant harm is unlikely.
Q52. An organisation discovers a breach on Day 1, but cannot immediately tell if it is notifiable. It completes its assessment on Day 4 and concludes it IS notifiable. By when must it notify the PDPC?
A By Day 4 (the day of assessment) — already late
B Within 3 calendar days of completing the assessment (i.e., by Day 7)
C Within 30 days of discovery
D No deadline applies once assessment is done
The 3-day clock runs from when the organisation assesses the breach as notifiable, but the assessment itself must be expeditious.
Q53. A laptop containing customers' personal data is stolen, but the data was strongly encrypted and the decryption key was not compromised. The most defensible position is:
A Always notify both PDPC and individuals regardless
B Significant harm is unlikely due to encryption, so individual notification may not be required — but assess and document the reasoning
C No assessment is needed at all
D Notify only the police and stop there
Q54. A data intermediary suffers a breach and notifies the controlling organisation on Day 2. The 3-day notification clock for the PDPC, owed by the controller, generally begins when:
A The intermediary first detects the breach
B The controller has assessed the breach (after being informed) and determines it is notifiable
C Exactly 72 hours after the intermediary's detection
D The controller never has an obligation — only the intermediary does
Q55. Which scenario most clearly creates a presumption of “significant harm” requiring individual notification?
A Disclosure of a customer's office desk phone extension
B Unauthorised disclosure of individuals' bank account numbers together with their identities
C Disclosure of a list of subscriber first names only
D Disclosure of a company's general enquiry email
Q56. An organisation argues it should delay notifying individuals because doing so would tip off the attacker during an active investigation. Under the PDPA framework, this:
A Is never permitted
B May justify a waiver/exception to individual notification on enforcement or remediation grounds, subject to PDPC's position
C Removes the obligation to notify the PDPC as well
D Permits indefinite secrecy with no documentation
Q57. Which post-incident action best supports the Accountability and Protection obligations?
A Deleting all breach logs to avoid liability
B Conducting a root-cause review and updating controls and the breach response plan
C Blaming the affected individuals
D Ignoring it since notification was filed

DPIA Quiz Q58-Q63

6 questions covering Data Protection Impact Assessment (DPIA). Source range: Q58-Q63.

Answer distribution: A: 0, B: 5, C: 1, D: 0.


Q58. A company wants to deploy facial-recognition for office access, repurposing CCTV footage. The strongest reason to run a DPIA first is:
A CCTV is expensive
B The new use is high-risk, involves potentially sensitive biometric data, and changes the original purpose of collection
C Employees may dislike cameras
D DPIAs are legally mandatory for all CCTV
Q59. During a DPIA, the team finds a process collects more data fields than necessary. The correct response aligned to PDPA principles is to:
A Keep collecting everything in case it's useful later
B Apply data minimisation — collect only what is reasonably necessary for the stated purpose
C Encrypt the extra data and keep it indefinitely
D Sell the surplus data
Q60. A DPIA concludes a project carries “high residual risk” even after controls. The most appropriate next step is to:
A Proceed silently
B Escalate to senior management/DPO for a risk-acceptance decision or further mitigation before go-live
C Cancel the DPIA
D Reduce the documentation
Q61. Which is the WEAKEST trigger, on its own, for conducting a DPIA?
A Large-scale processing of sensitive data
B Deploying automated decision-making affecting individuals
C A minor wording change to an internal memo not involving personal data
D Sharing personal data with a new overseas vendor
Q62. A vendor will process customer data overseas as part of a new system under DPIA review. The DPIA should specifically assess:
A The vendor's marketing budget
B Whether the transfer meets the PDPA Transfer Limitation Obligation (comparable protection abroad)
C The colour scheme of the vendor's app
D The vendor's office rent
Q63. The primary OUTPUT of a completed DPIA should be:
A A press release
B A documented record of risks, mitigation measures, decisions, and residual risk sign-off
C A customer marketing list
D A staff bonus plan

DPMP Quiz Q64-Q69

6 questions covering Data Protection Management Programme (DPMP). Source range: Q64-Q69.

Answer distribution: A: 1, B: 5, C: 0, D: 0.


Q64. An organisation has a privacy policy but no data inventory, no breach plan, and no assigned DPO duties. Its most significant DPMP gap is:
A Marketing collateral
B Lack of operational accountability structures (governance, data mapping, incident response)
C Office decor
D Number of social media followers
Q65. A DPO is appointed but their name/contact is not made available to the public. This most directly breaches:
A Consent Obligation
B The Accountability Obligation's requirement to make DPO business contact information available
C Retention Limitation
D Notification Obligation
Q66. Under PDPA, appointing a DPO:
A Transfers all legal liability to the DPO personally
B Does not absolve the organisation of its own compliance responsibilities
C Removes the need for any policies
D Is optional and carries no expectation
Q67. Which is the BEST evidence that a DPMP is operating effectively, rather than merely existing on paper?
A A thick policy binder no one reads
B Records of training, periodic reviews, incident drills, and updated risk assessments
C A single signature from the CEO years ago
D A logo redesign
Q68. An organisation retains customers' personal data indefinitely “just in case.” This most directly conflicts with:
A The Retention Limitation Obligation (cease retention when purpose no longer served and no legal need)
B The Consent Obligation only
C The Notification Obligation only
D No obligation at all
Q69. Integrating data protection clauses into HR, procurement, and IT processes reflects which DPMP principle?
A Treating data protection as a siloed, one-department task
B Embedding accountability across the organisation's operations
C Outsourcing all compliance
D Avoiding documentation

Risk Quiz Q70-Q75

6 questions covering Risk Management. Source range: Q70-Q75.

Answer distribution: A: 0, B: 6, C: 0, D: 0.


Q70. A risk has low likelihood but catastrophic impact (e.g., mass exposure of sensitive health data). The most prudent treatment is usually to:
A Accept it because likelihood is low
B Apply strong mitigating controls and/or transfer mechanisms given the severe impact
C Ignore it
D Increase data collection
Q71. An organisation relies on a cloud vendor's security but never reviews the vendor's controls or contract terms. The key risk-management failing is:
A Over-documentation
B Inadequate third-party oversight / failure to verify and contractually bind the intermediary
C Too much encryption
D Excessive staff training
Q72. “Inherent risk” differs from “residual risk” in that inherent risk is:
A The risk after all controls are applied
B The risk level before any controls/mitigation are applied
C Always zero
D Only relevant to finance
Q73. A risk assessment rates an item “Medium” but the DPO knows regulatory scrutiny on that data type is rising. The best practice is to:
A Never revisit the rating
B Treat risk ratings as dynamic and re-evaluate in light of changing regulatory/threat context
C Lower the rating to reduce workload
D Delete the risk register
Q74. Which control is BEST classified as an administrative (organisational) safeguard rather than a technical one?
A Database encryption
B A documented access-authorisation policy and staff confidentiality undertakings
C Network firewalls
D Multi-factor authentication tokens
Q75. When transferring personal data to a country without comparable data protection law, the most appropriate risk-mitigation measure is to:
A Proceed without conditions
B Put in place contractual clauses/binding measures ensuring a comparable standard of protection
C Rely solely on the recipient's goodwill
D Anonymise nothing and hope for the best

Quick Rules Study prompts

Short reminders distilled from the question bank. Use these before opening the quiz sets.

Breach Triggers Notification

  • Notify the PDPC within 3 calendar days after assessing a breach as notifiable.
  • A breach is notifiable if it is likely to cause significant harm or is of significant scale affecting 500 or more individuals.
  • Contain first, assess promptly, document the reasoning, and review controls after the incident.

DPIA Signals Risk assessment

  • Run a DPIA before high-risk new systems, material changes, sensitive data processing, large-scale processing, or overseas vendor processing.
  • Map personal-data flows, assess risks, decide controls, and record residual-risk sign-off.
  • DPIA supports privacy by design by addressing risks before go-live.

DPMP Evidence Accountability

  • A DPMP is a living programme: governance, policies, processes, training, review, and improvement.
  • Accountability includes appointing a DPO and making DPO business contact information available.
  • Good evidence includes training records, reviews, incident drills, data inventories, and updated risk assessments.

Risk Lens Likelihood × impact

  • Risk combines likelihood and severity of impact.
  • Common treatments are mitigate, transfer, avoid, or accept.
  • Residual risk remains after controls; inherent risk exists before controls.
  • Vendor due diligence and contractual safeguards are central to third-party risk management.

Answer Key All answers

Answers are grouped by part.

Foundational Key Q1-Q25

Consolidated answers from the source document.
  1. Q1: B Breach
  2. Q2: B Breach
  3. Q3: C Breach
  4. Q4: B Breach
  5. Q5: B Breach
  6. Q6: C Breach
  7. Q7: C Breach
  8. Q8: B DPIA
  9. Q9: B DPIA
  10. Q10: B DPIA
  11. Q11: A DPIA
  12. Q12: B DPIA
  13. Q13: C DPIA
  14. Q14: B DPMP
  15. Q15: A DPMP
  16. Q16: B DPMP
  17. Q17: A DPMP
  18. Q18: B DPMP
  19. Q19: B DPMP
  20. Q20: A Risk
  21. Q21: A Risk
  22. Q22: B Risk
  23. Q23: A Risk
  24. Q24: B Risk
  25. Q25: A Risk

Intermediate Key Q26-Q50

Consolidated answers from the source document.
  1. Q26: A Breach
  2. Q27: B Breach
  3. Q28: B Breach
  4. Q29: B Breach
  5. Q30: A Breach
  6. Q31: B Breach
  7. Q32: B Breach
  8. Q33: B DPIA
  9. Q34: A DPIA
  10. Q35: B DPIA
  11. Q36: B DPIA
  12. Q37: A DPIA
  13. Q38: B DPIA
  14. Q39: B DPMP
  15. Q40: B DPMP
  16. Q41: A DPMP
  17. Q42: A DPMP
  18. Q43: A DPMP
  19. Q44: A DPMP
  20. Q45: A Risk
  21. Q46: A Risk
  22. Q47: B Risk
  23. Q48: A Risk
  24. Q49: A Risk
  25. Q50: A Risk

Advanced Scenarios Key Q51-Q75

Consolidated answers from the source document.
  1. Q51: B Breach
  2. Q52: B Breach
  3. Q53: B Breach
  4. Q54: B Breach
  5. Q55: B Breach
  6. Q56: B Breach
  7. Q57: B Breach
  8. Q58: B DPIA
  9. Q59: B DPIA
  10. Q60: B DPIA
  11. Q61: C DPIA
  12. Q62: B DPIA
  13. Q63: B DPIA
  14. Q64: B DPMP
  15. Q65: B DPMP
  16. Q66: B DPMP
  17. Q67: B DPMP
  18. Q68: A DPMP
  19. Q69: B DPMP
  20. Q70: B Risk
  21. Q71: B Risk
  22. Q72: B Risk
  23. Q73: B Risk
  24. Q74: B Risk
  25. Q75: B Risk