Explanation
Any organization collecting information about EU residents is required to operate with transparency in collecting and using their personal information. Chapter III of the GDPR defines eight data subject rights that have become foundational for other privacy regulations around the world:
Right to access personal data. Data subjects can access the data collected on them.
One of the privacy requirements related to the rights of data subjects is the right to access, which means that individuals have the right to obtain a copy of their personal data, as well as information about how their data is processed, by whom, for what purposes, and for how long. To meet this requirement, an organization's technology stack should incorporate features that allow individuals to have direct access to their data, such as self-service portals, dashboards, or applications. This way, individuals can exercise their right to access without relying on intermediaries or manual processes, which can be inefficient, error-prone, or insecure. References: : CDPSE Review Manual (Digital Version), page 137

Explanation
The strategic goals of the organization should be established first before a privacy office starts to develop a data protection and privacy awareness campaign, because they provide the direction, purpose, and scope of the campaign. The strategic goals of the organization reflect its vision, mission, values, and objectives, as well as its alignment with the relevant privacy laws and regulations, stakeholder expectations, and industry best practices. The privacy office should design and implement the awareness campaign in a way that supports and promotes the strategic goals of the organization, as well as measures and evaluates its effectiveness and impact.
References:
* CDPSE Review Manual, 2023 Edition, Domain 1: Privacy Governance, Section 1.1.2: Privacy Strategy Implementation, p. 19
* CDPSE Review Manual, 2023 Edition, Domain 1: Privacy Governance, Section 1.3.2: Privacy Awareness and Training Program, p. 38-39
* ICO launches data awareness campaign1

Explanation
To ensure the protection of personal data, privacy policies should mandate that access to information system applications be authorized by the business application owner, because they are the ones who are responsible for defining the business requirements, functions, and objectives of the applications. The business application owner can also determine the appropriate level of access for different users or groups based on their roles, responsibilities, and needs. The business application owner can also monitor and review the access control policies and procedures to ensure that they are effective and compliant with the privacy regulations and standards.
References:
* Access Control Policy and Implementation Guides, CSRC
* What is Authorization and Access Control?, ICANN

Explanation
The applicable privacy legislation needs to be identified first to define the privacy requirements to use when assessing the selection of IT systems, because it sets the legal obligations and standards for the organization to comply with when processing personal data. The type of data, the control frameworks, and the technology platforms are all dependent on the privacy legislation that applies to the organization and its data processing activities. Therefore, the privacy legislation is the primary source of privacy requirements for IT systems.
References:
* CDPSE Review Manual, 2023 Edition, Domain 2: Privacy Architecture, Section 2.1.2: Privacy Requirements, p. 75
* Compliance with Cybersecurity and Privacy Laws and Regulations1