As a privacy assessor, what would most likely be the first artifact you would ask for while assessing an organization which claims that it has implemented a privacy program?
A. Privacy risk management framework
B. Records of privacy specific training imparted to the employees handling personal information
C. Personal information management policy
D. Records of deployed privacy notices and statements