CISSP/CCSP Data Privacy Exam CONTEXT

  • OECD

    1. OECD Privacy Principles equal closely to European Union (EU) member nations’ data protection legislation (and cultural expectations), which implement the European Commission (EC) Data Protection Directive (Directive 95/46/EC), and other “EU-style” national privacy legislation
    2. The Privacy Principles
      1. Collection Limitation Principle
        • limits to the collection of personal data (Best answer from exam point of you)  data should be obtained by lawful
      2. Data Quality Principle
        • relative to the purposes for which they are to be used and should be complete, accurate and update 
      3. Purpose Specification Principle
        • purposes for which personal data are collected should be specified
      4. Use Limitation Principle
        • Personal data should not be disclosed, made accessible or otherwise used for purposes.
      5. Security Safeguards Principle
        • Reasonable security safeguards should protect personal data. Preserve confidentiality and integrity 
      6. Openness Principle
        • openness about developments, practices, and policies to personal data
      7. Individual Participation Principle
        1. An individual should have the right:
          1. to obtain from a data controller
          2. to have communicated to him, data relating to him
          3. to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.
      8. Accountability Principle
        1. A data controller should be accountable for complying with measures which give effect to the principles stated above.

  • GDPR

    • Data protection impact assessments
      • A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimize the data protection risks of a project
        • To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm
        • To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm
    • GDPR Databreach = 72 Hours
    • Consequences of non-compliance to GDPR with fines of up to 20 million euros or 4% of global turnover
    • Data controller
      •  Is the entity (person, organization, etc.) that determines the why and how to process personal data. For Example, the Bank collects subject data information.
    • Data Processor
      • It is an entity that performs data processing on the controller’s behalf. For Example, Cloud Operator processes information on behalf of the Bank
    • The GDPR sets out seven fundamental principles:
      • Lawfulness, fairness, and transparency
        • abide transparent with data subjects
        • You should indicate in your privacy policy the type of data you collect and why you’re collecting it.
      • Purpose limitation
        • Organizations should only collect personal data for a specific purpose.
      • Data minimization
        • Adequate, relevant, and limited to what is necessary for relation to the purposes for which they are processed.
        • exam key point– this is the best way to limit the liability from the data breach
        • Doing so has two significant benefits.
          • in the case of a data breach, the intruder only have access to a limited amount of data
          • data minimization makes it more manageable to keep data accurate and up to date.
      • Accuracy
        • accurate and where necessary kept up to date
        • Individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days.
      • Storage limitation
        • Organizations need to delete personal data when no longer needed.
        • You would have to set the retention period for personal data you collect and justify that this period is necessary for your specific objectives.
        • best way to limit liability 
      • Integrity and confidentiality (security)
        • You must implement efficient anonymization or pseudonymous systems to protect the identity of your clients.
        • Exam Point = In which principle pseudonymization address
        • organizations should encrypt or pseudonymous personal data
    • Binding corporate rules
      • You can make a restricted transfer if both you and the receiver have signed up to a group document called binding corporate rules (BCRs).
      • BCRs are an internal code of conduct operating within a multinational group, which applies to restricted transfers of personal data from the group’s EEA entities to non-EEA group entitie
      • You must submit BCRs for approval to an EEA supervisory authority in an EEA country where one of the companies is based
    • Contracts
      • The contract is important so that both parties understand their responsibilities and liabilities.
      • The GDPR sets out what needs to be included in the contract.
      • Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.
      • Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.