Privacy: legal implications (local, national, global), data subject, controller vs processor, ownership, inventory/retention, right to be forgotten

5.4 Compliance

📘CompTIA Security+ (SY0-701)

Overview

Privacy compliance in cybersecurity is about protecting personal data — information that can identify an individual — and following the laws and regulations that govern how this data is collected, stored, used, and shared.
Security+ expects you to understand how organizations manage personal data responsibly and comply with privacy laws at different levels — local, national, and global.

🔸 1. Legal Implications (Local, National, Global)

Different regions have different privacy laws. Organizations must understand and comply with all relevant laws depending on where they operate and whose data they handle.

1.1 Local Regulations

  • These are city or regional privacy rules or industry-specific guidelines.
  • Example: A local government may require specific security measures for storing public employee data.
  • Local laws may define:
    • How long data can be kept.
    • How breaches should be reported to local authorities.

1.2 National Regulations

  • These are country-level laws that protect citizens’ personal information.
  • They define:
    • What personal data is.
    • How organizations must collect and use it.
    • How individuals can control their information.
  • Examples include:
    • HIPAA (Health Insurance Portability and Accountability Act) in the U.S. for healthcare data.
    • GLBA (Gramm-Leach-Bliley Act) for financial institutions.
    • CLOUD Act (Clarifying Lawful Overseas Use of Data) for U.S. data stored abroad.

1.3 Global Regulations

  • Apply when organizations handle data from people in other countries.
  • Common examples:
    • GDPR (General Data Protection Regulation) in the European Union — affects any company that processes data of EU residents.
    • APPI (Act on the Protection of Personal Information) in Japan.
    • PIPEDA in Canada.

💡 Exam tip: Even if a company is not based in that country, if it processes or stores data from people in that country, the law still applies.

🔸 2. Data Subject

The data subject is the individual whose personal data is being collected or processed.
Examples in IT:

  • A website visitor filling out a signup form.
  • A customer whose data is stored in a CRM system.
  • An employee’s information in an HR database.

Rights of data subjects usually include:

  • The right to know what data is collected.
  • The right to access their data.
  • The right to correct or delete their data.
  • The right to limit how their data is used or shared.

🔸 3. Controller vs Processor

Understanding these two roles is crucial for compliance.

RoleDefinitionResponsibilitiesExample in IT Context
Data ControllerThe person or organization that determines why and how personal data is processed.– Decides the purpose of data collection.
– Ensures compliance with laws.
– Manages consent and privacy policies.		A company that collects customer emails for marketing.
Data ProcessorThe entity that processes data on behalf of the controller.– Follows the controller’s instructions.
– Implements security controls.
– Not allowed to use data for their own purposes.		A cloud service provider storing those customer emails.

💡 Exam note:
If a processor experiences a data breach, it must report it to the controller, who then reports it to authorities or data subjects as required by law.

🔸 4. Ownership of Data

Data ownership means who has legal rights and control over data.

In most cases:

  • Individuals (data subjects) own their personal data.
  • Organizations are allowed to use or store it only with consent or legitimate business reasons.

Ownership defines who can:

  • Access or modify the data.
  • Share or delete it.
  • Decide on its use and retention.

💡 For Security+:

  • Know that data ownership must be clearly defined in contracts, especially when working with third parties or cloud providers.

🔸 5. Data Inventory and Retention

5.1 Data Inventory

A data inventory (or data map) is a detailed record of:

  • What personal data the organization collects.
  • Where it is stored (databases, cloud, backups).
  • Who has access to it.
  • How it is used or shared.

Maintaining an inventory helps organizations:

  • Identify privacy risks.
  • Respond quickly to data subject requests.
  • Comply with audits and privacy assessments.

5.2 Data Retention

Data retention means how long data is kept before it is deleted or archived.

  • Retention periods are often defined by law, regulation, or company policy.
  • Data should not be kept longer than necessary.
  • Proper deletion or sanitization must occur after the retention period expires.

💡 Example in IT:

  • Logs stored for 90 days for security analysis.
  • Customer data retained for 1 year after account deletion, then securely wiped.

Key exam point:
Retention policies prevent unnecessary exposure of old or unused data and help reduce the impact of data breaches.

🔸 6. Right to Be Forgotten

The Right to Be Forgotten (RTBF) means an individual can request that their personal data be erased or removed from an organization’s systems.

It is a core part of privacy laws such as the GDPR.

When it applies:

  • The data is no longer needed for the original purpose.
  • The individual withdraws consent.
  • The data was collected unlawfully.

IT Responsibilities:

  • Ensure systems can locate and delete personal data upon request.
  • Remove data from databases, backups, and third-party systems (where applicable).
  • Maintain records of deletion requests for audit purposes.

💡 Exam tip: The right to be forgotten is not absolute — data may need to be kept for legal, security, or compliance reasons (like financial records).

🔹 Summary Table

ConceptMeaningKey Security+ Point
Legal implicationsLaws and rules that govern personal data handling.Must follow all relevant laws (local, national, global).
Data subjectThe person whose data is being collected.Has rights to access, correct, or delete their data.
Controller vs ProcessorController decides purpose; processor handles data.Both have legal responsibilities for privacy.
OwnershipDefines who has legal control of data.Data belongs to individuals; organizations are custodians.
Inventory/RetentionTracks where data lives and how long it’s kept.Must document, secure, and delete data per policy.
Right to be forgottenIndividual can request data deletion.Must have a process to erase personal data securely.

🔹 Exam Tips

  • Understand which role (controller or processor) is responsible for what.
  • Be ready to identify privacy principles like consent, data minimization, and purpose limitation.
  • Know the difference between security (protecting data) and privacy (rights and laws about data).
  • Expect questions about data lifecycle management — collecting, storing, sharing, and deleting data.

Leave a Reply

Your email address will not be published. Required fields are marked *

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by