Here are some common privacy law tenets shared across regulatory standards:
- Participation – the data subject should have the option to opt in or opt out.
- Limitation – data may only be used for the purpose stated.
- Scope – there must be a specific purpose (and it must be legal/ethical), and the scope should be included in the notification.
- Accuracy – the data must be as accurate as possible, and the data subject should be able to make corrections.
- Retention – the data should be kept only as long as it’s needed.
- Security – the custodian must protect the data.
- Dissemination – the custodian must not share the data without notifying the data subject.
- Notification – the data subject must be notified that their data is being collected and processed before it is used, and the notice should include the purpose of use.
A trick to memorize the privacy tenets is to say the following phrase; its capitalized letters correspond to the first letter of each tenet above (P, L, S, A, R, S, D, N):
“PLS (please) Acquire or Reveal Some DoNuts”
Write this mnemonic down on your memorization sheet several times.
Try to understand the difference between the tenets that overlap, such as Limitation and Scope, or Notification and Scope.
Some additional privacy concepts that are presented in Domain 1 include:
General Data Protection Regulation (GDPR): the GDPR has its own privacy principles that are similar to, but not the same as, the general tenets. There is no guarantee which set you’ll be tested on, so memorize both and what each tenet requires. You can memorize the GDPR principles with a mnemonic as well: “Public Displays of Affection Sure Interest A Lot of Us.”
- Purpose limitation – data may be collected only for specified, explicit purposes and must not be further processed in a way that is incompatible with those purposes.
- Data minimization – collect and process only the data that is adequate, relevant, and necessary for the stated purpose; do not gather extra data in case it is useful later.
- Accuracy – the data must be accurate and kept up to date, and there should be a method for the data subject to make corrections.
- Storage limitation – basically, don’t keep the information longer than needed for the purpose.
- Integrity/confidentiality – the data must be protected against unauthorized modification, disclosure, or loss.
- Accountability – the organization must be able to demonstrate compliance with these principles and is responsible for the data it holds.
- Lawfulness, fairness, transparency – data must be collected, handled, and destroyed in ways that are legal, fair, and transparent to the data subject (and subject to review/audit).
- Personally identifiable information (PII) – This refers to information that can be used to identify someone such as social security number, tax ID number, home address, email address, photograph of the person, fingerprint, credit card number, account number, etc.
- Personal or Protected Health Information (PHI) – This refers to information that is protected under health laws such as HIPAA.
The GDPR includes several other provisions:
- Right to be forgotten – Individuals have the right to request the erasure of their personal data. The right to be forgotten is a principle established under EU law and regulation. Under the GDPR (in force since May 2018), individuals within the EU and EEA have the right to request that a data custodian, controller, owner, or processor delete personal information when it no longer serves its original purpose, becomes obsolete, or is inaccurate.
- Challenges and Conflicts
- A key concern with the right to be forgotten is its potential conflict with other legal principles, such as:
- Privacy protections vs. freedom of expression – Erasing information to protect privacy can conflict with freedom of expression and the public interest in access to information, while still having to guard against defamation, libel, and slander; balancing these creates legal tension.
- Data retention laws – Some regulations require businesses to retain data for fraud prevention and compliance purposes, which may override deletion requests.
- Global Adoption – Several countries outside the EU and EEA, including Argentina, Brazil, South Korea, and India, have adopted their own versions of the right to be forgotten to enhance privacy protections. In contrast, a 2016 court ruling in China determined that its citizens do not have such a right. However, in 2017, China implemented a cybersecurity law that introduced some similar privacy and data protection requirements. More countries are expected to adopt similar regulations in the future.
- Legal Uncertainty and Compliance
- This remains an evolving area of international law and privacy regulation. Organizations operating in countries with right-to-be-forgotten laws should seek legal counsel to ensure compliance when handling deletion requests. A September 2019 CJEU decision appeared to limit the GDPR’s application, and specifically the right to be forgotten, to within the EU’s jurisdiction, seemingly reversing a 2014 ruling that extended its reach. As a result, the scope and enforceability of the right to be forgotten, both within and beyond the EU, remain unsettled.
- Right of access – Individuals must be informed about who has access to their data, how it is processed, how to obtain a copy, and how to request its deletion under GDPR.
- Right to restrict processing – Individuals have the ability to halt data processing activities without necessarily requesting deletion.
- Notice of completion – Data subjects must be notified when their requests have been fulfilled.
- Right to data portability – Individuals must be able to transfer their data in a commonly used format, ensuring they are not locked into a specific provider.
- Right to object – Individuals can challenge data processing activities that do not comply with legal requirements. They also have the right to opt out of specific uses, such as marketing, making it essential to track and respect consent and opt-out preferences.
Some additional GDPR-related concepts presented in the CBK are the following:
Data portability – this is a GDPR right; it says that an individual can have their data securely transferred from one service or controller to another, and that controllers must provide a mechanism for making such requests, such as a paper form to be submitted or an online web form.
Data localization refers to the requirement that data be processed and stored in the country of the data’s origin, or where it was collected. GDPR discusses this principle in the context of the conditions that are required before transmitting EU data outside of the EU.
Profiling – Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, which involves the evaluation of personal characteristics such as work performance, financial status, health, interests, behavior, location, or movements. This applies when such a decision produces legal consequences for the individual or similarly significantly affects them.
For example, automated collection and analysis of a person’s social media activity (e.g., Facebook, Instagram, Twitter/X) or other online information using OSINT tools falls under this category. Under the GDPR, such automated profiling is permitted only on narrow grounds: it is necessary for a contract with the data subject, it is authorized by law, or the data subject has given explicit consent. Whichever ground is relied on, and whether the profiling is automated or manual, the legal basis and any consent obtained must be properly documented before the profiling is carried out.
Cross-border privacy rules are being codified into frameworks, such as the APEC Cross-Border Privacy Rules (CBPR) system, to address transmitting PII across international borders.
The California Consumer Privacy Act (CCPA) highlights the influence of a second driving force: when consumers feel their privacy is at risk, they can effectively advocate for change, prompting significant shifts in legislation and regulation. A third driving force emerges as markets evolve: entrepreneurs recognize opportunities to develop products and services that are safer, more secure, and more privacy-focused.
Although not a perfect match with the GDPR, the CCPA has many similarities to it. It is among the strongest privacy protections within the United States, but it has not been deemed adequate under the GDPR, so it does not by itself authorize transfers of EU personal data.
For every organization you’ll support as a CISSP, you’ll need to understand legal, regulatory, and industry standards to achieve compliance. Compliance requires collaboration with analysts and architects who define requirements, as well as engagement with legal and privacy professionals.
The Organisation for Economic Co-operation and Development (OECD) privacy guidelines have some small differences in their tenets:
- Collection limitation – there should be limits on the collection of personal data, and data should be obtained lawfully and fairly, with the knowledge or consent of the subject where appropriate
- Data quality – accurate, complete, and up to date, and relevant to the purpose for which it is used
- Purpose specification – the purpose should be specified at the time of collection
- Use limitation – the data must not be disclosed or used for purposes other than those specified, except with the consent of the subject or by authority of law
- Security safeguards – the data must be protected by reasonable security safeguards against loss, unauthorized access, destruction, use, modification, or disclosure
- Openness – there should be a general policy of openness about the policies and procedures involving personal data
- Individual participation – the subject has the right to obtain their data from the controller and to challenge it and have it corrected
- Accountability – the data controller is accountable for complying with these principles
The EU Digital Markets Act (DMA)
The EU Digital Markets Act is a comprehensive and intricate regulation designed to impose rules on major “gatekeeper” companies, promoting innovation and fair competition in line with European values. Companies designated as gatekeepers include Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft.
Key Prohibitions for Gatekeepers:
- No preferential treatment (self-preferencing) – Gatekeepers cannot rank their own services or products higher than those of third parties on their platforms.
- No restrictions on external connections – Consumers must be free to engage with businesses outside the gatekeeper’s platform.
- No forced retention of preinstalled software – Users must have the option to uninstall any preinstalled apps or software.
- No unauthorized tracking – Gatekeepers cannot track users outside their core platform services for targeted advertising without obtaining explicit consent.
Violations of the DMA can result in fines of up to 10% of a company’s worldwide annual turnover for a first offense, increasing to 20% for repeated infringements. The gatekeeper obligations began applying to the designated gatekeepers in March 2024.