CISSP PRACTICE QUESTIONS – 20201005

Effective CISSP Questions

The principles of data protection by design and by default require that the data controller implement appropriate technical and organizational measures (TOMs) for data processing in order to give effect to the data-protection principles. Which of the following is not true about the principles of data protection by design and by default?
A. TOMs shall be implemented at the time of the determination of the means for processing and at the time of the processing itself.
B. The principles are irrelevant to the amount of personal data collected.
C. The data controller should take into account the state of the art technologies for processing.
D. An approved certification mechanism can demonstrate compliance with the principles.


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. The principles are irrelevant to the amount of personal data collected.

Data protection by default (Article 25(2)) requires the controller to implement appropriate TOMs for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to:

  1. the amount of personal data collected,
  2. the extent of their processing,
  3. the period of their storage and their accessibility.

Option B is therefore false: the amount of personal data collected is one of the things the obligation expressly covers.

Source: Article 25, GDPR

Both the OECD Privacy Guidelines and ISO/IEC 29100 provide a privacy framework for organizations to follow. ISO/IEC 27701 defines the requirements for a Privacy Information Management System (PIMS) as an extension to ISO/IEC 27001 and ISO/IEC 27002. The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. Most of the privacy principles introduced in these frameworks are reflected in ISO/IEC 27701 and the GDPR.

Data Protection by Design

The controller shall implement TOMs to give effect to the data-protection principles set out in the GDPR, both at the time of the determination of the means for processing and at the time of the processing itself.

Taking into account:

  1. the state of the art,
  2. the cost of implementation and
  3. the nature, scope, context and purposes of processing as well as
  4. the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing,

the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures … which are designed to implement data-protection principles … in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

Source: Article 25, GDPR

Privacy by Design and by Default

  • Privacy by Design states that any action a company undertakes that involves processing personal data must be done with data protection and privacy in mind at every step.
  • Privacy by Default means that once a product or service has been released to the public, the strictest privacy settings should apply by default, without any manual input from the end user.

Source: ics

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

The Effective CISSP - SRM

The Effective CISSP: Practice Questions

The principles of data protection by design and by default require the data controller to implement appropriate technical and organizational measures (TOMs) for data processing in order to give effect to the data-protection principles. Regarding data protection by design and by default, which of the following is not correct?
A. TOMs shall be implemented at the time of determining the means of processing and at the time of the processing itself.
B. These principles are irrelevant to the amount of personal data collected.
C. The data controller should take into account the state of the art for data processing.
D. An approved certification mechanism can demonstrate compliance with these principles.
