The principles of data protection by design and by default require that the data controller implement appropriate technical and organizational measures (TOMs) for data processing in order to implement the data-protection principles. Which of the following is not true about the principles of data protection by design and by default?
A. TOMs shall be implemented at the time of the determination of the means for processing and at the time of the processing itself.
B. The principles are irrelevant to the amount of personal data collected.
C. The data controller should take into account the state of the art technologies for processing.
D. An approved certification mechanism can demonstrate compliance with the principles.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. The principles are irrelevant to the amount of personal data collected.
The data-protection-by-default obligation in Article 25(2), which requires that by default only personal data necessary for each specific purpose of the processing are processed, applies to:
- the amount of personal data collected,
- the extent of their processing,
- the period of their storage and their accessibility.
Source: Article 25, GDPR
Both the OECD Privacy Guidelines and ISO 29100 provide a privacy framework for organizations to follow. ISO 27701 defines the requirements for a Privacy Information Management System (PIMS). The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. Most of the privacy principles introduced in these frameworks are addressed in ISO 27701 and the GDPR.
Data Protection by Design
The controller shall implement TOMs to fulfill data-protection principles, as mentioned in the GDPR, both at the time of the determination of the means for processing and at the time of the processing itself.
Taking into account:
- the state of the art,
- the cost of implementation and
- the nature, scope, context and purposes of processing as well as
- the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing,
the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures … which are designed to implement data-protection principles … in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
Source: Article 25, GDPR
Privacy by Design and by Default
- Privacy by Design states that any action a company undertakes that involves processing personal data must be done with data protection and privacy in mind at every step.
- Privacy by Default means that once a product or service has been released to the public, the strictest privacy settings should apply by default, without any manual input from the end user.
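The two principles above can be made concrete in code. The following is an added example, not from the original post or from the GDPR text: a small data-collection layer in which every collected field must be tied to a declared purpose and retention period before a record is accepted (by design), and a new account's privacy settings start at their most restrictive values and can only be loosened by an explicit opt-in (by default). The field names, purposes and retention periods in the purpose register are constructed for illustration.

```python
"""Privacy by design and by default, illustrated (added example, not from the post)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Purpose register (constructed values): a field may be collected only if it is
# listed here with the purpose that needs it and how long it may be kept.
PURPOSE_REGISTER = {
    "email":     ("account_login",    timedelta(days=365 * 2)),
    "birthdate": ("age_verification", timedelta(days=30)),
    "city":      ("service_delivery", timedelta(days=365)),
}


@dataclass
class PrivacySettings:
    """Strictest values are the defaults; nothing is shared unless the user opts in."""
    profile_public: bool = False
    marketing_emails: bool = False
    analytics_tracking: bool = False
    location_sharing: bool = False

    def opt_in(self, setting: str) -> "PrivacySettings":
        """Loosen one setting; only an explicit call can move away from a default."""
        if setting not in self.__dataclass_fields__:
            raise KeyError(f"unknown privacy setting: {setting}")
        setattr(self, setting, True)
        return self


class DataMinimisationError(ValueError):
    """Raised when a field with no declared purpose is about to be stored."""


@dataclass
class PersonalDataRecord:
    collected_on: date
    fields: dict = field(default_factory=dict)
    settings: PrivacySettings = field(default_factory=PrivacySettings)


def collect(raw: dict, today_iso: str) -> PersonalDataRecord:
    """Accept only fields the purpose register justifies; reject everything else.

    Raising on an unregistered field, instead of silently dropping it, turns a
    missing purpose into a design-time bug rather than a runtime data leak.
    """
    unjustified = sorted(k for k in raw if k not in PURPOSE_REGISTER)
    if unjustified:
        raise DataMinimisationError(f"no declared purpose for: {unjustified}")
    return PersonalDataRecord(collected_on=date.fromisoformat(today_iso), fields=dict(raw))


def expired_fields(record: PersonalDataRecord, today_iso: str) -> list:
    """Fields whose purpose-bound retention period has run out and must be erased."""
    today = date.fromisoformat(today_iso)
    out = []
    for name in record.fields:
        _purpose, keep_for = PURPOSE_REGISTER[name]
        if today > record.collected_on + keep_for:
            out.append(name)
    return sorted(out)


def purge(record: PersonalDataRecord, today_iso: str) -> PersonalDataRecord:
    """Erase expired fields in place (storage-period limitation)."""
    for name in expired_fields(record, today_iso):
        del record.fields[name]
    return record


if __name__ == "__main__":
    # Constructed sign-up payload.
    rec = collect({"email": "a@example.org", "birthdate": "1990-01-01"}, "2024-01-01")
    print(rec.settings)                              # every flag False: privacy by default
    print(expired_fields(rec, "2024-03-01"))         # ['birthdate']: 30-day purpose has lapsed
    try:
        collect({"email": "b@example.org", "phone": "123"}, "2024-01-01")
    except DataMinimisationError as e:
        print("rejected:", e)                        # 'phone' has no declared purpose
```

The register is the design-time artefact: adding a new field to a form without first adding it to the register fails closed, which is what "data protection at the time of the determination of the means for processing" looks like in practice.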
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.