Which of the following is responsible for taking into account risks of varying likelihood and severity for the rights and freedoms of one who can be identified, directly or indirectly? (Wentz QOTD)
A. Data owner
B. Information system owner
C. Data controller
D. Data principal
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Data controller.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
It’s not uncommon to treat “data owner” and “data controller” as the same thing. However, they are not. “Data controller” is used specifically in the context of personal data and privacy, while “data owner” generally implies that the organization owns the data and that the data owner is accountable for the protection of the data delegated to them.
This question is all about the protection of personal data and quotes the text from GDPR, so “data controller” is more appropriate than “data owner.” One who can be identified directly or indirectly implies the data subject.
Art. 4 GDPR Definitions: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Art. 24 GDPR Responsibility of the controller: (1) Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. (2) Those measures shall be reviewed and updated where necessary.
Which of the following is responsible for taking into account the risks of varying likelihood and severity for the rights and freedoms of a person who can be identified, directly or indirectly? (Wentz QOTD)
C. Data controller
D. Data principal