The Official (ISC)2 CISSP CBK Reference. Aaron Kraus
Чтение книги онлайн.

Читать онлайн книгу The Official (ISC)2 CISSP CBK Reference - Aaron Kraus страница 28

СКАЧАТЬ and Human Services and a major media outlet servicing the jurisdiction of the affected parties.

      Data Protection Directive (EU)

      Data Protection Act 1998 (UK)

      The Data Protection Act was established by the United Kingdom Parliament to enact the provisions within the EU's Data Protection Directive. The Data Protection Act established that UK citizens held the legal right to control their personal information and was designed to enforce privacy of personal data stored on computing systems. The Data Protection Act 1998 was later superseded by the Data Protection Act 2018, which was designed to enforce and supplement provisions within the GDPR (discussed in a later section).

      Safe Harbor

      The International Safe Harbor Privacy Principles, often short-handed as just “Safe Harbor,” is an agreement between the United States and European Union, established between 1998 and 2000, that was developed to reconcile differences between U.S. and EU privacy laws. Under Safe Harbor, a U.S. company could self-certify that it met data privacy requirements agreed upon by the United States and European Union. Safe Harbor was ruled invalid by the European Court of Justice in 2015 and replaced with the EU-US Privacy Shield soon after.

      EU-US Privacy Shield

      The EU-US Privacy Shield was the second attempt by the European Union and United States to agree upon principles to mutually regulate the exchange of personal data between the two jurisdictions. The agreement was reached in 2016, less than a year after Safe Harbor was ruled invalid by the European Court of Justice. By 2020, however, the same court declared the EU-US Privacy Shield invalid.

      General Data Protection Regulation (EU)

      NOTE If your organization stores or processes the personal data of EU citizens or residents, then GDPR applies to you, whether or not your company is located in the EU.

      GDPR Article 5 establishes and describes seven principles for processing personal data:

       Lawfulness, fairness, and transparency: Obtain and process personal data in accordance with applicable laws and fully inform the customer of how their data will be used.

       Purpose limitation: Identify “specific, explicit, and legitimate” purpose for data collection, and inform them of such purpose.

       Data minimization: Collect and process the minimum amount of data necessary to provide the agreed-upon services.

       Accuracy: Ensure that personal data remains “accurate and where necessary kept up-to-date.”

       Storage limitation: Personal data may be stored only long as necessary to provide the agreed-upon services.

       Integrity and confidentiality: Ensure appropriate security of personal data, and provide protection against unauthorized access, and accidental loss or destruction. This includes implementing data anonymization techniques to protect your customers' identities, where necessary.

       Accountability: The data controller (i.e., the party that stores and processes the personal data) must be able to demonstrate compliance with all of these principles. Many customers pursue industry-standard certifications, like ISO 27001, to demonstrate accountability and commitment to security and privacy.

      TIP Article 17 within the GDPR establishes a person's “right to be forgotten.” This provision grants the data subject (i.e., the person whose data is being used) the right to have their personal data deleted if one of several circumstances exists and is a critical concept that information security professionals must consider when developing their data storage and retention policies.

      NOTE GDPR Article 33 establishes rules that require data controllers to notify proper authorities within 72 hours of becoming aware of a personal data breach.

      tick GDPR Fines

      The GDPR imposes stiff fines on data controllers and processors for noncompliance.

      Determination

      Fines are administered by individual member state supervisory authorities (83.1). The following 10 criteria are to be used to determine the amount of the fine on a noncompliant firm:

       Nature of infringement: Number of people affected, damage they suffered, duration of infringement, and purpose of processing

       Intention: Whether the infringement is intentional or negligent

       Mitigation: Actions taken to mitigate damage to data subjects

       Preventative measures: How much technical and organizational preparation the firm had previously implemented to prevent noncompliance

       History: Past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and past administrative corrective actions under the GDPR, from warnings to bans on processing and fines

       Cooperation: How cooperative the firm has been with the supervisory authority to remedy the infringement

       Data type: What types of data the infringement impacts; see special categories of personal data

       Notification: Whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party

       Certification: Whether the firm had qualified under-approved certifications or adhered to approved codes of conduct

       Other: Other aggravating СКАЧАТЬ