Название: The Official (ISC)2 CISSP CBK Reference
Автор: Aaron Kraus
Издательство: John Wiley & Sons Limited
Жанр: Зарубежная компьютерная литература
isbn: 9781119790006
isbn:
Data Protection Directive (EU)
The Data Protection Directive, officially known as Directive 95/46/EC, was enacted by the European Parliament in 1995. The Data Protection Directive aimed at regulating the processing of the personal data of European citizens. Although it has since been superseded by the GDPR (discussed in a later section), the Data Protection Directive was the first major privacy law in the European Union and is considered the foundational privacy regulation in all of Europe.
Data Protection Act 1998 (UK)
The Data Protection Act was established by the United Kingdom Parliament to enact the provisions within the EU's Data Protection Directive. The Data Protection Act established that UK citizens held the legal right to control their personal information and was designed to enforce privacy of personal data stored on computing systems. The Data Protection Act 1998 was later superseded by the Data Protection Act 2018, which was designed to enforce and supplement provisions within the GDPR (discussed in a later section).
Safe Harbor
The International Safe Harbor Privacy Principles, often short-handed as just “Safe Harbor,” is an agreement between the United States and European Union, established between 1998 and 2000, that was developed to reconcile differences between U.S. and EU privacy laws. Under Safe Harbor, a U.S. company could self-certify that it met data privacy requirements agreed upon by the United States and European Union. Safe Harbor was ruled invalid by the European Court of Justice in 2015 and replaced with the EU-US Privacy Shield soon after.
EU-US Privacy Shield
The EU-US Privacy Shield was the second attempt by the European Union and United States to agree upon principles to mutually regulate the exchange of personal data between the two jurisdictions. The agreement was reached in 2016, less than a year after Safe Harbor was ruled invalid by the European Court of Justice. By 2020, however, the same court declared the EU-US Privacy Shield invalid.
General Data Protection Regulation (EU)
The GDPR is considered by most to be the world's strongest data privacy law. GDPR was established in 2016 and replaced the EU's 1995 Data Protection Directive with hundreds of pages of regulations that require organizations around the world to protect the privacy of EU citizens. With this sweeping regulation, companies around the world that do business with European customers have been forced to rethink their approach to data security and privacy. As a CISSP and information security leader, this is one legislation that you'll likely need to be familiar with.
NOTE If your organization stores or processes the personal data of EU citizens or residents, then GDPR applies to you, whether or not your company is located in the EU.
GDPR Article 5 establishes and describes seven principles for processing personal data:
Lawfulness, fairness, and transparency: Obtain and process personal data in accordance with applicable laws and fully inform the customer of how their data will be used.
Purpose limitation: Identify “specific, explicit, and legitimate” purpose for data collection, and inform them of such purpose.
Data minimization: Collect and process the minimum amount of data necessary to provide the agreed-upon services.
Accuracy: Ensure that personal data remains “accurate and where necessary kept up-to-date.”
Storage limitation: Personal data may be stored only long as necessary to provide the agreed-upon services.
Integrity and confidentiality: Ensure appropriate security of personal data, and provide protection against unauthorized access, and accidental loss or destruction. This includes implementing data anonymization techniques to protect your customers' identities, where necessary.
Accountability: The data controller (i.e., the party that stores and processes the personal data) must be able to demonstrate compliance with all of these principles. Many customers pursue industry-standard certifications, like ISO 27001, to demonstrate accountability and commitment to security and privacy.
TIP Article 17 within the GDPR establishes a person's “right to be forgotten.” This provision grants the data subject (i.e., the person whose data is being used) the right to have their personal data deleted if one of several circumstances exists and is a critical concept that information security professionals must consider when developing their data storage and retention policies.
GDPR Chapter 4 contains several articles that establish requirements related to the data controller and processor and requires that data processors (i.e., an organization that stores and processes PII on behalf of a data controller) prioritize security and privacy. Of particular interest, Article 25 requires “data protection by design and by default”; this is a huge directive that codifies what security professionals have been recommending as best practice for years.
NOTE GDPR Article 33 establishes rules that require data controllers to notify proper authorities within 72 hours of becoming aware of a personal data breach.
The GDPR imposes stiff fines on data controllers and processors for noncompliance.
Determination
Fines are administered by individual member state supervisory authorities (83.1). The following 10 criteria are to be used to determine the amount of the fine on a noncompliant firm:
Nature of infringement: Number of people affected, damage they suffered, duration of infringement, and purpose of processing
Intention: Whether the infringement is intentional or negligent
Mitigation: Actions taken to mitigate damage to data subjects
Preventative measures: How much technical and organizational preparation the firm had previously implemented to prevent noncompliance
History: Past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and past administrative corrective actions under the GDPR, from warnings to bans on processing and fines
Cooperation: How cooperative the firm has been with the supervisory authority to remedy the infringement
Data type: What types of data the infringement impacts; see special categories of personal data
Notification: Whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party
Certification: Whether the firm had qualified under-approved certifications or adhered to approved codes of conduct
Other: Other aggravating СКАЧАТЬ