Aaron Kraus - The Official (ISC)2 CISSP CBK Reference


The Official (ISC)2 CISSP CBK Reference: summary and description


The only official, comprehensive reference guide to the CISSP. Thoroughly updated for 2021 and beyond, this is the authoritative common body of knowledge (CBK) from (ISC)2 for information security professionals charged with designing, engineering, implementing, and managing the overall information security program to protect organizations from increasingly sophisticated attacks. Vendor neutral and backed by (ISC)2, the CISSP credential meets the stringent requirements of ISO/IEC Standard 17024.
This CBK covers the current eight domains of CISSP with the necessary depth to apply them to the daily practice of information security. Revised and updated by a team of subject matter experts, this comprehensive reference covers all of the more than 300 CISSP objectives and sub-objectives in a structured format with:
Common and good practices for each objective
Common vocabulary and definitions
References to widely accepted computing standards
Highlights of successful approaches through case studies
Whether you've earned your CISSP credential or are looking for a valuable resource to help advance your security career, this comprehensive guide offers everything you need to apply the knowledge of the most recognized body of influence in information security.

The Official (ISC)2 CISSP CBK Reference: read the excerpt online


Data Protection Act 1998 (UK)

The Data Protection Act 1998 was passed by the United Kingdom Parliament to transpose the EU's 1995 Data Protection Directive into UK law. It established that individuals in the UK held a legal right to control their personal information and was designed to protect the privacy of personal data held on computing systems. The Data Protection Act 1998 was later superseded by the Data Protection Act 2018, which implements and supplements the provisions of the GDPR (discussed in a later section) in the UK.

Safe Harbor

The International Safe Harbor Privacy Principles, often shortened to just "Safe Harbor," was an arrangement between the United States and the European Union, negotiated between 1998 and 2000, that was developed to reconcile the differences between U.S. and EU privacy law so that personal data could lawfully flow from the EU to the U.S. Under Safe Harbor, a U.S. company could self-certify that it met data privacy requirements agreed upon by the United States and the European Union. Safe Harbor was ruled invalid by the Court of Justice of the European Union in 2015 (the Schrems I decision) and was replaced by the EU-US Privacy Shield soon after.

EU-US Privacy Shield

The EU-US Privacy Shield was the second attempt by the European Union and the United States to agree upon principles to regulate the exchange of personal data between the two jurisdictions. The agreement was reached in 2016, less than a year after Safe Harbor was ruled invalid by the Court of Justice of the European Union. In 2020, however, the same court declared the EU-US Privacy Shield invalid as well (the Schrems II decision), again on the grounds that U.S. law did not provide EU data subjects with protection essentially equivalent to that guaranteed in the EU.

General Data Protection Regulation (EU)

The GDPR is widely considered to be the world's strongest data privacy law. It was adopted in 2016 and became enforceable on 25 May 2018, replacing the EU's 1995 Data Protection Directive with a single regulation of 99 articles and 173 recitals that requires organizations around the world to protect the privacy of individuals in the EU. Because a regulation applies directly in every member state (unlike a directive, which each state transposes into its own law), companies around the world that do business with European customers have been forced to rethink their approach to data security and privacy. As a CISSP and information security leader, this is one piece of legislation that you will almost certainly need to be familiar with.

NOTE: If your organization stores or processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behavior, then GDPR applies to you (Article 3), whether or not your company is located in the EU.

GDPR Article 5 establishes and describes seven principles for processing personal data:

Lawfulness, fairness, and transparency: Obtain and process personal data in accordance with applicable law, on a valid legal basis (Article 6), and fully inform the data subject of how their data will be used.

Purpose limitation: Identify a "specific, explicit, and legitimate" purpose for data collection, inform data subjects of that purpose, and do not further process the data in a manner incompatible with it.

Data minimization: Collect and process only the minimum amount of data necessary to provide the agreed-upon services.

Accuracy: Ensure that personal data remains "accurate and, where necessary, kept up to date," and erase or rectify inaccurate data without delay.

Storage limitation: Keep personal data in a form that identifies the data subject only as long as necessary for the purposes for which it was collected.

Integrity and confidentiality: Ensure appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. In practice this means appropriate technical and organizational measures (Article 32), such as pseudonymization and encryption of personal data where appropriate; note that truly anonymized data, which can no longer be linked to an individual, falls outside the scope of the GDPR altogether.

Accountability: The data controller (i.e., the party that determines the purposes and means of processing the personal data) must be able to demonstrate compliance with all of these principles. Many organizations pursue industry-standard certifications, such as ISO/IEC 27001 (and its privacy extension, ISO/IEC 27701), to demonstrate accountability and commitment to security and privacy.

TIP: Article 17 of the GDPR establishes the right to erasure, commonly called the "right to be forgotten." This provision grants the data subject (i.e., the person whose data is being processed) the right to have their personal data deleted without undue delay when one of several circumstances applies, for example when the data is no longer necessary for its original purpose or the data subject withdraws consent. It is a critical concept that information security professionals must consider when developing data storage and retention policies, because erasure must reach backups, replicas, and any processors holding copies of the data.

GDPR Chapter 4 contains several articles that establish requirements for data controllers and processors, and it requires that data processors (i.e., organizations that store and process personal data on behalf of a data controller) prioritize security and privacy and act only on the controller's documented instructions (Article 28). Of particular interest, Article 25 requires "data protection by design and by default"; this is a far-reaching requirement that codifies what security professionals have been recommending as best practice for years.

NOTE: GDPR Article 33 requires data controllers to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors must notify their controller without undue delay after becoming aware of a breach. Where the breach is likely to result in a high risk to individuals, Article 34 additionally requires the controller to notify the affected data subjects.

GDPR Fines

The GDPR imposes stiff fines on data controllers and processors for noncompliance.

Determination

Fines are administered by the individual member state supervisory authorities (Article 83(1)). Article 83(2) sets out the criteria that are to be used to determine the amount of the fine imposed on a noncompliant firm, summarized here as 10 criteria:

Nature of infringement: Number of people affected, damage they suffered, duration of infringement, and purpose of processing

Intention: Whether the infringement is intentional or negligent

Mitigation: Actions taken to mitigate damage to data subjects

Preventative measures: How much technical and organizational preparation the firm had previously implemented to prevent noncompliance

History: Past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and past administrative corrective actions under the GDPR, from warnings to bans on processing and fines

Cooperation: How cooperative the firm has been with the supervisory authority to remedy the infringement

Data type: What categories of personal data the infringement affects, in particular whether it involves the special categories of personal data defined in Article 9 (such as health, biometric, or genetic data)

Notification: Whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party

Certification: Whether the firm held an approved certification (Article 42) or adhered to an approved code of conduct (Article 40)

Other: Other aggravating or mitigating factors, including financial impact on the firm from the infringement

Lower Level

Up to €10 million, or 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be imposed for infringements of:

Controllers and processors under Articles 8, 11, 25–39, 42, 43

Certification body under Articles 42, 43

Monitoring body under Article 41(4)

Upper Level

Up to €20 million, or 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be imposed for infringements of:

The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9

The data subjects' rights under Articles 12–22

The transfer of personal data to a recipient in a third country or an international organization under Articles 44–49

Any obligations pursuant to member state law adopted under Chapter IX

Any noncompliance with an order by a supervisory authority

UNDERSTAND REQUIREMENTS FOR INVESTIGATION TYPES

In this section, we compare and contrast different investigation types, including administrative, criminal, civil, and regulatory investigations. For each investigation type, we discuss who performs the investigation, the standard for collecting and presenting evidence, and the general differences between the types.
