Privacy Requirements Compliance and the CISSP Exam

By Lawrence C. Miller, Peter H. Gregory

Privacy and data protection laws are enacted to protect information collected and maintained about individuals from unauthorized disclosure or misuse. Privacy law is one area in which the United States, which has no comprehensive federal privacy statute and instead relies on sector-specific and state laws, lags behind many other jurisdictions, particularly the European Union (EU). The EU's General Data Protection Regulation (GDPR) imposes strict rules on the processing of personal data and restricts its transfer to countries (including the United States) that do not provide an equivalent level of protection. The GDPR's requirements for personal data and records include the following:

  • Must be collected fairly, lawfully and transparently, and processed only on a valid legal basis (for example, the data subject's consent, performance of a contract, or a legal obligation); explicit consent is required for special categories of data such as health data.
  • Must be used only for the specified purposes for which it was collected, and retained no longer than necessary for those purposes.
  • Must be accurate and, where necessary, kept up to date.
  • Must be accessible to individuals who request a copy of the personal data held about them (the right of access).
  • Individuals must have the right to have inaccurate personal data corrected (the right to rectification).
  • Individuals must have the right, subject to certain exceptions, to have their personal data erased from an organization's information systems (the right to erasure, also called the right to be forgotten).
  • Personal data can't be disclosed to other organizations or individuals unless the disclosure is authorized by law or by the individual's consent.
  • Transfers of personal data to countries where an equivalent level of protection cannot be assured are prohibited unless appropriate safeguards (such as an adequacy decision or standard contractual clauses) are in place.