What is GDPR, who does it apply to, and what are its key principles?
GDPR (General Data Protection Regulation): EU comprehensive data protection law effective May 2018. Replaces the 1995 Data Protection Directive with a unified, stricter framework. Who it applies to: any organization anywhere in the world that processes personal data of EU/EEA residents. A US company with European customers must comply with GDPR for those customers' data. Key principles: (1) Lawfulness, fairness, transparency (must have legal basis for processing). (2) Purpose limitation (data collected for specific purposes only). (3) Data minimization (collect only what is necessary). (4) Accuracy (keep data accurate and up to date). (5) Storage limitation (keep data only as long as necessary). (6) Integrity and confidentiality (appropriate security). (7) Accountability (controller is responsible and must demonstrate compliance). Penalties: up to 4% of global annual turnover or EUR 20M (higher of the two) for serious violations; up to 2% or EUR 10M for less serious violations. Enforcement: National data protection authorities in each EU member state; GDPR also allows data subjects to bring private legal claims.
What is personal data under GDPR? What examples does the regulation cover?
Personal data (GDPR definition): any information relating to an identified or identifiable natural person (the data subject). Identifiable means the person can be identified directly or indirectly. GDPR's definition is intentionally broad. Examples of personal data: name, home address, email address, phone number, photograph, bank account numbers, credit card numbers, IP address (yes, an IP address is personal data under GDPR), location data, cookie identifiers and online identifiers, health data, genetic data, biometric data (fingerprints, facial recognition data), political opinions, religious beliefs, sexual orientation. Why IP addresses are personal data: an IP address, combined with other information a company typically possesses, can be used to identify an individual. Courts and regulators have confirmed this. Sensitive categories (higher protection): health data, genetic data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation. Processing sensitive categories requires explicit consent or another specific legal basis. Exam trap: IP addresses and cookie identifiers are personal data under GDPR even though they seem like technical identifiers.
What are the individual rights under GDPR?
GDPR grants data subjects eight key rights: (1) Right to be informed: know what data is collected, why, and how it is used (privacy notices). (2) Right of access: request a copy of all personal data held (subject access request). (3) Right to rectification: correct inaccurate or incomplete personal data. (4) Right to erasure (right to be forgotten): request deletion when data is no longer needed, consent withdrawn, or data was unlawfully processed. (5) Right to restrict processing: request that processing be paused while accuracy is disputed or objection is being considered. (6) Right to data portability: receive personal data in a structured, machine-readable format and transfer it to another controller. (7) Right to object: object to processing for direct marketing (must be honored unconditionally) or legitimate interests (may be overridden by compelling grounds). (8) Rights related to automated decision-making: not be subject to solely automated decisions with significant effects; right to human review. Exam focus: right to erasure (right to be forgotten) is the most commonly tested GDPR right. Organizations must be able to locate and delete all instances of an individual's data across all systems including backups.
What is the right to be forgotten (right to erasure) and what are its limits?
Right to erasure (GDPR Article 17): individuals can request deletion of their personal data when specific conditions are met. When the right applies: (1) Data is no longer needed for the purpose it was collected. (2) Individual withdraws consent and no other legal basis exists. (3) Individual objects to processing and no overriding legitimate interest exists. (4) Data was processed unlawfully. (5) Deletion is required by a legal obligation. What erasure requires: organizations must delete the data from all locations — production databases, backup archives, transaction logs, analytics systems, replicas. "Deleting" from the production database while retaining backups does not constitute GDPR-compliant erasure. When the right does NOT apply: when retention is required for compliance with a legal obligation (e.g., financial records required by law), for the exercise of legal claims, for public interest purposes (health, scientific research), for freedom of expression and information. Practical challenge: organizations must have processes to identify all copies of an individual's data across all systems and delete them completely. This is why data inventories are essential — you cannot delete data you cannot find. Exam point: GDPR right to erasure applies to all copies including backups.
What are the four data roles and who holds each?
Four distinct data roles in privacy governance: Data Owner: senior business executive (VP, director, department head) with organizational accountability for a data category. Makes classification, access, and retention policy decisions. Accepts residual risk. NOT a technical role. Data Controller: GDPR term for the entity that determines the purpose and means of processing personal data. Bears primary GDPR legal accountability. Cannot fully outsource this accountability to processors. Data Processor: entity that processes personal data on behalf of and under instructions from the controller. Does not independently determine purpose or use. Bound by a Data Processing Agreement (DPA). Examples: payroll companies, cloud providers handling customer data. Data Custodian / Steward: technical role implementing day-to-day data protection controls. Assigns sensitivity labels, enforces access controls, applies encryption, maintains backups, monitors access logs. Implements policy set by the owner; does not make governance decisions. Relationships: Owner sets the policy → Controller determines lawful basis → Custodian implements controls → Processor handles data under instructions. Exam trap: data owner is ALWAYS a senior business leader, never a DBA or security analyst. A DBA is a custodian.
What distinguishes a data controller from a data processor?
The key distinction is WHO determines the purpose and means of processing. Data Controller: decides WHY data is processed (the purpose) and HOW it is processed (the means). Examples: a hospital decides to collect patient health records for treatment purposes. An e-commerce company decides to collect customer purchase history for marketing personalization. The controller is the entity with the strategic decision-making authority over the data. Data Processor: processes data according to the controller's instructions without independently determining the purpose or means. Examples: a payroll company that processes employee salary data per employer instructions. A cloud provider that stores data without accessing it for its own purposes. A marketing firm that sends emails using a retailer's customer list per the retailer's instructions. When a processor becomes a controller: if a processor starts making its own decisions about what to do with the data (new purposes, sharing with additional parties), it becomes a co-controller with additional GDPR obligations. GDPR accountability: controllers bear primary accountability. When a processor causes a breach through its own failures, the processor is liable for those failures — but the controller also remains accountable to regulators for its choice and oversight of the processor. Controllers cannot fully outsource GDPR accountability to processors. Required document: Data Processing Agreement (DPA) between every controller and each of its processors.
What is a data inventory and why is it critical for privacy compliance?
Data inventory (data map / records of processing activities): a structured catalog of all personal data and sensitive data that an organization collects, stores, processes, or transmits. Under GDPR, formally called "Records of Processing Activities" (Article 30). What it documents per data category: data type and description, data owner (accountable executive), storage location (database, cloud, file server), format (structured/unstructured, encrypted/unencrypted), sensitivity classification (public/internal/confidential/restricted), retention period, update frequency. Why it is critical: (1) Privacy compliance: you cannot protect data you do not know exists. (2) Right to erasure: you cannot delete data you cannot find. (3) Right of access: you cannot provide a data subject with their data if you cannot locate all instances. (4) Breach response: you cannot scope a breach notification without knowing what data was in compromised systems. (5) Retention compliance: you cannot enforce deletion schedules without knowing where data lives. Who maintains it: data custodians maintain the inventory; data owners are accountable for its accuracy for their data categories; the privacy team or DPO (Data Protection Officer) oversees the overall ROPA. Exam point: a missing data inventory is identified as a root cause for privacy compliance failures in many breach investigations.
What is data retention policy and what drives retention decisions?
Data retention policy: defines how long each category of data must be kept and when it must be securely deleted. Balances regulatory minimums against privacy maximums. Regulatory minimums: certain data must be retained for specific minimum periods. HIPAA: medical records 6 years from creation or last use. SOX: financial records and audit logs 7 years. PCI DSS: cardholder data limited to the minimum necessary for business/legal needs (some transaction data required for disputes). Privacy maximums: GDPR storage limitation principle requires that personal data not be kept longer than necessary for the purpose for which it was collected. Indefinite retention violates GDPR. Organizations must justify why they still need each data category they hold. Legal hold exception: when data is subject to a legal hold (litigation hold), normal deletion schedules are suspended. Data relevant to active or anticipated litigation must be preserved even if its standard retention period has expired. Secure deletion: retention schedules must reach ALL copies: production databases, backup archives, transaction logs, analytics systems, replicas. Deleting from production while retaining in backups does not constitute compliant deletion. Exam rule: minimum retention = regulatory floor (can keep longer but not shorter). Maximum retention = privacy ceiling (GDPR requires deletion when no longer needed).
Privacy levels: local, national, and global frameworks
Privacy obligations exist at three jurisdictional levels and organizations must comply with all applicable levels simultaneously. Local / regional: US state privacy laws. California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give California residents rights over their data. Virginia CDPA, Colorado CPA, Connecticut CTDPA, and growing number of state laws with similar rights. Local requirements may be stricter than national laws and apply whenever the organization has customers in that jurisdiction. National (US examples): sector-specific laws rather than a single comprehensive national privacy law. HIPAA (healthcare), COPPA (children under 13), FERPA (student education records), GLBA (financial institutions), CCPA/state laws (patchwork). Global: GDPR is the most influential global privacy regulation. Extraterritorial scope means it applies to any organization with EU resident customers regardless of location. GDPR has inspired similar laws: Brazil's LGPD, Canada's PIPEDA (being updated), UK GDPR (post-Brexit equivalent), Japan's APPI, South Korea's PIPA. Exam approach: when a scenario describes EU residents' data = GDPR applies. When it describes healthcare PHI = HIPAA applies. When it describes children under 13 = COPPA applies. Multiple frameworks can apply simultaneously.
What is a data subject and why is privacy defined from their perspective?
Data subject (GDPR term): any identified or identifiable natural person whose personal data is collected, stored, or processed. Privacy law is designed to protect data subjects' control over their own information. Examples: a hospital patient whose medical records are collected is a data subject. An e-commerce customer whose purchase history is tracked is a data subject. An employee whose HR records are maintained is a data subject. A website visitor whose IP address and cookies are collected is a data subject. Why privacy is defined from their perspective: privacy protects individuals' autonomy over their own information. Without privacy protection, organizations could collect, use, and share personal data in ways that individuals did not anticipate and did not consent to. GDPR's framework places the individual (data subject) at the center: the individual grants consent, has the right to access and delete their data, and can enforce their rights through regulators and courts. Data subject vs. data owner (Security+ terminology): in Security+ exam context, "data owner" refers to the senior business executive accountable for a data category — NOT the individual the data is about. The individual the data is about = data subject. This distinction is sometimes tested. Exam note: privacy = protection of data subjects' rights over their own information. Security = protection of systems and data from unauthorized access.
What is the data custodian role, and how does it differ from data owner?
Data Custodian (Data Steward): the technical role responsible for implementing and maintaining the day-to-day controls that protect data. Works below the data owner in the governance hierarchy. Custodian responsibilities: assigning sensitivity labels (public, internal, confidential, restricted) based on the owner's classification decisions, configuring role-based access controls for each classification tier, applying and managing encryption at rest and in transit, maintaining and testing backup integrity, monitoring access logs and investigating anomalies, implementing data masking and tokenization where required. Data Owner responsibilities: setting the classification policy (deciding what classification level applies to the data), deciding who may access the data and under what conditions, setting the retention period, accepting residual risk on behalf of the business unit, reviewing and approving exemption requests for the data. Key distinction: owner decides WHAT the policy is. Custodian implements HOW that policy is enforced. Owner sets the speed limit; custodian installs the traffic enforcement cameras. Who is NOT the data owner: database administrators, security analysts, IT staff — these are custodian-level roles regardless of how much technical control they have over the data. Data ownership is a business accountability role, not a technical one.
How do privacy and security differ? Why both are needed?
Security: protects systems and data from unauthorized access, theft, modification, and destruction. Focuses on threats from adversaries. Addresses confidentiality, integrity, and availability (CIA triad). Security asks: "Are unauthorized parties accessing our data?" Privacy: governs how personal data is collected, used, and shared with individuals' knowledge and consent. Focuses on how organizations handle data — including authorized handling. Privacy asks: "Are we using personal data in ways that respect individuals' expectations and legal rights?" Key difference: a security breach is an unauthorized access event. A privacy violation can occur without any breach: sharing customer data with a marketing partner without consent is a privacy violation, even if the data was never "breached." A bank that requires customers to share medical history to apply for a car loan has a privacy issue, not a security issue. Why both are needed: security without privacy = you protect data from attackers but may misuse it yourself. Privacy without security = you have good data use policies but attackers steal the data anyway. Together: security provides the controls; privacy provides the governance for how those controls are applied and for what purpose data is collected and used. Exam point: privacy compliance ≠ security. Privacy requires additional governance beyond the CIA triad.