Privacy Frameworks and GDPR
Privacy is the right of individuals to control how their personal information is collected, used, and shared. Unlike security (which protects systems and data from unauthorized access), privacy focuses on ensuring that even authorized data handling respects individuals' expectations and legal rights. Privacy obligations exist at multiple jurisdictional levels.
Privacy Levels
Privacy regulations exist at different levels of geographic scope, and organizations must comply with all applicable regulations wherever they operate and wherever their customers reside.
- Local and regional privacy laws: Many US states have enacted their own privacy legislation. California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give California residents rights over their personal data. States like Virginia, Colorado, and Connecticut have enacted similar laws. Local regulations may apply to specific industries or data types even when national laws do not.
- National privacy laws: The United States has sector-specific national privacy laws rather than a single comprehensive national privacy law. HIPAA protects health information. COPPA (Children's Online Privacy Protection Act) protects personal information of children under 13. FERPA (Family Educational Rights and Privacy Act) protects student education records. GLBA protects financial customer information.
- Global privacy laws: The European Union's GDPR is the most influential global privacy regulation. Its extraterritorial scope means it applies to any organization anywhere in the world that processes personal data of EU residents, regardless of where the organization is located.
GDPR (General Data Protection Regulation)
GDPR is the EU's comprehensive data protection law that came into full effect in May 2018. It fundamentally changed how organizations must handle personal data of EU residents and has influenced privacy regulations worldwide.
- Key principle: Under GDPR, individuals (data subjects) control their personal data. Organizations that collect or process personal data do so with the individual's consent and subject to the individual's rights. Organizations are stewards, not owners, of personal data.
- What constitutes personal data under GDPR: Any information relating to an identified or identifiable natural person. Examples include: name, home address, email address, phone number, photograph, bank account information, IP address, location data, cookie identifiers, health data, genetic data, and biometric data. GDPR defines personal data broadly to encompass any identifier that can directly or indirectly identify an individual.
- Right to be forgotten (Right to Erasure): Under GDPR Article 17, individuals have the right to request that an organization delete their personal data when: (1) the data is no longer needed for the purpose it was collected, (2) the individual withdraws consent, (3) the individual objects and there is no overriding legitimate interest, (4) the data was processed unlawfully, or (5) deletion is required to comply with a legal obligation. Organizations must be able to locate and delete all instances of an individual's data across their systems — including backups — to comply with erasure requests.
- GDPR extraterritorial scope: GDPR applies to any organization that processes personal data of EU residents, regardless of where the organization is based. A US company with European customers must comply with GDPR for those customers' data.
- GDPR penalties: Up to 4% of annual global turnover or €20 million (whichever is higher) for serious violations. Up to 2% or €10 million for less serious violations. The 72-hour breach notification requirement was covered in earlier chapters.
Data Subject and Data Roles
Privacy is defined from the perspective of the data subject — the individual whose data is being handled. Understanding who plays which role in the data ecosystem clarifies who is responsible for what in a privacy compliance program.
Data Subject
A data subject is any identifiable natural person whose personal data is collected, stored, or processed. Privacy law exists to protect data subjects' rights over their own information. In a hospital, patients are data subjects. In an e-commerce platform, customers are data subjects. In an employment context, employees are data subjects.
- Data subject rights under GDPR: Right of access (individuals can request a copy of their data), right to rectification (correct inaccurate data), right to erasure (right to be forgotten), right to restrict processing, right to data portability (receive their data in machine-readable format), and right to object to certain processing activities.
Data Owner
The data owner is the senior business executive or officer who has organizational accountability for a category of data. This is a business accountability role, not a technical role.
- Responsibilities: Determining the classification level of the data, deciding who may access it, setting retention periods, accepting residual risk on behalf of the business unit, and ensuring the data is handled in compliance with applicable regulations.
- Key point: The data owner is always a senior business leader (VP, director, department head) — never a technical IT or security role. A database administrator manages the technical infrastructure but is not the data owner.
Data Controller
The data controller is the entity (organization or individual) that determines the purpose and means of processing personal data. The controller decides why data is collected and how it will be used. Under GDPR, the data controller bears primary legal responsibility for compliance.
- Examples: A hospital that collects patient medical records is the data controller. An e-commerce company that collects customer order data is the data controller. The controller cannot outsource its legal accountability — even when a processor causes a breach, the controller remains accountable to regulators for its choice and oversight of the processor.
- Relationship to data owner: In GDPR terminology, the data controller concept maps most closely to what Security+ calls the data owner. Both refer to the entity with primary accountability for the data.
Data Processor
The data processor is an entity that processes personal data on behalf of and under the instructions of the data controller. Processors handle data but do not determine its purpose or scope.
- Examples: A payroll company that processes employee salary data on behalf of an employer is a data processor. A cloud provider that hosts customer data without accessing it for its own purposes is a data processor. A marketing firm that sends emails on behalf of a retailer using the retailer's customer list is a data processor.
- Key distinction: A processor that starts making its own decisions about what to do with the data (purpose and means) becomes a controller. The boundary between processor and controller matters legally because the two roles carry different obligations under GDPR.
- Data Processing Agreements (DPAs): Controllers must have formal DPAs in place with processors. The DPA defines what data is processed, for what purpose, under what security requirements, and for how long. Processors must comply with DPA terms and are liable for their own violations of those terms.
Data Custodian / Data Steward
The data custodian (also called data steward) is the technical role responsible for implementing and maintaining the day-to-day controls that protect data. The custodian executes the policies set by the data owner.
- Responsibilities: Assigning sensitivity labels (public, internal, confidential, restricted), configuring access controls for each classification tier, applying encryption to data at rest and in transit, maintaining and testing backups, and monitoring access logs for anomalous activity.
- Key distinction from owner: Owner sets the policy (what classification, who gets access, retention period). Custodian implements the policy technically. A database administrator who encrypts the production database, configures role-based access controls, and monitors query logs is a data custodian.
| Role | Who | Accountable For |
|---|---|---|
| Data Owner | Senior business executive (VP, director) | Classification, access decisions, retention policy, residual risk |
| Data Controller | Organization determining data purpose | GDPR compliance, processor oversight, lawful processing |
| Data Processor | Third party processing on controller's behalf | Following controller instructions, DPA compliance |
| Data Custodian | IT/security technical staff | Implementing access controls, encryption, backups, monitoring |
Data Inventory and Data Retention
Effective privacy management requires knowing what data the organization holds, where it is, who owns it, and how long it must be kept. Data inventories and data retention policies operationalize privacy governance by creating accountability for every category of data in the organization's custody.
Data Inventory
A data inventory is a structured listing of all personal data (and other sensitive data) that the organization collects, stores, processes, or transmits. It is sometimes called a data map or records of processing activities (ROPA) under GDPR.
- What a data inventory documents:
- Data category: What type of data (customer PII, employee health records, payment card data, intellectual property).
- Data owner: Which senior business executive is accountable for this data category.
- Update frequency: How often the data is modified or refreshed (real-time transaction data, quarterly HR updates, annual financial records).
- Format and location: Where the data is stored (database name, cloud storage bucket, file server), in what format, and whether it is encrypted.
- Sensitivity classification: Public, internal, confidential, or restricted — which determines the access controls and handling requirements that apply.
- Retention period: How long the data must be kept before deletion.
- Why data inventory matters for privacy: You cannot protect data you do not know exists. You cannot respond to a data subject access request if you do not know where a person's data is stored. You cannot delete data under a right-to-erasure request if you cannot locate all instances of it. Data inventory is the foundation of privacy compliance operations.
- Data inventory and breach response: When a breach occurs, the incident response team needs to know immediately what data was in the compromised system. A current data inventory enables rapid scoping of breach impact and accurate regulatory notification.
Data Retention
Data retention policy defines how long each category of data must be kept and when it must be deleted. Retention decisions are driven by regulatory requirements, legal hold obligations, business needs, and privacy risk reduction.
- Regulatory retention minimums: Many regulations require data to be retained for a minimum period. HIPAA requires medical records to be retained for 6 years from creation or last use. SOX requires financial records to be retained for 7 years. Payment card transaction data has both minimum retention requirements (for dispute resolution) and maximum retention limits (to limit breach exposure).
- Retention maximums and privacy: Keeping data longer than necessary increases breach exposure without business benefit. GDPR requires that personal data not be kept longer than necessary for the purpose for which it was collected — this is the data minimization principle. A company that retains customer data indefinitely "just in case" is likely violating GDPR.
- Secure deletion: When data reaches the end of its retention period, it must be securely deleted using methods appropriate to the media. Deleting a database record without also purging backups, log archives, and replicas leaves the data in existence despite the deletion action. True deletion must reach all copies including secondary storage locations.
- Legal hold interaction: Retention schedules are suspended for data under legal hold (litigation hold). Normal deletion must not occur for data relevant to active or anticipated litigation, even if the data has passed its standard retention period.