Chapter 117 · Security Program Management

Privacy

Privacy governs how individuals control their personal information. This chapter covers privacy levels from local to global, GDPR and the right to be forgotten, data subjects, the four data roles (Owner, Controller, Processor, Custodian), data inventories, and data retention policies.

Confidential
Report ID: PRIV-2024-001Domain: Security Program ManagementTopic: Privacy Frameworks & GDPR

Privacy Frameworks and GDPR

Privacy is the right of individuals to control how their personal information is collected, used, and shared. Unlike security (which protects systems and data from unauthorized access), privacy focuses on ensuring that even authorized data handling respects individuals' expectations and legal rights. Privacy obligations exist at multiple jurisdictional levels.

Privacy Levels

Privacy regulations exist at different levels of geographic scope, and organizations must comply with all applicable regulations wherever they operate and wherever their customers reside.

GDPR (General Data Protection Regulation)

GDPR is the EU's comprehensive data protection law that came into full effect in May 2018. It fundamentally changed how organizations must handle personal data of EU residents and has influenced privacy regulations worldwide.

GDPR = EU comprehensive privacy law. Personal data = any identifier that can link to a natural person (name, IP, photo, email, bank info). Right to be forgotten = individuals can request deletion of their data. Extraterritorial: applies to any organization with EU-resident customers regardless of location.
Confidential
Report ID: PRIV-2024-002Domain: Security Program ManagementTopic: Data Subject & Data Roles

Data Subject and Data Roles

Privacy is defined from the perspective of the data subject — the individual whose data is being handled. Understanding who plays which role in the data ecosystem clarifies who is responsible for what in a privacy compliance program.

Data Subject

A data subject is any identifiable natural person whose personal data is collected, stored, or processed. Privacy law exists to protect data subjects' rights over their own information. In a hospital, patients are data subjects. In an e-commerce platform, customers are data subjects. In an employment context, employees are data subjects.

Data Owner

The data owner is the senior business executive or officer who has organizational accountability for a category of data. This is a business accountability role, not a technical role.

Data Controller

The data controller is the entity (organization or individual) that determines the purpose and means of processing personal data. The controller decides why data is collected and how it will be used. Under GDPR, the data controller bears primary legal responsibility for compliance.

Data Processor

The data processor is an entity that processes personal data on behalf of and under the instructions of the data controller. Processors handle data but do not determine its purpose or scope.

Data Custodian / Data Steward

The data custodian (also called data steward) is the technical role responsible for implementing and maintaining the day-to-day controls that protect data. The custodian executes the policies set by the data owner.

RoleWhoAccountable For
Data OwnerSenior business executive (VP, director)Classification, access decisions, retention policy, residual risk
Data ControllerOrganization determining data purposeGDPR compliance, processor oversight, lawful processing
Data ProcessorThird party processing on controller's behalfFollowing controller instructions, DPA compliance
Data CustodianIT/security technical staffImplementing access controls, encryption, backups, monitoring
Data Subject = the person the data is about. Owner = senior business accountability (sets policy). Controller = GDPR term for entity determining purpose (primary legal accountability). Processor = processes on controller's behalf under instructions. Custodian = technical implementer of day-to-day controls.
Confidential
Report ID: PRIV-2024-003Domain: Security Program ManagementTopic: Data Inventory & Data Retention

Data Inventory and Data Retention

Effective privacy management requires knowing what data the organization holds, where it is, who owns it, and how long it must be kept. Data inventories and data retention policies operationalize privacy governance by creating accountability for every category of data in the organization's custody.

Data Inventory

A data inventory is a structured listing of all personal data (and other sensitive data) that the organization collects, stores, processes, or transmits. It is sometimes called a data map or records of processing activities (ROPA) under GDPR.

Data Retention

Data retention policy defines how long each category of data must be kept and when it must be deleted. Retention decisions are driven by regulatory requirements, legal hold obligations, business needs, and privacy risk reduction.

Data inventory = catalog of all data: category, owner, format, location, sensitivity, retention period. Required for privacy compliance, breach response, and erasure requests. Retention = how long to keep data; driven by regulation (minimums) and privacy (maximums). Secure deletion must reach all copies including backups and archives.