CompTIA Security+ Exam Notes

Let Us Help You Pass
Showing posts with label GDPR.

Wednesday, October 9, 2024

Data Sovereignty

Data sovereignty is the idea that data is subject to the laws and regulations of the country or region where it is collected, stored, and processed. It can also refer to the rights of individuals or groups to control and maintain their data.

Data sovereignty is related to data security, cloud computing, network sovereignty, and technological sovereignty. It can also be closely linked to data localization, which is the practice of storing data within a country or region's physical boundaries.

Data sovereignty is essential for several reasons, including:

Data protection

Data sovereignty allows businesses to protect their data from unauthorized access or breaches.

Business continuity

Data sovereignty ensures businesses can access their data during a disaster or disruption.

Competitive advantage

Data sovereignty can be a competitive advantage for businesses committed to protecting customer data.

Some examples of data sovereignty include:

The EU's General Data Protection Regulation (GDPR)

California's Consumer Privacy Act (CCPA)

Indigenous data sovereignty, which asserts the rights of Native nations and Indigenous Peoples to govern their own data

Data Processor

A data processor is an entity that processes personal data for a data controller, following the controller's instructions. Data processors can be individuals, businesses, public authorities, or legal entities.

Here are some responsibilities of a data processor:

Data security

Data processors must ensure that the data is secure and confidential.

Compliance

Data processors must ensure their processing complies with the General Data Protection Regulation (GDPR).

Data subject rights

Data processors must ensure that the rights of data subjects are protected.

Data processor agreement

Data processors must enter into a data processor agreement with the data controller.

Data processors can include:

Calculators

Computers

Cloud service providers

Third-party companies, such as payroll or email marketing companies

Call centers

Data processors are different from data controllers, who decide how and why to collect and process data. Data processors are contractually bound to follow the instructions of the data controller.

Data Controller

A data controller is a person or entity that determines how and why personal data is processed. They are responsible for the lawfulness of the processing, protecting the data, and respecting the data subject's rights.

Some of the responsibilities of a data controller include:

Deciding how to collect, store, use, alter, and disclose personal data

Providing information to data subjects

Ensuring there is a legitimate basis for processing activities

Giving effect to data subjects' rights under the GDPR

Ensuring that there is appropriate security for data processed

A data controller can be a legal person, such as a business, public authority, agency, or other body. In some cases, EU or Member State law may determine the controller and the purposes and means of processing personal data.

A data controller may delegate the processing to another party, called the data processor. For example, if a gym hires a printing company to produce invitations for a promotional event, the gym controls the personal information, and the printing company is the data processor.

Right to be Forgotten

The right to be forgotten, also known as the right to erasure, is the right to have private information removed from search engines and other directories. This right was established in the European Union in 2014 and is now codified in the General Data Protection Regulation (GDPR).

The right to be forgotten allows individuals to request that search engines remove specific results for queries related to their name. Search engines must consider whether the information is inaccurate, irrelevant, or excessive and if there is a public interest in keeping it available.

The right to be forgotten applies when:

The data is no longer needed for its original purpose

The data subject has withdrawn their consent

The data subject has objected to the processing

The data was unlawfully processed

The data must be erased to comply with a legal obligation

Tuesday, March 15, 2022

Regulations and Standards

Regulations and Standards to know for the exam

NIST RMF: Supply chain risks
ISO 27001: Organization meets the security standards
ISO 27002: Classifies security controls
ISO 27017 & 27018: Cloud security
ISO 27701: Personal data & privacy
ISO 31000 (31K): Risk assessments
GDPR: European Union / International Standards
- Data owners, data controllers, data processors, & data protection officer
- Data owner: responsible for determining how the data may be used
- Data controller: responsible for the protection of privacy & website user rights
- Data Protection Officer: independent advocate for the care & use of customer information, & responsible for ensuring the organization is complying with relevant laws
PCI DSS:
- Credit cards
- Assign a unique ID to each person with computer access
- Regularly test security systems and processes
SSAE SOC reports:
- SOC 2 Type I: assesses system design on a specific date
- SOC 2 Type II: identifies the effectiveness of security controls over a date range

Thursday, August 5, 2021

GDPR (General Data Protection Regulation)

GDPR - Things to know for the exam

The General Data Protection Regulation regulates the protection of personal data for residents of the European Union.

The GDPR outlines the roles and responsibilities of data controllers and data processors.

The data controller is responsible for protecting privacy & website user rights.

The data protection officer (DPO) can advocate for the care and use of customer information.

A data protection officer ensures the organization complies with all relevant laws.

The data controller (sometimes called the data owner) is responsible for the data's use.

A data processor uses and manipulates the data on behalf of the data controller.