CISSP Official Study Guide, Eighth Edition
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)
Chapter 5: Protecting Security of Assets

Data Processors
Generically, a data processor is any system used to process data. However, in the context of the GDPR, data processor has a more specific meaning. The GDPR defines a data processor as “a natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller.” In this context, the data controller is the person or entity that controls processing of the data.
U.S. organizations previously relied on the U.S. Department of Commerce Safe Harbor program to comply with EU data protection laws. However, the European Court of Justice invalidated that program in 2015. Instead, companies were required to comply with the (now-defunct) European Data Protection Directive (Directive 95/46/EC). The GDPR (Regulation EU 2016/679) replaced Directive 95/46/EC, and it became enforceable on May 25, 2018. It applies to all EU member states and to all countries doing business with the EU involving the transfer of data.
As an example, a company that collects personal information on employees for payroll is 
a data controller. If they pass this information to a third-party company to process payroll, 
the payroll company is the data processor. In this example, the payroll company (the data 
processor) must not use the data for anything other than processing payroll at the direction 
of the data controller. 
The GDPR restricts data transfers to countries outside the EU. Organizations must comply with all of the requirements within the GDPR. Companies that violate privacy rules in the GDPR may face fines of up to 4 percent of their global revenue. Unfortunately, it is filled with legalese, presenting many challenges for organizations. As an example, clause 107 includes this statement:
“Consequently the transfer of personal data to that third country or international organisation should be prohibited, unless the requirements in this Regulation relating to transfers subject to appropriate safeguards, including binding corporate rules, and derogations for specific situations are fulfilled.”
The European Commission and the U.S. government developed the EU-US Privacy Shield program to replace a previous program, which was known as the Safe Harbor program. Similarly, Swiss and U.S. officials worked together to create a Swiss-US Privacy Shield framework. Both programs are administered by the U.S. Department of Commerce’s International Trade Administration (ITA).
Organizations can self-certify, indicating that they are complying with the Privacy Shield principles through the U.S. Department of Commerce. The self-certification process consists of answering a lengthy questionnaire. An official from the organization provides details on the organization, with a focus on the organization’s privacy policy, including the organization’s commitment to upholding the seven primary Privacy Shield Principles and the 16 Privacy Shield Supplementary Principles.
The Privacy Shield principles have a lot of depth, but as a summary, they are as follows:

Notice: An organization must inform individuals about the purposes for which it collects and uses information about them.

Choice: An organization must offer individuals the opportunity to opt out.

Accountability for Onward Transfer: Organizations can only transfer data to other organizations that comply with the Notice and Choice principles.

Security: Organizations must take reasonable precautions to protect personal data.

Data Integrity and Purpose Limitation: Organizations should only collect data that is needed for processing purposes identified in the Notice principle. Organizations are also responsible for taking reasonable steps to ensure that personal data is accurate, complete, and current.

Access: Individuals must have access to personal information an organization holds about them. Individuals must also have the ability to correct, amend, or delete information when it is inaccurate.

Recourse, Enforcement, and Liability: Organizations must implement mechanisms to ensure compliance with the principles and provide mechanisms to handle individual complaints.