Isaca CDPSE - Certified Data Privacy Solutions Engineer

According to the General Data Protection Regulation (GDPR), data subjects have the right to withdraw their consent for processing their personal data at any time. However, this right does not apply when the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1) of the GDPR1.

References: 1: Article 7(3) and Article 89(1) of the GDPR

Pseudonymization is a technique that replaces or removes direct identifiers from personal data, such as names, addresses, or social security numbers, with pseudonyms, such as codes, tokens, or random values. However, pseudonymization does not eliminate the possibility of re-identification, as the original data can still be linked back to the pseudonyms using additional information or techniques. Therefore, if a database containing pseudonymized personal data is breached, the IT privacy practitioner should be most concerned about the risk of re-identification, which could compromise the privacy and security of the data subjects. The other options are less relevant or important than the risk of re-identification.

References: CDPSE Review Manual, 2021, p. 62

However, the risks associated with long-term retention have compelled organizations to consider alternatives; one is data archival, the process of preparing data for long-term storage. When organizations are bound by specific laws to retain data for many years, archival provides a viable opportunity to remove data from online transaction systems to other systems or media.

Data archiving is the process of moving data that is no longer actively used to a separate storage device for long-term retention. Data archiving helps to reduce the cost and complexity of data storage, improve the performance and availability of data systems, and comply with data retention policies and regulations. Data archiving should document controls relating to periods of retention for personal data, such as the criteria for determining the retention period, the procedures for deleting or anonymizing data after the retention period expires, and the mechanisms for ensuring the integrity and security of archived data. References: : CDPSE Review Manual (Digital Version), page 123

The data owner is the person or entity who has the ultimate authority and responsibility for the protection of personal data collected by an organization. The data owner defines the purpose, scope, classification, and retention of the personal data, as well as the rights and obligations of the data subjects and other parties involved in the data processing. The data owner also ensures that the personal data is handled in compliance with the applicable privacy laws and regulations, as well as the organization’s privacy policies and standards. The data owner may delegate some of the operational tasks to the data processor, data custodian, or data protection officer, but the accountability remains with the data owner.

References: CDPSE Review Manual, 2021, p. 81

API keys are codes that are used to identify and authenticate an application or user when accessing an API. API keys could be stored insecurely, such as in plain text, in public repositories, or in unencrypted files. This could expose the API keys to unauthorized access, theft, or misuse by malicious actors, who could then access the API and the data it contains. This could result in data breaches, privacy violations, fraud, or other damages.

References:

ISACA Certified Data Privacy Solutions Engineer Study Guide, Domain 3: Privacy Engineering, Task 3.4: Implement privacy engineering techniques to protect data in applications and systems, p. 106-107.

What Is an API Key? | API Key Definition | Fortinet

Validating the privacy framework is a responsibility of the audit function in helping an organization address privacy compliance requirements, as it would help to verify and validate the effectiveness and adequacy of the privacy framework implemented by the organization to comply with privacy principles, laws and regulations. Validating the privacy framework would also help to identify and report any gaps, weaknesses or issues in the privacy framework, and to provide recommendations for improvement or remediation. The other options are not responsibilities of the audit function in helping an organization address privacy compliance requirements. Approving privacy impact assessments (PIAs) is a responsibility of management or governance function in helping an organization address privacy compliance requirements, as they would have authority and accountability for approving PIAs conducted by project teams or business units before implementing any system, project, program or initiative that involves personal data processing activities. Managing privacy notices provided to customers is a responsibility of operational function in helping an organization address privacy compliance requirements, as they would have direct contact and interaction with customers and would be responsible for providing clear and accurate information about how their personal data is collected, used, disclosed and transferred by the organization. 

The vulnerability that would have the greatest impact on the privacy of information is private key exposure, because it would compromise the encryption and decryption of the information, as well as the authentication and integrity of the communicating parties. A private key is a secret and unique value that is used to encrypt or decrypt data, or to sign or verify digital signatures. If an attacker gains access to the private key, they can read, modify, or impersonate the data or the sender, which would violate the confidentiality, integrity, and authenticity of the information12.

References:

CDPSE Review Manual, Chapter 2 – Privacy Architecture, Section 2.3 – Privacy Architecture Implementation3.

CDPSE Certified Data Privacy Solutions Engineer All-in-One Exam Guide, Chapter 2 – Privacy Architecture, Section 2.4 – Remote Access4.

Data privacy and data security are related but distinct concepts that are both essential for protecting personal data. Data privacy is about ensuring that personal data are collected, used, shared and disposed of in a lawful, fair and transparent manner, respecting the rights and preferences of the data subjects. Data privacy also involves implementing policies, procedures and controls to comply with data protection laws and regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Data privacy protects users from unauthorized disclosure of their personal data, which may result in harm, such as identity theft, fraud, discrimination or reputational damage.

Data security is about safeguarding the confidentiality, integrity and availability of data from unauthorized or malicious access, use, modification or destruction. Data security also involves implementing technical and organizational measures to prevent or mitigate data breaches or incidents, such as encryption, authentication, backup or incident response. Data security prevents compromise of data, which may result in loss, corruption or disruption of data.

References:

The Difference Between Data Privacy and Data Security - ISACA, section 1: “Data privacy is focused on the use and governance of personal data—things like putting policies in place to ensure that consumers’ personal information is being collected, shared and used in appropriate ways.”

Practical Data Security and Privacy for GDPR and CCPA - ISACA, section 1: “Data security is the practice of protecting digital information from unauthorized access, corruption or theft throughout its life cycle.”