BigID for Data Privacy

Question 1

Privacy cannot be easily addressed by today’s classification or cataloging tools. It
requires people and residency views. It requires

Answer 1

knowledge of context (where is it,

who created it, who is accessing it etc).

Question 2

PII

Answer 2

Personally Identifiable Information

Question 3

PI

Answer 3

Personal Information

Question 4

PII can be used on its own or with other

information to

Answer 4

identify, contact, or locate a single person, or an individual in context

Question 5

PI describes

Answer 5

a broad range of data that can be linked or linkable to an individual

Question 6

PI is non-synonymous with PII and

significantly broader

Answer 6

It covers social media posts, photographs, lifestyle preferences, transaction histories and even IP addresses

Question 7

PII refers to a relatively narrow data set such as

Answer 7

name, address, birth date, Social Security number and financial information such as
credit card numbers or bank accounts that can be used to identify a person

Question 8

Private Data” is NOT a synonym with

Answer 8

“Personal Data”, and is not a term that should be used in a privacy context. It
only applies in classification discussions and data governance in the context of private data vs public data.

Question 9

The European General Data Protection Regulation applies to

Answer 9

any entity that collects, stores and processes GDPR-related data in the EU -
whether or not the entity or the data subject are domiciled in the EU. Applies to organizations (private, government, non-profit) conducting business in the EU even if they don’t have an office there

Question 10

The driving intent of GDPR is that privacy considerations become an integral
component of how business collect and process customer or employee data for EU
residents. Designed to

Answer 10

foster responsibility and transparency, the GDPR introduces not only obligations for organizations but most significantly rights for individuals whose data is being collected - including access rights, explicit and revocable consent requirements, data portability and the Right-to-Be-Forgotten (ie erasure of data).

Question 11

Subject Rights Puts the Customer in the Driver’s Seat. Organizations need to have

Answer 11

explicit consent to collect data, and only

attributes that are covered by purpose of use limitations

Question 12

GDPR mandates that data subjects have access to

Answer 12

all the data that a covered entity stores about them, and the ability to modify and delete the data

Question 13

In effect, under GDPR, organizations don’t

Answer 13

own their customer data, but they are responsible for the data they store

Question 14

Organizations that have customer data are either

Answer 14

controllers (with direct responsibility), or processors (that perform operations on behalf of controllers under defined contractual terms)

Question 15

GDPR expands the definition of what constitutes personal data to

Answer 15

any data that can be tied to a specific individual

Question 16

Traditional data discovery tools are designed to find personally identifiable data based on pattern matching. They don’t

Answer 16

associate the data they find back to individual, and can’t infer what could be
considered personal data based on identifiability and context.

Question 17

GDPR outlines a set of principles that

Answer 17

controllers need to adhere to in order to
protect and maintain data privacy for all personal data - not just attest to and
provide evidence of controls for securing sensitive data (as defined under PCI
DSS or even NY DFS Cybersecurity, for example).

Question 18

GDPR Key Principles: Accountability

Answer 18

can the controller provide an accurate and comprehensive accounting of whose data they have, where the data it is, and how it’s being processed, stored and accessed?

Question 19

GDPR Key Principles: Transparency

Answer 19

Can the processor demonstrate and attest that they are only collecting the data they should based on consent agreements and defined use of purpose

Question 20

GDPR Key Principles: Traceability

Answer 20

Can organizations determine how they collected personal data, which system the data came from and where it is stored

Question 21

GDPR Key Principles: Risk-based Framework

Answer 21

GDPR requires controllers to think about the probability of a failure in controls and safeguards, and then gauge the harm
resulting from a failure to an individual’s privacy.

Question 22

GDPR compliance does not automatically

guarantee

Answer 22

CCPA compliance

Question 23

CCPA fines can reach

Answer 23

$7,500 per violation, with no cap

Question 24

CCPA Consumer Data Rights Obligations Rights

Answer 24

Right to Know, Right to Access, Right to Disclosure, Right to Opt Out and Right to Delete.

Right to know if personal information is sold and to whom, and right to refuse selling personal information

Question 25

CCPA Consumer Data Rights Obligations Obligation

Answer 25

Obligation to build and maintain data inventory & processing registry

Obligation to determine and monitor identifiability of data

Question 26

CCPA Expanded definition of “personal information”

Answer 26

Personal information is data linked or linkable to a CA consumer or household, not just PII

Question 27

CCPA Accountability In Data Processing

Answer 27

Operationalized opt-out & delineation between sold, transferred, and processed data

Question 28

With CCPA, we introduce the concept of personal information, which is

Answer 28

similar to personal data under GDPR, and NOT similar to PII.

Question 29

Personal information replaces PII with a much broader definition based on

Answer 29

linkable, not identifiable, and as a by-product will reduce the value of traditional tools focusing on just the identifiable capabilities.

Question 30

Data Subject Access Requests give individuals the right to

Answer 30

access their personal data.
• Can be made verbally, electronically or in writing
• Response is required within one month
• In most circumstances, fees may not be charged

Question 31

Recent real-world cases prove that data subjects’ rights can be one of most
nuanced and

Answer 31

challenging areas of modern privacy regulations

Question 32

The DPIA (Data Protection Impact Assessment) is a report card for

Answer 32

organizations on how well they protect personal data

Question 33

Unlike a traditional PIA (privacy impact assessment), which is a reactive, survey-based and manually-intensive rough evaluation of privacy risk, DPIAs involve

Answer 33

a complete rethink of data flows to protect private data using automation and real insights into data context

Question 34

DPIAs introduce two significant changes over PIAs

Answer 34

• DPIAs should be completed before a new service is launched (rather than at regular intervals for existing services)
•Organizations need to proactively assess personal data collection/processing risk, and determine if adequate controls
and protections are in place to mitigate this risk

Question 35

The elements of a DPIA: A systematic description of the processing operations and purposes

Answer 35

What and why are we processing this data?

Question 36

The elements of a DPIA: An assessment of the necessity and proportionality of the processing operations given these purposes

Answer 36

Is there really a need to collect all this data?

Question 37

The elements of a DPIA: An assessment of the risks to data subject rights

Answer 37

How does collecting this data affect the data subject?

Question 38

The elements of a DPIA: The measures needed to address the risks

Answer 38

What controls and mechanisms do we need to protect the data and data subject, and to comply with the law?

Question 39

Ideally, a DPIA should be built from and based on

Answer 39

actual data flows and systems mapping,
and help to keep evaluation processes in alignment across business units and functional roles. After all, security teams and privacy officers have different points of departure for understanding risk.

Question 40

What many organizations discover as they embark on tackling their first Privacy Impact Assessment (PIA) are the usual set of challenges and inefficiencies entailed with filling out templates and conducting surveys to determine data location, ownership and usage. Without visibility into actual data the manual assessment process is

Answer 40

slow, expensive, error prone and hard to maintain.

Question 41

Article 15

Answer 41

Right of access for the data

BigID can generate a Data Subject Access Report which provides an inventory of what data is stored for a given data
subject, where, and for what purpose of use. A Data Portability report can also be generated for providing this
information to the data subject. Like other functionality in BigID, this capability is accessible via the UI, and programmatically via the API.

Question 42

Article 16

Answer 42

Right to rectification

BigID facilitates a Data Subject’s request for data rectification, and an organization’s compliance with said request
across all applicable data sources and repositories.

Question 43

Article 17

Answer 43

Right to erasure (“right to be
forgotten”)

BigID can trigger a deletion workflow process which provides detailed information about location of all applicable data
subject information. The deletion request can be routed using BigID’s integrated workflow system, or via integration
with a customer’s ticketing system

Question 44

Article 30

Answer 44

Records of processing activities

BigID Business Flow Mapping module facilitates automated and collaborative creation of documentation necessary to
provide full record of personal data processing activities.

Question 45

Article 33

Answer 45

Notification of a
breach to the DPA

BigID inventory reflects the identities of the data subjects whose information is stored in each data source. In case of
a breach, BigID can generate an exact list of data subjects directly impacted by the breach who must be notified. BigID
can also indicate risk to the data subject, in order to determine whether there is a need to notify the DPA.

Question 46

Cross-Border Data

Transfers

Answer 46

BigID helps detect the transfer of data across countries and geographies by monitoring audit logs and collaboration
tasks which collect additional information from the business owners.