Data Privacy Flashcards
What is the information life cycle?
Creation and receipt - create data internally or receive data from a 3rd party
Distribution - Records are sorted and stored
Use - Make business decision, create products and services
Maintenance - Ongoing data retrieval and data transfers
Disposition - Archiving or disposal of data
What is a PIA?
Privacy impact assessment.
This is a way of understanding how new processes or projects will affect customer and corporate data privacy.
What is the difference between proprietary information, PII, and PHI?
Proprietary information
Data that is the property of an organization, such as trade secrets or other data unique to an organization.
PII - Personally identifiable information
Data that can be used to identify an individual, such as your name, address, phone number, biometric information, etc.
PHI - Protected health information
Health information associated with an individual, such as health status, health care records, payments for health care, etc.
What is tokenization?
This is a way of using your personal data... without actually using your personal data.
This replaces sensitive data with a non-sensitive placeholder.
SSN 266-12-1112 is now 691-61-8539
This is common in credit card processing, where you use a temporary token during payment (especially if you are using NFC).
We are able to tie tokens back to credit card numbers because a single database matches them up.
This isn't hashing or encryption. The original data and the token are not mathematically related.
It is also lightweight, because it doesn't need the CPU work that encryption requires.
What is data minimization?
This is collecting only the data needed to perform the required function.
This is relevant to HIPAA and GDPR, which both have a "minimum necessary" rule.
What is data masking?
Data masking is data obfuscation.
It shows that the data exists without letting you see any of it.
The data may only be hidden from view and still exist intact in storage.
This is like when you get a receipt that has your credit card number as:
“****2512”
What is anonymization?
This is taking existing data and making it impossible to identify an individual in a dataset.
Allows for data use without privacy concerns.
Many different anonymization techniques: hashing, masking, etc.
An example of this would be if you were trying to analyze customer purchases and you changed the name, phone number, and address in the data, but left intact the product name, quantity, total, and sale date.
Anonymization cannot be reversed.
What is pseudo-anonymization (or pseudonymization)?
Similar to anonymization but it may be reversible.
This would be done by replacing personal information with pseudonyms, and is often used to maintain statistical relationships in data.
Probably reversible.
One of the ways to do this would be to present a different name every time the record is accessed.
You might have a consistent replacement as well where a name is always changed to the same alternate name.
What is a data owner?
This is a person in the organization that is responsible for specific data, often a senior officer.
For example, the VP of sales owns the customer relationship data.
Or the Treasurer owns the financial information.
Who is a data controller?
Data controllers are responsible for the purposes and means by which personal data is processed.
Who is a data processor?
Data processors are the people who process data on behalf of the data controller.
They can be a third party.
Let's do an example:
Your company outsources payroll to a third-party company.
The payroll department at your company is the data controller, and it defines payroll amounts and timeframes.
The company you have hired is the data processor, because it processes the payroll and stores employee information.
Who is a data custodian?
Same as a data steward.
The words are interchangeable.
This is the name for people who are responsible for data accuracy, privacy, and security.
They assign sensitivity labels to the data.
They also keep your organization compliant with all applicable laws and standards related to the data.
They will also implement security controls and control who can access what information.
Who is a DPO?
Data protection officer.
This is a more senior member of your company who is responsible for the organization's data privacy, in a managerial-type role.
They will set policies, implement processes and procedures, and more.