dmease
Newcomer I

Query on content of ISC2 Course: GDPR for Security Professionals - A Framework for Success

Hi,

Please forgive my potential naivety here, however I am a little confused, and it may be down to specific wording and nuances...

In Module 1, there is an initial 'GDPR facts' with two important points:

- The GDPR does not include privacy

- The GDPR does not talk about personally identifiable data

Firstly, the testimonial in Module 1 @ approx 02:08 notes that privacy is a key pillar.  Secondly, Article 4 notes "'personal data' means any information relating to an identified or identifiable natural person ('data subject')"

I have to admit I am a little confused here...  I thought one of the key points was around identifying which personal data is collected and protected.  Any guidance and comments on this would be sincerely appreciated!

Many thanks,

4 Replies
AppDefects
Community Champion

Remember that GDPR was exported from the EU; hence, a heavy reliance on the use of the term "Personal Data (PD)". I'm not going to say that the definition of PD is equivalent to the term "Personally Identifiable Information", which is more prevalent in the USA and Canada, but it is close enough for a framework. GDPR includes both security and privacy controls to protect PD, PII, and sensitive information – sure it does not cover the gamut of Classified Uncontrolled Information (CUI) that NARA prescribes but yeah, that is another topic for another day. Data Subjects are equivalent to people😉

dmease
Newcomer I

Cheers AppDefects!

It mirrors my thinking, which is why I posted.  A GDPR course hosted on the ISC2 site has the two key facts stated in the opening materials, which does not make sense to me.  I will look to follow up with... somebody...  I have a technical support link, but no details regarding who I would reach out to if I have a problem with course content!

Thanks again,

AlecTrevelyan
Community Champion

@dmease wrote:

Hi,

Please forgive my potential naivety here, however I am a little confused, and it may be down to specific wording and nuances...

In Module 1, there is an initial 'GDPR facts' with two important points:

- The GDPR does not include privacy

- The GDPR does not talk about personally identifiable data

Firstly, the testimonial in Module 1 @ approx 02:08 notes that privacy is a key pillar.  Secondly, Article 4 notes "'personal data' means any information relating to an identified or identifiable natural person ('data subject')"

I have to admit I am a little confused here...  I thought one of the key points was around identifying which personal data is collected and protected.  Any guidance and comments on this would be sincerely appreciated!

Many thanks,

Yes, those 2 points I've highlighted in blue above are just badly worded.

To be correct they should say:

- The text of the GDPR does not include the word "privacy" (other than in one footnote)

- The text of the GDPR does not include the phrase "personally identifiable data"

Of course privacy and personally identifiable data are significant themes running throughout the text even if they don't use those specific words or phrases.

Steve-Wilme
Advocate II

The terms 'personal data' and 'special categories of data' are used in the GDPR text.  PII is generally a US/Canadian term for personal data.  If you examine the definitions in article 4 of GDPR it's pretty clearly worded.  The definition of 'processing' is also useful to examine as it's broader than you'd imagine.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS