Module 48: Data Privacy & Data Protection Principles
You can encrypt everything perfectly and still violate privacy law if you collected the data without a legal basis.
Data Privacy focuses on:
- Lawful collection
- Proper use
- Transparency
- Individual rights
- Consent
- Minimization
Data Protection focuses on:
- Safeguards
- Access control
- Encryption
- Retention controls
- Secure disposal
CRISC evaluates alignment between privacy obligations and risk governance.
What the exam is really testing
When privacy appears, CRISC is asking:
- Is data collected lawfully?
- Is consent managed?
- Is retention limited?
- Are rights supported?
- Is cross-border transfer controlled?
- Is data classified?
- Is breach notification structured?
- Is accountability defined?
Privacy failures create regulatory, financial, and reputational risk.
Core privacy principles
Common privacy principles include:
- Lawfulness & fairness
- Transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity & confidentiality
- Accountability
CRISC does not test legal language — but tests risk implications.
Data minimization
Collect only what is necessary.
Over-collection increases:
- Breach impact
- Regulatory penalties
- Monitoring burden
- Liability exposure
CRISC frequently tests over-retention and over-collection.
Purpose limitation
Data should be used only for:
- The purpose it was collected for
- Lawfully authorized uses
Using data beyond its stated purpose increases regulatory risk.
Consent & legal basis
Privacy governance requires:
- Defined legal basis for processing
- Consent tracking (if applicable)
- Withdrawal mechanisms
- Documentation
Lack of documented legal basis increases compliance risk.
Data subject rights
Organizations must be able to:
- Provide access to personal data
- Correct inaccurate data
- Delete data (where applicable)
- Restrict processing
- Provide portability (in some jurisdictions)
Failure to operationalize rights creates governance gaps.
Data protection controls
Data protection includes:
- Encryption at rest and in transit
- Access control
- Logging & monitoring
- Data masking
- Tokenization
- Secure backup
- Secure disposal
Privacy without security controls is ineffective.
Example scenario
An organization collects additional personal data “just in case” it may be useful in the future.
Primary privacy concern?
A. Violation of data minimization principle
B. Strong innovation
C. Reduced inherent risk
D. Strong KPI
Correct answer:
A. Violation of data minimization principle
Over-collection increases liability.
A tougher one
Data is encrypted and access-controlled, but employees use customer data for analytics unrelated to the original purpose.
What principle is violated?
A. Confidentiality
B. Availability
C. Purpose limitation
D. Segregation of duties
Correct answer:
C. Purpose limitation
Privacy governs use — not just protection.
Cross-border data transfers
Privacy governance must evaluate:
- Data residency requirements
- Cross-border restrictions
- Vendor processing locations
- International data transfer safeguards
Cross-border misalignment increases regulatory exposure.
Privacy governance structure
Mature privacy governance includes:
- Defined data owners
- Privacy officer or function
- Policy framework
- Risk assessment integration
- Third-party due diligence
- Incident response coordination
- Monitoring & reporting
Privacy must integrate with enterprise risk management.
Breach notification
Privacy frameworks often require:
- Defined reporting timelines
- Regulatory notification
- Affected individual notification
- Impact assessment
- Escalation procedures
Failure to notify appropriately increases penalties.
Third-party privacy risk
Organizations must evaluate:
- Vendor data processing practices
- Contractual safeguards
- Sub-processor transparency
- Data return and destruction
- Monitoring obligations
Outsourcing processing does not outsource accountability.
The most common exam mistakes
The exam loves the security-vs-privacy distinction. If every answer you pick is about encryption or access controls, you are thinking like a security engineer, not a risk manager. Privacy is about lawful use, purpose limitation, consent, and retention — all of which can be violated even when the data is technically well-protected. Another trap: assuming that outsourcing data processing to a vendor transfers your accountability. It does not.
An organization maintains strong technical controls but cannot identify where personal data resides across systems.
What risk remains MOST significant?
A. Strong mitigation
B. Improved KPI
C. Reduced inherent risk
D. Lack of data visibility and governance control
Correct answer:
D. Lack of data visibility and governance control
You cannot govern what you cannot see.
Quick knowledge check
1) Data minimization primarily reduces:
A. KPI tracking
B. Breach impact and regulatory exposure
C. Encryption overhead
D. Risk appetite
Answer & reasoning
Correct: B
Less stored sensitive data reduces liability.
2) Privacy differs from security because privacy primarily governs:
A. Encryption strength
B. Lawful and appropriate data use
C. Firewall configuration
D. Availability
Answer & reasoning
Correct: B
Privacy governs use and rights.
3) Failure to manage cross-border data transfers most directly increases:
A. Inherent risk reduction
B. KPI performance
C. Risk avoidance
D. Regulatory compliance risk
Answer & reasoning
Correct: D
Cross-border misalignment creates regulatory exposure.
Final takeaway
Data Privacy & Data Protection require:
- Lawful collection
- Data minimization
- Purpose limitation
- Defined legal basis
- Rights management
- Strong safeguards
- Vendor governance
- Breach notification discipline
- Retention alignment
- Executive accountability
Remember: security protects data, but privacy governs how it is used. Privacy risk is regulatory and reputational risk, not just technical exposure. Keep that distinction clear and you will navigate these questions well.