Module 48: Data Privacy & Data Protection Principles
Security protects data.
Privacy governs how data is used.
Data Privacy focuses on:
- Lawful collection
- Proper use
- Transparency
- Individual rights
- Consent
- Minimization
Data Protection focuses on:
- Safeguards
- Access control
- Encryption
- Retention controls
- Secure disposal
CRISC evaluates alignment between privacy obligations and risk governance.
What the exam is really testing
When privacy appears, CRISC is asking:
- Is data collected lawfully?
- Is consent managed?
- Is retention limited?
- Are rights supported?
- Is cross-border transfer controlled?
- Is data classified?
- Is breach notification structured?
- Is accountability defined?
Privacy failures create regulatory, financial, and reputational risk.
Core privacy principles
Common privacy principles include:
- Lawfulness & fairness
- Transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity & confidentiality
- Accountability
CRISC does not test legal language; it tests the risk implications of these principles.
Data minimization
Collect only what is necessary.
Over-collection increases:
- Breach impact
- Regulatory penalties
- Monitoring burden
- Liability exposure
CRISC frequently tests over-retention and over-collection.
Purpose limitation
Data should be used only for:
- The purpose it was collected for
- Lawfully authorized uses
Using data beyond its stated purpose increases regulatory risk.
Consent & legal basis
Privacy governance requires:
- Defined legal basis for processing
- Consent tracking (if applicable)
- Withdrawal mechanisms
- Documentation
Lack of documented legal basis increases compliance risk.
Data subject rights
Organizations must be able to:
- Provide access to personal data
- Correct inaccurate data
- Delete data (where applicable)
- Restrict processing
- Provide portability (in some jurisdictions)
Failure to operationalize rights creates governance gaps.
Data protection controls
Data protection includes:
- Encryption at rest and in transit
- Access control
- Logging & monitoring
- Data masking
- Tokenization
- Secure backup
- Secure disposal
Privacy without security controls is ineffective.
Example scenario
An organization collects additional personal data “just in case” it may be useful in the future.
Primary privacy concern?
A. Strong innovation
B. Violation of data minimization principle
C. Reduced inherent risk
D. Strong KPI
Correct answer:
B. Violation of data minimization principle
Over-collection increases liability.
Slightly harder scenario
Data is encrypted and access-controlled, but employees use customer data for analytics unrelated to the original purpose.
What principle is violated?
A. Confidentiality
B. Purpose limitation
C. Availability
D. Segregation of duties
Correct answer:
B. Purpose limitation
Privacy governs use — not just protection.
Cross-border data transfers
Privacy governance must evaluate:
- Data residency requirements
- Cross-border restrictions
- Vendor processing locations
- International data transfer safeguards
Cross-border misalignment increases regulatory exposure.
Privacy governance structure
Mature privacy governance includes:
- Defined data owners
- Privacy officer or function
- Policy framework
- Risk assessment integration
- Third-party due diligence
- Incident response coordination
- Monitoring & reporting
Privacy must integrate with enterprise risk management.
Breach notification
Privacy frameworks often require:
- Defined reporting timelines
- Regulatory notification
- Affected individual notification
- Impact assessment
- Escalation procedures
Failure to notify appropriately increases penalties.
Third-party privacy risk
Organizations must evaluate:
- Vendor data processing practices
- Contractual safeguards
- Sub-processor transparency
- Data return and destruction
- Monitoring obligations
Outsourcing processing does not outsource accountability.
The most common exam mistakes
Candidates often:
- Confuse security and privacy.
- Focus only on encryption.
- Ignore purpose limitation.
- Forget retention risk.
- Overlook regulatory reporting obligations.
- Assume vendor liability eliminates accountability.
CRISC evaluates accountability discipline.
Slightly uncomfortable scenario
An organization maintains strong technical controls but cannot identify where personal data resides across systems.
What risk remains MOST significant?
A. Strong mitigation
B. Lack of data visibility and governance control
C. Reduced inherent risk
D. Improved KPI
Correct answer:
B. Lack of data visibility and governance control
You cannot govern what you cannot see.
Quick knowledge check
1) Data minimization primarily reduces:
A. KPI tracking
B. Breach impact and regulatory exposure
C. Encryption overhead
D. Risk appetite
Answer & reasoning
Correct: B
Less stored sensitive data reduces liability.
2) Privacy differs from security because privacy primarily governs:
A. Encryption strength
B. Lawful and appropriate data use
C. Firewall configuration
D. Availability
Answer & reasoning
Correct: B
Privacy governs use and rights.
3) Failure to manage cross-border data transfers most directly increases:
A. Inherent risk reduction
B. Regulatory compliance risk
C. Risk avoidance
D. KPI performance
Answer & reasoning
Correct: B
Cross-border misalignment creates regulatory exposure.
Final takeaway
Data Privacy & Data Protection require:
- Lawful collection
- Data minimization
- Purpose limitation
- Defined legal basis
- Rights management
- Strong safeguards
- Vendor governance
- Breach notification discipline
- Retention alignment
- Executive accountability
Security protects data.
Privacy governs how it is used.
CRISC rewards candidates who understand that:
Privacy risk is regulatory and reputational risk — not just technical exposure.