
Data Privacy & Security Updated · Jul 3, 2026

A sourced reference on Data Privacy & Security.

What is the GDPR and who does it apply to?

The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, has applied since May 25, 2018 and governs how organizations collect, store, and process the personal data of individuals in the EU. Under Article 3 it applies to organizations established in the EU regardless of where the processing itself takes place, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, regardless of where the organization is headquartered.

Sources
Data protection in the EU
official · European Commission · 2024-01-01

What are the maximum fines under GDPR?

For the most serious infringements, such as breaching the basic principles for processing or data subjects' rights, GDPR fines reach up to €20 million or 4% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5)). A lower tier of up to €10 million or 2% of worldwide turnover, again whichever is higher, applies to infringements of controller and processor obligations such as failing to keep records of processing activities or to notify a breach (Article 83(4)).

Sources
Guidelines 04/2022 on the calculation of administrative fines under the GDPR
official · European Data Protection Board · 2023-05-24

What is the California Consumer Privacy Act (CCPA) and what rights does it grant?

The California Consumer Privacy Act (CCPA), effective January 1, 2020, grants California residents the right to know what personal data businesses collect, the right to delete it, the right to opt out of its sale, and the right to non-discrimination for exercising those rights.

Sources
California Consumer Privacy Act (CCPA)
official · California Department of Justice – Office of the Attorney General · 2023-07-01

How does the California Privacy Rights Act (CPRA) differ from the CCPA?

The CPRA, approved by California voters in November 2020 and operative from January 1, 2023, expanded the CCPA by adding the right to correct inaccurate personal information, the right to limit the use and disclosure of sensitive personal information, an opt-out from "sharing" personal information for cross-context behavioral advertising, and a requirement to disclose retention periods and not keep data longer than reasonably necessary. It also created the California Privacy Protection Agency (CPPA) as a dedicated rulemaking and enforcement authority alongside the Attorney General.

Sources
CPPA Regulations – California Privacy Rights Act
official · California Privacy Protection Agency · 2024-03-29

What legally constitutes a data breach and when must it be reported?

Under GDPR Article 4(12), a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Article 33 requires controllers to notify their supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals; a processor must notify the controller without undue delay. Under Article 34, affected individuals must also be informed without undue delay when the breach is likely to result in a high risk to their rights and freedoms. Other regimes set their own clocks, so the notification timeline has to be worked out per jurisdiction before an incident happens.

Sources
Personal Data Breaches
official · European Union Agency for Cybersecurity (ENISA) · 2024-01-01

What is Zero Trust security and how does it work?

Zero Trust is a cybersecurity model operating on the principle of "never trust, always verify." No user, device, or network segment is trusted by default: every access request must be authenticated, authorized, and continuously validated regardless of whether it originates inside or outside the network perimeter. NIST SP 800-207 frames this as moving the access decision from network location to a policy decision point that evaluates each request against identity, device health, and other context, granting access to individual resources rather than to a network.

Sources
SP 800-207: Zero Trust Architecture
official · National Institute of Standards and Technology (NIST) · 2020-08-11

What is multi-factor authentication (MFA) and why is it important?

Multi-factor authentication (MFA) requires users to verify identity using two or more independent factors: something you know (a password or PIN), something you have (a hardware token, authenticator app, or smartphone), or something you are (a biometric). CISA's "More Than a Password" campaign states that using MFA makes an account 99% less likely to be compromised than a password alone. Not all factors are equal: CISA recommends phishing-resistant MFA such as FIDO2/WebAuthn security keys or PIV cards over SMS codes and one-time passwords, which can be relayed by an attacker-in-the-middle phishing page.

Sources
More Than a Password – Multi-Factor Authentication
official · Cybersecurity and Infrastructure Security Agency (CISA) · 2023-10-01

How does encryption protect data at rest and in transit?

Encryption converts plaintext into ciphertext using a cryptographic algorithm and key, rendering it unreadable without the correct decryption key. Encryption at rest protects stored data (disks, databases, backups, object storage); TLS protects data in transit across networks (SSL is obsolete and should be disabled). NIST approves AES (FIPS 197) with 128-, 192-, or 256-bit keys, used in an authenticated mode such as GCM (SP 800-38D) so that tampering is detected as well as confidentiality preserved, and SP 800-52 Rev. 2 requires TLS 1.2 at minimum and recommends supporting TLS 1.3. Key management, covered in SP 800-57, is usually the weak point: encryption only helps when keys are generated randomly, stored separately from the data, rotated, and not hard-coded.
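
An added example (not NIST's or this page's code) of encryption at rest with AES-256-GCM in Go, using only the standard library. The key, the sample record and the associated-data label are constructed for the demonstration. It shows why an authenticated mode matters: flipping a single bit of the stored ciphertext, or presenting it under the wrong context label, makes decryption fail instead of silently returning corrupted plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a fresh 256-bit key from the OS CSPRNG. In production the key
// lives in a KMS or HSM, or is wrapped by one; it is never hard-coded.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt seals plaintext with AES-256-GCM. A random 96-bit nonce is generated
// per message and prepended to the output; aad (for example a record ID or
// column name) is authenticated but not encrypted, binding the ciphertext to
// the context it belongs to.
func encrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// decrypt splits off the nonce and opens the ciphertext. Any change to the
// nonce, ciphertext, tag or aad makes Open fail, so tampering is detected
// before any plaintext is returned.
func decrypt(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	record := []byte("ssn=123-45-6789") // constructed sample field
	aad := []byte("customer:42:ssn")    // constructed context label
	sealed, _ := encrypt(key, record, aad)
	fmt.Printf("sealed %d plaintext bytes into %d bytes (nonce + ciphertext + 16-byte tag)\n", len(record), len(sealed))
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := decrypt(key, sealed, aad); err != nil {
		fmt.Println("tampered ciphertext rejected:", err)
	}
}
```

With a random 96-bit nonce, the same key should not be used for more than roughly 2^32 messages; beyond that, rotate the key or derive per-record keys.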

Sources
Cryptographic Standards and Guidelines
official · National Institute of Standards and Technology (NIST) · 2024-01-01

What is the principle of least privilege in cybersecurity?

The principle of least privilege (PoLP) mandates that every user, application, or system process is granted only the minimum access rights necessary to perform its function, and no more; NIST SP 800-53 Rev. 5 makes it an explicit control (AC-6). Limiting access reduces the attack surface and contains the damage if credentials are compromised or an insider threat materializes. In practice it means granting specific actions on specific resources rather than wildcard permissions, reviewing entitlements regularly, and removing access that is no longer used.
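
To make the Zero Trust and least-privilege principles above concrete, here is an added example (not from this page, NIST SP 800-207 or SP 800-53) of a small policy decision point in Go. The Grant and Request types, the grant list, the 8-hour re-authentication limit and the user and resource names are all constructed for illustration. Every request is evaluated per call on identity, MFA, session age and device posture, with the source network logged but never trusted (Zero Trust), and an action is allowed only if the caller's role has been granted exactly that action on exactly that resource, with wildcard grants rejected at authoring time (least privilege).

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Grant is one least-privilege entitlement: a role may perform exactly the
// listed actions on exactly one resource. Wildcards are not accepted.
type Grant struct {
	Role     string
	Actions  []string
	Resource string
}

// Request carries every signal the policy engine weighs on each call.
type Request struct {
	User, Role       string
	Action, Resource string
	MFA              bool          // a strong second factor was used this session
	AuthAge          time.Duration // time since the user last authenticated
	DeviceManaged    bool
	DeviceCompliant  bool   // disk encrypted, patched, endpoint agent healthy
	SourceNetwork    string // "corp" or "internet": logged, never trusted
}

// maxAuthAge bounds how long an authentication is honoured before the user
// must prove identity again (continuous validation). Constructed value.
const maxAuthAge = 8 * time.Hour

// validateGrants enforces least privilege at policy-authoring time by
// rejecting wildcard actions or resources before they can be deployed.
func validateGrants(grants []Grant) error {
	for _, g := range grants {
		if g.Resource == "*" || strings.HasSuffix(g.Resource, "/*") {
			return fmt.Errorf("role %q: wildcard resource %q", g.Role, g.Resource)
		}
		for _, a := range g.Actions {
			if a == "*" || strings.HasSuffix(a, ":*") {
				return fmt.Errorf("role %q: wildcard action %q", g.Role, a)
			}
		}
	}
	return nil
}

// decide is the policy decision point. Every request is evaluated the same
// way whether it arrives from the corporate LAN or the internet: identity,
// session freshness and device posture are checked on each call, and the
// action must be explicitly granted to the caller's role for that resource.
func decide(grants []Grant, r Request) (bool, string) {
	switch {
	case !r.MFA:
		return false, "deny: MFA not satisfied"
	case r.AuthAge > maxAuthAge:
		return false, "deny: re-authentication required"
	case !r.DeviceManaged || !r.DeviceCompliant:
		return false, "deny: device not compliant"
	}
	for _, g := range grants {
		if g.Role != r.Role || g.Resource != r.Resource {
			continue
		}
		for _, a := range g.Actions {
			if a == r.Action {
				return true, "allow: " + a + " on " + g.Resource + " granted to role " + g.Role
			}
		}
	}
	return false, "deny: no grant for " + r.Action + " on " + r.Resource
}

// demoGrants is a constructed policy: analysts read invoices, admins also write.
var demoGrants = []Grant{
	{Role: "billing-analyst", Actions: []string{"read"}, Resource: "db/billing/invoices"},
	{Role: "billing-admin", Actions: []string{"read", "write"}, Resource: "db/billing/invoices"},
}

func main() {
	if err := validateGrants(demoGrants); err != nil {
		panic(err)
	}
	reqs := []Request{
		{User: "alice", Role: "billing-analyst", Action: "read", Resource: "db/billing/invoices",
			MFA: false, AuthAge: time.Hour, DeviceManaged: true, DeviceCompliant: true, SourceNetwork: "corp"},
		{User: "alice", Role: "billing-analyst", Action: "read", Resource: "db/billing/invoices",
			MFA: true, AuthAge: time.Hour, DeviceManaged: true, DeviceCompliant: true, SourceNetwork: "internet"},
		{User: "alice", Role: "billing-analyst", Action: "write", Resource: "db/billing/invoices",
			MFA: true, AuthAge: time.Hour, DeviceManaged: true, DeviceCompliant: true, SourceNetwork: "corp"},
	}
	for _, r := range reqs {
		ok, why := decide(demoGrants, r)
		fmt.Printf("%s from %-8s %-5s %s -> %v (%s)\n", r.User, r.SourceNetwork, r.Action, r.Resource, ok, why)
	}
}
```

Running it shows the on-LAN request without MFA denied, the internet request with a compliant device and fresh MFA allowed, and the analyst's write attempt denied because the grant never included it: being "inside" buys nothing, and holding a role buys only what the role was explicitly given.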

Sources
SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations
official · National Institute of Standards and Technology (NIST) · 2020-09-23

What is a Data Protection Officer (DPO) and when is one required?

A Data Protection Officer (DPO) is a designated expert responsible for advising on and monitoring an organization's GDPR compliance, and who acts as the contact point for the supervisory authority and for data subjects. Under GDPR Article 37, a DPO is mandatory for public authorities and bodies (except courts acting in their judicial capacity), for organizations whose core activities require regular and systematic monitoring of individuals on a large scale, and for those whose core activities consist of large-scale processing of special categories of data (Article 9) or of data relating to criminal convictions and offences (Article 10). The DPO must be able to act independently and report to the highest level of management.

Sources
Guidelines on Data Protection Officers (DPOs)
official · European Data Protection Board · 2022-10-04

What is a Data Protection Impact Assessment (DPIA) and when is it required?

A Data Protection Impact Assessment (DPIA) is a structured process to identify and minimize privacy risks before launching a new data processing activity. Under GDPR Article 35, a DPIA is mandatory when processing is likely to result in a high risk to individuals' rights and freedoms; the Article names systematic and extensive profiling with legal or similarly significant effects, large-scale processing of special categories of data, and large-scale systematic monitoring of publicly accessible areas as examples. If the DPIA shows a high residual risk that cannot be mitigated, the controller must consult the supervisory authority before processing begins (Article 36).

Sources
Guidelines on Data Protection Impact Assessment (DPIA)
official · European Data Protection Board · 2022-10-04

What is data minimization and why does it matter for compliance?

Data minimization is the GDPR principle under Article 5(1)(c) requiring organizations to collect only personal data that is adequate, relevant, and limited to what is necessary for the specified purpose. Collecting less data directly reduces breach exposure, storage costs, and regulatory liability if a security incident occurs.

Sources
Data protection in the EU
official · European Commission · 2024-01-01

What is phishing and what are the most common types organizations face?

Phishing is a social-engineering attack in which adversaries impersonate trusted entities via email, SMS (smishing), or voice calls (vishing) to steal credentials or financial data, or to get a victim to run malware. The FBI's Internet Crime Complaint Center (IC3) consistently ranks phishing and spoofing as the most reported cybercrime by complaint volume; spear-phishing (targeted at specific individuals) and whaling (targeted at executives) are the variants enterprises most often face, frequently as the first step of business email compromise or ransomware intrusions.
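
The following Go program is an added example, not part of this page or the IC3 report, of the header heuristics a mail gateway or SOC triage script applies to catch the common variants: display-name impersonation, lookalike sender domains, a Reply-To pointing somewhere else, failed SPF/DMARC results and urgency lures in the subject. The protected brand list, the confusable-character substitutions and both sample messages are constructed for the example.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Message holds the header fields these heuristics inspect.
type Message struct {
	From        string // raw From: header value
	ReplyTo     string // raw Reply-To: header value, may be empty
	AuthResults string // Authentication-Results: header added by the receiving MTA
	Subject     string
}

// brand pairs a name as it appears in display names with the domain that
// brand legitimately sends from. Constructed for this example.
type brand struct{ name, domain string }

var protectedBrands = []brand{
	{"acme", "acme.example"},
	{"payroll", "payroll.example"},
}

// confusables undoes common lookalike substitutions before comparing domains.
var confusables = strings.NewReplacer("rn", "m", "vv", "w", "0", "o", "1", "l")

func domainOf(addr string) string {
	at := strings.LastIndex(addr, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(addr[at+1:])
}

// analyze returns the phishing indicators found in msg, in a fixed order.
func analyze(msg Message) []string {
	var findings []string
	from, err := mail.ParseAddress(msg.From)
	if err != nil {
		return []string{"unparseable From header"}
	}
	fromDomain := domainOf(from.Address)
	name := strings.ToLower(from.Name)
	for _, b := range protectedBrands {
		sameOrg := fromDomain == b.domain || strings.HasSuffix(fromDomain, "."+b.domain)
		// Display-name spoofing: the name claims the brand, the address does not.
		if strings.Contains(name, b.name) && !sameOrg {
			findings = append(findings, "display name impersonates "+b.name)
		}
		// Lookalike domain: differs from the real one only by confusable characters.
		if !sameOrg && confusables.Replace(fromDomain) == confusables.Replace(b.domain) {
			findings = append(findings, "lookalike domain "+fromDomain)
		}
	}
	if msg.ReplyTo != "" {
		if rt, err := mail.ParseAddress(msg.ReplyTo); err == nil && domainOf(rt.Address) != fromDomain {
			findings = append(findings, "Reply-To domain differs from From")
		}
	}
	ar := strings.ToLower(msg.AuthResults)
	if strings.Contains(ar, "spf=fail") || strings.Contains(ar, "dmarc=fail") {
		findings = append(findings, "sender authentication failed")
	}
	subj := strings.ToLower(msg.Subject)
	for _, lure := range []string{"urgent", "immediately", "password", "verify your account"} {
		if strings.Contains(subj, lure) {
			findings = append(findings, "urgency or credential lure in subject")
			break
		}
	}
	return findings
}

// Constructed sample messages; neither is a real email.
var phish = Message{
	From:        `"ACME IT Helpdesk" <helpdesk@acrne.example>`,
	ReplyTo:     `reset@mail-relay.example`,
	AuthResults: `mx.example; spf=pass smtp.mailfrom=acrne.example; dmarc=none`,
	Subject:     `URGENT: verify your account within 24 hours`,
}

var benign = Message{
	From:        `"ACME IT Helpdesk" <helpdesk@acme.example>`,
	AuthResults: `mx.example; spf=pass; dkim=pass; dmarc=pass header.from=acme.example`,
	Subject:     `Scheduled maintenance on Saturday`,
}

func main() {
	for _, m := range []Message{phish, benign} {
		f := analyze(m)
		fmt.Printf("%s -> %d finding(s): %v\n", m.From, len(f), f)
	}
}
```

Note that the lookalike message passes SPF: the attacker controls acrne.example and published a valid record for it, which is why sender authentication alone does not catch impersonation and the display-name and lookalike checks are needed alongside it.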

Sources
2023 Internet Crime Report
official · Federal Bureau of Investigation – Internet Crime Complaint Center (IC3) · 2024-03-06

What is a SOC 2 report and why do enterprises require vendors to have one?

A SOC 2 report is an independent CPA firm's attestation on a service organization's controls against the AICPA Trust Services Criteria, which cover five categories: security (the common criteria, which every SOC 2 must address), availability, processing integrity, confidentiality, and privacy (each included at the service organization's option). A Type 1 report covers the design of controls at a point in time; a Type 2 report also tests their operating effectiveness over a period, typically six to twelve months. Enterprises request the report before entrusting a vendor with sensitive data because it gives audited evidence, rather than self-attestation, of how the vendor protects that data.

Sources
System and Organization Controls (SOC) Suite of Services
official · American Institute of Certified Public Accountants (AICPA) · 2024-01-01

What is ISO/IEC 27001 and what does certification prove?

ISO/IEC 27001 is the international standard specifying requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Certification by an accredited body demonstrates an organization has systematically identified information security risks and put controls in place to manage them.

Sources
ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection
official · International Organization for Standardization (ISO) · 2022-10-01

What is the NIST Cybersecurity Framework and how is it used?

The NIST Cybersecurity Framework (CSF) is a voluntary risk-based framework published by the National Institute of Standards and Technology, organizing security activities into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Version 2.0, released February 2024, added explicit governance guidance and is widely adopted across U.S. critical infrastructure.

Sources
NIST Cybersecurity Framework 2.0
official · National Institute of Standards and Technology (NIST) · 2024-02-26

What should an incident response plan include for a data breach?

NIST SP 800-61 Rev. 2 organizes incident handling into four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. For a data breach the plan should define roles and escalation paths, out-of-band communication channels, evidence preservation and chain-of-custody procedures, criteria for deciding whether personal data was affected, and the regulatory notification timelines that apply, including GDPR's 72-hour window for the supervisory authority, all agreed before an incident occurs. The post-incident review feeds lessons back into preparation.

Sources
SP 800-61 Rev. 2: Computer Security Incident Handling Guide
official · National Institute of Standards and Technology (NIST) · 2012-08-06

What is a VPN and is it sufficient to protect enterprise data in transit?

A Virtual Private Network (VPN) creates an encrypted tunnel between a device and a network, protecting traffic from interception and modification on the path. It protects only the tunnel: once a connection is accepted, whatever is reachable on the far side is exposed to that device, and remote-access VPN gateways are themselves a frequent target because they are internet-facing. CISA and NSA jointly advise selecting standards-based products (IPsec/IKEv2 or TLS) from reputable vendors, applying patches promptly, disabling unneeded features to reduce the gateway's attack surface, and requiring strong authentication such as MFA. A VPN therefore complements, rather than replaces, per-request authorization of the resources behind it and monitoring of what connected sessions do.

Sources
Selecting and Hardening Remote Access VPN Solutions
official · CISA / National Security Agency (NSA) · 2021-09-28

What is Public Key Infrastructure (PKI) and how does it underpin data security?

Public Key Infrastructure (PKI) is the framework of hardware, software, policies, and standards that issues, distributes, validates, and revokes digital certificates binding public keys to identities. It authenticates servers and clients in TLS/HTTPS, signs code and documents, and secures email (S/MIME). Trust flows from a root certificate authority through intermediate (issuing) CAs to end-entity certificates, with revocation published via CRLs or OCSP. NIST SP 800-57 gives guidance on the key management that underpins it: key generation, protection of CA private keys, key lengths and algorithms, and rotation.
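
As an added example (not from NIST SP 800-57 or this page), this Go program builds the kind of hierarchy PKI manages, a self-signed root, an issuing CA and a server certificate, using throwaway ECDSA P-256 keys generated at run time, and then performs the path validation a TLS client performs. The names Example Root CA, Example Issuing CA and api.example.test are placeholders. It shows that the leaf validates only through its real issuer to a trusted root and only for the hostname in its subject alternative name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates an X.509 certificate for cn. When parent is nil the certificate
// is self-signed (a root); otherwise it is signed with parentKey and its Issuer
// is taken from parent. CA certificates get basic constraints and the certSign
// key usage; leaves get a DNS SAN and the serverAuth extended key usage.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, dns []string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              dns,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildDemoPKI creates root -> issuing CA -> server leaf for host and returns
// (leaf, issuing, root). Private keys are discarded after signing, as a real
// CA would keep them offline or in an HSM.
func buildDemoPKI(host string) (*x509.Certificate, *x509.Certificate, *x509.Certificate, error) {
	root, rootKey, err := issue("Example Root CA", true, nil, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	issuing, issuingKey, err := issue("Example Issuing CA", true, root, rootKey, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, _, err := issue(host, false, issuing, issuingKey, []string{host})
	if err != nil {
		return nil, nil, nil, err
	}
	return leaf, issuing, root, nil
}

// verifyChain performs the check a TLS client makes: the leaf must chain through
// the supplied intermediate to a root in the trust store, be within its validity
// period, carry the serverAuth EKU, and match dnsName in its SANs.
func verifyChain(leaf, issuing, root *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	intermediates := x509.NewCertPool()
	intermediates.AddCert(issuing)
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       dnsName,
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	leaf, issuing, root, err := buildDemoPKI("api.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted root, correct name:", verifyChain(leaf, issuing, root, "api.example.test"))
	fmt.Println("trusted root, wrong name:  ", verifyChain(leaf, issuing, root, "evil.example.test"))
	_, _, rogue, _ := buildDemoPKI("api.example.test") // a second, unrelated hierarchy
	fmt.Println("rogue root, correct name:  ", verifyChain(leaf, issuing, rogue, "api.example.test"))
}
```

The first line prints `<nil>` and the other two print errors: a certificate for the right name from a CA the client does not trust is rejected exactly like a certificate for the wrong name from a trusted one. Revocation checking (CRL/OCSP) is the one piece of path validation this example leaves out.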

Sources
SP 800-57 Part 1 Rev. 5: Recommendation for Key Management
official · National Institute of Standards and Technology (NIST) · 2020-05-04

What is Identity and Access Management (IAM) and why is it foundational to data security?

Identity and Access Management (IAM) is the discipline of ensuring that the right individuals and workloads can access the right resources at the right times for the right reasons. It spans identity proofing and enrolment, authentication, authorization, and the lifecycle of digital identities (provisioning, role changes, and timely deprovisioning when someone leaves). NIST's Digital Identity Guidelines (SP 800-63) set assurance levels for proofing, authentication, and federation, and the Cybersecurity Framework places identity management, authentication, and access control under its Protect function. Because most data breaches begin with a valid credential, whether stolen, phished, or orphaned, IAM is the control that determines who can reach the data at all.

Sources
Identity and Access Management
official · National Institute of Standards and Technology (NIST) · 2024-01-01