Privacy Concepts and Data Rights

Key Takeaways

  • Security protects data from unauthorized access; privacy governs purpose, consent, notice, minimization, sharing, retention, and individual rights.
  • A controller decides the purpose and means of processing; a processor acts only on the controller's documented instructions — the same firm can be both.
  • A data subject is the identifiable person the data describes; data owners, custodians, and stewards have distinct governance roles.
  • Core principles include data minimization, purpose limitation, consent/notice, retention limits, de-identification, and data sovereignty.
  • The right to be forgotten requires deletion or de-identification unless a legal hold, statutory retention, or active need creates an exception.
Last updated: June 2026

Privacy vs Security

Security keeps data confidential, intact, and available. Privacy governs the responsible handling of information about people — it adds questions of purpose, consent, notice, minimization, sharing, retention, deletion, and individual rights. You can have strong security and still violate privacy (for example, securely storing data you had no basis to collect).

Security+ Objective 5.4 names the roles explicitly:

| Role | Meaning | Example |
|---|---|---|
| Data subject | The identifiable person the data is about | A customer whose email and purchase history are stored |
| Controller | Decides why and how personal data is processed | A retailer choosing to use customer data for fulfillment |
| Processor | Processes data on the controller's instructions | A shipping platform that prints labels from addresses |
| Data owner | Accountable business leader for a dataset | The VP who owns the customer database |
| Data custodian / steward | Implements and maintains controls; ensures quality | The DBA enforcing encryption and access rules |

The same company can be a controller in one relationship and a processor in another: a payroll provider is a processor for a client's employee records but a controller for its own staff data. The roles drive obligations: the controller chooses purposes and answers data-subject requests; the processor must act only on instructions, protect the data, and notify the controller of breaches. A clear line separates governance roles from privacy-law roles — a data owner and custodian are internal accountability assignments, while controller, processor, and data subject describe the legal relationship around personal data.

Privacy Principles

| Principle | SY0-701 meaning | Scenario |
|---|---|---|
| Data minimization | Collect only what you need | Do not request birth dates for a newsletter signup |
| Purpose limitation | Use data only for stated purposes | Do not reuse support-chat logs for ads without a basis |
| Consent and notice | Tell people, then collect required permission | Disclose marketing tracking before enabling it |
| Retention | Keep data only as long as justified | Delete dormant trial accounts after the retention period |
| Data sovereignty | Honor where data is stored/processed | Confirm regional hosting commitments in the contract |

Anonymization vs Pseudonymization (frequently confused)

  • Anonymization removes identifiers irreversibly — the result generally falls outside personal-data rules because re-identification is not feasible.
  • Pseudonymization replaces identifiers with a token (a reversible key held separately) — still personal data because it can be re-linked.
  • Tokenization and data masking reduce exposure for specific fields (for example, masking all but the last four digits of a card).

The exam trap: assuming pseudonymized or encrypted data is automatically non-personal. It is not — if it can be reversed or linked, privacy obligations still apply.
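The distinction in working form, as an added example that is not part of the original guide: a keyed token the controller can re-link versus an aggregate with nothing left to re-link, plus masking of a single field. The records, the key and the card number are constructed.

```python
import hashlib
import hmac
from collections import Counter

# Constructed customer records with a direct identifier (email); ana appears twice.
RECORDS = [
    {"email": "ana@example.com", "city": "Lisbon", "plan": "pro"},
    {"email": "ben@example.com", "city": "Lisbon", "plan": "free"},
    {"email": "ana@example.com", "city": "Lisbon", "plan": "pro"},
    {"email": "cho@example.com", "city": "Porto", "plan": "pro"},
]

def pseudonymize(records, key):
    """Replace the identifier with a keyed token (HMAC-SHA256, truncated).
    Returns the tokenized rows plus the token->identifier map, i.e. the
    'reversible key held separately'. While that map or key exists the rows
    are still personal data: the same person always gets the same token."""
    lookup, rows = {}, []
    for r in records:
        token = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = r["email"]
        rows.append({"subject": token, "city": r["city"], "plan": r["plan"]})
    return rows, lookup

def relink(rows, lookup):
    """Re-identification is trivial for whoever holds the map; this is the exam trap."""
    return [lookup[r["subject"]] for r in rows]

def anonymize(records, k=2):
    """Irreversible: aggregate to (city, plan) counts with no per-person rows.
    Cells smaller than k are suppressed, since a count of 1 can still single
    someone out (a basic k-anonymity check)."""
    counts = Counter((r["city"], r["plan"]) for r in records)
    return {cell: n for cell, n in counts.items() if n >= k}

def mask_card(pan):
    """Data masking for one field: keep only the last four digits."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]
```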

Two more roles round out the privacy program. A privacy officer (or Data Protection Officer) owns the privacy strategy, oversees a privacy impact assessment (PIA) for new high-risk processing, and is the contact for regulators and data subjects. A data inventory (the record of what personal data you hold, where it lives, and why) is the prerequisite for almost every privacy task: you cannot honor a deletion request, set a retention period, or assess sovereignty for data you have not mapped.

Security+ expects you to pair a privacy principle with a concrete control — minimization with a tighter intake form, purpose limitation with consent tracking, sovereignty with regional-hosting clauses.

Retention, Deletion, and the Right to Be Forgotten

A fitness app collects names, emails, workout history, device IDs, and optional location. Product wants to keep everything forever for analytics; the privacy team refuses. The final retention schedule keeps account data while active, billing records for the required accounting period, security logs for the approved investigation window, and aggregated usage metrics with no direct identifiers. Optional location history — more sensitive and not core — is deleted after a shorter period.

The right to be forgotten (right to erasure) lets an individual request deletion when continued processing is no longer justified. A defensible workflow:

  1. Verify the requester is the data subject or an authorized agent.
  2. Locate the data across production, support tools, analytics, backups, and vendor/processor systems.
  3. Check exceptions: legal hold, fraud investigation, tax/statutory retention, or active contractual need.
  4. Delete, anonymize, or restrict the eligible records.
  5. Record completion evidence without retaining unnecessary personal detail.
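The five steps above as a runnable Python sketch, added here and not part of the original guide. The data inventory, subject ids, dates and the identity_verified flag on the request are constructed assumptions standing in for real identity checks and systems.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

@dataclass
class Record:  # one copy of a subject's data in one system
    subject_id: str
    system: str
    data: dict
    legal_hold: bool = False
    statutory_until: "date | None" = None  # e.g. billing kept for the accounting period

def sample_inventory():
    """Constructed data inventory: subject u-42 appears in five systems, u-7 in one."""
    return [
        Record("u-42", "production-db", {"email": "u42@example.com", "workouts": 311}),
        Record("u-42", "analytics", {"device_id": "dev-9f"}),
        Record("u-42", "billing", {"invoices": 3}, statutory_until=date(2031, 12, 31)),
        Record("u-42", "support-tickets", {"ticket": "T-77"}, legal_hold=True),
        Record("u-42", "shipping-processor", {"address": "1 Example St"}),
        Record("u-7", "production-db", {"email": "u7@example.com"}),
    ]

def check_exception(record, today):
    """Step 3: return the reason a record must be kept, or None if it is eligible."""
    if record.legal_hold:
        return "legal hold"
    if record.statutory_until and record.statutory_until > today:
        return f"statutory retention until {record.statutory_until}"
    return None

def process_erasure(inventory, request, today=date(2025, 1, 15)):  # constructed "today"
    subject_id = request["subject_id"]
    # Step 1: only the verified data subject (or an authorized agent) may ask.
    if not request.get("identity_verified"):
        return {"status": "rejected", "reason": "identity not verified"}
    # Step 5 evidence carries a hashed reference, not the identifier or the data.
    evidence = {"subject_ref": hashlib.sha256(subject_id.encode()).hexdigest()[:12],
                "completed_on": today.isoformat(), "deleted": [], "retained": {}}
    # Step 2: the inventory is what lets us find every copy, processors included.
    for rec in [r for r in inventory if r.subject_id == subject_id]:
        reason = check_exception(rec, today)  # Step 3
        if reason:  # Step 4a: keep for the exception but restrict further processing
            rec.data = {"restricted": True}
            evidence["retained"][rec.system] = reason
        else:  # Step 4b: the copy is eligible, remove it
            inventory.remove(rec)
            evidence["deleted"].append(rec.system)
    return evidence
```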

Compliance Traps

  • Keeping personal data indefinitely because storage is cheap (violates minimization and retention).
  • Sharing data with a processor without contract terms for deletion and return.
  • Treating pseudonymized or encrypted personal data as non-personal in every case.
  • Deleting records that are under legal hold.
  • Fulfilling deletion in the main app but forgetting backups, exports, tickets, and vendors.
  • Repurposing collected data without checking notice, consent, or legal basis (purpose limitation).

One more concept Security+ ties to privacy is breach notification. When personal data is exposed, the controller must notify affected data subjects and regulators, and the processor must notify the controller; both duties are governed by privacy rules and often by a contractual clock (commonly framed as "without undue delay" or a fixed window such as 72 hours).

The breach-notification path, the retention schedule, and the right-to-erasure workflow are the three privacy procedures most likely to appear as a scenario, so know that each one must reach beyond the primary application into backups, exports, support tickets, and every processor that received the data — incomplete fulfillment is itself a compliance failure.

Test Your Knowledge

A university decides why student records are collected and how they will be used, while a cloud platform stores those records strictly under the university's instructions. What are the likely privacy roles?

Test Your Knowledge

A vendor replaces customer names with reversible tokens stored in a separate key vault and claims the resulting dataset is no longer personal data. Why is that claim risky?
