1. Describe the technical measures and safeguards that organizations can implement to ensure compliance with the GDPR's data protection principles, including data minimization, encryption, and pseudonymization. Provide real-world examples of how these measures can be applied.

Answer:

The 7 principles of the GDPR

Seven guiding principles lie at the heart of how GDPR aims to ensure data privacy and otherwise protect personal data across the EU and European Economic Area (EEA).

1. Accountability
The accountability principle runs through the entirety of GDPR compliance. It puts the obligation on organizations not only to put the correct technical and structural measures in place for compliance, but also to be able to demonstrate how they comply with GDPR requirements.

2. Lawfulness, fairness, and transparency
This principle states that processing activities must be conducted lawfully, fairly, and in a way that’s transparent to the data subject. Lawfulness means that you process personal data only on the basis of one of the six lawful grounds set out under GDPR. For special categories of data (e.g., biometric data), processing is only lawful under a more restricted set of conditions. Fairness means not deceiving or misleading data subjects with your data collection activities. This requires accounting for the way in which data subjects could be impacted by your use of their data, such as in cases of profiling. Fairness also applies to how you deal with data subject access requests and other data subject rights. Transparency requires your organization to be open and clear to data subjects about the processing of personal data. Important elements here include avoiding jargon and making information about data processing activities easily accessible.

3. Purpose limitation
Purpose limitation means you can only collect data for a legitimate and specific purpose that you’ve informed the data subject about. Typically, if you want to use the data for any other purpose, you need to obtain fresh consent.

4. Data minimization
The data minimization principle requires you to identify and collect only the minimum quantity of personal data required for the specific purpose you’ve previously outlined and informed the data subject about. This principle helps avoid situations where organizations collect more data than is necessary or relevant for their purpose, just in case they might need this data in the future.

5. Accuracy
The accuracy principle mandates that you take reasonable measures to ensure personal data is both up-to-date and factual. This includes cases where a data subject exercises the right to rectification of inaccurate or out-of-date personal data, so that you correct or update the information.

6. Storage limitation
The storage limitation principle is another rule that traces back to the purpose of processing personal data. This principle mandates that you don’t keep personal data for any longer than it’s needed for the legitimate purpose for which you process it. You can retain data for longer periods when it’s processed solely for public interest archiving, scientific or historical research, or statistical purposes.

7. Integrity and confidentiality
This is the main data security principle of GDPR and states that you must have appropriate security measures in place to protect the personal data you hold. Cybersecurity enters the equation in terms of how you protect electronic information and the systems on which you store data. An important point about this principle is that it doesn’t define a specific set of security controls to implement; rather, it states that you should implement security measures that are proportionate to the risk that your processing poses.

2. Explain the concept of Privacy by Design and Default as mandated by GDPR.
How can software and system architects incorporate these principles into the development of IT systems to facilitate data privacy and compliance from the outset?

Answer:

7 Principles of Privacy by Design and Default

Privacy by Design and Default is founded on seven core principles that guide the integration of privacy into the design and development of systems, products, and business practices. These principles ensure that privacy is treated as a fundamental consideration from the outset rather than as an afterthought. The principles of every Privacy by Design and Default strategy are as follows:

1. Proactive data protection
Privacy by Design and Default advocates a proactive approach to privacy protection. It encourages organizations to identify and mitigate privacy risks before they materialize, rather than reacting to privacy breaches after they occur.
Example: When developing a new mobile app that collects user data, organisations should proactively implement encryption and access controls to protect user information, reducing the risk of data breaches.

2. Privacy as the default setting
This principle emphasizes that privacy should be the default setting for all systems and processes. Individuals should not be required to take extra steps to protect their privacy; it should be automatically safeguarded.
Example: A social media platform can set user profiles to private by default, ensuring that user information is not visible to the public unless users choose

3. Data minimization
Organisations should only collect and process the data that is absolutely necessary for the intended purpose. Unnecessary data collection should be avoided.
Example: An e-commerce website should only request the information required for shipping and billing, rather than asking for excessive personal details.

4. Full lifecycle protection
Privacy protection should encompass the entire lifecycle of data, from collection and storage to deletion. Data should be secure at every stage.
Example: An online banking platform should employ encryption during data transmission, secure data storage, and a robust data deletion process for closed accounts.

5. Visibility and transparency
Privacy by Design and Default promotes transparency in data practices. Individuals should be informed about how their data is used and have control over its use.
Example: A subscription-based news website should have a clear privacy policy explaining data usage and provide options for users to opt out of data collection or choose their preferences.

6. Robust security
Implement robust security measures to protect personal data from unauthorized access, disclosure, alteration, or destruction.
Example: An online healthcare portal should employ strong encryption to protect patient records and implement strict access controls for healthcare professionals.

7. Respect for user privacy
This is perhaps the most fundamental principle of Privacy by Design and Default. Companies must respect individuals' privacy and give them control over their own data. They should allow individuals to have agency and autonomy over their personal information.
Example: An email marketing platform should allow users to easily unsubscribe from email lists and delete their account and associated data if they choose to do so.

3. Discuss the role of cryptographic techniques in ensuring data security and compliance with data protection regulations like GDPR and CCPA. Elaborate on the advantages and challenges of using encryption and hashing in data handling.

Answer:

GDPR:

Companies can reduce the probability of a data breach, and thus reduce the risk of fines in the future, if they choose to use encryption of personal data. The processing of personal data is naturally associated with a certain degree of risk, especially nowadays, when cyber-attacks are nearly unavoidable for companies above a given size.
Therefore, risk management plays an ever-larger role in IT security, and data encryption is, among other means, well suited to these companies. In general, encryption refers to the procedure that converts clear text into ciphertext using a key, where the resulting information only becomes readable again by using the correct key. This minimises the risk of an incident during data processing, as encrypted contents are basically unreadable for third parties who do not have the correct key. Encryption is the best way to protect data during transfer and one way to secure stored personal data. It also reduces the risk of abuse within a company, as access is limited only to authorised people with the right key.

The Regulation also recognizes these risks when processing personal data and, in Art. 32(1) of the General Data Protection Regulation, places the responsibility on the controller and the processor to implement appropriate technical and organisational measures to secure personal data. The GDPR deliberately does not define which specific technical and organisational measures are considered suitable in each case, in order to accommodate individual factors. However, it gives the controller a catalogue of criteria to be considered when choosing methods to secure personal data: the state of the art, implementation costs, and the nature, scope, context and purposes of the processing. In addition to these criteria, one always has to consider the severity of the risks to the rights and freedoms of the data subject and how likely those risks are to manifest. This basically boils down to the following: the higher the risks involved in the data processing and the more likely these are to manifest, the stronger the security measures taken have to be and the more measures must be taken. Encryption as a concept is explicitly mentioned as one possible technical and organisational measure to secure data in the list of Art. 32(1) of the GDPR, which is not exhaustive.

Again, the GDPR does not mention explicit encryption methods, so as to accommodate fast-paced technological progress. When choosing a method one must also apply the criteria catalogue above. To answer the question of what is currently considered “state of the art”, data protection officers usually rely on the definitions set out in information security standards like ISO/IEC 27001 or other national IT-security guidelines. Encryption of personal data has additional benefits for controllers and/or processors. For example, the loss of a state-of-the-art encrypted mobile storage medium which holds personal data is not necessarily considered a data breach that must be reported to the data protection authorities. In addition, if there is a data breach, the authorities must positively consider the use of encryption in their decision on whether a fine is imposed and in what amount, as per Art. 83(2)(c) of the GDPR.

CCPA:

Cryptography Techniques: Everything You Need to Know (Simplilearn, last updated Jan 6, 2023)

Cryptography is the practice and study of techniques for secure communication in the presence of third parties. It is also used to set up a secure connection between two systems. Cryptography uses mathematics (primarily arithmetic and number theory) to provide confidentiality, integrity, and authenticity for messages under certain conditions. It provides confidentiality by ensuring that information cannot be read or tampered with in transit, where unauthorized parties could intercept and read it. The first thing to know about cryptography is that there is no single universal method for encrypting your message. There are many ways to do it, each with its advantages and disadvantages. Today's most common encryption methods are public-key and symmetric-key cryptography. Many cryptographic algorithms arise naturally out of their use in other contexts, such as digital signature schemes or encryption techniques for secure electronic commerce over insecure networks such as the Internet. For example, RSA cryptosystems were initially developed to solve integer factorization. Cryptography is sometimes used by criminals to avoid detection and allow illicit messages to be passed along without interception. It is also used by public-key cryptosystems such as RSA, which are widely used in security protocols.

Encryption Algorithms
A cryptography algorithm is a method of encryption and decryption that uses a mathematical formula to convert plain text into cipher text and back again. The cryptography encryption algorithm is a type of cipher used for data confidentiality and integrity in a computer system. It uses an encryption key to convert plaintext into ciphertext, which is then sent over a network, such as the Internet, to a destination where the receiver will decrypt it. Cryptography encryption algorithms are commonly used in commercial electronic commerce, online banking, and other applications where confidentiality is essential. These encryption algorithms include Data Encryption Standard (DES), Triple DES, Blowfish, and CAST-256. There are several types of encryption algorithms; these include block ciphers and stream ciphers. A block cipher encrypts blocks of plaintext and decrypts them one at a time. A stream cipher encodes multiple characters, or characters from a file, in a single operation.

How do Various Cryptographic Algorithms Work?
Cryptographic algorithms have a basic algorithm that produces a key, and then they each use this key to encrypt and decrypt information. But there are many ways to go about it. One way is to use a block cipher, which takes several bytes and converts them into a more extended sequence of bytes. This process is called encryption. The other way is to take a block cipher, convert it into something smaller, and then convert it back into the original block size. This process is called decryption (or deciphering). These algorithms can be symmetric or asymmetric, depending on the algorithm used. Symmetric algorithms use the same key to encrypt and decrypt the data, while asymmetric algorithms use two separate keys, one to encrypt and one to interpret the data. The algorithms also use a message authentication code (MAC) to ensure the message's integrity.

Overview of Cryptography Techniques
The study of cryptography has been active since the invention of electronic digital communications. Today, cryptography has become indispensable in almost all areas of life. From banking and government to transportation, telecommunications, and even shopping malls, cryptography helps keep our data secure against spying and hacking. The basic idea behind cryptography is to use an encryption key to encrypt information so that only those who have access to it can read it. All other people will see random letters instead of the original message. To decrypt a message, all you need is the correct key. Cryptography is not limited to computer science or mathematics; it involves mathematics from other fields, such as economics, statistics, and physics. It also requires engineering, because most cryptographic algorithms are based on mathematical principles such as linear algebra (matrices) and number theory (arithmetic).

Cryptography and its Types
Cryptography is the practice and study of techniques for securing communications, information, and data in an unreadable format for unauthorized users. It protects information and communications through codes so that only those for whom the information is intended can read and process it. There are three main types of cryptography: symmetric key encryption, asymmetric key encryption, and public-key encryption.
Symmetric key encryption: This type of encryption uses the same key to encrypt and decrypt messages. The keys used in this type of encryption must be kept secret by both parties, making them vulnerable to attack by hackers. Symmetric keys are most commonly used for public key systems.
Asymmetric key encryption: This type of encryption uses two keys instead of one. One key is used for encryption, and another key is used for decryption. These keys do not have to be kept secret because they are only used once per message and can be reused multiple times. Asymmetric keys are most commonly used in public-key systems.
Public-key encryption: Public-key systems use a pair of mathematically related keys that cannot be derived from each other without knowing the different keys (a process known as factoring). This means that even if someone finds your private key, they will only be able to derive your public key (and vice versa).

Techniques Used For Cryptography
The most commonly used techniques in cryptography are Symmetric Key Cryptography, Asymmetric Key Cryptography, Hashing, Secret Sharing, Digital Signatures, Elliptic Curve Cryptography, Quantum Cryptography, Steganography, Zero-Knowledge Proofs, and Homomorphic Encryption.

4. Explore the technical challenges associated with cross-border data transfers under GDPR. How can organizations implement adequate safeguards, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), to facilitate international data flows while ensuring compliance?

Answer:

Binding corporate rules (BCR) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises.
Such rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers. They must be legally binding and enforced by every member of the group concerned.

Approval of binding corporate rules
Companies must submit binding corporate rules for approval to the competent data protection authority in the EU. The authority will approve the BCRs in accordance with the consistency mechanism set out in Article 63 of the GDPR. This procedure may involve several supervisory authorities, since the group applying for approval of its BCRs may have entities in more than one Member State. The competent authority communicates its draft decision to the European Data Protection Board, which will issue its opinion on the binding corporate rules. When the BCRs have been finalised in accordance with the EDPB opinion, the competent authority will approve the BCRs. Authorisations of supervisory authorities on the basis of Directive 95/46/EC remain valid until amended, replaced or repealed, if necessary, by those supervisory authorities.

SCC:
SCCs, also known as model clauses or model contracts, are contractual agreements between data exporters and data importers. These clauses facilitate the transfer of personally identifiable information (PII) from the European Economic Area (EEA) to countries outside the EEA, ensuring that the PII remains protected in accordance with EU data protection standards. In the U.K., SCCs are primarily governed by the Data Protection Act 2018, which incorporates the requirements of the EU General Data Protection Regulation (GDPR) into U.K. law. The SCCs are designed to ensure that the transferred PII is subject to the same level of protection as provided within the U.K. and the EEA. SCCs provide a legal framework designed to safeguard the fundamental rights and freedoms of individuals when their personal data is transferred across borders. By including SCCs in data transfer agreements, organizations can demonstrate their commitment to protecting PII in compliance with relevant data protection regulations.

5. Analyze the technical implications of complying with California Consumer Privacy Act (CCPA) requirements, particularly in terms of data access and deletion requests. How can organizations architect their data infrastructure to efficiently respond to consumer requests while maintaining compliance?

Answer:

The CCPA (as well as GDPR) was a response to these concerns, and it gave people rights over their data and added regulations on organizations that store, process, and distribute the data. It gives people the following rights over their data.

Right to Notice: CCPA requires businesses to inform consumers when personal information is being collected during online interactions. They must also disclose how they intend to use the collected data.
Right to Access: CCPA grants consumers the right to ask a business to disclose categories and specific sections of personal data collected during online interactions. Companies must also tell consumers what types of information are shared with third parties.
Right to Opt-out: Consumers have the right to decline their personal information being sold by a business. Businesses are prohibited from discriminating against consumers who exercise this right.
Right to Request Deletion: CCPA gives consumers the right to request that personal information be deleted. Businesses must comply with a consumer's request unless a type of data is required to be saved by law.

6. Explain the technical aspects of implementing a robust Access Control Mechanism to comply with data protection regulations. Discuss the role of authentication, authorization, and auditing in maintaining data security and privacy.
Answer:

Role-based access control (RBAC), also known as role-based security, is a mechanism that restricts system access. It involves setting permissions and privileges to enable access for authorized users. Most large organizations use role-based access control to provide their employees with varying levels of access based on their roles and responsibilities. This protects sensitive data and ensures employees can only access information and perform actions they need to do their jobs. An organization assigns a role-based access control role to every employee; the role determines which permissions the system grants to the user. For example, you can designate whether a user is an administrator, a specialist, or an end-user, and limit access to specific resources or tasks. An organization may let some individuals create or modify files while providing others with viewing permission only. One role-based access control example is a set of permissions that allow users to read, edit, or delete articles in a writing application. There are two roles, a Writer and a Reader, and their respective permission levels can be presented in a truth table. Using such a table, you can assign permissions to each user.

The terms data protection and data privacy are often used interchangeably, but there is an important difference between the two. Data privacy defines who has access to data, while data protection provides tools and policies to actually restrict access to the data. Compliance regulations help ensure that users’ privacy requests are carried out by companies, and companies are responsible for taking measures to protect private user data. Data protection and privacy are typically applied to personal health information (PHI) and personally identifiable information (PII). They play a vital role in business operations, development, and finances. By protecting data, companies can prevent data breaches and damage to reputation, and can better meet regulatory requirements.
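The Writer/Reader example above, worked through as a small RBAC layer that also covers the authentication and auditing the question asks about. This is an added example, not code from the original answer; the text does not say which role holds which permission, so Writers are assumed to read, edit and delete while Readers only read, and the users and passwords are constructed.

```python
"""Added example, not part of the original answer: a minimal role-based access
control (RBAC) layer showing the three pieces the question asks about:
authentication (salted password hashes), authorization (role -> permission
lookup, modelled on the Writer/Reader article example) and auditing (every
decision logged). Users, passwords and the role table are constructed; the text
does not say which role holds which permission, so Writers are assumed to read,
edit and delete while Readers only read."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> permitted actions on articles (assumed mapping, see module docstring).
ROLE_PERMISSIONS = {
    "Writer": {"read", "edit", "delete"},
    "Reader": {"read"},
}
DENIAL_OUTCOMES = {"deny", "bad_password", "unknown_user"}


@dataclass
class User:
    name: str
    role: str
    salt: bytes
    password_hash: bytes


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked user table does not yield reusable credentials.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(name: str, role: str, password: str) -> User:
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    salt = secrets.token_bytes(16)
    return User(name, role, salt, _hash_password(password, salt))


@dataclass
class AccessControl:
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add_user(self, user: User) -> None:
        self.users[user.name] = user

    def _audit(self, **event) -> None:
        # Denials are logged as well as grants: that is what lets misuse be
        # detected later and compliance be demonstrated to an auditor.
        event["time"] = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(event)

    def authenticate(self, name: str, password: str) -> bool:
        """Verify a password against the stored salted hash in constant time."""
        user = self.users.get(name)
        if user is None:
            self._audit(event="login", user=name, outcome="unknown_user")
            return False
        ok = hmac.compare_digest(user.password_hash,
                                 _hash_password(password, user.salt))
        self._audit(event="login", user=name,
                    outcome="success" if ok else "bad_password")
        return ok

    def authorize(self, name: str, action: str, resource: str) -> bool:
        """Allow the action only if the user's role grants it; log either way."""
        user = self.users.get(name)
        allowed = user is not None and action in ROLE_PERMISSIONS[user.role]
        self._audit(event="access", user=name, role=user.role if user else None,
                    action=action, resource=resource,
                    outcome="allow" if allowed else "deny")
        return allowed

    def denied_events(self) -> list:
        """The audit entries a reviewer would look at first."""
        return [e for e in self.audit_log if e["outcome"] in DENIAL_OUTCOMES]


def demo() -> AccessControl:
    """Constructed scenario: one Writer, one Reader, a failed login and one
    attempt by the Reader to exceed their role."""
    ac = AccessControl()
    ac.add_user(create_user("alice", "Writer", "correct horse"))
    ac.add_user(create_user("bob", "Reader", "battery staple"))
    ac.authenticate("alice", "correct horse")      # success
    ac.authenticate("bob", "wrong password")       # bad_password
    ac.authorize("alice", "delete", "article:42")  # allow
    ac.authorize("bob", "read", "article:42")      # allow
    ac.authorize("bob", "delete", "article:42")    # deny
    return ac


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```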
Data protection solutions rely on technologies such as data loss prevention (DLP), storage with built-in data protection, firewalls, encryption, and endpoint protection.

7. How do Distributed Ledger Technologies (DLTs) such as blockchain impact compliance with data protection regulations like GDPR and CCPA? Discuss the technical challenges and benefits of using blockchain for data transparency and security.

Answer:

Distributed ledger technology (DLT) is the technological infrastructure and protocols that allow simultaneous access, validation, and record updating across a networked database. DLT is the technology blockchains are created from, and the infrastructure allows users to view any changes and who made them, reduces the need to audit data, ensures data is reliable, and only provides access to those that need it.

Key takeaways
Distributed ledgers are maintained by a network of nodes, each of which has a copy of the ledger, validates the information, and helps reach a consensus about its accuracy.
Distributed ledgers have been around for decades but have become more well-known, researched, used, and developed since Bitcoin was introduced.
Distributed ledgers can be used in nearly every industry where data is collected and used.
All blockchains are distributed ledgers, but not all distributed ledgers are blockchains.
Though DLT enhances accountability, security, and accessibility, it is still complex, difficult to scale, and not subject to strong regulation.

8. Investigate the technical challenges of ensuring the right to be forgotten (Data Erasure) under GDPR, especially in complex IT infrastructures and cloud environments. What strategies can organizations employ to effectively erase personal data from distributed systems?

Answer:

General Data Protection Regulation (GDPR)

GDPR automatically became law in each member state without the need for local implementation, aiming to modernise and harmonise data privacy laws between the Member States, and introduced one legal framework to improve enforcement and reduce costs for organisations, hopefully encouraging economic growth across Europe [5]. GDPR also aims to improve and expand the rights of data subjects, giving them control over the collection and processing of their personal data [1]. GDPR contains 99 Articles, which are challenging for small organisations to understand and become compliant with [5]. A brief overview of the key elements of GDPR is shown in Figure 1.

Figure 1. Overview of the key elements of the General Data Protection Regulation (GDPR).

GDPR is applicable globally to any organisation that collects, stores, processes or monitors European residents’ personal data, regardless of location and nationality, and includes free goods and services [6]. It covers both computerised and hard-copy fileable data. Under GDPR, the data protection authorities have the ability to impose sanctions with possible publicity and can impose significant fines of up to EUR 20 million [1]. Compensation may also be payable to individuals whose rights have been breached.

GDPR introduces four new roles, which are:

Data Subject: A data subject is a natural living person who can be identified directly or indirectly [1]. A data subject is anybody residing in the EU, not just EU citizens.

Data Protection Officer: A Data Protection Officer (DPO) must have specialist skills and expertise to oversee GDPR compliance, ensuring obligations are met from the highest level of management; they are the point of contact for the supervisory authority and monitor the organisation’s compliance with the law. The DPO can either be an employee or an outsourced service. Under GDPR, whilst it is mandatory for all organisations to appoint a DPO, small organisations with fewer than 250 employees are exempt.

Data Processor: A data processor is an organisation that processes data as instructed by its data controller, such as cloud hosting providers [5]. GDPR, recognising the complexity of modern-day data processing relationships, identifies that data processors play a vital part in the protection of European citizens’ data and so introduced direct rules for data processors, such as record keeping and reporting data breaches.

Data Controller: The data controller is the organisation that collects, processes and stores PII and must be able to demonstrate GDPR compliance, which means the burden of proof lies with them [7].

Under GDPR, consent must be freely given, specific, informed and unambiguous [8]. All EU contracts must be valid and reflect the individual’s new rights. PII is any information that can be used on its own, or combined with other information, to identify a living EU resident, such as name, address, IP address, Personal Public Service Number (PPSN), account details, etc. PII is either sensitive or non-sensitive: sensitive PII could cause harm to a data subject if breached and therefore must be encrypted both in transit and at rest [9], whilst non-sensitive PII will not cause harm to a data subject and therefore can be unencrypted.

The key obligations imposed on organisations by GDPR are as follows.

Data Protection Impact Assessment (DPIA): A DPIA aims to identify the potential risks involved in the collection, processing and storage of PII and the impact on the privacy of the data subject, and to identify ways to mitigate those issues [8].

Transparency: An organisation must have a granular level of transparency into their PII from consent, collection, processing and storage for the full life cycle of that data, and mandatory clauses (EU, 2016).
Data Minimization: PII can only be collected and processed where there is an identifiable reason why it is needed and should be kept no longer than is necessary for the purpose for which it was collected, and no additional data can be obtained [8]. Security: Organisations must ensure that technological and organisational methods are in place to securely protect PII as per industry standard and best practices [7]. Implementing an IS0 27001 compliant ISMS would assist in achieving compliance [10]. A data controller must report a data breach to the data Protection Commissioner within 72 h and notify data subjects unless there is no risk of harm [7]. GDPR has increased and strengthened the rights of a data subject [11]. Right to Erasure (“Right to Be Forgotten”) Article 17 of the EU General Data Protection Regulation (GDPR), the Right to Erasure (“Right to Be Forgotten”), was originally known as Right to be Forgotten (RTBF) but is now called the Right to Erasure [12]. This right proves to be the toughest data subject right to operationalise and even the second most difficult GDPR obligation in practice overall [13]. The Right to Erasure (“Right to Be Forgotten”) is a fundamental data subject right to ask from a controller that all their PII be erased and the controller must do so without undue delay and free of charge in accordance with GDPR Article 17 [8]. This right does not only apply to search engines, but to any organisation that collects, processes or stores PII. If you used to be an Eircom customer and you are not anymore, then you can ask them to remove it. That is the Right to Erasure (“Right to Be Forgotten”. The term “Right to be Forgotten” is a concept which originated from individuals need to “determine the development of their life in an autonomous way, without being perpetually or periodically stigmatised as a consequence of a specific action performed in the past.” [14]. 
This concept has been practiced in the European Union (EU) and Argentina since 2006 [15] and there have been many discussions and debates over the years surrounding it with regard to its vagueness and concerns about its impact on the right to freedom of expression, its interaction with the right to privacy and whether creating a RTBF would decrease the quality of the internet through censorship and re-writing of history. Other concerns relate to problems such as revenge porn sites appearing in search engine listings for an individual’s name or references to petty crimes committed many years prior still linked and displayed as part of an individual’s footprint [16]. In 1995, the EU adopted the European Data Protection Directive, Directive 95/46/ec, to regulate the processing of personal data aiming to secure potentially harmful private information relating to an individual [16]. On 13 May 2014, in the Google Spain v AEPD and Mario Costeja González case, the European Court of Justice ruled that people have the right to be forgotten, solidifying it as a human right. The irony of it all is that Mr Gonzalez intention was to obscure that information, but it resulted in becoming worldwide publicity. Courts worldwide have been referring to the European Court of Justice (2014) ruling on the right to be forgotten [17]. Then, in 2016, under the introduction of the General Data Protection Regulation, this principle was modernised to bring it in alignment with digitalisation [18]. Grounds upon which a data subject can exercise the right to be forgotten are as follows [18]. The data is no longer required for the purpose that it was originally collected. The data subject withdraws consent. The data subject objects to the processing and there are no overriding legitimate grounds. The PII was processed unlawfully. The PII must be erased for legal obligations. Processing of children’s PII collected via information society services. 
Organisations must erase PII upon receipt of a valid request; this must be done within 30 days and free of charge [19]. If it is not carried out without undue delay, then the data subject can report this to the Data Protection Commission. So, organisations now need to be concerned about their employees, customers and suppliers as well as the authorities. Organisations must also erase PII once it expires. This is quite a complex task for most small organisations: they must understand what PII they retain, why they need this data and how long it can be retained, and they need to identify and locate PII throughout the entire hybrid cloud infrastructure, including Excel, Word and PowerPoint files, backups, etc. Most do not have a clear understanding of where all the PII they retain is stored, including at third parties. In fact, with the expanded definition of PII, they may not have a full understanding of all the data that should be classified as PII. Adding to this is the complexity of the data landscape within a hybrid cloud infrastructure. Additionally, they will not have the expertise or resources needed to undertake such a task. When using cloud services or third parties, both parties must understand what PII they have, why they have it, and the liabilities involved. Retaining expired PII is a liability because, if a breach occurs, compensation payouts will not only apply to existing clients but also to clients an organisation no longer has. Organisations must have a system in place to easily identify, locate and report all PII for a single data subject, and a system to identify, locate and report all PII that has expired, so it can be reviewed and deleted promptly. They must have this documented, so it can easily be followed and used to demonstrate that they have procedures in place to meet compliance. Automation will be an important part of this compliance effort to identify, locate and report all PII, as having employees randomly looking through personal data would itself be a privacy issue.
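As an added example (not from the original text), the identify, locate, report and erase workflow described above in Python: a constructed inventory of PII records across several repositories, a lookup of everything held for one data subject, a report of records held beyond their documented retention period (storage limitation), and an Article 17 erasure request that is accepted only on one of the grounds listed above and written to an audit log so compliance can be demonstrated. The repository names, subject IDs, retention periods, reference date and ground labels are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Article 17 grounds as listed on the page (labels are constructed for this example)
ERASURE_GROUNDS = {"no_longer_needed", "consent_withdrawn", "objection_no_override",
                   "unlawful_processing", "legal_obligation", "child_iss_data"}
TODAY = date(2024, 6, 1)  # constructed reference date for the sample inventory

@dataclass
class PiiRecord:
    repository: str       # where it lives: database, backup, spreadsheet export ...
    subject_id: str       # pseudonymous key that links records to one data subject
    element: str          # which PII element is held (email, IBAN, ...)
    purpose: str          # the documented purpose of processing
    collected: date
    retention_days: int   # documented retention period for that purpose
    erased: bool = False

@dataclass
class PiiInventory:
    records: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)
    def locate_subject(self, subject_id):
        """All live PII held for one data subject, across every repository."""
        return [r for r in self.records if r.subject_id == subject_id and not r.erased]

    def expired(self, today):
        """Records kept beyond their retention period (storage limitation)."""
        return [r for r in self.records if not r.erased
                and today > r.collected + timedelta(days=r.retention_days)]

    def erase_subject(self, subject_id, ground, today):
        """Article 17 request: reject unknown grounds, otherwise mark every record
        for the subject erased and log it so compliance can be demonstrated."""
        if ground not in ERASURE_GROUNDS:
            raise ValueError(f"not a recognised Article 17 ground: {ground}")
        hits = self.locate_subject(subject_id)
        for r in hits:
            r.erased = True  # the real system must also wipe the underlying storage
            self.audit_log.append((today.isoformat(), subject_id, r.repository, r.element, ground))
        return len(hits)

def demo_inventory():
    inv = PiiInventory()
    inv.records += [  # constructed sample rows, not real data
        PiiRecord("crm_db", "S-1001", "email", "customer_account", date(2024, 1, 10), 365),
        PiiRecord("backup_2023", "S-1001", "postal_address", "customer_account", date(2023, 3, 1), 365),
        PiiRecord("finance_xlsx", "S-2002", "iban", "invoicing", date(2022, 2, 1), 730),
    ]
    return inv
```

Marking a record erased only covers the inventory side; the storage holding it still has to be wiped properly, and the audit log is what shows the regulator that the request was handled within the deadline.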
Many organisations tended to store extra data in case it might be useful later, as storage was cheap and it was easier than putting processes in place to check for obsolete data and remove it; now such data must be erased and only the relevant data retained. It may be impossible to truly enforce the right to be forgotten, e.g., data is really outside the control of an organisation once smartphones enable an individual to take pictures of personal data, or an individual takes a screen print, etc., and these could be distributed to various other locations at the click of a button using their private email or removable devices. Another consideration is that deleted files are not erased, as they are still contained on the hard drive even after emptying the recycle bin, thus enabling the recovery of PII [20]. It can be impossible to delete a single record for some PII without impacting other PII, e.g., microfiche; therefore, it is not feasible to destroy this without losing other data that is still required by the organisation [21]. There are also built-in features like the Volume Shadow Copy Service (VSS) whereby data can easily be recovered once deleted [9]. Deleted data can also be recovered in a SQL Server database using Log Sequence Numbers (LSNs) or by using third-party software like SQL Database Repair [22]. Deleted data is recoverable, but if erased properly it is permanently removed [23]. In some cases [24], it is possible to recover almost all deleted browsing activity. PII can be held on any device that has permanent memory, such as desktops, printers, laptops, external hard drives, etc., so deciding whether to overwrite or destroy will depend on whether the organisation will use the device again [10]. With the introduction of GDPR, small organisations must monitor and manage their PII. Under GDPR, PII references any information that can be used to identify a specific living individual.
Personal identifiers are displayed in the diagram above; however, due to technology, the scope has expanded to include IP addresses, login credentials, social media posts, geolocation, biometric, genetic and behavioural data. This expanded scope increases security and privacy challenges. Adding to this mixture are the challenges of direct and indirect personal data/information [25]. GDPR is applicable to automated PII, manual filing systems and pseudonymised PII [10]. Under GDPR, personal data includes special categories of personal data [8], which include genetic data and biometric data that uniquely identifies an individual. Exclusions are data relating to crime [26].

Personal data can be broadly categorised as structured, semi-structured and unstructured. Structured data/information references data that is highly organised, for example data stored in a relational (SQL) database or in an Excel spreadsheet. This type of data is easy to find, filter and search [27]. Semi-structured data/information references data that cannot neatly fit inside a relational database; however, it does have some structural properties allowing for analysis [28]. Unstructured data/information references data which is unorganised and does not have a pre-defined model. It cannot neatly fit inside a relational database and is incredibly difficult to identify, locate, manage and use, for example Word documents. This data does not fit into relational databases and is the data that organisations struggle with when trying to meet Right to Erasure (“Right to be Forgotten”) compliance, as it is impossible to scrutinise and therefore must be converted into a structured format, otherwise it is of no use to the organisation [27]. Unstructured content is typically text-heavy and multimedia, and is estimated to represent more than 80% of the overall business information created and used.
The volume of unstructured data held in various repositories within a hybrid environment increases continuously, resulting in the identification and location of this data becoming more and more difficult to manage [26].

9. Describe the technical measures for ensuring the security of IoT (Internet of Things) devices and compliance with privacy regulations. Discuss the role of device authentication, encryption, and secure firmware updates in maintaining data privacy.

ANSWER: IoT security encompasses the strategies and techniques used to safeguard Internet of Things (IoT) systems from cyber threats and vulnerabilities. This comprehensive approach involves, among other things, the protection of devices, networks, and the data they handle. It is achieved through the implementation of robust security protocols, encryption standards, diligent firmware updates, and so on. IoT security is dynamic and full of ongoing challenges, due to the regular discovery of flaws in IoT systems. Effective security management hinges on several core practices: hardening system components, keeping firmware up to date, implementing access management, actively monitoring for threats, and promptly responding to identified security gaps. By securing IoT devices and their operating environments, you lower the risk of them becoming entry points to other parts of the network. Secure devices will not leak sensitive data. IoT security weaknesses span diverse sectors, affecting everything from automobiles and energy grids to wearable technology and home automation systems. Recent studies, for example, have revealed vulnerabilities in webcams, making them susceptible to hacking attempts that could breach networks. Similarly, security loopholes in smartwatches have exposed users to privacy infringements by allowing cybercriminals to track wearers’ locations. The realm of IoT security is vast and complex.
However, with vigilance and proper safeguards in place, it is possible to substantially mitigate the risks and protect sensitive data across various applications.

10. Discuss the technical intricacies of complying with e-commerce regulations, such as the Electronic Commerce Directive in the European Union. How can online businesses ensure compliance with data protection and consumer rights while providing a seamless user experience?

ANSWER: Ecommerce Legal Requirements in the EU

All eCommerce businesses operating in the European Union (EU) must adhere to specific legal regulations. Understanding and complying with these legal rules ensures companies' smooth operation and promotes consumer confidence in the digital marketplace. The EU has implemented a comprehensive framework of regulations to ensure consumer protection, data privacy and fair competition in the digital marketplace. However, it is important to note that eCommerce policies in the EU may vary from country to country. Understanding EU eCommerce legislation can be overwhelming, especially for those new to the market. Fortunately, we are here to help. In this guide, we will explain everything you need to know about European legislation for eCommerce. With our assistance, you will navigate the legal landscape confidently, avoiding any accidental breaches of rules and potential penalties.

EU eCommerce Legislation Explained

One of the most significant regulations on data protection and privacy in the EU is the General Data Protection Regulation (GDPR), which came into effect in May 2018 and aims to protect the personal data of EU residents. For eCommerce businesses, this means that their customers have the following rights:
- The right of access: customers must be able to access information about how their data is used.
- The right to data portability: if they wish to do so, customers can transfer their data from one company to a different one.
- The right to erasure: if a customer wants all their data removed from a business’s database, the company must comply.
- The right to be informed: customers need to be informed that a business will collect and retain their data, and must consent.
- The right to rectification: customers have the right to have their data updated if they find it outdated or incorrect.
- The right to restrict processing: customers can request that their data not be processed even though their records stay in the system.
- The right to object: customers can choose not to have their data processed.