Study Guide: Certified Information Privacy Professional (CIPP): Common - Privacy vs. Data Protection vs. Security
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-common-privacy-vs-data-protection-vs-security

Certified Information Privacy Professional (CIPP): Common - Privacy vs. Data Protection vs. Security

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


CIPP (US & EU) – Study Guide
Topic: Privacy vs. Data Protection vs. Security


What This Is

Privacy, data protection, and security are three overlapping but distinct pillars of any compliance program. Privacy is the legal and ethical right of individuals to control how their personal information is collected, used, and shared. Data protection is the set of statutory rules (e.g., GDPR, CCPA, HIPAA) that obligate organisations to handle that information responsibly. Security consists of the technical and organisational safeguards that keep data safe from accidental loss or malicious attack.

Real-world snapshot: A multinational retailer collects employee payroll data in Germany, stores it on a cloud server in the United States, and uses a third-party analytics vendor to generate sales forecasts. The retailer must respect the employees’ privacy expectations, comply with the EU GDPR’s data-protection duties, and implement robust security controls to protect the data while it moves across borders.


Key Terms & Provisions

  • Privacy: The individual’s right to decide when, how, and to what extent personal information is disclosed. (U.S. privacy law – “right of control”; EU – “fundamental right” under Art. 8 ECHR).
  • Data Protection: Statutory obligations that govern the lawful processing of personal data. (GDPR Art. 5–6; CCPA § 1798.100; HIPAA Privacy Rule § 164.502).
  • Security: The set of technical, administrative, and physical measures that protect data from unauthorised access, alteration, or destruction. (GDPR Art. 32; HIPAA Security Rule § 164.308).
  • Controller (GDPR): The entity that determines the purposes and means of processing personal data. Example: a U.S. e-commerce site deciding to collect email addresses for marketing.
  • Processor (GDPR): A party that processes data on behalf of the controller. Example: a cloud-hosting provider that stores the e-commerce site’s customer database.
  • Covered Entity (HIPAA): A health-care provider, health plan, or health-care clearinghouse that transmits PHI.
  • Business Associate (HIPAA): Any person or entity that performs a function involving PHI on behalf of a covered entity (e.g., a billing service).
  • Legitimate Interest (GDPR): A lawful basis for processing that balances the controller’s legitimate business purpose against the data subject’s rights. Must be documented in a Legitimate Interest Assessment (LIA).
  • Opt-in Consent (EU ePrivacy Directive & GDPR): Prior, explicit, and freely given consent before placing non-essential cookies or processing special categories of data.
  • Opt-out (CCPA/CPRA): Consumers may direct a business not to sell their personal information; the business must honor the “Do Not Sell” request.
  • Data Protection Impact Assessment (DPIA): Required under GDPR Art. 35 when processing is likely to result in a high risk to individuals (e.g., large-scale profiling).
  • Breach Notification Deadline: GDPR – 72 hours after becoming aware of a breach (Art. 33); CCPA – 60 days after discovery (Cal. Civil Code § 1798.82).

Step-by-Step / Process Flow

  1. Identify the Data Set – Map the personal data you collect, its source, and its flow (e.g., employee payroll → US cloud → analytics vendor).
  2. Determine the Legal Basis – Decide whether you rely on consent, contract, legitimate interest, or another GDPR ground; for U.S. law, check whether the data falls under CCPA, HIPAA, or sector-specific statutes.
  3. Conduct a DPIA / Risk Assessment – If the processing is high-risk (large-scale, profiling, cross-border), complete a DPIA (GDPR) or a “reasonable security” assessment (HIPAA).
  4. Implement Security Controls – Apply encryption, access control, monitoring, and incident-response procedures that meet Art. 32 (GDPR) or the HIPAA Security Rule.
  5. Document & Communicate – Record the lawful basis, DPIA findings, and security measures; update privacy notices, cookie banners, and contracts (controller–processor agreements).
  6. Monitor & Respond – Continuously audit compliance, handle data-subject requests, and be ready to notify regulators and affected individuals within the statutory deadline.

Common Mistakes

  • Mistake: Treating “privacy” and “data protection” as interchangeable, so you only focus on consent.
    Correction: Recognise privacy as the broader right; data-protection rules (GDPR, CCPA) are the legal mechanisms that enforce that right, and security is the technical means to protect the data.
  • Mistake: Assuming a U.S.-based controller is automatically exempt from GDPR because it has no EU office.
    Correction: GDPR Art. 3 applies if you target EU data subjects (e.g., language, shipping to the EU, EU-focused marketing) – physical presence is not required.
  • Mistake: Relying solely on a Business Associate Agreement (BAA) to satisfy GDPR obligations.
    Correction: A BAA satisfies HIPAA but does not replace a GDPR controller–processor contract; you need a GDPR-compliant DPA that includes the Art. 28 obligations.
  • Mistake: Believing that encryption alone eliminates breach-notification duties.
    Correction: Encryption mitigates the breach impact, but you must still assess whether the breach is “likely to result in a risk to the rights and freedoms of individuals” (GDPR Art. 33) and notify if the risk remains.
  • Mistake: Ignoring the “right to be forgotten” for a data subject who is a U.S. citizen.
    Correction: If the company processes EU-resident data, the right to erasure (GDPR Art. 17) applies regardless of the data subject’s nationality.

CIPP Exam Insights

  1. Opt-in vs. Opt-out – The exam loves to ask which regime requires explicit consent before processing (EU) versus a passive “do-not-sell” mechanism (CCPA). Remember: EU = opt-in; California = opt-out.
  2. Controller vs. Processor Duties – Expect a scenario where a cloud provider (processor) must not decide the purpose of processing; only the controller can. The processor’s obligations are limited to following the controller’s instructions and maintaining security.
  3. HIPAA Covered Entity vs. Business Associate – A common trap: a software vendor that stores PHI for a hospital is a Business Associate, not a Covered Entity, and must sign a BAA.
  4. Legitimate Interest Assessment (LIA) vs. DPIA – An LIA is a risk-based test for GDPR’s legitimate-interest basis; a DPIA is required when the processing is high-risk (e.g., large-scale profiling). The exam may give you a scenario and ask which one you need.

Quick Check Questions

  1. Scenario: An EU citizen contacts a U.S.-based SaaS provider asking for deletion of all their data. The provider argues the request is outside its jurisdiction.
    Answer: The provider must comply (GDPR Art. 17) because the SaaS service targets EU residents (e.g., EU-language site, EU-based customers).
    Why: Territorial scope is based on targeting EU data subjects, not physical presence.

  2. Scenario: A hospital (Covered Entity) uses a third-party transcription service to convert audio notes to text. The service stores the transcripts on its own servers.
    Answer: The transcription service is a Business Associate and must sign a BAA.
    Why: Any entity that creates, receives, or transmits PHI on behalf of a Covered Entity is a Business Associate under HIPAA.

  3. Scenario: A retailer wants to place a “remember-me” cookie on a visitor’s browser without a consent banner because the cookie is strictly necessary for the shopping cart.
    Answer: This is permissible under the ePrivacy Directive/GDPR because the cookie is strictly necessary for the service requested.
    Why: Only non-essential cookies require opt-in consent; essential cookies are exempt.


Last-Minute Cram Sheet (10 One-Liners)

  1. GDPR Art. 3 – Applies to any entity offering goods/services to, or monitoring the behaviour of, EU data subjects – no physical EU presence needed.
  2. CCPA/CPRA “Do Not Sell” – Must be honoured within 15 days of receipt; failure = up to $7,500 per violation.
  3. HIPAA Breach Notification – 60 days to notify the Secretary of HHS and affected individuals.
  4. GDPR Art. 32 – Requires a risk-based approach: pseudonymisation, encryption, and regular testing are “appropriate technical and organisational measures.”
  5. Maximum GDPR Fine – €20 million or 4% of global annual turnover, whichever is higher.
  6. Right to Data Portability (GDPR Art. 20) – Only for data “provided by the data subject” and in a structured, commonly used format.
  7. Legitimate Interest Balancing Test – Three steps: (1) Identify a legitimate interest, (2) Necessity test, (3) Balancing test.
  8. DPIA Trigger – Large-scale processing of special categories, systematic profiling, or monitoring of publicly accessible areas.
  9. CCPA “Sale” Definition – Any disclosure of personal information for monetary consideration, including data brokerage.
  10. HIPAA Security Rule – Safeguard Categories – Administrative, Physical, and Technical safeguards; each must be documented in a Security Management Process.

Good luck – you’ve got the concepts, the terminology, and the exam tricks you need to ace the privacy portion of CIPP/US and CIPP/E!