Page 342 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Commerce. The self-certification process consists of answering a
lengthy questionnaire. An official from the organization provides
details about the organization, with a focus on its privacy policy,
including the organization's commitment to upholding the seven
primary Privacy Shield Principles and the 16 Privacy Shield
Supplementary Principles.
The Privacy Shield Principles have considerable depth, but in summary
they are as follows:
Notice: An organization must inform individuals about the
purposes for which it collects and uses information about them.
Choice: An organization must offer individuals the opportunity to
opt out, specifically of having their data disclosed to a third party
or used for a purpose materially different from the one for which it
was collected.
Accountability for Onward Transfer: Organizations can only
transfer data to other organizations that comply with the Notice
and Choice principles.
Security: Organizations must take reasonable precautions to
protect personal data.
Data Integrity and Purpose Limitation: Organizations should only
collect data that is needed for processing purposes identified in the
Notice principle. Organizations are also responsible for taking
reasonable steps to ensure that personal data is accurate, complete,
and current.
Access: Individuals must have access to the personal information an
organization holds about them. Individuals must also have the
ability to correct, amend, or delete that information when it is
inaccurate.
Recourse, Enforcement, and Liability: Organizations must
implement mechanisms to ensure compliance with the principles
and provide mechanisms to handle individual complaints.
Pseudonymization
Two technical security controls that organizations can implement are
encryption and pseudonymization. As mentioned previously, all