What are the differences between GDPR(EU), PDPO(Hong Kong), and CISSP(CBK) requirements?
Photo by Dr. Danny Ha. The flowers in the foreground and the branches represent the network, the cloud, regions and the world; the bird with the colourful dots represents a person's identifying information.


Prepared by the PIA Consultant Team: Mr. Ben Yiu, Data Privacy and IT Security Consultant; Ms. Lee, SRM Project Leader, Cambridge Sustainability CISL BSM; Dr. Danny Ha, ERM Advisor, Cambridge CISL BSM, CPERM ISO 31000, CRP, CISSP, CDPSE, CEO @OneNet, Chairman @APC (Academy of Professional Certification). Websites: OneNet: https://onenet99.wixsite.com/onenet and Academy of Professional Certification: https://apcaudit12.wixsite.com/apcert

© 2021 OneNet Co. and Academy of Professional Certification (APC). All rights reserved. Updated: 15 April 2021


Executive Summary

This report compares the privacy requirements of the EU's General Data Protection Regulation (the "GDPR"), Hong Kong's Personal Data (Privacy) Ordinance (the "PDPO") and the privacy requirements of the CISSP Common Body of Knowledge (CBK). Besides comparing specific provisions of the GDPR and the PDPO, the report highlights the fundamental differences in the underlying principles of the two laws. In short, the GDPR is the more stringent and far-reaching law, with more explicitly defined requirements than the PDPO. To help organizations achieve compliance, a risk assessment against common privacy requirements is included in the next section. The assessment is by no means an exhaustive enumeration of privacy requirements, and interested parties should seek help from privacy specialists to address their own privacy challenges. Please write to [email protected] for more information.


Introduction

The EU's General Data Protection Regulation (the "GDPR") and Hong Kong's Personal Data (Privacy) Ordinance (the "PDPO") are both data protection and privacy legal frameworks that share similar core principles. However, the GDPR, being the more recent law (in force since May 2018) and written with current technology and current organizational uses of personal data in mind, is much more stringent and far-reaching than the PDPO (in force since 1996, amended in 2012). The requirements of the GDPR are also generally more explicitly defined than those of the PDPO. The CISSP privacy requirements summarize the common tenets of the major US and EU laws and regulations on data protection and privacy and highlight some unique requirements of those laws. Below is a summary of the requirements of the GDPR, the PDPO and the CISSP CBK.


Principles of GDPR

Article 5 of the GDPR states that:

  1. Personal data must be

  • Processed lawfully, fairly and transparently (lawfulness, fairness and transparency).
  • Collected only for specified, explicit and legitimate purposes (purpose limitation).
  • Adequate, relevant and limited to what is necessary (data minimisation).
  • Accurate and, where necessary, kept up to date (accuracy).
  • Stored only as long as is necessary (storage limitation).
  • Processed in a manner that ensures appropriate security (integrity and confidentiality).

  2. The data controller is responsible for compliance with these principles and must be able to demonstrate it, with appropriate measures and records (accountability).


Principles of PDPO

The six data protection principles (DPPs) are:

DPP1 Purpose and Manner of Collection

  • Personal data must be collected lawfully and fairly, for a lawful purpose directly related to a function or activity of the data user.
  • Data subjects must be notified of the purpose of collection and the classes of person to whom the data may be transferred.
  • The data collected must be adequate but not excessive in relation to that purpose.

DPP2 Accuracy and Duration of Retention

  • Personal data must be accurate and must not be kept longer than is necessary to fulfil the purpose for which it is used.

DPP3 Use of Data

  • Personal data must be used only for the purpose for which it was collected or for a directly related purpose, unless the data subject gives voluntary and explicit consent to a new purpose.

DPP4 Data Security

  • The data user must take practicable steps to safeguard personal data against unauthorised or accidental access, processing, erasure, loss or use.

DPP5 Openness and Transparency

  • The data user must make its personal data policies and practices publicly known, including the kinds of personal data it holds and the purposes for which the data is used.

DPP6 Access and Correction

  • The data subject must be able to access their personal data and to request correction where the data is inaccurate.


CISSP privacy requirements:

  • Ensure the organization's security policy and practices fulfil its legal obligations to:

  1. protect the data it collects and maintains;
  2. follow the collection limitation principle, so that data collection is limited to what is needed;
  3. collect data by lawful and fair methods, and only with the knowledge and/or consent of the individual;
  4. disclose what data is collected, why it is collected and how it is used;
  5. notify affected individuals and organizations in the event of a data breach;
  6. adhere to, and ensure compliance with, any other government regulations on privacy and data protection in the jurisdictions in which the organization operates.

  • Ensure that the security controls, security baselines and relevant standards used to protect privacy are included in the organization's security policy and comply with relevant laws.
  • Be aware of the privacy implications of technical solutions.

Ref: (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide


Major Differences in GDPR and PDPO

(The comparison tables are images in the original article and are not reproduced here; further comparisons are omitted by the authors.)

Ref: Stephen Kai-yi Wong, EU GDPR and HK PDPO: What’s the Difference?, 2018

While there are more differences between the provisions of the GDPR and the PDPO than those shown above, the major ones are highlighted below. IT security professionals such as CISSPs should be aware of these differences when establishing and implementing the security policy of an organization subject to the GDPR and/or the PDPO.

Organization Accountability ...

Data Processor Obligations ...

Individual Rights ...

Fines and Penalties ...

Data Protection Officer and Data Privacy Impact Assessment ...

(some paragraphs have been hidden, please write to [email protected])

CISSP Privacy Requirements

While the CISSP privacy requirements summarized above are not legally binding, meeting them covers many of the common tenets and requirements of data protection and privacy laws. The CISSP CBK requires security professionals to implement security policies that comply with the data protection and privacy laws to which the organization is subject, such as the GDPR and the PDPO discussed above, where applicable. In addition, security professionals such as CISSPs should be aware of many other well-known standards and regulations at the level of their definition and purpose, and address their requirements where necessary.

CISSPs should be aware of potential data protection and privacy risks when adopting technical solutions under the security policy. For example, retina scanning, while one of the most accurate biometric authentication methods, can pose a privacy risk: a retina scan maps the blood vessel pattern at the back of the eye, which can reveal health conditions such as high blood pressure and pregnancy. Data concerning health is sensitive personal data under many privacy laws (under the GDPR it is special-category data, Article 9), so collecting it incidentally for authentication needs a lawful basis and a purpose the data subject has been told about. Other scenarios include website privacy, mobile device monitoring and email security in the workplace, all of which involve the processing of large amounts of personal data.


Conclusion

Achieving compliance with the privacy requirements of the GDPR and the PDPO is a substantial undertaking because of the extensive provisions of these legal frameworks. Organizations subject to these laws should seek help from security and privacy professionals, such as CISSP and CDPSE holders, who have the knowledge and experience to implement best practice.

Note that privacy compliance is not a one-time task but a continuous endeavour: compliance should be reviewed regularly and improvement measures applied where needed. Organizations subject to both the GDPR and the PDPO, i.e. an EU organization operating in Hong Kong or a Hong Kong organization doing business with EU individuals, should also watch China's Personal Information Protection Law (the "PIPL"), released in draft form in October 2020, when they next review their privacy compliance, as they may come under the PIPL when they extend business to China or deal with Chinese citizens. This report does not address the requirements of the PIPL, which had not yet entered into force at the time of writing (see the update below).


PIPL Effective Nov. 1, 2021:

Translation: Personal Information Protection Law of the People's Republic of China (Effective Nov. 1, 2021), August 20, 2021 | Rogier Creemers and Graham Webster

Personal Information Protection Law of the People's Republic of China (中华人民共和国个人信息保护法), adopted at the 30th session of the Standing Committee of the 13th National People's Congress on 20 August 2021: https://society.people.com.cn/gb/n1/2021/0820/c1008-32202129.html

https://digichina.stanford.edu/news/translation-personal-information-protection-law-peoples-republic-china-effective-nov-1-2021

https://www.pcpd.org.hk/tc_chi/resources_centre/publications/books/files/pcpd_china_pipl_book2021.pdf


Consultant Team:

Mr. Ben Yiu, CISSP, CDPSE, Data Privacy & IT Security Consultant, OneNet;

Ms. Lee, SRM Project Leader, Cambridge Sustainability CISL BSM, OneNet;

Dr. Danny Ha, ERM Advisor, EPA/PIA/PCA Consultant, ISO TC member, CPERM ISO 31000, ISO 27001 LA, ISO 9001 LA, CRP, CISSP, CDPSE, CISA, CISM, CRISC, CEO @OneNet, Chairman @APC (Academy of Professional Certification)


