Security And Privacy - Overview

Updated: 2020-12-29
  • Legal: What can we do
  • Compliance: What must we do
  • Security: How can we do it
  • Privacy: What should we do

Be careful about special types of data

  • Accelerometer: detects acceleration by vibration, so it can be a kind of microphone to record user's voice.
  • Timestamp: if it is down to milliseconds, it may be used as a join key to link to other datasets.

Wipeout vs Takeout

  • Wipeout: all data related to the user will be removed. The right to be forgotten.
  • Takeout: all data related to the user can be downloaded. Also serves the purpose of transparency: users know what we know about them.

Regulartions / Standards

  • GDPR: General Data Protection Regulation (EU)
  • HIPAA: Health Insurance Portability and Accountability Act. (US)
  • PCI-DSS: Payment Card Industry Data Security Standard
  • CCPA: California Consumer Privacy Act, similar to GDPR.


Data subject: the individual that information describes

6 GDPR DSRs: data subject rights

  • the right to be forgotten
  • the right to access
  • the right to portability
  • the right to restriction of processing
  • the right to rectify
  • the right to object

Methods to prove lawfulness of processing

  • contractural necessity: processing required to fulfill an agreement between a company and an individual
  • consent
  • legitimate interests

Controllers vs Processors

  • Controllers: decide how personal data will be processed. must meet obligations set forth in the GDPR
  • Processors: process data at the direction of another entity

Data governance

  • moral?
  • ethical?
  • legal?
  • fair?


Authn, authz, audit