The demand for data protection and privacy rights of users should compel companies to establish a Privacy by Design culture

Full Answer Section

1. Proactive not Reactive; Preventive not Remedial: Anticipating and preventing privacy issues before they happen.
2. Privacy as the Default Setting: Ensuring that privacy is automatically protected, without requiring users to take any action.
3. Privacy Embedded into Design: Integrating privacy measures into the design and architecture of IT systems.
4. Full Functionality: Positive-Sum, not Zero-Sum: Balancing privacy with other essential functionalities, rather than sacrificing one for the other.
5. End-to-End Security: Lifecycle Protection: Protecting data throughout its entire lifecycle, from collection to deletion.
6. Visibility and Transparency: Keep it Open: Being transparent about how data is being used and protected.
7. Respect for User Privacy: Keep it User-Centric: Prioritizing the interests of the individual and providing strong privacy defaults, appropriate notice, and user-friendly options.

• Public: Data that can be freely shared with anyone.
• Internal: Data that should only be accessed by employees within the organization.
• Confidential: Sensitive data that, if disclosed, could have a significant negative impact on the organization (e.g., trade secrets, customer lists).
• Restricted: Highly sensitive data that requires the highest level of protection (e.g., personally identifiable information (PII), financial data).

• Access Control: Data classification informs the design of access control systems. For example, a database containing "Restricted" data will have much stricter access controls than one containing "Public" data. This includes authentication (verifying user identity) and authorization (determining what actions a user can perform).
• Encryption: The sensitivity of the data, as determined by its classification, dictates whether and how it should be encrypted. Databases holding "Confidential" or "Restricted" data should use strong encryption, both in transit and at rest.
• Auditing and Monitoring: Data classification helps determine which database activities need to be logged and monitored. Accesses to "Restricted" data may be audited more closely than accesses to "Internal" data.
• Data Loss Prevention (DLP): Classification is essential for DLP systems, which are designed to prevent sensitive data from leaving the organization's control. DLP policies are often based on data classifications.
• Storage and Backup: Data classification can influence decisions about where and how data is stored and backed up. "Restricted" data may be stored in more secure locations and backed up more frequently.
• Disaster Recovery: In disaster recovery planning, data classification helps prioritize the recovery of critical systems and data. Systems that store "Restricted" or "Confidential" data may be given higher priority.
• Security Testing: Data classification guides security testing efforts. Testers will focus more on systems that

Sample Answer