5.4 Domain 5 · Security Program Management

Effective Security Compliance

Reporting, consequences, monitoring, and the privacy stack: GDPR, CCPA, HIPAA, controllers vs. processors, the right to be forgotten, due care vs. due diligence.

The Concept

Compliance is the discipline of proving that you do what your policies, contracts, and laws require. The Security+ exam separates two camps: compliance reporting (internal and external attestations of where you stand) and compliance monitoring (the ongoing operational work that keeps you in good standing). Around both sits the privacy stack — GDPR, CCPA/CPRA, HIPAA — with its own vocabulary: data subject, controller vs. processor, right to be forgotten, data inventory, retention.

Two distinctions you must keep straight: due diligence (initial investigation — “did we look before we leaped?”) vs. due care (ongoing maintenance — “are we still doing what a reasonable organization would do?”); and controller (decides why and how data is processed) vs. processor (processes data on the controller’s behalf). The exam asks both pairs reliably.

Compliance reporting. Two audiences:

  • Internal — the board, executive management, and the audit committee receive trended dashboards and material findings. Internal reports drive resource allocation and risk acceptance decisions.
  • External — regulators, auditors, and customers receive attestations (SOC 2 reports, ISO certificates, regulator filings, customer security questionnaires). External reporting often has timelines and formats prescribed by the regulator or contract.

Consequences of non-compliance. The exam tests recognition of these categories:

  • Fines — regulatory monetary penalties. GDPR can reach up to 4% of global annual revenue (or €20M, whichever is greater). HIPAA uses a tiered penalty structure. PCI imposes per-incident penalties on the merchant via the acquiring bank.
  • Sanctions — loss of operating privileges (loss of PCI merchant status, suspension of a vendor relationship, removal from approved supplier lists).
  • Reputational damage — brand harm, loss of customer trust, news coverage. Often the largest real cost.
  • Loss of license — banking licenses, broker-dealer registration, or industry-specific operating authority can be revoked.
  • Contractual impacts — breach of customer agreements triggering termination rights, indemnity obligations, and credits.

Compliance monitoring. Keeping the controls operating, not just installed:

  • Due diligence vs. due care. Due diligence is the upfront investigation — “did a reasonable organization look before deciding?” Due care is ongoing maintenance — “is a reasonable organization continuing to act prudently?” Both are required. The exam reliably swaps them.
  • Attestation and acknowledgement — signed confirmations from control owners that controls are operating; user acknowledgements of policies (annual AUP signoff).
  • Internal and external monitoring — self-assessments plus third-party audits.
  • Automation — continuous compliance tooling (Drata, Vanta, Secureframe) that maps controls to evidence automatically and continuously.

Privacy — legal implications by scope. Privacy is layered:

  • Local / regional — US state laws (California’s CCPA/CPRA, Virginia CDPA, Colorado CPA) and similar subnational frameworks.
  • National — sectoral and country-level laws (US: HIPAA for health, GLBA for finance; Canada: PIPEDA).
  • Global — cross-border frameworks (GDPR in the EU/UK, APEC CBPR).

Privacy roles and concepts. Data subject = the individual the data is about. Controller = decides the purposes and means of processing personal data (the “why” and “how”). Processor = processes personal data on behalf of the controller. Ownership = who controls the data inside your organization (typically a data owner role per 5.1). Data inventory = a record of what personal data you hold, where, and why. Retention = keep only as long as needed; delete or anonymize past the lawful basis.

Right to be forgotten. GDPR Article 17: data subjects can request erasure of their personal data when there is no overriding lawful basis to keep it. The right is not absolute — it has carve-outs for legal holds, freedom of expression, public interest, and legal claims. The exam wants both: the right exists, and it has limits.

Framework   | Scope                                 | Triggers                                    | Penalty pattern
------------|---------------------------------------|---------------------------------------------|----------------------------------------------------------
GDPR        | EU/UK personal data                   | Processing personal data of EU/UK residents | Up to 4% global revenue or €20M (greater)
CCPA / CPRA | California residents                  | Threshold revenue or data volumes           | Per-violation civil penalties; private right for breaches
HIPAA       | US protected health information (PHI) | Covered entities + business associates      | Tiered penalties; HHS-OCR enforcement
GLBA        | US financial institutions             | Customer financial information              | Regulator-led enforcement
PCI DSS     | Cardholder data (industry standard)   | Storing/processing/transmitting card data   | Brand penalties via acquirer; loss of merchant status
SOX         | US public companies                   | Financial reporting integrity               | SEC enforcement; criminal exposure for officers

Privacy role | Decides                       | Does                                                   | Exam cue
-------------|-------------------------------|--------------------------------------------------------|--------------------------------------------------
Data Subject |                               | The individual the data is about                       | “the customer,” “the patient,” “the user”
Controller   | Why and how data is processed | Sets purposes, defines lawful basis                    | “determines purposes,” “decides what to collect”
Processor    |                               | Processes on the controller’s behalf, per instructions | “hosts the data,” “runs analytics for us”

Concept pair          | Definition                                           | Exam cue
----------------------|------------------------------------------------------|----------------------------------------------
Due diligence         | Initial investigation; did we look before we leaped? | “Pre-acquisition review,” “vendor selection”
Due care              | Ongoing maintenance; are we still acting prudently?  | “Continuing to patch,” “annual training”
Right to be forgotten | GDPR Article 17 erasure right (with exceptions)      | “EU customer asks to delete all data”
Data minimization     | Collect only what you need                           | “Don’t collect SSN if not required”
Retention             | Keep only as long as needed                          | “Auto-purge after 7 years”

Key Takeaway

Three reflexes for 5.4: (1) controller decides, processor executes; (2) due diligence is upfront, due care is ongoing; (3) GDPR fines are the big-number scenario — up to 4% global revenue. Right to be forgotten exists but is not absolute (legal holds, legitimate interest).

Scenario: Right-to-be-forgotten vs. Litigation Hold
EU customer · Article 17 request · active litigation

An EU customer files a written request demanding deletion of all their personal data under GDPR Article 17 (right to be forgotten). Three days later, your general counsel notifies you that the same customer is in active litigation with your firm and a litigation hold is in place — nothing can be deleted. Privacy operations needs to respond to the customer within the GDPR-mandated window.

Customer Service: “The customer is escalating — they want a complete erasure confirmation today, or they say they will file with the supervisory authority.”

Privacy / Security: “Right to be forgotten is not absolute. Article 17 has carve-outs for legal claims, compliance with a legal obligation, and freedom of expression. Litigation hold falls under legal claims. Our response is: acknowledge the request inside the GDPR window, explain the lawful basis for retention (the litigation), and commit to processing the erasure once the legal hold is released.”

Customer Service: “Won’t they file anyway?”

Privacy / Security: “They can. Supervisory authorities expect a documented lawful basis for any refusal. Document the litigation hold, document the legal advice, document the response. If they file, we have the paper trail. The trap is silently ignoring or quietly deleting some of the data — both are worse than a documented refusal.”

Compensating Action

Legal hold beats erasure request. Document the lawful basis, communicate the basis to the data subject inside the response window, and queue the erasure for execution after the hold lifts. Privacy operations should have a runbook for this collision — it happens often in regulated industries.

Real Talk — Career Context

Privacy roles increasingly sit beside security. The DPO (Data Protection Officer) is a GDPR-mandated role for many organizations and is independent of the CISO — but the CISO’s team usually executes the technical erasure. Knowing the privacy vocabulary (subject, controller, processor, lawful basis, supervisory authority, DPO) is increasingly part of security interviews.

On the exam: “EU citizen wants deletion” → right to be forgotten under GDPR. “Patient asks who accessed their record” → HIPAA right to an accounting of disclosures. “California consumer asks what we sold” → CCPA right to know. Country/region cue → map to the framework.

You run a SaaS HR product. Your customers are employers; their employees are the data subjects. The employer decides what fields to collect, why, and for how long; you simply host the data, run the SaaS application, and provide reports the employer requests. Under GDPR terminology, what is your role — and what is the employer’s role?

Option A
You = Controller; Employer = Processor

Because you hold and operate on the data, you set the purposes; the employer is just a user.

Option B
Employer = Controller; You = Processor

Employer decides why and how the data is processed; you process on the employer’s behalf.

Option B is correct — Employer is Controller, SaaS is Processor

Option B: The controller is the entity that decides the purposes and means of processing personal data. The employer makes those decisions for their employees’ data. The SaaS provider hosts and operates the platform on the employer’s behalf, which is the textbook definition of a processor.

Option A’s trap: It conflates “holds the data” with “decides the purposes.” Custody is not control. The exam frequently tries to turn the SaaS provider into the controller because the SaaS owns the technology — but technology custody and decision authority are different. Watch the verbs: “decides” → controller; “processes on behalf of” → processor.

On the exam: practical implication — processors require a data processing agreement (DPA) from the controller and must follow controller instructions. In healthcare, the analogous concept is the business associate relationship under HIPAA, governed by a BAA.

Due care vs. due diligence flipped
Due diligence = initial investigation. Due care = ongoing maintenance. Both are required. The exam reliably swaps them; remember: diligence comes first, care continues.
Why it is tempting: both are “doing the right thing.” Timing distinguishes them.
Controller vs. processor confusion
The controller decides why and how data is processed. The processor processes on the controller’s behalf. Holding the data is not the same as deciding what to do with it. SaaS providers are usually processors for their customers’ data.
Why it is tempting: “we have it on our servers, so we control it.” Custody is not control under GDPR.
Right to be forgotten treated as absolute
GDPR Article 17 has carve-outs — legal claims, compliance with a legal obligation, freedom of expression, public interest, archiving. A litigation hold or regulatory retention requirement overrides the erasure request.
Why it is tempting: the right sounds total. Always check for an overriding lawful basis to retain.
GDPR fine numbers memorized wrong
GDPR maximum is up to 4% of global annual revenue OR €20M, whichever is greater. Recognize the pattern of “very large fine tied to global revenue” — that points at GDPR.
Why it is tempting: small fines or per-record figures look familiar from US laws. GDPR is global-revenue-percentage scale.
CCPA confused with GDPR
CCPA/CPRA applies to California residents and has different rights (right to know, right to delete, right to opt out of sale). GDPR applies to EU/UK residents. Geographic cue in the question matters.
Why it is tempting: similar privacy concepts. The trigger jurisdiction differs.
Reporting confused with monitoring
Reporting is the snapshot you hand to the board, regulator, or customer. Monitoring is the continuous operational work that keeps the controls running. The exam asks “what is this output?” (reporting) vs. “what activity produces it?” (monitoring).
Why it is tempting: both involve looking at controls. Reporting = artifact; monitoring = activity.
Exam Signal

5.4 patterns to memorize: (1) geography → framework (EU/UK = GDPR, California = CCPA/CPRA, US health = HIPAA, US finance = GLBA); (2) “decides” = controller, “processes on behalf” = processor; (3) due diligence first, due care continuous; (4) right to be forgotten exists but is not absolute.

Quick Check — 5.4 Q1
A US-based marketing analytics SaaS holds personal data on behalf of European retailers. The retailers determine what fields to collect, the lawful basis, and the retention period. Under GDPR, which role does the SaaS occupy?
  • A Data subject
  • B Controller
  • C Processor
  • D Supervisory authority

Correct: C. The retailers determine purposes and means (controller). The SaaS processes on their behalf (processor). The exam rewards “decides” → controller, “processes on behalf” → processor.

A wrong: Data subjects are the individuals whose data is processed.

B wrong: The retailers are the controllers.

D wrong: Supervisory authorities are the regulators (e.g., national DPAs).

Source: CompTIA SY0-701 Objectives v5.0 — 5.4 Effective security compliance

Quick Check — 5.4 Q2
A company conducts a thorough security review of a target firm before completing an acquisition, including code review, controls evaluation, and breach history. Six months later, the acquired entity is integrated and its controls are maintained on the same schedule as the parent. Which pairing BEST describes these activities?
  • A Pre-acquisition = due care; post-integration = due diligence
  • B Pre-acquisition = due diligence; post-integration = due care
  • C Both = due diligence
  • D Both = due care

Correct: B. Due diligence is the upfront investigation (pre-acquisition review). Due care is the ongoing maintenance (post-integration controls operation).

A wrong: Reverses the two definitions.

C wrong: Maintenance is not investigation.

D wrong: Initial investigation is not maintenance.

Source: CompTIA SY0-701 Objectives v5.0 — 5.4

Quick Check — 5.4 Q3
A multinational company is found to have processed EU customer data without an adequate lawful basis for two years. Regulators are weighing penalties. Which fine ceiling is consistent with GDPR enforcement?
  • A $25 per affected record, capped at $1M
  • B 1% of US-segment revenue
  • C Up to 4% of global annual revenue or €20M, whichever is greater
  • D Loss of PCI merchant status

Correct: C. GDPR’s tier-2 maximum is up to 4% of total worldwide annual turnover of the preceding financial year, or €20M, whichever is greater.

A wrong: Per-record schemes are characteristic of some US state laws, not GDPR.

B wrong: GDPR is global revenue, not regional segment.

D wrong: PCI merchant-status loss is a payment-card industry sanction, not a GDPR fine.

Source: CompTIA SY0-701 Objectives v5.0 — 5.4

Disclaimer: This content is provided for educational and exam preparation purposes only. It is not official CompTIA content, is not endorsed by CompTIA, and does not guarantee exam success. All practice questions are original and based on the published CompTIA SY0-701 Exam Objectives (v5.0). Always refer to the official CompTIA Security+ Exam Objectives as your primary reference.