This chapter covers three major data privacy and security regulations: GDPR, HIPAA, and PCI-DSS. You must understand their scope, requirements, and enforcement mechanisms for the SY0-701 exam under Objective 5.4, which focuses on security program management and compliance. These regulations are frequently tested through scenario-based questions that ask you to identify which regulation applies and what specific controls are required. Mastering these frameworks is essential for any security professional involved in policy creation, data protection, or audit preparation.
Imagine a bank vault that stores cash (personal data) for customers. The bank must follow regulations: GDPR says the vault must be built with specific materials and have a log of every time the vault is opened, and the customer must be told when their cash is accessed. HIPAA says that if the vault is used for medical records, only authorized healthcare staff can open it, and the patient has the right to see who accessed their file. PCI-DSS says that if the vault holds credit card numbers, it must be made of reinforced steel, have a combination lock that changes quarterly, and be monitored by cameras 24/7. Each regulation has its own set of rules, but they all aim to protect the cash (data) from theft or misuse. A bank employee might mistakenly think that following PCI-DSS means they don't need to follow HIPAA for medical records, but each set of rules applies independently based on the type of data. The regulators (like the Federal Reserve for GDPR, HHS for HIPAA, and the card brands for PCI-DSS) can audit the bank and impose fines if the vault doesn't meet their specific requirements. The key is that the bank must identify which types of data it holds and apply all relevant regulations, not just one.
GDPR (General Data Protection Regulation) is a European Union regulation that protects the personal data of EU citizens. It applies to any organization that processes the personal data of EU residents, regardless of where the organization is located. HIPAA (Health Insurance Portability and Accountability Act) is a US law that protects protected health information (PHI) held by covered entities and their business associates. PCI-DSS (Payment Card Industry Data Security Standard) is a set of security standards for organizations that handle credit card information, mandated by the major card brands (Visa, Mastercard, etc.).
How They Work Mechanically
GDPR is based on several key principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Organizations must obtain explicit consent for data processing, provide data breach notifications within 72 hours, and allow individuals to access, correct, or delete their data (right to erasure). Enforcement is through fines up to €20 million or 4% of global annual turnover, whichever is higher.
HIPAA has two main rules: the Privacy Rule and the Security Rule. The Privacy Rule governs the use and disclosure of PHI, requiring patient authorization for non-treatment purposes. The Security Rule specifies administrative, physical, and technical safeguards for electronic PHI (ePHI). Covered entities (healthcare providers, health plans, healthcare clearinghouses) and business associates (e.g., billing companies) must implement policies, conduct risk assessments, and ensure data confidentiality, integrity, and availability. Penalties range from $100 to $50,000 per violation, with a maximum annual penalty of $1.5 million.
PCI-DSS consists of 12 requirements organized into six goals: build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. Compliance is validated annually through a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC) by a Qualified Security Assessor (QSA). Non-compliance can result in fines from the card brands, increased transaction fees, or loss of the ability to process credit cards.
Key Components and Variants
GDPR: Key terms include Data Controller (determines purposes and means of processing), Data Processor (processes data on behalf of controller), Data Protection Officer (DPO) (required for certain organizations), and Supervisory Authority (national data protection authority). Important rights: Right to be forgotten, data portability, and breach notification.
HIPAA: Key terms include Covered Entity, Business Associate, Protected Health Information (PHI) (any health information that identifies an individual), and ePHI (electronic PHI). The Security Rule has three safeguards: Administrative (policies, training), Physical (facility access, workstation security), and Technical (access control, audit controls, integrity controls, transmission security).
PCI-DSS: Key terms include Cardholder Data (CHD) (full PAN, cardholder name, expiration date, service code), Sensitive Authentication Data (SAD) (CVV2, PIN, magnetic stripe data), and Qualified Security Assessor (QSA). Requirements include: encrypting CHD at rest (using AES-256 or stronger) and in transit (TLS 1.2+), restricting access on a need-to-know basis, and regularly testing security systems (quarterly ASV scans, annual penetration tests).
How Attackers Exploit or Defenders Deploy
Attackers target these regulated environments by exploiting weak access controls, unencrypted data, or social engineering. For example, a phishing attack could trick a healthcare employee into revealing credentials, leading to a HIPAA breach. Defenders deploy encryption (e.g., AES-256 for data at rest), access controls (role-based access, multi-factor authentication), and monitoring (SIEM with alerts for unauthorized access). Specific tools include: for PCI-DSS, a vulnerability scanner like Nessus for quarterly ASV scans; for HIPAA, a risk assessment tool like HITRUST CSF; for GDPR, data mapping tools like OneTrust.
Real Command/Tool Examples
PCI-DSS ASV Scan: Use a PCI-approved scanning vendor (e.g., Trustwave) to scan external IPs. A sample scan result might show a vulnerability like CVE-2023-1234 (a critical Apache Struts RCE). The defender must remediate within 30 days or risk non-compliance.
HIPAA Audit Control: Implement logging on a healthcare application. Example syslog entry:
<14>1 2023-10-01T12:00:00Z myehr.com auditd - - user=jdoe action=view resource=patient_12345 status=success
GDPR Data Subject Access Request (DSAR): An organization must respond within one month. A tool like Microsoft Purview can search for personal data across Office 365 and export a report.
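The audit entry above is only useful if someone actually reviews it, which is what the HIPAA audit-controls safeguard is about. The following Python example is added here and is not code from the chapter or from any EHR product: it parses RFC 5424 syslog lines in the same layout as the entry above and raises two findings a reviewer or SIEM rule would care about, a "minimum necessary" violation (a billing role opening clinical notes) and repeated denied accesses by one user. The role-to-section policy, host name, user names and patient identifiers are all hypothetical, constructed for the example.

```python
import re
from collections import Counter

# Constructed sample audit records in the RFC 5424 syslog layout used above
# (<PRI>VERSION TIMESTAMP HOST APP PROCID MSGID MSG). Hosts, users and
# patient ids are made up for this example.
SAMPLE_AUDIT_LOG = """\
<14>1 2023-10-01T12:00:00Z myehr.com auditd - - user=jdoe role=physician action=view resource=patient_12345 status=success
<14>1 2023-10-01T12:00:05Z myehr.com auditd - - user=bsmith role=billing action=view resource=patient_12345 section=billing status=success
<14>1 2023-10-01T12:00:09Z myehr.com auditd - - user=bsmith role=billing action=view resource=patient_12345 section=clinical_notes status=success
<14>1 2023-10-01T12:01:00Z myehr.com auditd - - user=tjones role=physician action=view resource=patient_77777 status=failure
<14>1 2023-10-01T12:01:30Z myehr.com auditd - - user=tjones role=physician action=view resource=patient_77778 status=failure
<14>1 2023-10-01T12:02:00Z myehr.com auditd - - user=tjones role=physician action=view resource=patient_77779 status=failure
"""

# Hypothetical minimum-necessary policy: which sections of a patient record
# each workforce role may open. None means any section (treatment exception).
ALLOWED_SECTIONS = {
    "physician": None,
    "billing": {"billing", "demographics"},
}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<msg>.*)$"
)


def parse_audit_line(line):
    """Parse one RFC 5424 line whose MSG part is key=value pairs.

    Returns a dict with the header fields plus one key per pair, or None
    if the line does not match (malformed lines are counted, not ignored).
    """
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    record = m.groupdict()
    for token in record.pop("msg").split():
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def analyze_audit_log(lines, failure_threshold=3):
    """Return a list of findings for an auditor or SIEM rule.

    Two checks, both derived from HIPAA safeguards discussed in the chapter:
      * minimum_necessary - a role opened a record section outside its policy
      * repeated_failure  - a user accumulated >= failure_threshold denied
                            accesses (possible credential misuse or probing)
    """
    findings = []
    failures = Counter()
    malformed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_audit_line(line)
        if rec is None:
            malformed += 1
            continue
        role = rec.get("role")
        section = rec.get("section")
        allowed = ALLOWED_SECTIONS.get(role)
        if section and allowed is not None and section not in allowed:
            findings.append({
                "type": "minimum_necessary",
                "user": rec.get("user"),
                "resource": rec.get("resource"),
                "section": section,
                "time": rec["ts"],
            })
        if rec.get("status") == "failure":
            failures[rec.get("user")] += 1
    for user, n in failures.items():
        if n >= failure_threshold:
            findings.append({"type": "repeated_failure", "user": user, "count": n})
    if malformed:
        # Gaps in the audit trail are themselves a control failure worth reporting.
        findings.append({"type": "malformed_lines", "count": malformed})
    return findings


if __name__ == "__main__":
    for f in analyze_audit_log(SAMPLE_AUDIT_LOG.splitlines()):
        print(f)
```

Run against the constructed log, the analysis reports bsmith (billing) opening clinical notes and tjones with three denied accesses; a successful physician view produces nothing. The malformed-line counter matters in practice: an audit trail that silently drops records cannot demonstrate compliance during an OCR investigation.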
Summary of Requirements for the Exam
SY0-701 expects you to know the scope (who must comply), key requirements (e.g., breach notification for GDPR, risk assessment for HIPAA, encryption for PCI-DSS), and enforcement (fines, penalties). Be able to differentiate between these regulations in scenario questions.
Identify the Type of Data
The first step in determining which regulation applies is to identify the type of data being processed. If the data is personal data of EU residents (e.g., name, email, IP address, health data), GDPR applies. If the data is protected health information (PHI) such as medical records or insurance claims, HIPAA applies. If the data is cardholder data (PAN, expiration date, CVV), PCI-DSS applies. Data may overlap (e.g., a healthcare payment involves both PHI and cardholder data), requiring compliance with multiple regulations. This step is critical because selecting the wrong regulation is a common exam mistake.
Determine the Entity Type
Next, identify the organization's role. For GDPR, are you a data controller or data processor? Controllers have more responsibilities (e.g., obtaining consent, responding to DSARs). For HIPAA, are you a covered entity (provider, plan, clearinghouse) or a business associate (e.g., IT vendor)? Business associates are directly liable for HIPAA compliance since the Omnibus Rule. For PCI-DSS, are you a merchant (accepts credit cards) or a service provider (processes, stores, or transmits cardholder data on behalf of others)? Service providers have additional validation requirements (e.g., annual ROC). Misidentifying the entity type can lead to incorrect controls.
Assess Applicable Requirements
Based on the data and entity, list the specific requirements. For GDPR: lawfulness of processing, data subject rights, breach notification (72 hours), DPO appointment (if applicable), data protection impact assessment (DPIA). For HIPAA: notice of privacy practices, patient access to records, minimum necessary standard, administrative safeguards (risk analysis, workforce training), physical safeguards (facility access controls), technical safeguards (unique user IDs, automatic logoff, encryption). For PCI-DSS: build secure network (firewall, default passwords), protect cardholder data (encryption, truncation), vulnerability management (antivirus, patch management), access control (unique IDs, need-to-know), monitoring (logging, ASV scans), policy (security policy, incident response). Prioritize based on risk and compliance deadlines.
Implement Controls and Document Compliance
Deploy technical and administrative controls to meet the requirements. For example, implement encryption for data at rest (AES-256) and in transit (TLS 1.2+). Use access control lists (ACLs) and role-based access control (RBAC). Document policies (e.g., data retention, incident response) and evidence of compliance (e.g., risk assessment reports, SAQ, audit logs). For PCI-DSS, complete the SAQ or engage a QSA for a ROC. For HIPAA, conduct a risk assessment and create a risk management plan. For GDPR, maintain a record of processing activities (ROPA). This step is ongoing; compliance requires continuous monitoring and periodic reviews.
Prepare for Audits and Breach Response
Regulations require readiness for audits and data breaches. For GDPR, have a breach response plan that includes notification to the supervisory authority within 72 hours and to affected individuals if there is high risk. For HIPAA, notify affected individuals, HHS, and sometimes the media (if >500 individuals) within 60 days. For PCI-DSS, report any compromise to the card brands and acquirer immediately. Maintain logs and evidence to demonstrate compliance during an audit. Common mistakes include failing to detect a breach in time, not having a documented incident response plan, or neglecting to update policies after a change in data processing. Regular tabletop exercises help ensure readiness.
Scenario 1: Healthcare Provider Data Breach
A regional hospital discovers that an employee's laptop was stolen from a car. The laptop contains unencrypted ePHI of 1,000 patients. The security team must determine which regulations apply: HIPAA obviously, but also potentially state breach notification laws and GDPR if any patients are EU citizens. The analyst would check the laptop's encryption status (it was not encrypted, a violation of HIPAA technical safeguards). The response: report to HHS within 60 days (since >500 individuals), notify affected patients, and conduct a risk assessment. Tools: endpoint encryption software (BitLocker) should have been deployed; after the incident, they implement device encryption and mobile device management (MDM). Common mistake: assuming that because the laptop was password-protected, it was compliant; HIPAA requires encryption for portable devices. The analyst should also check if the laptop had remote wipe capability enabled (it did not). Correct response includes immediate remediation: enable encryption, create a policy requiring encryption for all mobile devices, and retrain staff.
Scenario 2: E-commerce Merchant PCI Compliance
A small online store processes credit card payments through a third-party gateway but stores cardholder data in its database to process refunds. The store is subject to PCI-DSS. The security engineer notices that the database stores full PANs in plaintext (violation of Requirement 3: protect stored cardholder data). The engineer must implement encryption (AES-256) or tokenization, and ensure that only truncated PANs are displayed in logs. They also need to run quarterly ASV scans (using a PCI-approved vendor like Qualys) and annual penetration tests. A common mistake: assuming that using a payment gateway means no PCI compliance is required; the merchant must still comply if they store, process, or transmit cardholder data. The correct action is to implement encryption, update the SAQ (possibly SAQ D for merchants that store cardholder data), and conduct the scans. The engineer also should verify that the database is not accessible from the internet (firewall rule) and that access is logged.
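Finding where full PANs have leaked (logs, exports, debug output) is the first step in both Scenario 2 and in scoping the cardholder data environment, and "only truncated PANs in logs" has to be enforced in code. The Python example below is added for this chapter and is not code from the page or from any PCI tool: it finds 13 to 19 digit runs, confirms them with the Luhn check digit so that order numbers and timestamps are not flagged, and masks everything but the last four digits. The sample log lines are constructed; the card numbers in them are the publicly known Visa and Mastercard test numbers, not real accounts.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run. Everything the regex finds is then
# Luhn-checked, because most long digit runs in logs (order ids, timestamps)
# are not card numbers.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn check digit test."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Truncated display form: only the last four digits survive."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text):
    """Replace every Luhn-valid card number in text with its masked form."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE_RE.sub(_sub, text)


def scan_log(lines):
    """Return (line_number, masked_pan) for each card number found, for a
    scoping review: any hit means this log store is inside the CDE."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in PAN_CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((n, mask_pan(digits)))
    return hits


# Constructed sample application log. The order ids and health-check id are
# Luhn-invalid on purpose; the card numbers are the standard test numbers.
SAMPLE_LOG = [
    "2024-01-05 10:12:01 refund order=1234567890123456 card=4111111111111111 amount=19.99",
    "2024-01-05 10:12:02 refund order=1234567890123457 card=5555 5555 5555 4444 amount=5.00",
    "2024-01-05 10:12:03 health check id=9876543210986 status=ok",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(redact_pans(line))
    print(scan_log(SAMPLE_LOG))
```

Putting redact_pans() in the logging pipeline (a logging.Filter, or the log shipper's transform stage) keeps the log store out of PCI scope; scan_log() run over existing logs tells you how much history already needs to be purged. The Luhn test removes most false positives but not all, so treat hits as candidates for review rather than proof.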
Scenario 3: Multinational Company GDPR Compliance
A US-based SaaS company offers services to EU customers. They collect names, emails, and IP addresses. The compliance officer must ensure GDPR compliance. They conduct a data mapping exercise and discover that personal data is stored on servers in the US without adequate data transfer safeguards (invalidated Privacy Shield). They must implement Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) for data transfers. They also need to appoint a DPO (since they process data on a large scale) and establish a process for DSARs. A common mistake: assuming GDPR only applies to EU-based companies; it applies to any company processing data of EU residents. The correct response: update privacy policy, obtain consent (opt-in), implement data minimization, and ensure the right to erasure can be fulfilled within one month. Tools: OneTrust for consent management, encryption for data at rest and in transit, and a data breach notification plan.
What SY0-701 Tests
Objective 5.4 covers security program management, including compliance with laws and regulations. The exam expects you to: (1) Identify which regulation applies based on data type and organization; (2) Recognize key requirements (e.g., breach notification timelines, encryption mandates, consent requirements); (3) Understand the consequences of non-compliance (fines, penalties); (4) Differentiate between overlapping regulations (e.g., a healthcare payment involves both HIPAA and PCI-DSS).
Common Wrong Answers
1. Confusing HIPAA and PCI-DSS: Candidates often apply HIPAA to all healthcare data, but if the data is payment card information used for billing, PCI-DSS also applies. The exam may present a scenario where a hospital processes credit card payments; both regulations apply.
2. Assuming GDPR only applies to EU companies: GDPR applies to any organization that processes personal data of EU residents. A US company with EU customers must comply.
3. Mixing up breach notification timelines: GDPR requires notification within 72 hours to the supervisory authority; HIPAA requires notification to HHS within 60 days for breaches >500 individuals. Candidates often swap these.
4. Thinking PCI-DSS is a law: PCI-DSS is a contractual standard, not a law. Non-compliance leads to fines from card brands, not government penalties.
Specific Terms and Acronyms
- GDPR: Data Controller, Data Processor, DPO, DSAR, DPIA, Supervisory Authority, Right to be Forgotten
- HIPAA: Covered Entity, Business Associate, PHI, ePHI, Privacy Rule, Security Rule, HHS, OCR
- PCI-DSS: CHD, SAD, PAN, SAQ, ROC, QSA, ASV, Requirement 3 (encryption at rest), Requirement 4 (encryption in transit)
Trick Questions
- A question may say 'A hospital stores patient data on a cloud server.' The answer may involve HIPAA, but if the data includes credit card numbers, PCI-DSS also applies. Look for multiple regulations.
- 'An EU citizen's data is processed by a US company.' The answer is GDPR applies, not just US laws.
- 'A company fails to encrypt credit card databases.' The violation is PCI-DSS Requirement 3, not HIPAA.
Decision Rule
On scenario questions, first identify the data type (personal, health, payment). Then identify the organization's role. Then match the specific requirement (e.g., breach notification timeline). Eliminate answers that cite the wrong regulation or timeline. If multiple regulations apply, choose the answer that includes all relevant ones.
GDPR applies to any organization processing personal data of EU residents, regardless of location.
HIPAA applies to covered entities and business associates handling PHI.
PCI-DSS is a contractual standard, not a law; non-compliance results in fines from card brands.
Breach notification timelines: GDPR 72 hours to supervisory authority; HIPAA 60 days to HHS for >500 individuals.
PCI-DSS requires encryption of cardholder data at rest (AES-256) and in transit (TLS 1.2+).
HIPAA Security Rule has administrative, physical, and technical safeguards.
An organization can be subject to multiple regulations simultaneously (e.g., HIPAA and PCI-DSS for healthcare payments).
These come up on the exam all the time. Here's how to tell them apart.
GDPR
Applies to personal data of EU residents
Requires breach notification within 72 hours
Fines up to €20 million or 4% of global annual turnover
Requires explicit consent for data processing
Grants individuals the right to erasure
HIPAA
Applies to PHI of US individuals
Requires breach notification within 60 days (for >500 individuals)
Fines up to $50,000 per violation, max $1.5 million per year
Requires patient authorization for non-treatment uses
Grants individuals the right to access and amend records
HIPAA Security Rule
Requires risk analysis and risk management plan
Treats encryption of ePHI as an 'addressable' specification rather than a strict requirement, but it is strongly recommended
Requires unique user IDs and automatic logoff
Enforced by HHS Office for Civil Rights (OCR)
Applies to covered entities and business associates
PCI-DSS
Requires quarterly ASV scans and annual penetration tests
Requires encryption of cardholder data at rest (AES-256) and in transit (TLS 1.2+)
Requires unique IDs and role-based access control
Enforced by card brands through fines and penalties
Applies to merchants and service providers
Mistake
HIPAA only applies to healthcare providers like hospitals and doctors.
Correct
HIPAA also applies to health plans (insurers), healthcare clearinghouses, and business associates (e.g., IT vendors, billing companies) that handle PHI. The Omnibus Rule (2013) extended direct liability to business associates.
Mistake
GDPR only applies to companies based in the European Union.
Correct
GDPR applies to any organization that processes personal data of EU residents, regardless of where the organization is located. A US company with EU customers must comply.
Mistake
PCI-DSS is a federal law with government enforcement.
Correct
PCI-DSS is a contractual standard mandated by the payment card brands (Visa, Mastercard, etc.). Non-compliance results in fines from the brands, not government penalties.
Mistake
If a healthcare organization uses a payment processor, it doesn't need to worry about PCI-DSS.
Correct
The healthcare organization is still a merchant and must comply with PCI-DSS if it stores, processes, or transmits cardholder data. Using a payment processor may reduce scope but does not eliminate compliance requirements entirely.
Mistake
GDPR, HIPAA, and PCI-DSS are mutually exclusive; you only need to follow one.
Correct
An organization can be subject to multiple regulations simultaneously. For example, a hospital that processes credit card payments must comply with HIPAA (for patient data) and PCI-DSS (for payment data). Compliance programs must address all applicable frameworks.
A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that directly creates or maintains PHI. A business associate is a person or entity that performs functions or activities on behalf of a covered entity that involve the use or disclosure of PHI, such as a billing company or IT vendor. Under the Omnibus Rule, business associates are directly liable for HIPAA compliance and must enter into a Business Associate Agreement (BAA) with the covered entity. For the exam, remember that both must comply, but the covered entity is ultimately responsible for ensuring BAAs are in place.
Yes, PCI-DSS Requirement 11.3 requires organizations to perform annual penetration testing on the cardholder data environment (CDE). Additionally, quarterly external vulnerability scans must be conducted by an Approved Scanning Vendor (ASV). Internal scans must also be performed quarterly. The penetration test must cover both network and application layers and be performed by a qualified individual. For the exam, remember that scans are quarterly and penetration tests are annual.
A DPIA is a process required under GDPR Article 35 to identify and minimize data protection risks for processing activities that are likely to result in high risk to individuals' rights and freedoms, such as large-scale processing of sensitive data or systematic monitoring. The DPIA must describe the processing, assess necessity and proportionality, and identify measures to mitigate risks. It is required before processing begins. Controllers must consult the supervisory authority if residual risks remain. For the exam, know that DPIA is a GDPR requirement, not HIPAA or PCI-DSS.
The minimum necessary standard is a key principle of the HIPAA Privacy Rule that requires covered entities to limit the use, disclosure, and requests of PHI to the minimum amount necessary to accomplish the intended purpose. For example, a billing clerk should only access patient information needed for billing, not the full medical record. Policies and procedures must identify who needs access to what information. This standard does not apply to treatment disclosures (e.g., a doctor can access full records for treatment). For the exam, remember that minimum necessary is about limiting access to PHI.
Standard Contractual Clauses (SCCs) are legal contracts approved by the European Commission that allow the transfer of personal data from the EU to third countries that do not have an adequacy decision (e.g., the US). They require the data exporter and importer to guarantee adequate data protection measures. SCCs are a mechanism to comply with GDPR's restrictions on international data transfers. They were updated in 2021 to address the Schrems II decision. For the exam, know that SCCs are one way to legally transfer data outside the EU.
The HIPAA Privacy Rule governs the use and disclosure of PHI in any form (paper, oral, electronic) and grants patients rights over their health information. It requires notice of privacy practices and patient authorization for non-treatment uses. The HIPAA Security Rule specifically addresses electronic PHI (ePHI) and requires administrative, physical, and technical safeguards to ensure confidentiality, integrity, and availability. The Security Rule is more technical (e.g., encryption, access controls), while the Privacy Rule is more policy-oriented. For the exam, remember that the Security Rule only applies to ePHI, while the Privacy Rule applies to all PHI.
A Qualified Security Assessor (QSA) is an individual certified by the PCI Security Standards Council to assess and validate an organization's compliance with PCI-DSS. QSAs perform on-site assessments and produce a Report on Compliance (ROC) for Level 1 merchants and service providers. They are independent third parties that verify that the organization meets all 12 PCI-DSS requirements. For the exam, know that QSAs are used for validation of PCI compliance, especially for high-volume entities.