Pillar A: Cybersecurity · A12

Data Security, Privacy & Protection

Data classification, encryption-at-rest/in-transit, DLP, tokenization, privacy-by-design, plus the regulatory stack (GDPR, CCPA, HIPAA) that sets the bar.

Part of Pillar A: Cybersecurity · Cybersecurity groups the disciplines that share methods, tools, and threat models with Data Security, Privacy & Protection.

What is Data Security, Privacy & Protection?

Data privacy and protection encompasses the legal, technical, and organizational controls that govern how personal and sensitive data is collected, processed, stored, and shared. With the proliferation of global privacy regulations — from the EU's General Data Protection Regulation (GDPR) to California's Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA) — organizations must navigate a complex patchwork of requirements that carry severe penalties for noncompliance.

The technical side of data privacy includes Data Loss Prevention (DLP) systems that detect and prevent unauthorized data exfiltration, encryption at rest and in transit, data classification and discovery tools, anonymization and pseudonymization techniques, and privacy-enhancing technologies (PETs) like differential privacy and homomorphic encryption. Privacy by design — embedding privacy considerations into system architecture from the beginning rather than bolting them on afterward — has become a regulatory expectation under GDPR.

The role of the Data Protection Officer (DPO) has emerged as a critical function, and privacy impact assessments (PIAs/DPIAs) are now required before launching systems that process sensitive personal data. The intersection of privacy and AI is creating new challenges around algorithmic fairness, automated decision-making transparency, and the right to explanation.

Why it matters

Data breaches and privacy violations carry regulatory fines that can reach billions of dollars and destroy consumer trust. Privacy is no longer just a legal obligation — it is a competitive differentiator and a fundamental human right.

Data privacy intersects with every security domain — from GRC (compliance frameworks) to cloud security (data residency) to application security (secure data handling). It ensures that security controls serve not just organizational interests but individual rights.


Roles where this matters

Career paths where this domain shows up as core or recommended.

📋 GRC / Compliance Analyst · Core

Manage risk, ensure regulatory compliance, and build governance frameworks. Where security meets business strategy.

👑 CISO / Security Leader · Recommended

Lead security strategy, communicate risk to the board, and build security programs. Executive-level cybersecurity leadership.

🔒 Privacy Engineer / DPO · Core

Build privacy into systems by design. Navigate GDPR, CCPA, and emerging AI privacy regulations.

AI Governance / AI Risk Specialist · Recommended

The policy/controls counterpart to the AI Security Engineer — owns risk frameworks, regulatory mapping (EU AI Act, NIST AI RMF), model documentation, and AI incident response policy.

📦 Product Security Engineer · Core

Embedded in a product team — owns threat modelling, secure design, libraries, dependency risk, and increasingly the AI-specific hardening of LLM features the product ships.

Certifications that signal this domain

Credentials whose blueprint meaningfully covers this domain. Core means centrally covered; also touched means present in the blueprint but not the primary focus.

Core coverage

CCSP · Professional · ISC2 · Official page →

Certified Cloud Security Professional

Cloud security architecture: shared responsibility, identity, data protection, crypto, and cloud-native detection.

CDP · Professional · (ISC)² / Cyber Defense · Official page →

IMI Certified in Data Protection

CDPSE · Professional · ISACA · Official page →

Certified Data Privacy Solutions Engineer

ISACA certification for Privacy Engineering. Focus on technical implementation of privacy requirements: Privacy Governance, Privacy Architecture, and Data Lifecycle Management. Bridge between privacy and technology.

CIPA · Expert · CompTIA · Official page →

IMI Certified Identity Protection

CIPM · Professional · IAPP · Official page →

Certified Information Privacy Manager

Running a privacy program end-to-end.

CIPP · Professional · IAPP · Official page →

IAPP Certified Information Privacy Professional

CIPP/C · Professional · IAPP · Official page →

Certified Information Privacy Professional / Canada

Canadian privacy-law expertise — PIPEDA, provincial regimes (Quebec Law 25, Alberta/BC PIPA), and federal sectoral rules.

CIPP/E · Professional · IAPP · Official page →

Certified Information Privacy Professional / Europe

GDPR and European privacy law expertise.

CIPP/US · Professional · IAPP · Official page →

Certified Information Privacy Professional / United States

US federal and state privacy-law expertise.

CIPT · Professional · IAPP · Official page →

Certified Information Privacy Technologist

Privacy engineering, privacy-by-design in products and platforms.

CISSP · Expert · ISC2 · Official page →

Certified Information Systems Security Professional

Breadth across security engineering, architecture, operations, and governance at senior-IC / manager level. The default senior-generalist signal.

CRFS · Professional · Council of Registered Ethical Security Testers · Official page →

IMI Certified Red Flag Specialist

DCPP · Professional · DRI International · Official page →

DSCI Certified Privacy Professional

EPDPE · Associate · EXIN · Official page →

EXIN Privacy and Data Protection Essentials

EPDPF · Associate · EXIN · Official page →

EXIN Privacy and Data Protection Foundation

EPDPP · Professional · EXIN · Official page →

EXIN Privacy and Data Protection Practitioner

GCIP · Professional · GIAC · Official page →

GIAC Critical Infrastructure Protection

GCP Professional Cloud Security Engineer · Professional · Google Cloud · Official page →

Google Cloud Certified — Professional Cloud Security Engineer

GCP-specific security engineering: identity, VPC SC, secrets, logging, compliance.

HCISPP · Professional · ISC2 · Official page →

HealthCare Information Security and Privacy Practitioner

ISC2 certification for healthcare security and privacy. Will be retired in December 2026. Focus on data protection, compliance, and risk management in healthcare. Relevant in the US (HIPAA), less so in Europe.

PCI QSA · Professional · PCI Security Standards Council · Official page →

PCI Qualified Security Assessor

SC-400 · Associate · Microsoft · Official page →

Microsoft Certified Information Protection Administrator Associate

Also touched

AIGP · Professional · IAPP · Official page →

Artificial Intelligence Governance Professional

AI risk, governance, and regulatory literacy (EU AI Act, NIST AI RMF).

AWS Security Specialty · Professional · Amazon Web Services · Official page →

AWS Certified Security — Specialty (SCS-C02)

Deep AWS security: IAM, data protection, detection, incident response within AWS primitives.

AZ-500 · Associate · Microsoft · Official page →

Microsoft Certified: Azure Security Engineer Associate

Azure-native security engineering: Entra ID, network controls, Defender, Sentinel.

CCISO · Leadership · EC-Council · Official page →

Certified Chief Information Security Officer

Executive leadership — governance, program mgmt, finance, and strategic planning for security.

CISA · Professional · ISACA · Official page →

Certified Information Systems Auditor

IS audit, governance, control testing, and assurance.

CISM · Leadership · ISACA · Official page →

Certified Information Security Manager

Security program management, risk, governance, and incident governance. The manager / CISO-track signal.

CISSP-ISSAP · Expert · ISC2 · Official page →

CISSP Information Systems Security Architecture Professional

Architecture concentration on top of CISSP — trust boundaries, identity / crypto / network composition, defense-in-depth design.

CRAI · Professional · ISACA · Official page →

ISACA Certified in Risk of Artificial Intelligence (emerging)

AI risk management and governance — emerging blueprint, expect revisions.

CSSLP · Professional · ISC2 · Official page →

Certified Secure Software Lifecycle Professional

Secure SDLC, threat modelling, secure architecture across product teams.

GSEC · Associate · GIAC / SANS · Official page →

GIAC Security Essentials

Broad defender fundamentals. Often paired with SANS SEC401.

GWEB · Professional · GIAC / SANS · Official page →

GIAC Certified Web Application Defender

Defender-side AppSec — OWASP Top 10, API security, secure design patterns.


People shaping this field

Researchers and practitioners worth following in this space.

Privacy activist and founder of noyb, responsible for Schrems I and II rulings

Creator of Privacy by Design framework

Privacy law scholar and author

Curated resources

Authoritative sources we ground Data Security, Privacy & Protection questions in — frameworks, research, guides, and tools.
