Security Program Management and Oversight · SY0-701 · Task 5.4

Privacy and data protection compliance — SY0-701

Privacy and data protection compliance for Security+ SY0-701: PII scope, privacy risk, PIAs, and the security-vs-privacy distinction the exam exploits.

WHAT IT IS

Privacy and data protection compliance is an organization's ongoing obligation to handle information in ways that conform to applicable legal, regulatory, and policy requirements governing how personally identifiable information (PII) is collected, maintained, and shared.

Privacy, per the NIST glossary, is defined in three complementary ways across federal guidance:

  • "The right of a party to maintain control over and confidentiality of information about itself." (NISTIR 4734)
  • "Freedom from intrusion into the private life or affairs of an individual when that intrusion results from undue or illegal gathering and use of data about that individual." (NIST SP 800-188 / NISTIR 8053, referencing ISO/IEC 2382)
  • "Assurance that the confidentiality of, and access to, certain information about an entity is protected." (NIST SP 800-130)

Personally identifiable information (PII), per NIST SP 800-122, is "information that can be used to distinguish or trace an individual's identity," whether directly (name, biometric data, social security number) or indirectly, when combined with other linked or linkable information such as medical, educational, financial, or employment records.

Privacy risk, per NIST SP 800-188 and the NIST Privacy Framework (CSWP 01162020), is "the likelihood that individuals will experience problems resulting from data processing, and the impact should they occur."

Together, these three foundations — the definition of privacy, the scope of PII, and the concept of privacy risk — anchor a compliance posture.


Mental model

Think of privacy compliance as a layered obligation: you must identify what PII exists (data inventory), assess the risks that processing creates for individuals (not just for the organization), and then implement and document controls that bring those risks to an acceptable level. The compliance posture answers a regulator's question: "Can you demonstrate, systematically, that you handled this information lawfully?"

The key frame is that compliance is outward-facing (toward individuals whose data is processed and toward regulators) while security controls are inward-facing (protecting the organization's systems). Both are necessary, but they answer different questions.


When to use it

A common point of confusion is treating privacy compliance and security controls as interchangeable. They overlap but are not the same.

  • Primary concern
      Privacy compliance: rights and problems experienced by individuals whose data is processed
      Security control: confidentiality, integrity, and availability of systems and data
  • NIST anchor
      Privacy compliance: privacy risk, "likelihood that individuals will experience problems resulting from data processing" (NIST SP 800-188)
      Security control: "safeguard or countermeasure … designed to protect the confidentiality, integrity, and availability" (NIST SP 1800-15B)
  • Typical instrument
      Privacy compliance: privacy impact assessment (PIA), privacy notice, system of records
      Security control: technical or administrative security control
  • Driver
      Privacy compliance: legal and regulatory requirement tied to data subject rights
      Security control: risk management for system and organizational assets
  • Question answered
      Privacy compliance: "Are we handling PII in conformance with applicable requirements?"
      Security control: "Are our systems protected against unauthorized access or disruption?"

A privacy impact assessment (PIA), per NIST SP 800-37 Rev. 2, SP 800-53 Rev. 5, and OMB Circular A-130, is "an examination of how information is handled to: (1) ensure conformity with applicable legal, regulatory, and policy privacy requirements; (2) identify risks and effects of collecting, maintaining, and sharing identifiable information in electronic systems; and (3) assess protections and alternative processes to mitigate privacy risks." This is a compliance instrument, not a security audit.

A system of records, per NIST SP 800-122 and NIST SP 800-53 Rev. 5 (citing 5 U.S.C. § 552a(a)(5)), is "a group of any records under the control of an agency from which information is retrieved by an individual's name or by an identifying number, symbol, or other particular assigned to that individual." Systems of records trigger specific legal compliance obligations.


COMMON MISCONCEPTION

Misconception: encrypting or securing PII satisfies privacy compliance requirements.

Candidates often conflate data confidentiality with privacy compliance. The NIST glossary defines data confidentiality as "the protection of sensitive information from unauthorized access and disclosure" (NIST AI 100-2e2025) — this is a security property. Privacy, by contrast, is about an individual's "right … to maintain control over and confidentiality of information about itself" (NISTIR 4734) and about preventing "undue or illegal gathering and use of data" (NIST SP 800-188).

An organization can have strong encryption and access controls (high data confidentiality) while still being out of compliance with privacy requirements — for example, by collecting PII without a stated purpose, retaining it longer than necessary, or failing to conduct a PIA before operating a system of records. Conversely, meeting a privacy compliance obligation does not by itself implement a security control.

The exam exploits this overlap by presenting scenarios where a security measure is technically implemented but the privacy compliance obligation — the PIA, the legal basis for collection, the notice to individuals — has been omitted.


How it shows up on the exam

The cognitive target for this concept is analysis: given a scenario describing an organization's information-handling practices, candidates must identify whether a privacy compliance obligation has been met, missed, or confused with a security measure.

Signal phrases to watch for:

  • "system of records" — triggers a PIA and legal compliance obligation, not just a security review
  • "PII collected / maintained / shared" — cues privacy risk assessment, not only access control
  • "privacy impact assessment" — distinguish this from a security risk assessment; the PIA's purpose is conformity with privacy requirements and protection of individuals, not CIA of the system
  • "individuals may experience problems" — the NIST definition of privacy risk; distinguishes privacy harm from organizational security harm
  • "sensitive information" — per NIST SP 800-150, information whose loss or unauthorized access "could adversely affect … individual privacy"; this triggers compliance obligations, not solely technical controls

Candidates who approach this concept through a pure security lens may miss that a compliance obligation remains even when data is already secured. The question "what is still missing?" in a scenario that already describes encryption or access controls often has a privacy-compliance answer (PIA, notice, lawful basis) rather than a technical-security answer.


Sources

Every claim on this page traces to the public exam blueprint and official documentation:
