3.3.1. Data Collection, Location, and Maintenance
💡 First Principle: Data that is never collected cannot be breached. Privacy by design — baked into Domain 3's secure design principles and every privacy regulation — starts with data minimization: collect only what you need, for the specific purpose you've defined, for no longer than necessary.
Data collection principles (drawn from GDPR and common privacy law):
| Principle | Definition | Security Implication |
|---|---|---|
| Purpose limitation | Collect data only for a specific, explicit, legitimate purpose | Cannot repurpose collected data without new legal basis |
| Data minimization | Collect only what is necessary for the stated purpose | Collecting less data = less breach exposure |
| Accuracy | Maintain data in an accurate, up-to-date state | Inaccurate data creates legal and operational risks |
| Storage limitation | Don't retain data longer than necessary | Retention schedules must be defined and enforced |
| Integrity and confidentiality | Protect data using appropriate technical/organizational measures | Classification drives the specific measures required |
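The first four principles in the table translate directly into enforceable code. The following Python is an added illustration (not from the original notes or any regulation): it keeps a register of declared purposes, each with the fields necessary for it and a retention period, strips anything not needed at collection time, and purges records once their retention period has passed. The purpose names, field names and retention periods are constructed examples.

```python
"""Purpose limitation, data minimization and storage limitation as code.
Added illustration; the purpose register, fields and retention periods
below are constructed, not taken from any regulation or real system."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Purpose:
    name: str
    allowed_fields: frozenset[str]   # the fields necessary for this purpose
    retention: timedelta             # how long records may be kept for it


# Constructed purpose register: nothing may be collected for a purpose that
# is not declared here (purpose limitation).
PURPOSES = {
    "order_fulfilment": Purpose(
        "order_fulfilment",
        frozenset({"order_id", "name", "shipping_address"}),
        timedelta(days=365),
    ),
    "newsletter": Purpose("newsletter", frozenset({"email"}), timedelta(days=730)),
}


class PurposeError(ValueError):
    """Raised when data is collected for a purpose that was never declared."""


def minimize(record: dict, purpose: str) -> dict:
    """Return only the fields necessary for the declared purpose
    (data minimization); reject undeclared purposes (purpose limitation)."""
    if purpose not in PURPOSES:
        raise PurposeError(f"undeclared purpose: {purpose}")
    allowed = PURPOSES[purpose].allowed_fields
    return {k: v for k, v in record.items() if k in allowed}


def expired(collected_at: datetime, purpose: str, now: datetime) -> bool:
    """Storage limitation: past retention once the time since collection
    exceeds the period defined for the record's purpose."""
    return now - collected_at > PURPOSES[purpose].retention


def purge_expired(store: list[dict], now: datetime) -> tuple[list[dict], int]:
    """Return the records still within retention and the number removed."""
    kept = [r for r in store if not expired(r["collected_at"], r["purpose"], now)]
    return kept, len(store) - len(kept)


# Constructed sample submission: two fields here are not needed for fulfilment.
SUBMITTED = {
    "order_id": "A1",
    "name": "J. Doe",
    "shipping_address": "1 Example St",
    "date_of_birth": "1980-01-01",
    "email": "j@example.invalid",
}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def demo() -> tuple[list[str], int, int]:
    """Run the two checks over constructed data and return
    (stored field names, records kept, records purged)."""
    stored = minimize(SUBMITTED, "order_fulfilment")
    store = [
        # 400 days old, 365-day retention: must be purged.
        {"purpose": "order_fulfilment", "collected_at": NOW - timedelta(days=400), **stored},
        # 400 days old, 730-day retention: still within retention.
        {"purpose": "newsletter", "collected_at": NOW - timedelta(days=400),
         "email": "j@example.invalid"},
    ]
    kept, removed = purge_expired(store, NOW)
    return sorted(stored), len(kept), removed


if __name__ == "__main__":
    fields, kept, removed = demo()
    print("stored fields:", fields)          # date_of_birth and email never stored
    print("kept:", kept, "purged:", removed)  # kept: 1 purged: 1
```

Because `minimize` runs before anything is written, the extra fields never reach storage, which is the point of the First Principle above: a field that was dropped at collection cannot appear in a breach notification. The retention check is driven by the same register, so a purpose's retention period cannot drift apart from the fields collected for it.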
Data location and sovereignty — where data physically resides creates legal obligations:
- Data residency: Some regulations require data to stay within specific geographic boundaries (EU GDPR, Russian Federal Law 242-FZ, China PIPL). Cloud deployments must honor residency requirements.
- Data sovereignty: The jurisdiction where data is stored determines which laws apply to it. US cloud providers storing EU data in EU data centers may still be subject to US government access requests (CLOUD Act).
- Multi-tenancy risks: Cloud shared storage means your data coexists with other customers' data. Logical separation must be verified; regulatory requirements may require dedicated storage.
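The three bullets above are distinct checks over the same storage inventory: physical region against residency policy, provider jurisdiction against storage jurisdiction (sovereignty), and shared versus dedicated storage (multi-tenancy). The following Python is an added example, not part of the original notes: the region-to-jurisdiction mapping, the residency policy and the inventory are constructed stand-ins, and the finding texts are illustrative, not any regulator's or provider's official wording.

```python
"""Residency, sovereignty and multi-tenancy checks over a storage inventory.
Added illustration; region names, policy and inventory are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed mapping of cloud region identifiers to the jurisdiction they sit in.
REGION_JURISDICTION = {
    "eu-west-1": "EU", "eu-central-1": "EU",
    "us-east-1": "US", "us-west-2": "US",
    "ru-central-1": "RU", "cn-north-1": "CN",
}

# Constructed residency policy: data subjects' jurisdiction -> jurisdictions
# where their data may physically reside (a stand-in for the residency rules
# the text names, not their actual legal content).
RESIDENCY_POLICY = {
    "EU": {"EU"},
    "RU": {"RU"},
    "CN": {"CN"},
    "US": {"US", "EU"},
}


@dataclass(frozen=True)
class StorageLocation:
    name: str
    region: str                 # physical region the data is stored in
    provider_jurisdiction: str  # where the provider is legally reachable
    subject_jurisdiction: str   # whose personal data the store holds
    dedicated: bool             # dedicated storage vs shared multi-tenant


@dataclass(frozen=True)
class Finding:
    location: str
    severity: str   # "violation" (residency breached) or "advisory" (residual risk)
    message: str


def check_location(loc: StorageLocation) -> list[Finding]:
    findings: list[Finding] = []
    storage_jur = REGION_JURISDICTION.get(loc.region)
    if storage_jur is None:
        # Unknown physical location: compliance cannot be asserted at all.
        return [Finding(loc.name, "violation",
                        f"unknown region {loc.region}; physical location not established")]
    # Residency: the physical jurisdiction must be one the policy allows.
    allowed = RESIDENCY_POLICY.get(loc.subject_jurisdiction, set())
    if storage_jur not in allowed:
        findings.append(Finding(loc.name, "violation",
            f"{loc.subject_jurisdiction} data in {loc.region} ({storage_jur}); "
            f"allowed: {sorted(allowed)}"))
    # Sovereignty: a compliant physical location still leaves the data reachable
    # by legal process in the provider's home jurisdiction.
    if loc.provider_jurisdiction != storage_jur:
        findings.append(Finding(loc.name, "advisory",
            f"provider subject to {loc.provider_jurisdiction} law; data may be "
            f"reachable by {loc.provider_jurisdiction} legal process"))
    # Multi-tenancy: shared storage needs logical separation verified.
    if not loc.dedicated:
        findings.append(Finding(loc.name, "advisory",
            "shared multi-tenant storage; verify logical separation or move to dedicated"))
    return findings


def summarize(inventory: list[StorageLocation]) -> dict[str, int]:
    """Count findings by severity across the whole inventory."""
    counts = {"violation": 0, "advisory": 0}
    for loc in inventory:
        for f in check_location(loc):
            counts[f.severity] += 1
    return counts


# Constructed inventory covering each of the three bullets.
INVENTORY = [
    StorageLocation("crm-eu-customers", "us-east-1", "US", "EU", dedicated=False),
    StorageLocation("orders-eu", "eu-central-1", "US", "EU", dedicated=True),
    StorageLocation("orders-us", "us-west-2", "US", "US", dedicated=True),
    StorageLocation("ru-ops", "eu-west-1", "EU", "RU", dedicated=True),
]

if __name__ == "__main__":
    for loc in INVENTORY:
        for f in check_location(loc):
            print(f"[{f.severity}] {f.location}: {f.message}")
    print(summarize(INVENTORY))  # {'violation': 2, 'advisory': 2}
```

Note how `orders-eu` produces no violation but still carries an advisory: the data sits in an EU region, yet the provider is reachable under US law, which is exactly the sovereignty gap the second bullet describes. Separating the two severities keeps the residency result honest without hiding the residual risk.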
Data maintenance — keeping data accurate and current:
- Inaccurate personal data creates GDPR exposure (right to rectification)
- Inaccurate financial data creates SOX exposure
- Stale access control data (people who've left but retain access) is an insider threat risk
⚠️ Exam Trap: "Data location" on the CISSP means physical storage location (which jurisdiction, which data center) — not logical location (which database, which folder). The physical location determines sovereignty, residency compliance, and government access authority. Knowing only the logical location is insufficient for compliance.
Reflection Question: A US-based company processes EU customer orders through a CRM system. The CRM vendor stores data in US-based data centers with no EU option. The company's legal team has approved Standard Contractual Clauses. Is this arrangement legally compliant? What residual risk exists, and what would eliminate it?