The system must inform its users whenever it can demonstrate its inability to individually identify them using the information it has collected from them.
Systems usually request information from their users or collect it based on their interactions with the application. Some regulations related to the collection of personal data are only applicable if users can be identified using this data. Whenever the system is unable to individually identify its users with the data it collects from them, and it can demonstrate this, it must inform them of this situation.
This requirement is verified in following services
- GDPR-11_2. Processing which does not require identification
- PDPA-6A_26B. Notifiable data breaches
- CMMC-AU_L2-3_3_4. Audit failure alerting
- CMMC-CM_L2-3_4_8. Application execution policy
- HITRUST CSF-11_a. Reporting information security events
- ISA/IEC 62443-SI-3_7. Error handling
- NIST SSDF-RV_2_2. Assess, prioritize, and remediate vulnerabilities
- OWASP Top 10 Privacy Risks-P3. Insufficient data breach response
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.