Lesson 04

Data Protection, Compliance and Intellectual Property

Protecting regulated information and valuable organisational knowledge

NIST | ISO/IEC 27001 | ISO 22301 | SOC 2

Protecting personal, health, payment and creative business assets

Personal information and data protection overview

Cybersecurity Foundations Training Series

Learning objectives

  • Recognise personal data, protected health information and payment account data.

  • Summarise key GDPR, HIPAA and PCI DSS responsibilities at an awareness level.

  • Apply data minimisation, classification, access control and secure retention principles.

  • Distinguish trademarks, copyright, patents and trade secrets.

Compliance begins with accurate scoping. Identify the data, parties, processing, locations, contracts and jurisdictions before selecting controls or making legal conclusions.

Why data and intellectual property require protection

Organisations collect personal information, process payments, create software, develop designs and maintain confidential business knowledge. Different laws, contractual standards and intellectual property rights apply according to the data, jurisdiction, industry and relationship between the parties.

This lesson provides awareness rather than legal advice. Organisations should confirm their obligations with qualified legal, privacy and compliance specialists.

Personal data and PII

Personal data, also called personally identifiable information (PII) in some contexts, is information relating to an identified or identifiable person. Examples include names, identification numbers, contact details, location data, online identifiers and information that becomes identifying when combined with other records.

The correct definition depends on the applicable law. A field that appears harmless by itself might become personal data when linked with account, device or behavioural information.

Protected health information

Protected Health Information, or PHI, is a defined term under the US HIPAA framework. It covers individually identifiable health information held or transmitted by covered entities and their business associates, subject to the detailed scope and exclusions in the HIPAA rules.

Examples include medical records, treatment information, health-plan information and payment information connected to an individual. Health data often requires stronger confidentiality, access monitoring and disclosure controls because misuse can cause serious personal harm.

Payment account data

Payment card information includes cardholder data and sensitive authentication data. PCI DSS is an industry standard rather than a general law. It applies through payment-ecosystem and contractual relationships to entities that store, process or transmit account data, or whose systems could affect the security of the cardholder data environment.

Reducing the amount of payment data handled by the organisation reduces scope and exposure. Hosted payment services and tokenisation can help when they are properly designed and governed.
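The scope-reduction idea above can be shown in code. The following is an added illustration, not part of the lesson or of any PCI SSC material: a hypothetical token vault that is the only component holding full card numbers, a merchant order flow that persists only a token and the last four digits, and a simple Luhn-based scanner a practitioner can run over stored data to confirm that no PAN has leaked into out-of-scope systems. The test card number, the role names and the vault API are all constructed for the example.

```python
import re
import secrets
import string

# Constructed, publicly known test PAN used by payment sandboxes; not a real account.
TEST_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, the well-formedness test for card numbers."""
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Scope check: report digit runs in stored data that look like card numbers."""
    return [run for run in re.findall(r"\d{12,19}", text) if luhn_valid(run)]


class TokenVault:
    """Hypothetical vault: the only component that ever holds a full PAN.

    In a real deployment this sits inside the segmented cardholder data
    environment; the merchant application only ever sees tokens."""

    PROCESSOR_ROLE = "payment-processor"

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        # Random alphabetic token: it carries no information about the PAN and
        # can never be mistaken for one by a scope scanner.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(20))
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only the processor role may recover a PAN; every other caller is refused."""
        if role != self.PROCESSOR_ROLE:
            raise PermissionError("detokenisation is restricted to the processor role")
        return self._pan_by_token[token]


def take_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Merchant side: the persisted order holds a token and the last four digits, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    order = take_order(vault, TEST_PAN, 1999)
    print(order, "PANs found in stored record:", find_pans(str(order)))
```

Running `find_pans` over exported order records, logs or support tickets is a cheap way to check that the tokenisation boundary is holding; any hit means a system assumed to be out of scope is in fact handling account data.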

GDPR awareness

The EU General Data Protection Regulation applies to processing within its territorial scope and also has defined extra-territorial reach. Organisations outside the European Union might fall within scope when offering goods or services to people in the EU or monitoring their behaviour, subject to the regulation’s detailed conditions.

Core principles include lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

Controllers must notify the relevant supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours after becoming aware, unless the breach is unlikely to create a risk to individuals’ rights and freedoms. Communication to affected individuals follows separate criteria.

The highest administrative fine tier reaches EUR 20 million or 4 per cent of total worldwide annual turnover from the preceding financial year, whichever is higher. The applicable tier and amount depend on the infringement and statutory factors.

The right to erasure is not absolute. Organisations must assess the request against legal grounds, statutory retention, legal claims, public interest and other exceptions.

HIPAA awareness

HIPAA includes privacy, security and breach-notification requirements for covered entities and business associates. The Security Rule addresses administrative, physical and technical safeguards for electronic PHI.

Breach notification duties vary according to the event and the number of affected individuals. Breaches affecting 500 or more individuals trigger defined notification duties to the US Department of Health and Human Services and, in certain circumstances, the media. Smaller breaches also require reporting under the applicable schedule.

HIPAA is a US healthcare framework and should not be presented as a universal health-data law.

PCI DSS awareness

PCI DSS v4.0.1 organises requirements around secure networks and systems, account data protection, vulnerability management, access control, monitoring and testing, and information security policies and programmes.

Using HTTPS is necessary for protecting web traffic, but PCI DSS compliance requires a wider control environment. Scope, network segmentation, secure configuration, malware protection, software security, strong authentication, logging, testing and governance all matter.

Data protection practices

Collect only the information required for a declared purpose. Avoid retaining data because it might become useful later.

Classify data and apply access according to sensitivity, role and business need. Review access periodically and remove it when duties change.

Protect data at rest, in transit and during processing. Manage cryptographic keys separately from encrypted data and monitor access to sensitive records.

Apply documented retention schedules. Retain records for legal, regulatory and business needs, then dispose of them securely or anonymise them when appropriate.

Prepare for incidents. Maintain breach assessment, evidence preservation, legal escalation and notification procedures that reflect each applicable jurisdiction.
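The minimisation, classification, access, key-separation and retention practices listed above fit together naturally in code. The following is an added example written for this lesson, not code from the lesson or from any referenced standard: a constructed field schema tags each field with a classification and the declared purposes that justify collecting it, `minimise` keeps only what a purpose needs, `redact_for_role` applies clearance by classification, `expire_fields` applies a per-classification retention schedule with a legal-hold override, and `pseudonymise` replaces direct identifiers with a keyed hash whose key is supplied from outside the data store. The schema, retention periods, roles and sample record are all assumptions made for the example.

```python
import hashlib
import hmac
from datetime import date

# Constructed field schema: classification and the declared purposes that justify each field.
SCHEMA = {
    "customer_id":   ("internal", {"billing", "support"}),
    "email":         ("personal", {"billing", "support"}),
    "date_of_birth": ("personal", {"age-check"}),
    "diagnosis":     ("health",   {"care"}),
    "card_last4":    ("payment",  {"billing"}),
}

# Constructed retention schedule, in days, per classification.
RETENTION_DAYS = {"internal": 365, "personal": 2 * 365, "health": 6 * 365, "payment": 90}

# Constructed role model: the classifications each role may read in clear.
ROLE_CLEARANCE = {
    "billing-clerk": {"internal", "personal", "payment"},
    "clinician":     {"internal", "personal", "health"},
    "analyst":       {"internal"},
}

DIRECT_IDENTIFIERS = ("customer_id", "email")


def minimise(record: dict, purpose: str) -> dict:
    """Keep only fields whose declared purposes include this one; undeclared fields are dropped."""
    return {k: v for k, v in record.items() if k in SCHEMA and purpose in SCHEMA[k][1]}


def redact_for_role(record: dict, role: str) -> dict:
    """Show a field in clear only if the role is cleared for its classification."""
    cleared = ROLE_CLEARANCE.get(role, set())
    return {k: (v if SCHEMA[k][0] in cleared else "[redacted]")
            for k, v in record.items() if k in SCHEMA}


def expire_fields(record: dict, created: date, today: date, legal_hold: bool = False) -> dict:
    """Drop fields past their retention period; a legal hold suspends disposal entirely."""
    if legal_hold:
        return dict(record)
    age_days = (today - created).days
    return {k: v for k, v in record.items()
            if k in SCHEMA and age_days <= RETENTION_DAYS[SCHEMA[k][0]]}


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with a keyed hash so analysis can run without them.

    The key is passed in from a separate key store (assumed here), never read from
    the data store, so a copy of the records alone cannot be re-identified."""
    out = dict(record)
    for k in DIRECT_IDENTIFIERS:
        if k in out:
            out[k] = hmac.new(key, str(out[k]).encode(), hashlib.sha256).hexdigest()[:16]
    return out


if __name__ == "__main__":
    # Constructed sample record, including one field nobody declared a purpose for.
    customer = {"customer_id": 42, "email": "ann@example.com", "date_of_birth": "1990-04-02",
                "diagnosis": "seasonal allergy", "card_last4": "1111", "free_text": "called twice"}
    billing_view = minimise(customer, "billing")
    print("billing view:", billing_view)
    print("analyst view:", redact_for_role(customer, "analyst"))
    print("after 6 months:", expire_fields(customer, date(2024, 1, 1), date(2024, 7, 1)))
    print("pseudonymised:", pseudonymise(billing_view, b"constructed-demo-key"))
```

Two design points are worth noticing. Fields with no entry in the schema are dropped by every function, so data nobody has declared a purpose for never survives a minimisation or retention pass, and the legal-hold flag is an explicit override rather than a longer retention period, which keeps the ordinary schedule honest while still meeting the exception the erasure discussion above describes.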

Compliance and protection controls

Figure 1. Data minimisation reduces both compliance burden and security exposure.

Intellectual property

Intellectual property refers to creations of the mind and related legal rights. The appropriate protection depends on the asset and the laws of the country or region where protection is sought.

A trademark is a sign that distinguishes the goods or services of one enterprise from those of another. Names, logos and other distinctive signs might qualify.

Copyright protects original creative expression, such as written material, software, images and music. Protection and duration vary by national law. The Berne Convention sets minimum standards, and many countries provide longer terms. Registration requirements and enforcement options also vary.

A patent protects a qualifying invention for a limited period, generally up to 20 years from the filing date, subject to national law, grant and maintenance requirements. Patent rights are territorial, so an application or grant in one jurisdiction does not create universal protection.

Trade secrets protect valuable confidential information while the information remains secret and reasonable protective measures are maintained. Examples include formulas, processes, technical methods and commercial strategies.

Intellectual property types

Figure 2. Different forms of intellectual property protect different business assets.

Protection mapping

| Asset or data | Primary protection approach | Key operational controls |
| --- | --- | --- |
| Personal data | Applicable privacy and data-protection law | Purpose, lawful basis, notices, minimisation, rights handling, security, retention |
| Health data | Applicable health and privacy law | Restricted access, audit, secure exchange, incident response, disclosure control |
| Payment account data | PCI DSS and payment agreements | Scope reduction, segmentation, secure configuration, access control, monitoring, testing |
| Brand identity | Trademark law | Search, registration strategy, monitoring and enforcement |
| Creative work and software | Copyright law and contracts | Ownership terms, licensing, source control, publication evidence |
| Invention | Patent law and confidentiality before filing | Invention disclosure, patent advice, filing strategy, controlled release |
| Confidential know-how | Trade secret law and contracts | Need-to-know, NDAs, access control, monitoring and exit controls |

Quick knowledge check

1. Which statement best describes PCI DSS?

  • A. A general privacy law

  • B. An industry security standard for payment account data

  • C. A patent registration scheme

  • D. A business continuity standard

2. Under GDPR, which statement about the right to erasure is accurate?

  • A. It is absolute in every case

  • B. It applies only to paper records

  • C. It is subject to conditions and legal exceptions

  • D. It requires every record to be deleted after 30 days

3. Which intellectual property right normally protects a distinctive brand logo?

  • A. Patent

  • B. Trademark

  • C. Copyright only

  • D. Trade secret

4. Why does data minimisation reduce risk?

  • A. It removes the need for access control

  • B. It reduces the volume of information exposed, retained and governed

  • C. It guarantees legal compliance

  • D. It makes encryption unnecessary

Standards and framework alignment

This lesson uses the following frameworks as complementary references. NIST provides risk and control guidance, ISO/IEC 27001 defines requirements for an information security management system, ISO 22301 addresses business continuity, and SOC 2 evaluates service-organisation controls against the AICPA Trust Services Criteria.

| Reference framework | How it supports this lesson |
| --- | --- |
| NIST CSF 2.0 and NIST SP 800-53 Rev. 5 | The frameworks support asset identification, data security, access control, privacy risk management, monitoring and incident handling. |
| ISO/IEC 27001:2022 | A risk-based ISMS protects personal data and intellectual property through classification, access control, secure handling, supplier controls and incident management. |
| ISO 22301:2019 | Continuity planning identifies critical information and dependencies so essential processing and records remain available during disruption. |
| SOC 2 Trust Services Criteria | Confidentiality and Privacy address protected information, while Security, Availability and Processing Integrity address the systems that process it. SOC 2 is an attestation report, not an ISO certification. |

References and further reading

1. NIST Cybersecurity Framework (CSF) 2.0, NIST CSWP 29, 2024. https://doi.org/10.6028/NIST.CSWP.29

2. ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements. https://www.iso.org/standard/27001

3. ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements. https://www.iso.org/standard/75106.html

4. AICPA, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy, Revised Points of Focus 2022. https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022

5. NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations. https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final

6. European Union, General Data Protection Regulation, official text. https://eur-lex.europa.eu/eli/reg/2016/679/oj

7. PCI Security Standards Council, document library. https://www.pcisecuritystandards.org/document_library/
