All of these records are important to a business and may be considered sensitive. However, this does not mean that they would fall into the scope of a privacy program. Privacy programs are specifically intended to protect personal information and, of the information presented here, only customer records fall into that category. A cybersecurity program would be interested in protecting all these elements of information.

The three main goals of a cybersecurity program are confidentiality, integrity, and availability. Although privacy and security objectives are often linked and interdependent, privacy is not one of the three cybersecurity objectives.

1. Industry best practice calls for an annual privacy risk assessment designed to analyze the organization's current practices in light of the evolving privacy environment.

The special categories of information under GDPR include information about racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic information, biometric information, health data, and data about a person's sex life or sexual orientation. Other categories of information may be sensitive but do not fit into this definition.

One of the provisions of the notice principle is that organizations should provide notice to data subjects before they use information for a purpose other than those that were previously disclosed.

1. Kara's organization is collecting and processing this information for its own business needs. Therefore, it is best described as the data controller.

ISO 27701 covers best practices for implementing privacy controls. ISO 27001 and ISO 27002 relate to an organization's information security program. ISO 27702 does not yet exist.