PERSONAL DATA PROTECTION IN CYBERSECURITY: INTEGRATION OF RISK MANAGEMENT AND LEGAL MODELS
DOI: 10.31673/2409-7292.2025.041202
Abstract
The article examines the critical need to integrate legislative requirements (in particular, GDPR) and technical
cybersecurity mechanisms for effective protection of personal data (PD). The central thesis is that compliance is not the same
as security, and that a proactive “privacy by design” approach must be implemented. The application of privacy impact
assessment (PIA/DPIA) as a diagnostic tool for identifying risk areas in the PD life cycle is analyzed. A model of comprehensive
risk-based PD protection (CRDP) is proposed, which combines data minimization techniques (tokenization, anonymization)
with the principles of legal control. It is substantiated that practical aspects of protection include not only strengthening
encryption, but also architectural data segregation and the implementation of a role-based access control (RBAC) methodology,
supported by constant legal audit. The study focuses on the methodological gap between abstract legal requirements (such as
the “right to be forgotten” or “data minimization”) and their specific technical implementation. To overcome this gap, a
formalized “legal risk” model is proposed that allows for the quantification of potential regulatory and financial consequences
of non-compliance (fines, lawsuits) and integrates this metric into traditional technical cyber risk matrices. This approach
provides IT security management with the opportunity to make economically sound decisions, prioritizing investments in those
protections that simultaneously minimize both technical vulnerabilities and regulatory threats. The practical significance of the
article lies in the detailed justification of architectural solutions necessary for the implementation of the ICRP, including the
principles of data segregation (separation of identifiers and sensitive information) and the use of tokenization to reduce the
perimeter of the breach. The proposed access control mechanisms, in particular advanced RBAC integrated with legal roles
(e.g. DPO or compliance officer), ensure that technical permissions directly reflect legal restrictions on access to PD.
This creates a reliable basis for protecting data not only from external threats, but also from internal violations caused by
improper rights management.
Keywords: personal data, GDPR, privacy by design, data loss prevention, risk management, tokenization, legal models,
confidentiality.
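
The data segregation, tokenization and legally mapped RBAC described in the abstract, shown together as an added example (not code from the article). The role names, the `POLICY` table and the `SegregatedStore` class are assumptions made for illustration, and the sample person is constructed.

```python
import secrets

# Assumed mapping of roles to the data classes their legal basis covers.
POLICY = {
    "dpo": {"identity", "sensitive"},   # Data Protection Officer: oversight
    "clinician": {"sensitive"},         # works with records by token only
    "support": {"identity"},            # contacts the person, sees nothing else
    "analyst": set(),                   # receives the tokenized export only
}

class SegregatedStore:
    """Identifiers and sensitive attributes live in separate stores joined by a token."""

    def __init__(self):
        self._vault = {}     # token -> identifiers (name, e-mail)
        self._records = {}   # token -> sensitive attributes
        self.audit = []      # (role, action, token, allowed), kept for legal audit

    def _check(self, role, action, token, allowed):
        self.audit.append((role, action, token, allowed))
        if not allowed:
            raise PermissionError(f"{role} may not {action}")

    def ingest(self, identity, sensitive):
        token = secrets.token_hex(16)   # random, not derived from the identifier
        self._vault[token] = dict(identity)
        self._records[token] = dict(sensitive)
        return token

    def read(self, role, token, data_class):
        self._check(role, f"read:{data_class}", token, data_class in POLICY.get(role, set()))
        store = self._vault if data_class == "identity" else self._records
        return store.get(token)

    def export_tokenized(self):
        # What an analytics system (or a breach of it) holds: no identifiers.
        return [{"token": t, **r} for t, r in self._records.items()]

    def erase(self, role, token):
        # Erasure request: only the DPO role may run it; both halves are deleted.
        self._check(role, "erase", token, role == "dpo")
        found = token in self._vault or token in self._records
        self._vault.pop(token, None)
        self._records.pop(token, None)
        return found

if __name__ == "__main__":
    store = SegregatedStore()
    t = store.ingest({"name": "Constructed Person"}, {"diagnosis": "constructed"})
    print(store.read("clinician", t, "sensitive"), store.export_tokenized())
```

Every denied request is still written to `audit`, so a legal audit can review attempted access as well as granted access.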