Welcome to Lesson 5.2, Communicate: Data Processing Awareness.
So in this video we will cover the Communicate function, category #2, Data Processing Awareness, and we'll discuss privacy centers.
So in this category of the Communicate function, we're going to talk about data processing awareness. This is: individuals and organizations have reliable knowledge about data processing practices and associated privacy risks,
and effective mechanisms are used and maintained to increase predictability, consistent with that.
So whether they serve as processors or service providers, they are really aware of the mechanisms that you have in place to protect against privacy risks
surrounding your data processing practices. So this is where we get into
certain websites having notices that they're collecting personal data and allowing an individual to opt out of that.
So you're putting up those notices on your website or other places so that individuals can see that you're actually communicating that information to them, as well as having mechanisms established to obtain feedback from individuals, whether that's through focus groups or surveys, about your data processing practices
and associated privacy risks. So you want to make sure that those are the two mechanisms you have in place for individuals whose data you may be processing, as well as ensuring that your systems, products or services are designed to enable data processing visibility.
So you want to make sure that your systems are designed in such a way
that, in the event you have to collect information, it's easy to do, and that it produces it in a format that's easily readable, not only for those who may have this responsibility within your organization, but also when it's presented to an individual, so that it's easy to see.
So processing visibility becomes important for that reason,
but you also want to make sure you're maintaining records of data disclosures and records of when you're sharing that data with other parties. So you want to make sure that's maintained and that it can be accessed for review or transmission,
whether an auditor needs to see it or you need to be able to disclose those records, say in the event of a dispute that maybe you didn't handle a data subject access request properly, so that you have those records that you can produce,
as well as that data corrections or deletions can be communicated to individuals or organizations in your data processing ecosystem. As we mentioned in a previous module, sometimes you may have third parties that are processing data on your behalf, which means that
they will have to help you. Sometimes, in the event you receive a data subject access request for where
all pieces of information are stored, they would have to help you provide that, or even delete it on your behalf if it's stored on one of their networks. So
data corrections or deletions have to be communicated not just to the individual, but also to those organizations that may be in your data processing ecosystem.
But you also want to make sure it can be communicated to the individual that may be requesting it, because under certain regulations you have time frames in which you have to do this. So you want to communicate to them that you've received their request,
and even that you can
delete their information, unless you have a reason, you know, a legal or contractual obligation, for why it can't be deleted. Then you can share that with the individual. But also make sure that you can maintain the data provenance and lineage, and that it can also be accessed. What's meant by that is basically the flow of the data.
So from where it came in, you know, from the point you captured the data or it was created in your system,
to all the different areas that data may flow to. You want to be able to discuss that lineage and be able to provide information on that to an individual should it be requested.
And then P7 and P8 get into something that a lot of the time most companies are hoping is never an issue, but you always want to make sure that you have policies, processes and procedures in place to handle a breach. P7 and P8 get into being able to notify individuals and organizations in the event
there is a data breach, or an event
where someone's personal data was accessed without authorization, whether that's hacked
or, say, someone had a device that stored personal data and it was lost and wasn't encrypted. Then under certain state guidelines, or even other international privacy regulations, you may have a duty to disclose to the regulator as well as to the individuals that were impacted by that incident. So you need a way to be able to communicate that with individuals as well as other organizations.
And then you also need to be able to provide mitigation mechanisms for individuals that were affected, whether that's credit monitoring services or allowing them to withdraw their consent, and really being able to address the impacts of those problematic data actions,
how they affect the individual as well as the impact to your organization or even to other organizations.
But this is where you get into as well what the user's rights and choices are.
It may just be an all-or-nothing situation, but cookies can be managed.
And then you get into as well the data security, integrity and retention. This is where you discuss how you're protecting their data, that their data isn't compromised, that you're maintaining the integrity of the data the same way it was ingested, and that even when you're doing testing it doesn't change the integrity of the data.
You may also include here how long you may have to retain the data, so that they
really have a guarantee of how long you're keeping that data and possibly when it will be destroyed. And this is where you may also provide definitions to individuals, because if you have to abide by various privacy regulations, if you have to abide by GDPR
and be compliant with CCPA, and there are other ones out there as well, maybe even
the Brazilian privacy regulation, there may be different definitions. You know, GDPR uses "data subject" and CCPA uses "customer." So in not trying to confuse those that are doing work internally, or even individuals,
your company may even subscribe to its own definitions when talking about
data subjects, or what its definition is of personal data. So you really want to define that here so that individuals do know what your definitions are when they're reading through your documents. So this list isn't exhaustive; it's just a few of the main points from looking at different privacy centers that I've seen.
And some people do even include, if there is a data breach, this may even be the area where you include the information for individuals on that data breach, as well as how to access some of those mitigation mechanisms that you may end up putting in place, like how to get the credit monitoring set up, that sort of thing. So this can really be what your enterprise is looking for it to be: a one-stop shop for an individual
to see what your data processing practices are and even manage their own rights. So it's definitely something to consider when you're looking to
put together a privacy center, if that's something you're looking to do.
So in this video we covered subcategories of Communicate, function category number one, and components of a privacy center. I hope you'll join me as we move into Module 6.