Data Processing Awareness

4 hours 7 minutes
Video Transcription
Welcome to Lesson 5.2, Communicate: Data Processing Awareness.

In this video we'll cover the Communicate function, category #2, Data Processing Awareness, and we'll discuss privacy centers.
So in this category of the Communicate function, we're going to talk about data processing awareness. And this is: individuals and organizations have reliable knowledge about data processing practices and associated privacy risks, and effective mechanisms are used and maintained to increase predictability consistent with the organization's risk strategy to protect individuals' privacy.

So what that's really getting at is that in the previous category we talked about transparency and having a privacy policy. This is really getting into the fact that the individuals whose data you may be processing, as well as organizations, whether they serve as processors or service providers, are aware of the mechanisms that you have in place to protect against the privacy risks surrounding your data processing practices.

So this is where we get into certain websites having notices that they're collecting personal data and allowing an individual to opt out of that. You're putting up those notices on your website or other places so that individuals can see that you're actually communicating that information to them, as well as that you have mechanisms established to obtain feedback from individuals, whether that's through focus groups or surveys, about your data processing practices and associated privacy risks. So you want to make sure those are the two mechanisms you have in place for the individuals whose data you may be processing, and you also want to ensure that your systems, products or services are designed to enable data processing visibility.
So you want to make sure that your systems are designed in such a way that, in the event you have to collect information, it's easy to do, and that it's produced in a format that's easily readable, not only for those that may have this responsibility within your organization, but also so that when it's presented to an individual it's easy to see. So processing visibility becomes important for that reason.

But you also want to make sure you're maintaining records of data disclosures, and records of when you're sharing that data with other parties. You want to make sure that's maintained and that it can be accessed for review or transmission, whether that's an auditor who needs to see it, or you need to be able to disclose those records, say, in the event of a dispute that maybe you didn't handle a data subject access request properly, so that you have those records that you can produce.

As well as that, data corrections or deletions can be communicated to the individuals or organizations in your data processing ecosystem. As we mentioned in a previous module, sometimes you may have third parties that are processing data on your behalf, which means that they will have to help you. Sometimes, in the event you receive a data subject access request for where all pieces of information are stored, they would have to help you provide that, or even delete it on your behalf if it's stored on one of their networks. So data corrections or deletions have to be communicated not just to the individual, but also to those organizations that may be in your data processing ecosystem.

But you also want to make sure it can be communicated to the individual that may be requesting it, because under certain regulations you have time frames in which you have to do this. So you want to communicate to them that you've received their request, and even that you can delete their information, unless you have a reason, you know, a legal or contractual obligation, for why it can't be deleted; then you can share that with the individual.

But also make sure that you can maintain the data provenance and lineage, and that that can also be accessed. What's meant by that is basically the flow of the data: from where it came into you, the point you captured the data or it was created in your system, to all the different areas that data may flow to. You want to be able to discuss that lineage and be able to provide information on it to an individual should it be requested.
And then P7 and P8 get into something that, a lot of times, most companies are hoping is never an issue, but you always want to make sure that you have policies, processes and procedures in place to handle a breach. P7 and P8 get into being able to notify individuals and organizations in the event there is a data breach, or an event where someone's personal data was accessed without authorization, whether that's hacked, or, say, someone had a device that stored personal data and it was lost and wasn't encrypted. Then, under certain state guidelines or even other international privacy regulations, you may have a duty to disclose to the regulator as well as to the individuals that were impacted by that incident. So you need a way to be able to communicate that with individuals as well as other organizations.

And then you also need to be able to provide mitigation mechanisms for individuals that were affected, whether that's credit monitoring services or allowing them to withdraw their consent, and really being able to address the impacts of those problematic data actions: how they affect the individual, as well as the impact to your organization or even to other organizations.
So one thing I did want to talk about, in a way that can really help encompass all these things we mentioned in the previous lesson about a privacy policy, is something that I am starting to see with certain companies, and Google to me has a really good example of this: something akin to a privacy center, where you're encompassing all of this information that an individual can go and look at. Not just, as I mentioned before in the privacy policy, what's being collected, how it's being collected and how it's being protected, but even where they can go and administer their rights, look at those notices and make those decisions in the privacy center in an informed manner. And that's what is really kind of neat about these privacy centers: having all that information in one place.

Some of the aspects that you'll see in the privacy centers I'm mentioning here: they will include the privacy policy, as I mentioned before, that's including, you know, what's collected and how it's being collected. But this is where you get into as well what the user's rights and choices are, and also allowing them to manage those rights and choices from this privacy center. They'll be able to see the cookie policy and either opt in, or maybe pick and choose the cookies that they're okay with, depending on how it's set up for your enterprise, or it may just be an all-or-nothing situation. But cookies can be managed in a variety of ways, whether they're just opting out across the board, or you're showing each individual cookie and allowing them to check a box for which ones they want to opt into and which ones they don't.

Your terms of use may even be included here as well, whether that's how to use the website or using your product. Frequently asked questions about privacy rights or how you're processing data will be shown here too, as well as support and contact information, whether that's an email address that goes to maybe a privacy mailbox, or, if you have a data privacy officer, their information: just someone that they can contact with their complaints, concerns or questions regarding your data processing.

And then you get into as well data security, integrity and retention. This is where you discuss how you're protecting their data: that their data isn't compromised, that you're maintaining the integrity of the data the same way it was ingested, and that even when you're doing testing it doesn't change the integrity of the data. You may possibly include here as well how long you may have to retain the data, so that they really have a guarantee of how long you're keeping that data, and then possibly when it will be destroyed.

And this is where you may also provide definitions to individuals, because if you have to abide by various privacy regulations, if you have to abide by GDPR and be compliant with CCPA, and there are other ones out there as well, maybe even the Brazilian privacy regulation, there may be different definitions. You know, GDPR uses "data subject" and CCPA uses "customer". So, in not trying to confuse those that are doing work internally, or even individuals, your company may even subscribe to its own definitions when talking about data subjects or what its definition is of personal data. So you really want to define that here, so that individuals do know what your definitions are when they're reading through your documents. This list isn't exhaustive; it's just a few of the main points from looking at different privacy centers that I've seen.

And some people do even include, if there is a data breach, the information for individuals on that data breach in this area, as well as how to access some of those mitigation mechanisms that you may end up putting in place, like how to get the credit monitoring set up, that sort of thing. So these can really be what your enterprise is looking for: a one-stop shop for an individual to see what your data processing practices are and even manage their own rights. So it's definitely something to consider when you're looking to, excuse me, put together a privacy center, if that's something you're looking to do.
So let's have a quick quiz before we move on to the next module. True or false: privacy centers contain terms of use along with the privacy policy and other components. One, true, or two, false.

The answer here is true. As we saw before, there are different components to a privacy center, but terms of use was definitely something that you could see in a privacy center because, as I said, it serves as a one-stop shop for all the information, from a privacy perspective, that individuals may need to know about your enterprise.

So in this video we covered subcategories of the Communicate function, category number one, and components of a privacy center. I hope you'll join me as we move into module number six.