Welcome to Lesson 4.2, Control: Data Processing Management.
In this video we will look at the control function category number two, data processing management.
So in this category of the control function we're looking at data processing management, and where this differs from the previous category, where we were looking at the data processing policies, processes and procedures for how you're handling things internally: this category to me really focuses on having the processes and procedures for how an individual can request information from your company.
So you're looking at basically how you're managing data processing from the way you're protecting the individual's privacy.
So this is where you get into a lot of the data subject access requests that you could receive, from data elements that can be accessed for review, their access for transmission or disclosure to others, as well as being accessed for alteration or deletion. Under the GDPR a data subject has the right to basically view the data that you have on them and, if they feel something's wrong, have it altered, or they can basically ask for you to delete their information.
So that's what you're looking at when you're looking at the subcategories of P3 and P4.
And then as well, in the previous category we talked about the data lifecycle, and part of that life cycle was data destruction. So here this is really you making sure, in this one, that you're following those policies, processes and procedures that you put into place, and that's really what data processing management is about. You have the written part in that first category, and now this is about managing and making sure that you're complying with the policies, processes and procedures that you're putting in place.
And that's where P5 comes in, and that data lifecycle management: that you're actually destroying according to your own policy, and that you're able to transmit that data in standardized formats, as well as that you have mechanisms for transmitting processing permissions and related data values with data elements, that that's established and in place, and having audit log records, that they're documented, implemented, and that that is done in accordance with policy,
and that you're actually incorporating data minimization, the principle of data minimization, because you want to make sure that you're only asking for data that you need. Before we really got into this realm of privacy, you know, the thought was collect all the information that you can. But now with a lot of the laws and regulations, it's really about data minimization and really only asking for personal data that's necessary for the purpose that you're trying to carry out.
You want to make sure also that technical measures are implemented to manage data processing, and that you're basically testing those technical measures and assessing them to make sure that they are working properly, because the last thing you want is for there to be a data breach or an issue with the confidentiality or availability of data because there's an issue with the technical measures. So you want to make sure that you are continuously monitoring those technical measures that you have in place, and then really ensuring that stakeholder privacy preferences are included in your algorithmic design objectives and outputs are evaluated against these preferences.
Sometimes those stakeholders can be internal teams and sometimes they are external. You know, if you're an app developer, your stakeholder may be the company that you're developing the app for, so if they have certain privacy preferences that they want set in whatever you're developing, you want to make sure that you are encompassing that in the design, because the last thing you want is to not have basically thought of that, and then it becomes an issue basically after you've completed the, you know, the concept of the application at that point, and you're showing it, it's fine to have to go back at that point, but when you're ready to go into production, it's definitely going to be a different thought process to have to go back and look at, you know, did we incorporate that? So that is kind of where you get into privacy by design at a certain point, to make sure that you're having those discussions
if you're looking at something either from a manufacturing standpoint, you know, I worked for a medical device at one point and some of those devices were ingesting personal health information. So that was a thought of how are we making these devices so that that information is protected when it is basically ingested into the machine.
And it's the same thing with an app: if you're a developer and you're working with your external customers, if they have other requirements, either from a legal or contractual standpoint, that they have to be in compliance with, you want to make sure that you're including that.
So that's where data processing management is really looking to make sure that you're protecting the individual's privacy, and basically managing those policies, processes and procedures that you've implemented around data processing from that first category.
So in this video we review the subcategories of the data processing management category and I hope you'll join me as we move into the final video in this module.