Data Security, Transfer and Deletion
Punit Bhatia
15 years: Data privacy & GDPR
Organization is responsible for the protection of personal data across the data lifecycle. In this video Punit gives us an overview about data security, data transfers and data deletion. He further highlights the common roles under the Privacy Law.
Organization is responsible for the protection of personal data across the data lifecycle. In this video Punit gives us an overview about data security, data transfers and data deletion. He further highlights the common roles under the Privacy Law.
Data Security, Transfer and Deletion
10 mins 24 secs
Key learning objectives:
Understand why personal data security is important
Identify the two common roles under privacy law
Understand when a company can transfer personal data
Overview:
Organisations must protect personal data and ensure that the confidentiality and integrity of personal data are maintained. When personal data is being transferred, a company must ensure that there is adequate protection. Organisations must prepare retention schedules that state what personal data is retained for how long and create strategies for personal data that is no longer necessary for a legitimate purpose.
Why is personal data security important?
Privacy laws require that a company keeps personal data always secure by implementing the best in class and pragmatic measures based on the risk of processing. These measures are often referred to as Technical and Organisational measures or TOMs. Implementation of TOMs is important because it helps to ensure that personal data stays secure and that only authorised persons have access to it for the right reason.
What are the two common roles under privacy law?
- Controller - the company that decides to collect and decide on the purposes of processing
- Processor - the company hired by a controller to process personal data on their behalf
It is possible to have relations like controller-controller when both companies independently decide upon purpose and collection of personal data. There is a joint controller when both companies jointly decide upon purpose and collection of personal data and there is a sub-processor when the processor hires another company for the processing of personal data on behalf of the controller.
When can a company transfer personal data?
GDPR requires companies exchanging personal data to ensure proper security of personal data at all times.
There can be a few scenarios where this is possible:
- Firstly, the transfer between companies in the same jurisdiction i.e. same laws are applicable to both companies
- Secondly, transfer to companies that are not in the same jurisdiction i.e. data is being processed by a company that has different applicable privacy laws
If personal data is to be transferred to a country not in an adequacy list, the controller must assess and ensure adequate safeguards. This can be ensured by:
- Usage of Standard Contractual Clauses (SCCs) - set of contractual clauses that are recommended by the European Commission for inclusion in contracts when personal data is being transferred.
- Usage of Binding Corporate Rules (BCRs) - data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a consolidated group of companies.
Punit Bhatia
There are no available Videos from "Punit Bhatia"