Data Security, Transfer and Deletion

Punit Bhatia

15 years: Data privacy & GDPR

An organization is responsible for the protection of personal data across the data lifecycle. In this video Punit gives us an overview of data security, data transfers and data deletion. He further highlights the common roles under privacy law.

Data Security, Transfer and Deletion

10 mins 24 secs

Overview

Organisations must protect personal data and ensure that the confidentiality and integrity of personal data are maintained. When personal data is being transferred, a company must ensure that there is adequate protection. Organisations must prepare retention schedules that state what personal data is retained and for how long, and create strategies for personal data that is no longer necessary for a legitimate purpose.

Key learning objectives:

  • Understand why personal data security is important

  • Identify the two common roles under privacy law

  • Understand when a company can transfer personal data

Summary

Why is personal data security important?

Privacy laws require that a company keep personal data secure at all times by implementing best-in-class and pragmatic measures based on the risk of processing. These measures are often referred to as Technical and Organisational Measures, or TOMs. Implementation of TOMs is important because it helps to ensure that personal data stays secure and that only authorised persons have access to it for the right reason.

What are the two common roles under privacy law?

  1. Controller - the company that decides to collect personal data and decides on the purposes of processing
  2. Processor - the company hired by a controller to process personal data on its behalf

Other relationships are also possible. There is a controller-controller relationship when both companies independently decide upon the purpose and collection of personal data. There is a joint controller when both companies jointly decide upon the purpose and collection of personal data, and there is a sub-processor when the processor hires another company for the processing of personal data on behalf of the controller.

When can a company transfer personal data?

GDPR requires companies exchanging personal data to ensure proper security of personal data at all times.

There are a few scenarios in which a transfer can take place:

  • Firstly, a transfer between companies in the same jurisdiction, i.e. the same laws are applicable to both companies
  • Secondly, a transfer to companies that are not in the same jurisdiction, i.e. data is being processed by a company that has different applicable privacy laws

If personal data is to be transferred to a country that is not on an adequacy list, the controller must assess and ensure adequate safeguards. This can be ensured by:

  1. Usage of Standard Contractual Clauses (SCCs) - a set of contractual clauses that are recommended by the European Commission for inclusion in contracts when personal data is being transferred.
  2. Usage of Binding Corporate Rules (BCRs) - data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a consolidated group of companies.

Punit Bhatia

Punit Bhatia is a passionate author, speaker, and advisor. He provides strategic coaching and advice to privacy experts, business owners, and upcoming privacy professionals. Punit is known for providing advice that is simple, pragmatic and business-aligned.
