Course Content
Module 1: Fundamentals of Data Privacy
This module comprises of 4 lessons and a quiz. Complete all lessons and quiz successfully to unlock module 2.
0/5
Video Lesson
00:00
Why is it important to protect personal data? 
Application and Definitions
Overview of Data Privacy
Fundamentals of Data Privacy Quiz
Module 2: Data Processing Requirements
This module comprises of 7 lessons and a quiz. Complete all lessons and quiz successfully to unlock module 3.
0/8
Security Safeguards
Information Quality
00:00
Consent
00:00
Lawfulness
Purpose Specification
Adequacy and Relevance
Accountability
Data Processing Requirements Quiz
Module 3: The Impact Assessment
This module comprises of 3 lessons and a quiz. Complete all lessons and quiz successfully to unlock module 4.
0/4
Video Lesson
00:00
What should an impact assessment include?
00:00
What is a Data Privacy Impact Assessment?
00:00
Impact Assessment Quiz
Module 4: Cross Border Transfer Flows
This module comprises of 1 lesson and a quiz. Complete all lessons and quiz successfully to unlock module 5.
0/1
An overview of Cross Border Transfer Flows
Module 5: Data Privacy Program, Safeguards and Risk Indicators
This module comprises of 4 lessons and a quiz. Complete all lessons and quiz successfully complete the course.
0/3
Video Lesson
00:00
The Data Privacy Compliance Program
00:00
Key Risk Indicators
00:00
Data Privacy: Best Practice
About Lesson

Key Definitions 

Let’s explore some of the key definitions of data privacy legislation. 

1. Data Subject
A data subject is an individual who is the subject or the focus of personal data. In the context of data protection regulations, such as the General Data Protection Regulation (GDPR), a data subject is the person to whom personal data relates. It refers to any identified or identifiable living individual.

  • A data subject can be identified directly or indirectly, either by the personal data itself or in combination with other information. It includes individuals who can be identified by unique identifiers like name, identification number, location data, or online identifiers.

  • Data subjects have specific rights and protections under data protection laws. These rights typically include the right to access their personal data, rectify inaccuracies, restrict or object to processing, and request deletion or erasure of their data. Data subjects also have the right to be informed about how their personal data is collected, used, and shared.

  • Data subjects often provide their consent for the collection and processing of their personal data. Consent should be freely given, specific, informed, and unambiguous, and it can be withdrawn by the data subject at any time.

  • Data protection regulations distinguish between data controllers and data processors. A data controller determines the purposes and means of processing personal data, while a data processor processes personal data on behalf of the controller. Data subjects may interact directly with data controllers or indirectly through data processors.

  • The concept of data subjects emphasizes the importance of protecting individuals’ privacy and personal data. Data protection laws aim to ensure that individuals have control over their personal information and that it is handled in a fair, lawful, and secure manner.

Examples of data subjects include:

  1. Customers: Individuals who purchase products or services from a company.

  2. Employees: Workers within an organization who provide their personal information as part of their employment.

  3. Patients: Individuals receiving medical treatment or healthcare services.

  4. Students: People enrolled in educational institutions.

  5. Website Users: Individuals visiting websites or using online services that collect their personal information.

  6. Job Applicants: Individuals seeking employment who provide their personal details during the application process.

  7. Subscribers: Individuals who subscribe to newsletters, magazines, or other publications.

  8. Social Media Users: People who use social media platforms and share personal information on their profiles.

  9. Participants: Individuals who take part in research studies, surveys, or focus groups.

  10. Clients: Individuals who receive professional services from companies, such as legal or consulting services.

  11. Members: Individuals who join organizations, clubs, or associations that require personal information for membership.

  12. Patients’ Family Members: Relatives or guardians of patients who may provide personal data related to the patient’s healthcare.

  13. Witnesses: Individuals who provide testimony or witness information in legal proceedings.

  14. Event Attendees: People who attend conferences, seminars, or events where personal information is collected for registration purposes.

  15. App Users: Individuals who use mobile applications that require the collection of personal data.

2. Data Controller 
A data controller is an entity or organization that determines the purposes and means of processing personal data. In simpler terms, the data controller is responsible for deciding why and how personal data is collected, used, and stored.
  • The data controller has legal and regulatory obligations to ensure that personal data is processed in accordance with applicable data protection laws and regulations. They are accountable for the compliance and security of the personal data they collect.
  • They have the authority to determine the purpose for which personal data is collected, the types of data collected, the methods of data processing, and the duration for which the data is retained. They have control over the overall data processing activities.
  • Data controllers have direct interaction with data subjects, either by collecting personal data directly from individuals or through third parties. They are responsible for informing data subjects about the processing of their personal data, obtaining any necessary consents, and addressing data subject rights and requests.
  • They must adhere to key data protection principles, such as collecting data lawfully and fairly, ensuring data accuracy and minimization, applying appropriate security measures, and ensuring data retention and deletion in compliance with legal requirements.
  • Data controllers may share personal data with third parties, such as data processors, who process the data on their behalf. In such cases, the data controller remains responsible for the protection and lawful processing of the data, even if processing is carried out by a third party.
  • Finally, they are often required to maintain records of their data processing activities, including documenting their compliance efforts, data protection policies, and data subject interactions.

It is important for data controllers to understand and fulfill their obligations to protect individuals’ privacy rights and ensure the proper handling of personal data.

Examples of entities that can act as data controllers:

  1. Businesses: Companies of various sizes and industries that collect and process personal data in the course of their operations. This includes retail stores, e-commerce platforms, banks, insurance companies, and telecommunications providers.
  2. Government Agencies: Public sector organizations, such as tax authorities, social welfare agencies, immigration departments, and census bureaus, that handle personal data as part of their official duties.
  3. Healthcare Providers: Hospitals, clinics, doctors’ offices, and healthcare institutions that collect and process patients’ personal data for medical treatment, research, or administrative purposes.
  4. Educational Institutions: Schools, colleges, universities, and other educational organizations that collect and process personal data of students, staff, and faculty members for academic and administrative purposes.
  5. Nonprofit Organizations: Non-governmental organizations, charities, foundations, and advocacy groups that handle personal data in support of their mission or for fundraising purposes.
  6. Human Resources Departments: Departments within organizations that collect and process personal data of employees, job applicants, and contractors for recruitment, payroll, benefits administration, and other employment-related purposes.
  7. Data Brokers: Companies that collect personal data from various sources and sell or provide it to other organizations for marketing, analysis, or other purposes.
  8. Social Media Platforms: Online platforms that collect personal data from users and process it for various purposes, such as targeted advertising, content customization, and network analysis.
  9. Internet Service Providers (ISPs): Companies that provide internet connectivity and related services, which often involve collecting and processing personal data of their customers.
  10. Research Institutions: Organizations engaged in scientific, social, or market research that collect and process personal data for studies, surveys, or experiments.
  11. Mobile Application Developers: Developers and operators of mobile applications that collect and process personal data from users for various purposes, such as providing services, analytics, or advertising.
3. Data Processor 
A data processor is an entity or organization that processes personal data on behalf of a data controller. While the data controller is responsible for determining the purposes and means of processing personal data, the data processor carries out the processing activities on their behalf.
  • A data processor operates under the direction and authorization of the data controller. The data processor processes personal data only as instructed by the controller and for the specific purposes defined by the controller.
  • They are often third-party service providers that support the data controller’s operations. They may handle personal data on behalf of the controller when providing services such as cloud storage, customer support, payment processing, IT infrastructure, or data analytics.
  • Data processors have limited authority to make decisions about the processing of personal data. They are not allowed to use the data for their own purposes or share it with other parties unless explicitly instructed by the data controller.
  • They have a responsibility to implement appropriate technical and organizational measures to ensure the security and confidentiality of the personal data they process. They must take steps to protect the data from unauthorized access, loss, or alteration.
  • Data controllers and processors typically enter into a written agreement, such as a data processing agreement, outlining the terms and conditions for the processing of personal data. This agreement defines the roles, responsibilities, and obligations of both parties with respect to data protection.
  • In certain cases, data processors may engage sub-processors to assist in the processing of personal data. Sub-processors are also bound by agreements and obligations to protect the data and comply with data protection laws.
  • While data processors carry out the processing activities, they are not relieved of their responsibilities for data protection. They are accountable for their adherence to data protection laws and regulations and may be subject to audits or inspections to ensure compliance.

It’s important for data controllers to carefully select and engage data processors that have the necessary technical and organizational measures in place to protect personal data. This ensures that the processing activities are carried out in a secure and compliant manner.

Examples of entities that can act as data processors:

  1. Cloud Service Providers: Companies that offer cloud computing services, such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform. They process and store data on behalf of their customers.
  2. Payment Processors: Organizations that handle payment transactions on behalf of merchants, such as PayPal, Stripe, or Square. They process personal data related to payment details and transaction information.
  3. Customer Relationship Management (CRM) Systems: Software platforms like Salesforce, HubSpot, or Zoho CRM that store and manage customer data on behalf of businesses.
  4. Email Service Providers: Companies that offer email marketing or communication services, such as Mailchimp, SendGrid, or Campaign Monitor. They process personal data related to email addresses and communication preferences.
  5. IT Support Service Providers: Companies that provide technical support services to organizations, including troubleshooting, software maintenance, and network management. They may have access to personal data while providing these services.
  6. Data Analytics Companies: Organizations that analyze and interpret data to provide insights and reporting, such as Google Analytics, Adobe Analytics, or IBM Watson Analytics.
  7. Human Resources Systems: Software platforms or service providers that handle employee data, such as payroll processing, benefits administration, or recruitment management systems.
  8. Outsourced Call Centers: Call centers that handle customer support or telemarketing services on behalf of companies. They process personal data during customer interactions.
  9. Marketing Agencies: Agencies that run marketing campaigns, including targeted advertising, email marketing, or social media management. They process personal data related to marketing activities.
  10. Document Shredding/Disposal Services: Companies that securely dispose of physical or digital documents containing personal data, ensuring they are properly destroyed.
4. Data Breach
A data breach refers to the unauthorized access, disclosure, or acquisition of personal data by individuals or entities who are not authorized to have such access. In simpler terms, it is a security incident where personal data is exposed or compromised.

Causes: Data breaches can occur due to various reasons, including cyberattacks, hacking, phishing, malware infections, physical theft or loss of devices, insider threats, or human error such as accidental disclosure or improper handling of data.

Types of Data: Data breaches can involve various types of personal data, including names, addresses, phone numbers, email addresses, social security numbers, financial records, health information, login credentials, and more.

Impacts: Data breaches can have serious consequences for individuals and organizations. Some potential impacts include identity theft, financial fraud, reputational damage, loss of customer trust, regulatory penalties, legal actions, and financial losses due to remediation and recovery efforts.

Reporting and Notification: Depending on the applicable laws and regulations, organizations may be required to report data breaches to data protection authorities or notify affected individuals about the breach. Prompt reporting and communication are crucial to minimize the potential harm caused by the breach.

Prevention and Mitigation: To prevent and mitigate data breaches, organizations should implement robust security measures, including strong access controls, encryption, firewalls, intrusion detection systems, regular security assessments, employee training on data handling best practices, and incident response plans.

Response and Remediation: In the event of a data breach, organizations should have a well-defined incident response plan in place. This includes investigating the breach, containing and mitigating the impact, recovering lost or compromised data, and implementing measures to prevent similar incidents in the future.

Data breaches highlight the importance of data protection and the need for organizations to prioritize the security and privacy of personal data. By implementing strong security practices, organizations can help safeguard personal information and reduce the risk of data breaches. It’s also essential for individuals to remain vigilant and take precautions, such as using strong and unique passwords, being cautious of phishing attempts, and regularly monitoring financial and online accounts for any suspicious activities.

 

Previous
Next