Data Processor

A data processor is an entity that processes personal data for a data controller, following the controller's instructions. Data processors can be individuals, businesses, public authorities, or legal entities.

Here are some responsibilities of a data processor:

Data security

Data processors must ensure that the data is secure and confidential.

Compliance

Data processors must ensure their processing complies with the General Data Protection Regulation (GDPR).

Data subject rights

Data processors must ensure that the rights of data subjects are protected.

Data processor agreement

Data processors must enter into a data processor agreement with the data controller.

Data processors can include:

Calculators

Computers

Cloud service providers

Third-party companies, such as payroll or email marketing companies

Call centers

Data processors are different from data controllers, who decide how and why to collect and process data. Data processors are contractually bound to follow the instructions of the data controller.

 Data Controller

A data controller is a person or entity that determines how and why personal data is processed. They are responsible for the lawfulness of the processing, protecting the data, and respecting the data subject's rights.

Some of the responsibilities of a data controller include:

Deciding how to collect, store, use, alter, and disclose personal data

Providing information to data subjects

Ensuring there is a legitimate basis for processing activities

Giving effect to data subjects' rights under the GDPR

Ensuring that there is appropriate security for data processed

A data controller can be a legal person, such as a business, public authority, agency, or other body. In some cases, EU or Member State law may determine the controller and the purposes and means of processing personal data.

A data controller may delegate the processing to another party, called the data processor. For example, if a gym hires a printing company to produce invitations for a promotional event, the gym controls the personal information, and the printing company is the data processor.

 Right to be Forgotten

The right to be forgotten, also known as the right to erasure, is the right to have private information removed from search engines and other directories. This right was established in the European Union in 2014 and is now codified in the General Data Protection Regulation (GDPR).

The right to be forgotten allows individuals to request that search engines remove specific results for queries related to their name. Search engines must consider whether the information is inaccurate, irrelevant, or excessive and if there is a public interest in keeping it available.

The right to be forgotten applies when:

The data is no longer needed for its original purpose

The data subject has withdrawn their consent

The data subject has objected to the processing

The data was unlawfully processed

The data must be erased to comply with a legal obligation

 Data Retention Policy

A data retention policy is a set of guidelines that an organization uses to manage how it stores and disposes of data. It helps organizations comply with regulations and meet business needs while reducing the risk of storing data longer than necessary.

A data retention policy should include:

Data types: What types of data to keep, such as financial, legal, health, or personal data

Retention periods: How long to keep each type of data, based on business needs and regulations

Storage location: Where to store the data, such as on-premises, in the cloud, or in a hybrid storage environment

Access controls: Who can access the data, how they can access it, and when access is granted

Data destruction: How to destroy the data when its retention period ends

Backup storage procedures: How to recover data in the event of loss

A data retention policy is part of an organization's overall data management plan. It's based on the rules of the regulatory body that governs the organization's industry.

 Data in Use

Data in use is data that is being actively processed, accessed, or updated by users or software. It is stored in a non-persistent digital state, such as in a CPU register, CPU cache, or computer random-access memory.

Data in use is most vulnerable to security risks because it is immediately available to users and can be exposed to attack or human error. Some examples of data in use include files shared between employees, Online banking transactions, Real-time analytics, and Database queries.

To protect data in use, you can use authentication, identity management, and permissions to limit access to a subset of individuals. You can also encrypt the data while it is in use.

Data must be secured in three states: at rest, in use, and in motion. Each state presents unique security challenges.

 Data in Transit

Data in transit is data sent from one location to another, such as over a network or the Internet. It can also be referred to as data in motion or flight.

Emails, instant messages, video calls, file transfers, and website requests are examples of data in transit.

Data in transit should be encrypted to protect it from being intercepted or manipulated by attackers. Encryption algorithms ensure that only those with the decryption key can access the data.

Some ways to protect data in transit include:

Encryption: Prevents attackers from reading or modifying data

Network protection: Prevents attackers from intercepting data using TLS, IPSec, & VPNs

Authentication: Prevents attackers from impersonating the service

Access controls: Restricts access to files and ensures only authorized users can access them

 Data at Rest

Data at rest is stored in a physical location, such as a computer's hard drive or a server, and is not actively used or moved between devices or networks. It can include both structured and unstructured data.

Examples of data at rest include Spreadsheet files on a laptop, Videos on a mobile device, Employment records in a company's HR system, and Sales information in a company's database.

Data at rest is often the most sensitive data in an organization and can be very valuable to hackers. Data breaches at rest can have serious consequences, including Large financial losses, Damage to a company's reputation, Regulatory fines, and Civil liability.

To protect data at rest, organizations can use techniques such as:

Encryption: Makes the data indecipherable and useless to anyone who steals it using FDE (Full Disk Encryption), SED (Self-Encrypting Drives), and BitLocker.

Data tokenization: Replaces sensitive data with non-sensitive tokens that are meaningless on their own

Layered password protection: Sets access controls to data at different levels of sensitivity