Transcripts
1. Introduction: Hello and welcome to the Data Privacy: GDPR Fundamentals course. My name is Mustafa and I'm going to be your instructor throughout the course. I have created this introduction so that I could give you an overview of what you're going to be learning and what information you will gain. Moreover, who this course is going to be for. Before we get started, I wanted to highlight that there is always room for improvement. Therefore, I would highly suggest, and appreciate it, if you could drop a rating and a comment on the course, whether you like it or otherwise. Each and every comment is going to be highly considered, and it would definitely be taken into consideration. With that being said, let's get started. There are several specific points that will be covered throughout the course. To start off with, the first is necessary and relevant terminologies. There are specific terminologies that we will be using throughout the course, and it will be extremely important that you understand all of them. Therefore, it is extremely important to explain all of them to you in a very specific section. These terminologies are definitely in use among a lot of data privacy officers and organizations, and simply in the data privacy and data protection field overall. The second is data, and why is it simply that important? As you can see, throughout the century that we're living in right now, everything is about data. Therefore, it is extremely important to understand what data is and why it is that important. If you could notice, data now is crucial and very, very important for a lot of aspects of our life. Therefore, within that section, we'll be explaining what data is and why it is that important, specifically for the century that we live in and in the upcoming future. Throughout the course, you will get to understand what data privacy, data protection, and eventually data security are, and what the differences between them are, because I'm not quite sure if you were under the impression or not, but they are not the same. Therefore, we will absolutely be explaining, throughout the course, the differences between all of them, in addition to their definitions. The fourth we have is GDPR. As you can tell, this course is all about GDPR in particular. Therefore, we're going to be talking a lot about it in future sections. We're going to be covering what GDPR, or the General Data Protection Regulation, is, why it was invented in the first place, and what the history behind it is. Just to give you a hint, GDPR is one of the toughest, if not the toughest, data privacy regulations, and it is being enforced by the EU. Within the GDPR, there are certain key principles when it comes to data processing. As you can see, we have used one of the terminologies that we're going to be using a lot, which is data processing. I don't want you to be worried about it. We're definitely going to be covering all the terminologies within the section on necessary and relevant terminologies. What you need to understand at the moment is that data processing is simply any kind of action that is being taken towards personal data. Therefore, there are definitely some key principles, guided by the GDPR, to be taken into consideration when it comes to processing, or doing any kind of action towards, someone's personal data. When it comes to data processing, there are lawful bases that need to be considered, and we will go through all of them, and you will get to understand why they are important. GDPR, in the first place, was invented to cover all the rights when it comes to data privacy for individuals. Therefore, GDPR simply highlights the rights of individuals that companies and organizations do need to take into consideration when they are processing someone's data. Therefore, we are going to be covering all of these rights of individuals throughout the course. The last point we will cover is how to assess a project, a service, a process, or a product from a privacy perspective. This point is not only important to DPOs, or data privacy officers, but it's also important for individuals, because most of the time you are a consumer of a specific service or product, or maybe you are a part of a process or a project. Therefore, your data is going to be processed, and you would need to understand how an organization or a company is assessing these products, services, and projects, specifically when it comes to consuming your data or doing any kind of action towards it.
3. Who This Course Is For: Perhaps you might be thinking right now whether this course is going to be suitable for you or not. Perhaps you need more clarification. Therefore, I have created this section in order to clarify to you who this course is going to be for. The first category is the public, simply the general public. But why is it that important for the general public to obtain knowledge about data privacy? Think about it for a moment. Right now, you're definitely consuming a specific product, or maybe you're buying a specific service from a company or an organization, and in order for that company to provide you with that service or product, they need to obtain specific personal information about you. Therefore, you will need to understand what rights the data privacy law within your region is providing to you. Moreover, it would also give you more information about what actions are being taken towards your data and how that could affect your life in general. Therefore, I would highly suggest that, whether or not this is going to be your field of work or field of study, it is extremely important for you to obtain knowledge when it comes to data privacy, because on a daily basis you're buying products, you're buying services, and you're giving away your personal information to organizations and companies. The second category is data specialists. As I have mentioned earlier, data is extremely important and crucial in the century we're living in right now. There are a lot of occupations when it comes to data. So whether you are a data analyst or a data scientist, or just generally working in the field of data, this course is going to be beneficial for you because it's going to give you another aspect of data that is going to be important when it comes to the work you're doing right now on data. The last category is DPOs. Whether you are aspiring to become a DPO, or Data Privacy Officer, or you are already a Data Privacy Officer, this course is going to be very good for you because it can give you a good refresher on the fundamentals and basic knowledge when it comes to data privacy.
4. Basic Terminologies: There are certain terminologies that are commonly being used in the data privacy field, and throughout the course we're going to be using most of them. Therefore, it's extremely important to have this lesson to break down all the important terminologies. So let's get started.
The first terminology that we're going to be discussing is personal data. There is no specific list that can directly represent personal data, at least under the GDPR. However, there is a very important definition that could perhaps help a lot of people determine what seems to be personal data and what is not. So personal data refers to any kind of information that can identify a person directly or indirectly. So, for instance, personal data that could identify a person directly could be someone's name, and indirect information, for instance, is any information that could give a hint about the identity of a person. There is also a specific category of personal data that is called sensitive personal data, which could actually be someone's political views or sexual orientation, for instance. Data processing. In my opinion, data processing is the main reason why there is GDPR or any data privacy law, because data processing is any kind of action that is being taken towards someone's data. The action could be storing, collecting, selling, using for advertisement, or just simply any kind of action that is being taken towards someone's data. And if there is data processing, then there's definitely a purpose behind it. And that becomes the main concept of GDPR: it is to make sure that the purpose of processing does not override the rights of data subjects, to make sure that that purpose does not harm individuals by any means. Data subject refers to a natural person, a living person, whose data is being processed, whether by a company, an organization, or even the government. Think about it. You're definitely a data subject, and that is in case you are using a specific service by a provider, or you're buying some product provided by a company, because that company or that organization would definitely need specific information in order to provide you with that service or with that product. Data controller. The controller refers to a service or product provider that is collecting a data subject's data in order to provide the service or sell the product. Let's say, for example, that you want to buy a t-shirt online. So you went to an e-commerce website, and before you can buy that t-shirt, you will need to register on their website first. So you provide them some certain information about you, such as your name, your email address, and phone number perhaps, and definitely your postal address. But let's say, for instance, that after you registered, you changed your mind for whatever reason. That means the e-commerce website still does have a copy of your data, as you willingly registered on their website. So by them holding the copy of your data, that makes them the data controller. Data processor. Data processor refers to an organization that is processing data subjects' data on behalf of a data controller. As you could tell, there's actually a relationship between data processors and data controllers. Let's say that this time you already made up your mind and you want to buy the t-shirt. You are already registered on their website, and you click on a button and you make the order. However, let's say that this website wants to use a shipping provider in order to ship that product to you. In order for the e-commerce website to do that, there will be a need to share your personal data with the shipping company. In order for a data controller to do that, they need to have something that is called a DPA, or data processing agreement. In the data processing agreement, the data controller will be listing some instructions that the data processor will be in need to follow. And this is simply the relationship between data processors and data controllers. Data breach. Data breach refers to data subjects' data falling into an unauthorized user's hands, whether that is intentional or unintentional.
5. What is data?: Data is a term that perhaps all of you believe represents information. Well, that is correct. But is that really everything about data? Well, the answer is definitely no. In this lesson, you'll get to know what data really is and why it is so valuable and important. Data is basically information. Information could be segregated into a lot of categories, such as information extracted from a physical form, such as papers or books, or it could be digital information, which is basically information that is extracted from PDFs, text files, web pages, and other digital formats. Mainly, in the current century, digital information is what we refer to as data. There are actually two main categories of digital information, or data, which are, number one, traditional data, and number two, big data. Traditional data and big data do have certain qualities. These qualities will help you understand the differences between them. Also, these qualities are being referred to as the V's of data by data scientists and data analysts, because the word representing each quality starts with the letter V. So let's get into five of these qualities to help you understand traditional data and big data. Number one is velocity. It represents how fast data accumulates over time. When the internet started years ago, data accumulation was super slow because there were not that many websites and end users. So there was not much data being generated on a daily basis. Nowadays, we have many social media platforms, websites, and end users. Therefore, with every button you click, data is being generated. With every post, data is being generated. So big data here represents a higher speed of data accumulation, while traditional data represents a slow pace of data accumulation. Number two is volume. Volume represents the size of data. As we mentioned earlier, nowadays data is being generated rapidly on databases, which makes the size of data generated per day almost hundreds of petabytes. Therefore, if the size of data is huge, then it is called big data, and if the size is too small, like megabytes or gigabytes or even less, then it is called traditional data. Number three is variety. It refers to the formats from which you can extract information or data, such as photos, videos, PDFs, spreadsheets, text files, web pages, and a lot more. Mostly, traditional data can be extracted from a single format, while in the case of big data, it is multiple. Number four is veracity. It refers to the quality and accuracy of data. This is, in fact, one of the important qualities of data. For example, imagine that you have data on COVID-19. This data needs to be accurate in order to gain insights. Otherwise, if these insights came from an unreliable source of data, then they could actually cost lives eventually. Number five is value, and it simply represents how valuable the data is. For example, the world is currently going through a pandemic. Collecting data and gaining insights is very valuable in order to understand the behavior of the virus and find a cure to save lives.
6. What Is GDPR?: Now we know how important data is and how relevant it is to the current century we live in, and also the future. Then it makes absolute sense how important it is to protect our personal data. Throughout this course, and throughout this lesson in particular, you'll get to know one of the toughest, if not the toughest, data privacy and protection laws, which is GDPR. Moreover, you'll get to know a lot of aspects around it and also the history behind it, how it started up until it took effect. So let's get started. GDPR is short for General Data Protection Regulation. It is a regulation in the European Union and the European Economic Area on data privacy and protection, and it took effect back in May 2018. It was made to enhance individuals' rights and control over their personal data, and to make sure companies and organizations are not using personal data in a way that could harm individuals or could be against their will. Now, let's talk about the history behind the GDPR. Before GDPR, the data privacy law adopted by the EU, the Data Protection Directive, allowed all EU members to create their own data privacy law that is suitable for their citizens, unlike the GDPR, by the way, which requires all EU members to comply with it. In addition to that, the European Commission figured out that the Data Protection Directive was not relevant anymore to the digital age. They also realized how important data is nowadays, and moreover, how fast data is being created by the minute. Therefore, they proposed the GDPR back in January 2012. After that, the text of GDPR was worked out through compromise and finalized, and eventually, in 2016, GDPR was formally adopted by the EU Parliament and the Council of the European Union. After a two-year transition period for readiness, GDPR took effect back in May 2018, and all EU members are complying with the GDPR. And it became known as one of the toughest data privacy laws over the past three years. Now, let's talk about three of the important aspects of GDPR. To start off with the first aspect, which is scope. As mentioned, GDPR is a law that is adopted by the European Union. But does that mean it only applies to companies and organizations that are based in the EU? Well, the answer is no. GDPR protects EU citizens and EU residents. Therefore, if a company is selling EU citizens or residents a product or providing them a service, then they have to comply with the GDPR, even if the company or the organization is outside of the EU. Not only that, but they also have to demonstrate their compliance if needed. The second aspect is penalty. As mentioned, GDPR is law. Therefore, companies and organizations do have to demonstrate their compliance. In case a company violated the GDPR, then the fine is very high. There are actually two tiers of GDPR fines, and calculating the fine is of course being done on a case-by-case basis. However, let's talk about those two tiers. The first tier is up to 10 million or 2 per cent of the annual revenue of the company, whichever is higher. And the second tier is actually the double, so it's up to 20 million or 4 per cent of the annual revenue of the company. The same rule applies, whichever is higher. A couple of things to bear in mind when it comes to penalties. Number one, authorities determine the fine based on criteria such as what happened, how it happened, the number of data subjects affected, the damage they suffered, and how long it took to resolve, and of course, a lot of other aspects. Based on these answers, the authorities will determine which tier to go with, whether that is the first tier of penalty or the second tier of penalty. Number two is that data controllers are definitely being held accountable for the data. Even if they rely on a third party to process the data, they still actually give instructions to data processors to follow on processing the data. Therefore, they are being held accountable and the fine would be applied to them. But if data controllers can demonstrate that data processors violated these instructions, in this case, data processors would be held accountable and the fine will be applied to them. Key definitions. We have covered some general key definitions in a previous lesson. There are other important definitions that we will go through in the upcoming lessons, such as data privacy principles, the lawful basis of data processing, and eventually data privacy by default and by design.
7. Data Privacy by Default and by Design: Data privacy by design and by default is a term or concept that is well known in the data privacy field, and it is also extremely important. So let's get into it. Data privacy by default and by design refers to ensuring that you consider data protection and data privacy at the design phase of any system, service, product, or process, and throughout the life cycle as well. That would be through appropriate technical and organizational measures. And by the way, appropriate technical and organizational measures is also a very well-known term in the data privacy field. It simply means that the organization is going to be using appropriate technical security methods to protect the data. Those technical measures, for instance, could be authentication, encryption, anonymization, or whatever method is suitable to protect the data. There is a very important thing that you need to know here, which is that there is no obligation to use a specific technical measure. It's definitely going to be on a project basis. One of the organizational measures that can be integrated to ensure data protection, and a measure that is often being used, is the data privacy impact assessment, or DPIA. It is a questionnaire that is launched during the design phase of the project to measure privacy risks and how to mitigate them, to ensure GDPR compliance. It is one of the important organizational measures that are being used by companies and organizations to figure out what seem to be the privacy risks on the data and how to mitigate them. There are a lot of questions in the questionnaire, and to give you an example, some of these questions are: What is the purpose of this data processing? Is processing personal data required to achieve the purpose? Who are the data subjects? What are the negative or positive impacts of this data processing? What is the data retention period and the data retention method, whether that is automatic data retention or manual data retention? And a lot of other questions as well.
8. Key Principles Introduction: Processing personal data is acceptable if it ensures individuals' rights and doesn't harm them. In fact, some personal data processing activities could have a beneficial value for the public, such as processing COVID-19 data, which can help in understanding the behavior of the virus to set safety measures and to find a cure. Yet, there's still a probability of a negative impact from the purpose of the processing or the method used. So there has to be an assessment to measure the negative impacts on individuals. There are certain guidelines, which form the seven important key principles of data processing under GDPR, that can ensure the protection of individuals and be a good measurement for organizations to ensure GDPR compliance. And those key principles are: number one, lawfulness, fairness, and transparency; number two, purpose limitation; number three, data minimisation; number four, accuracy; number five, storage limitation; number six, integrity and confidentiality; and last but not least, accountability. In the next lessons, I will explain each principle thoroughly, to help you understand how important these key principles are.
9. Lawfulness, Fairness and Transparency: Under the regulation, personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subjects. In other words, personal data must be processed only if a legal ground exists, and to the extent that processing is carried out in a fair and transparent manner towards the individuals whose personal data is collected and used. In this lesson, you will get to understand the first key principle of data processing, which is lawfulness, fairness, and transparency. So let's get started. Number one is lawfulness. This means that the data must only be processed when data controllers have legal grounds for processing the data. That requires data processing to be allowed by, and carried out within the limits of, the applicable law. That might include data protection laws and other applicable rules, such as employment, health, tax, or any other obligations, depending on the case. To summarize, for the data processing to be lawful, it must be consistent with all applicable laws in the particular circumstances.
There are, in fact, certain lawful bases for data processing under the GDPR, which I will explain in a future lesson. So stay tuned. In addition to being lawful, processing of data must be fair. The fairness of processing is essentially linked to the idea that data subjects must be aware of the fact that their personal data will be processed, including how data will be collected, kept, and used, to allow them to make an informed decision about whether they agree with such processing and to enable them to exercise their data protection rights. In addition, this also requires an assessment of how the processing will affect the data subject. If the processing negatively affects individuals and it is not justified, then the processing is unfair. However, in certain cases, processing is automatically permitted by law and so is deemed fair regardless of the data subject's knowledge or preferences. For example, data will be obtained fairly by the tax authorities if it is obtained from an employer who is under a legal duty to provide details of an employee's pay. Now, let's get into transparency. Transparency is directly linked to fairness. The principle of transparency means that a data controller must be open and clear towards data subjects when processing their personal data. Transparency also requires that information is provided in a timely manner, information such as how data will be collected, kept, and used, and moreover, what the purpose of data processing is.
10. Purpose Limitation and Data Minimization: In the past lesson, we went through the first principle of the key principles of data processing under GDPR. In this lesson, we will go through another two principles, which are purpose limitation and data minimisation. So let's get started with purpose limitation. Purpose limitation means that data controllers must only collect and process personal data to accomplish a specific, explicit, and legitimate purpose, and not process personal data beyond such purpose, unless an additional purpose is compatible with the purpose the personal data was originally collected for. Therefore, data controllers must identify the purpose for which data will be processed, and that purpose will become the guideline for which of the data subjects' data involved in the processing should be processed. You should also bear in mind that in case a data controller wants to process the data further for a secondary purpose, then there are some requirements to be considered to make sure that the secondary purpose is compatible with the original purpose. These requirements are: identifying any link between the original purpose and the purpose of the intended further processing; identifying the nature of the personal data; identifying the consequences of the intended further processing for data subjects; identifying the reasonable expectations of data subjects, based on their relationship with the data controller, as to further use; and eventually, identifying the existence of appropriate safeguards in both the original purpose and the intended further processing operations. If the processing is considered incompatible, a separate legal ground will definitely be required, such as the consent of the data subject, before starting the processing of data for a new purpose. I hope purpose limitation is now crystal clear. So let's get into our second principle, which is data minimisation. Data minimisation means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specific purpose. Therefore, data controllers should only collect the personal data they need to achieve the purpose. In order to do that, there has to be a practical implementation of this principle. The practical implementation of this principle requires applying two concepts, which are necessity and proportionality, and that is definitely going to be applied to the processing of personal data. I know you're probably wondering what the meaning of necessity and proportionality is. Necessity means that data controllers must assess the personal data to be collected to make sure that it is reasonable to achieve the specified purpose, while proportionality means that data controllers must consider the amount of data collected. That means it should not be excessive in relation to the specified purpose.
11. Accuracy and Storage Limitation: Let's continue our talk about the key principles of data processing under GDPR. In this lesson, we will go through accuracy and storage limitation. So let's get started with accuracy. Accuracy means that data controllers must take appropriate measures to ensure that data is accurate and up to date. Appropriate measures should take place during the collection of data, by verifying that the data is accurate, complete, and not misleading. During the collection process, inaccuracy of personal data may take place if controllers do not properly verify the authenticity of the information. Moreover, data controllers must evaluate how reliable the data is, in order to achieve the purpose, before they go ahead and process the data. But what if the data is being collected for statistical purposes? Well, in case data is collected for statistical purposes, then data controllers must maintain the data as collected. Finally, it is okay for data controllers to keep records of events that happened in error, as those records are not considered misleading; in fact, they are considered illustrative. Let's put this into context. Let's say, for example, that a patient was misdiagnosed and a doctor gave him the wrong medicine based on his misdiagnosis. Then in this case, it is good to maintain the records to track the medical history of the patient. That is all about accuracy. Now, let's get into storage limitation. Storage limitation means that personal data must not be kept for longer than necessary based on the purpose the personal data was initially processed for. In other words, once personal data is no longer needed, then it must be securely deleted. The data retention period for the intended purpose has to be restricted to the absolute minimum, enough to only achieve the purpose, and data controllers should establish the data retention period based on the purpose and a periodic review. Therefore, data controllers must first determine the purpose, or purposes in other cases, in order to be able to determine an appropriate data retention period. However, you need to know that sometimes some personal details might be kept for longer due to the purpose, such as tax, and health and safety data, for example.
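The purpose limitation, data minimisation and storage limitation principles described in lessons 10 and 11 can be enforced mechanically inside an application rather than left to policy documents. The Python below is an added example written for this page; it is not course material. It keeps a purpose registry that records, for each processing purpose, the fields that are necessary and the retention period that follows from the purpose: collection is rejected if the record carries fields the purpose does not need, and a periodic review finds records whose retention period has passed so they can be securely deleted. The purpose names, field lists, retention periods and sample records are hypothetical constructions for the demonstration.

```python
# Added example, not part of the course: a purpose registry that enforces
# data minimisation at collection time and storage limitation at review time.
# Purpose names, allowed fields, retention periods and sample records below
# are hypothetical and constructed for the demonstration.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Purpose:
    name: str
    allowed_fields: frozenset   # data minimisation: only fields necessary for the purpose
    retention_days: int         # storage limitation: period derived from the purpose


# Hypothetical register of processing purposes (an organisation keeps its own).
PURPOSES = {
    "order_fulfilment": Purpose(
        "order_fulfilment", frozenset({"name", "email", "postal_address"}), retention_days=90
    ),
    # Tax law can require records to be kept far longer than the commercial purpose needs.
    "tax_records": Purpose(
        "tax_records", frozenset({"name", "invoice_id", "amount"}), retention_days=7 * 365
    ),
}


class MinimisationError(ValueError):
    """Raised when a record carries fields the stated purpose does not need."""


def collect(purpose_name, record, collected_on):
    """Accept a record only if every field is necessary for the stated purpose.

    Returns the stored record with its purpose and collection date attached,
    so the retention period can later be computed from the purpose alone.
    """
    purpose = PURPOSES[purpose_name]
    excess = set(record) - purpose.allowed_fields
    if excess:
        raise MinimisationError(
            f"{purpose_name}: fields not necessary for this purpose: {sorted(excess)}"
        )
    return {"purpose": purpose_name, "collected_on": collected_on, "data": dict(record)}


def is_expired(stored, today):
    """True once the purpose's retention period has run out for this record."""
    purpose = PURPOSES[stored["purpose"]]
    return today > stored["collected_on"] + timedelta(days=purpose.retention_days)


def retention_review(records, today):
    """Periodic review: split records into those to keep and those due for secure deletion."""
    keep, delete = [], []
    for stored in records:
        (delete if is_expired(stored, today) else keep).append(stored)
    return keep, delete


if __name__ == "__main__":
    # Constructed sample records: one order, and the tax record for the same sale.
    stored = [
        collect("order_fulfilment",
                {"name": "A. Example", "email": "a@example.com", "postal_address": "1 Main St"},
                date(2024, 1, 1)),
        collect("tax_records",
                {"name": "A. Example", "invoice_id": "INV-1", "amount": "19.99"},
                date(2024, 1, 1)),
    ]
    try:
        # A date of birth is not needed to ship a t-shirt, so collection is refused.
        collect("order_fulfilment",
                {"name": "B. Example", "date_of_birth": "1990-01-01"}, date(2024, 1, 1))
    except MinimisationError as err:
        print("rejected:", err)

    keep, delete = retention_review(stored, date(2024, 6, 1))
    print("keep:", [r["purpose"] for r in keep])       # tax_records still within retention
    print("delete:", [r["purpose"] for r in delete])   # order_fulfilment past 90 days
```

The review function only decides what must go; actual secure deletion (and the record of it, which supports accountability) is left to the storage layer. Tying the retention period to the purpose rather than to the record is what lets the same person's data be deleted for one purpose while still being lawfully kept for another.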
12. Integrity, Confidentiality and Accountability: In this lesson, I will go through the last two principles of the key principles of data processing under GDPR, and they are integrity and confidentiality, and the last principle is accountability. So let's get started with integrity and confidentiality. Integrity and confidentiality means that data must be processed in a secure environment to ensure personal data protection during the processing and up until the data is deleted. So that means protection through the whole life cycle of the data. Therefore, data controllers must apply appropriate technical and organizational measures, such as encryption and authentication, in order to protect and preserve personal data through its life cycle. And that protection could prevent accidental loss, data destruction, and data breaches. Now, let's get into our last key principle, which is accountability. Accountability means that data controllers must be responsible for data subjects' personal data. That includes the whole life cycle of personal data, starting with data processing up until the data is erased. Moreover, data controllers have to demonstrate their compliance with GDPR to ensure that accountability, and that would be through the following. Number one, adopting and implementing data protection policies and appropriate technical and organizational measures, as we have explained previously. Number two, going by a data privacy by default and by design approach. We went through the data privacy by design approach in a previous lesson. Just to recap, data privacy by default and by design means a data controller should consider data privacy and protection during the design phase of the project. Number three, maintaining documentation of processing activities. Number four, having contracts with data processors in place in order for them to process the data on behalf of a data controller. As we have explained the relationship between data controllers and data processors before, in the basic terminologies lesson, data controllers might be in need of a third party, or data processors, in order to process the data on their behalf. Therefore, data controllers should have a contract in place to demonstrate the relationship with data processors. Number five, recording and reporting data breaches. Data controllers should have records of data breaches, and they should notify data subjects within the first 72 hours of data breach discovery. Number six, appointing a data privacy officer, or DPO, who is well aware of GDPR. In a future lesson, we will go through the scope of data privacy officers, so you don't have to worry about that point so much at the moment. Number seven, carrying out a data processing impact assessment, or DPIA, to figure out the risks of processing data before the actual processing happens. This should give data controllers insights into the potential damage to the privacy and protection of data subjects' data, before controllers go ahead and process the data.
13. Lawful Basis Of Data Processing under GDPR: In order to process personal data, data controllers must have a valid, lawful basis. This part is totally connected with the first principle of data processing, which is lawfulness. There are six lawful bases for data processing under GDPR law. No single basis is better or more important than the others. In fact, the question should be which lawful basis is most appropriate to use, depending on the purpose of processing. That also depends on the relationship with the data subject. Moreover, most lawful bases require that the processing is necessary for a specific purpose. If you can reasonably achieve the same purpose without the processing, then you won't have a lawful basis. The lawful basis must be determined once you know the purpose of processing, and that should be before processing the data. All data controllers should include the lawful basis in their privacy notice.

Now, let's go through each lawful basis individually.

Starting off with consent. The meaning of consent is that an individual agrees to the processing of his data in relation to the purpose. Consent really means offering individuals real choices and control. But consent has some requirements to be met. These requirements are: consent should be freely given, meaning that the data subject has a genuine choice. Consent also should be specific and informed, and it should be given in clear and plain language. In addition to that, data controllers have to keep records so that consent is documented, and this is a huge part when it comes to accountability.

Number two is contract. Contract means processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.

Number three is legal obligation. Legal obligation means processing is necessary for compliance with a legal obligation to which the data controller is subject.

Number four is vital interests. Vital interests means processing is necessary in order to protect the vital interests of the data subject. In other words, data processing is necessary to protect or save someone's life. For instance, if the data subject is unconscious, processing of personal data may be necessary in order to provide urgent medical care.

Number five is public interest. Public interest means that the processing has a beneficial value to the public.

Number six is legitimate interests. Legitimate interests means processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
14. Privacy Rights of Individuals under GDPR: In our previous discussion about why GDPR exists, I mentioned that GDPR is made to give individuals the right to privacy. So during this lesson, we will cover the seven main privacy rights of individuals under GDPR. Privacy rights can be exercised by individuals through the organization's designated channels, or mainly through the data privacy officers appointed by the organization.

Now, let's get started with the first privacy right, which is the right to be informed. The right to be informed is definitely connected to the transparency principle. It means that data subjects have the right to be informed about the collection and use of their personal data. In other words, the data controller should inform data subjects that their data is being collected and processed, in addition to the purpose of processing, data retention periods, and who the data might be shared with. This information must be concise, transparent, and easy to access. Moreover, it must be in clear and plain language. There are a few circumstances when data controllers do not need to inform individuals, such as if the individual already has the information.

Number two is the right of access. The right of access means individuals have the right to access and receive a copy of their personal data and any other supplementary information. They can make that request either verbally or in writing.

Number three is the right to rectification. The right to rectification means that data subjects have the right to rectify or correct inaccurate data, or to complete incomplete data.

Number four is the right to erasure. The right to be forgotten and the right to erasure are two terms for the same thing. This right means data subjects have the right to have their data erased. The right is not absolute and only applies in certain circumstances.

Number five is the right to restrict processing. The right to restrict processing means that individuals have the right to request the restriction or suppression of their personal data. It is not absolute and only applies in certain circumstances. To give an example, individuals can exercise this right mainly in automated decision-making and profiling activities.

Number six is the right to object. The right to object means individuals have the right to object to the processing of their personal data. That has to be in certain circumstances. However, in marketing processing activities, individuals have an absolute right to stop their data being used or processed.

The last main privacy right under GDPR is the right of data portability. The right of data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. In addition, it allows them to move, copy, or transfer personal data easily from one entity to another. It has to be done in a safe and secure environment, and this applies only to information an individual provided to a data controller.
15. What is OneTrust: In today's lesson, we're going to be talking about one of the important tools that data privacy officers use on a daily basis, which is OneTrust. OneTrust is the number one privacy management tool. It is used by small and large organizations in order to manage all the assessments related to privacy. And due to its comprehensive modules, it can be customized for any regulation, whether that is GDPR or any other data privacy law. So whether you are interested in cookie management, data processing impact assessment management, or incident and breach management, OneTrust has it all in one platform. It is the number one technical tool for data privacy officers, and that is because it helps them manage all aspects of privacy, data protection, and data management in one place.

OneTrust can help organizations become GDPR compliant, as it covers all the aspects of GDPR in different sections of the platform. For example, through OneTrust you can generate a processing register for documentation purposes, which is important for accountability. Through OneTrust you can also create a data protection impact assessment to figure out the potential risks of data processing before processing the data. Based on the answers, OneTrust can automatically detect and generate risks in different areas related to data privacy, data protection, and data subjects' rights, which allows data privacy officers to review and remediate risks. Moreover, through OneTrust, you can have a consent hub for consent management and a portal for data subject rights requests. In the case of suppliers, you can launch a supplier assessment through OneTrust, which can help data privacy officers pinpoint risks and remediate them. This is a great way to give organizations visibility into the vendors they work with, and whether a vendor is applying sufficient security measures or otherwise. OneTrust also provides organizations with automated analysis and insights to help them find gaps in their data privacy process, so that organizations can fill in those gaps, which is a great way to help organizations become GDPR compliant.
16. Who Is Data Privacy Officer (DPO): The main role of the Data Privacy Officer is to ensure that the organization he or she works for is processing personal data in compliance with GDPR. However, appointing a data privacy officer is not mandatory for organizations. Still, it is a good thing to have a Data Privacy Officer, as he can help organizations become GDPR compliant. The number one requirement to become a Data Privacy Officer is to have great knowledge of data, data privacy, and data protection methodologies and laws, in addition to being able to understand how organizations operate. There are many tasks that data privacy officers handle. Here are some of the main tasks.

Number one, data privacy officers ensure that the organization he or she is working for is processing data in compliance with GDPR.

Number two, the data privacy officer gives advice and recommendations to the organization about the application of GDPR.

Number three, the Data Privacy Officer creates a register of processing activities within the organization, which helps in making sure that the organization is compliant with GDPR whenever needed, as using these records will help in demonstrating GDPR compliance.

Number four, the Data Privacy Officer gives training and spreads awareness on data privacy and data protection topics to employees within the same organization.

Number five, the data privacy officer carries out the necessary assessments, such as data privacy impact assessments and data processing agreements, to ensure that data processing is compliant with GDPR and causes no harm to data subjects' privacy.