The compliance process begins when Data Inventory discovers all personal data stored across multiple IT systems. It is crucial to know where personal data is stored, but it is even more important to be aware of how an organization uses this data.
If there is no understanding of all 4 Personal Data Lifecycle components, addressing all GDPR requirements becomes very difficult. Collection of data and lawful processing are parts of the original business purposes, while archiving and destruction are tasks that must be performed once the lawful basis expires.
Having an understanding of the Personal Data Lifecycle in a chart or organigram is a good starting point, but nothing more. If a DPO does not have operational control over personal data, manual process management will soon become a highly risky and overwhelming task.
The key to the Data Flow challenge is to use a professional tool, such as Data Privacy Manager, which gives the DPO total control and an overview of all personal data processes within an organization.
The first phase of interaction with data subjects, which is part of the original business purpose, covers all six lawful bases for personal data collection.
Processing data for delivery of contracted services or marketing is the second stage.
Once the contract expires or the customer opts out, the lawful basis for processing is no longer valid. This is when archiving starts, which means the purpose of processing has changed, and this triggers the data retention process.
The last stage is the Data Removal phase in which an organization should no longer possess or process that personal information.
Data Privacy Manager is a unique solution with a variety of modules and workflows enabling the organization and the DPO to have control over Data Flow. Once the system is set up, processes are automated, and the DPO can easily manage the personal data lifecycle.
While organizations have been busy collecting consents and putting together compliant Records of processing activities, data removal has remained overlooked, or maybe postponed. Most organizations have by now documented data retention policies and have a good idea about how long they can keep the data. Data retention starts when one of the following scenarios happens: The initial purpose for data collection and processing has expired. Usually, a product or services contract with an individual has expired, an insurance policy has expired, or the individual has stopped using a product or a service…