Do you keep accurate and up-to-date records of what personal data is being held and processed? Have you created Data Flow Maps to show how this data is captured and moves around the organisation?
You must have a lawful basis for processing data, and remember that storing data counts as processing. Have you determined and documented how you concluded your lawful basis?
Personal data can only be stored for as long as the business has a lawful basis. Retention times must be set for each data category, and not at the document level, which presents serious challenges to most organisations.
Your systems must be capable of meeting the rights of the data subjects to whom the data relates. For example, data subjects may request access to their data, or request that the data be erased, updated or restricted from processing.
A system of record must be kept of the processing activities for your organisation. This may comprise DPIAs, Data Flow Maps, Retention Records and other relevant documents that describe how you capture, process and secure personal data.
DPIAs are at the heart of many data processing activities. They are legally required where there is a potential for high risk to the rights and freedoms of data subjects if the processing is carried out. However, many companies carry them out as a matter of course and good practice.
We're a group of privacy and security consultants with experienced GDPR practitioners and Data Protection Officers. We look forward to helping you align your company goals with appropriate and adequate organisational and technical measures.