Data lifecycle and GDPR
What is the data lifecycle?
The data lifecycle is a process by which the different phases of personal data processing in an organization are identified, allowing the risks inherent to each phase of said processing to be analyzed. Defining the life cycle of personal data is essential to comply with the GDPR and one of its most basic obligations, which is to have a Record of Processing Activities (art. 30 GDPR).
The 5 phases of the data lifecycle
There are different approaches in relation to the phases of the life cycle of personal data, but one of the most common is to differentiate 5 phases:
a) Data collection or compilation phase.
In this phase, the organization's different channels for collecting personal data (phone, website, app, chats, paper…) must be identified, and appropriate measures must be established to (1) comply with the duty of information and (2) provide an adequate legitimate basis for the processing of data.
b) Data processing phase.
At this point, the intended uses of the data are determined. The most common are: collect, record, organize, structure, store, modify, consult, use, publish, combine, delete and destroy data.
c) Data storage phase.
It is necessary to determine where the data is hosted and what security measures are in place. Here the options are varied and each one requires a different solution: from paper records to use and storage with cloud providers that have servers around the world. The measures and controls will be different in each case, but the requirement for compliance with the GDPR persists.
d) Phase of data transfer or data processing on behalf of third parties.
The processes of transferring data to third parties or outsourcing services that require access to data must be analyzed independently, identifying the risks inherent to each case and taking appropriate measures to minimize said risks.
e) Data destruction phase.
Finally, both the data retention period and the process by which, when the time comes, the data is destroyed, must be established. Again, the measure may vary depending on multiple factors (paper data, electronic data, backup copies, files attached to emails…).
Essential for risk analysis and management
Performing the risk analysis required by the GDPR is simply impossible without an adequate definition of the data lifecycle. The Spanish Data Protection Authority Risk Management Guide includes the definition of the Data Life Cycle as one of the essential phases for an adequate Risk Analysis.
No matter how small your organization or company is, if you think about the 5 phases and the type of personal data you process, this process will surely be useful to structure compliance with the GDPR in an appropriate way.
Author: Victor Rosello, Lawyer.