{"id":18944,"date":"2024-07-15T08:45:00","date_gmt":"2024-07-15T07:45:00","guid":{"rendered":"https:\/\/www.rosello-mallol.com\/?p=18944"},"modified":"2024-07-04T09:41:33","modified_gmt":"2024-07-04T08:41:33","slug":"data-lifecycle","status":"publish","type":"post","link":"https:\/\/www.rosello-mallol.com\/en\/data-lifecycle\/","title":{"rendered":"Data lifecycle and GDPR"},"content":{"rendered":"\n
The data lifecycle is a process by which the different phases of personal data processing in an organization are identified, allowing the risks inherent to each phase of that processing to be analyzed. Defining the lifecycle of personal data is essential to comply with the GDPR and one of its most basic obligations, which is to have a Record of Processing Activities (art. 30 GDPR).

The 5 phases of the data lifecycle

There are different approaches to the phases of the personal data lifecycle, but one of the most common is to differentiate 5 phases:

a) Data collection or compilation phase.

In this phase, the organization's different channels for collecting personal data must be identified (phone, website, app, chats, paper…) and appropriate measures established to (1) comply with the duty of information and (2) provide an adequate legitimate basis for the processing of data.

b) Data processing phase.

At this point, the intended uses of this data are determined. The most common are: collect, record, organize, structure, store, modify, consult, use, publish, combine, delete and destroy data.

c) Data storage phase.

It is necessary to determine where the data is hosted and what security measures are in place. Here the options are varied and each one requires a different solution: from use on paper to use and storage with cloud providers that have servers around the world. The measures and controls will be different in each case, but the requirement for compliance with the GDPR persists.

d) Phase of data transfer or data processing on behalf of third parties.

The processes of transferring data to third parties or outsourcing services that require access to data must be analyzed independently, identifying the risks inherent to each case and taking appropriate measures to minimize those risks.

e) Data destruction phase.

Finally, both the data retention period and the process by which, when the time comes, the data is destroyed must be established. Again, the measures may vary depending on multiple factors (paper data, electronic data, backup copies, files attached to emails…).

Essential for risk analysis and management

Performing the risk analysis required by the GDPR is simply impossible without an adequate definition of the data lifecycle. The Spanish Data Protection Authority Risk Management Guide includes the definition of the Data Life Cycle as one of the essential phases for an adequate Risk Analysis.

No matter how small your organization or company is, if you think about the 5 phases and the type of personal data you process, this process will surely be useful to structure compliance with the GDPR in an appropriate way.

Author: Victor Rosello, Lawyer.