This is an in-depth review of your organisation’s personal data landscape and provides the basis for understanding the lawful processing and documentation required by the GDPR
Why is personal data important?
GDPR is primarily about protecting the rights and freedoms of data subjects – specifically regarding the personal data that can be used to uniquely identify a living person.
What does the GDPR require?
Fundamental to GDPR is an understanding of the personal data you hold, for whom, and on what legal basis it is processed.
The GDPR also requires organisations to meet a number of other requirements e.g. handling special categories of data, recognising the jurisdiction in which processing is undertaken and other considerations such as childrens’ personal data. There are new and increased compliance obligations on controllers (e.g. policies, records keeping), specific obligations on processors and notification requirements.
Organisations that have mapped their personal data landscape are better positioned to address the following and other requirements under the GDPR:
- Is their personal data processing fair and lawful?
- Have the Data Protection Principles relating to the processing of personal data been satisfied?
- Is there a lawful basis for processing personal data? E.g. name, location data, online identifier
- Is there a lawful basis for processing Sensitive Personal Data? E.g. race, political opinion, religion
- Is there a lawful data transfer mechanism in place?
Why do a Data and Purpose Review?
Your organisation must be able to provide evidence that it is processing personal data lawfully – this is a major change brought about by GDPR and the onus is on the organisation to be able to do so.
Organisations need to understand what personal data and special categories of personal data they’re processing, transfers of such data outside of the EEA, transfers of data to third parties, retention periods etc. at a granular personal data perspective including name, dynamic IP address, date of birth, trade union membership, political opinion, photograph and other biometric and genetic data.
Data and Purpose Review
The Data and Purpose Review is a discovery exercise across your personal data landscape and provides the basis for the activities necessary to meet many of your GDPR compliance obligations. This is also a prerequisite for the Notifications Review and Remediation service.
The discovery portion of this service considers the personal data and special categories of data taking into account at least:
- Sources and recipients of personal data
- Retention periods
- Legal bases for processing
- Purpose of processing
- Technical and organisational security measures
- Transfers to third parties and third countries
- Automated decision making
The analysis provides documentation and evidence to support your ongoing GDPR compliance activities.