Data protection covers whole data lifecycle: collection to erasure
GDPR understands data processing as all operations on personal data
Set of operations aimed at one purpose is a process (e.g. newsletter)
Once you know what personal data are, let’s talk about what happens with them. In older data protection laws, there was a notion of filing system to describe any structured set of personal data, such as software database, Excel spreadsheet or an archive.
But places where loads of personal data are stored are not the only area for possible breaches. Data must be protected through their whole lifecycle, from the moment when they are collected, until complete erasure. Many breaches occurred during transmission, by sending to wrong recipients, losing a data carrier or making data public without authorization. Also the ending phase of processing is vulnerable, as many organizations never erase data or still prefer rubbish bins over shredders – including their digital equivalents.
That is why the notion of data processing covers all operations on personal data. GDPR gives many examples of processing operations, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction, erasure or destruction.
Analyzing all processing operations separately could be an impossible task – that is why many experts define processes that cover all operations aimed at one purpose, such as recruitment, sales, customer service, newsletter, holding events, fleet management, relations with suppliers etc.
Table of contents:
Self-implement GDPR in 16 steps: