[UPDATE: the Irish GDPR coalition have a nice infographic on information lifecycles under the GDPR]
Anyone who has looked at an information security standard is likely to be familiar with the idea of an Information Asset Register. These cover the What and Where of information that an organisation relies on: what information do we hold, and where is it kept.
Many of the requirements of the General Data Protection Regulation (GDPR) point to an extension of this idea: something more like an Information Lifecycle Register. This would add:
- Why – are we processing this personal information?
- How – do we process it to minimise risks?
- When – do we need it, and when can we delete it?
- Who – do we need to disclose it to?
From this lifecycle information the legal basis for processing – for example that it is necessary for a contract, for a legal duty, for a legitimate interest, or that it is processed by consent – should be obvious. Under the Regulation, notification requirements and data subject rights flow from that legal basis. The answers to How, When and Who should identify opportunities to minimise both the data held (for example by using pseudonyms) and the processing performed on it. Documenting this lifecycle information before a new processing activity begins should help the organisation demonstrate that it is practising data protection by design.
In fact, many organisations will already have much of this information about their key assets, arising out of risk assessment and records management processes. For example, the National Archives' guidance on Information Asset Registers suggests recording the risks to, and opportunities from, each asset, as well as its retention period. So understanding information lifecycles, which is likely to be a critical step in preparing for the GDPR, may be easier than you think.
Documented and explained lifecycles will go a long way towards meeting the accountability requirements of the GDPR. But understanding the flows of information through an organisation, rather than just its existence, is much more than a compliance benefit. It should let the organisation make better use of that information too.