STEP 2 – PREPARATION
Data inventory: inventory personal data processing operations
To be able to act in accordance with the GDPR, you must first inventory the personal data processing operations within your organisation. You should know which data is used, by whom and for what purposes. Then you can assess what needs to be changed in order to be compliant. Record all of this in our document.
Answer the following questions:
– Which personal data is processed within the organisation?
– Do you process “special categories” or other sensitive data?
Having answered the questions above, you will have a better idea of the data processing operations within your organisation, the greatest risks associated with those operations, and what will change for you. You can then decide what action to take and which subjects are a priority for your organisation.
Introduce a data minimisation policy (decide on your retention periods)
The GDPR emphasises the obligation not to process more personal data than necessary. This is also referred to as data minimisation. In this context it is important to determine how long you will retain the personal data and ensure that data is removed promptly.