By this idea, we mean a fundamental activity in any entity whose purpose is to continually improve the effectiveness and efficiency of data protection. This post focuses on data of a personal nature.
For any measure of dynamic responsibility to be adopted, it is essential to analyze the processing activity, divide it into its phases, determine the processing operations carried out in each of them, know the particularities of each phase and optimize it.
Tasks to do
To optimize personal data processing, a series of activities must be carried out, to some extent in parallel:
∙ PROCESSING ANALYSIS: The person responsible must review in depth the processing that is to be carried out, rather than treating it as a black box.
Therefore, it will be necessary to identify the particular operations carried out within it and the relationships between them. These operations may form part of a processing activity and be of interest for data protection, since they are defined, in a non-exhaustive manner, in Article 4.2 of the General Data Protection Regulation.
Processing activities are organized into phases that implement operations. However, a processing activity may include phases that do not process personal data, so that, in principle, these phases would be transparent from a security point of view.
The operations in each phase into which the processing is structured can be implemented with organizational measures and/or technical elements, introduced through components developed for that processing or through adaptations of ad hoc developments from other processing activities.
Therefore, each phase and its objective must be critically reviewed in order to implement one of the fundamental principles of data protection and security, the “data minimization principle”.
∙ USE CASES: We must keep in mind that, just as there are simple, linear processing activities in which the default adjustment options are very limited, there are also complex ones that can provide different functionalities to adapt to users of different profiles with specific needs.
Therefore, the configuration of the service can depend on different circumstances: normal or Premium services, adaptation to a minor, adult or senior audience...
In this sense, depending on the type of service that the user requires or that the person responsible intends to offer, it will be necessary to collect and process both personal information and information that is not personal.
Likewise, in no case can access to a service be denied simply because the user has opted for a restrictive setting in relation to the amount of data processed or the extent of the processing.
∙ RELATIONSHIPS BETWEEN PROCESSING ACTIVITIES: Within an entity, there may be various processing activities that access the same data sets and make use of common data collection, processing or communication services.
This can arise either from components that implement operations shared between processing activities, which in many cases are inherited, or from the implementation of apps on mobile systems.
Therefore, the person responsible must examine each processing activity within the framework of the corresponding organization to recognize the adjustments needed on the common services that apply to the different processing activities: determine the minimum data necessary for each one, regardless of the data available; perform a logical and/or physical separation of the personal data used in each one; or manage access rights according to each one, among others.
∙ PROCESSING ADAPTATION: As with the previous activities, it is equally important to study the stages of the processing for each of the use cases defined by the person responsible and to determine the need for each phase, in order to deduce whether it could be avoided from the point of view of the processing of personal data, the applicable minimization, the retention period during which it is necessary to keep personal data, as well as other aspects of equal magnitude.
How does studying a Master in Data Protection benefit you?
To this end, the new approach of the General Data Protection Regulation proposes studying the entire life cycle of the data:
This approach further ensures that personal data is studied and protected from its initial phase, covering not only the data but also its different processing activities, which is done through a risk analysis.
Studying the data life cycle is not easy. A Master in Data Protection will give you the necessary knowledge to understand each of the phases and thus guarantee that the proposed security measures cover the data from capture/creation to its destruction or blocking.