The following looks at applying data protection principles during the operational phase, i.e., the processing itself.
Transparency and fairness are probably the most relevant principles in this phase(see the “Lawfulness, fairness and transparency” subsection in the “Main Principles” section in the general part of these Guidelines). They require among others the following technical and organizational measures:
- The efficient processing of data subject right invocations.
- The handling of personal data breaches.
At the end of a processing activity, (the temporal aspect of) data minimization (see the “Data minimization” subsection in the “Main Principles” section in the general part of these Guidelines): requires for the personal data that is no longer necessary for the purposes to be erased. Various measures are available to ascertain that the data is irreversibly erased and that all technical storage devices are considered before their dismantling. These measures also support the principle of purpose limitation(see the “Purpose limitation” subsection in the “Main Principles” section in the general part of these Guidelines): since failure to erase the data would open the possibility that they are used for other purposes. The effectiveness of the measures used for dismantling should be verified and documented as was described in section 220.127.116.11 above.
Art. 5(1)(b) GDPR foresees the possibility of further processingfor compatible purposes. The principle of purpose limitation requires a careful assessment (according to Art. 6(4) GDPR) to see whether these purposes are indeed compatible. Such further processing also the implementation of additional measures such as further data minimization, pseudonymization or anonymization (i.e. storage limitation) in order to guarantee the safeguards required in Art. 89(1) GDPR.
While the effectiveness of measures has initially been verified during the determination of the means, the 2nd sentence of Art. 24(1) GDPR requires that this is regularly reviewed and that measures are updated where necessary. Such reviews and updates are measures in their own right.
Examples of where such reviews are listed in the following:
- Access rights for staff that guarantee confidentiality and purpose limitation may have to be updated to reflect staffing changes and the end of temporary assignments and substitutions.
- Software that was found to guarantee confidentiality may no longer do so unless critical security updates are installed.
- Confidentiality that was found to be sufficient may not be so anymore if the threat landscape evolves and new types of attacks become possible. Typically this requires the implementation of additional or more sophisticated measures.
- Data may have to be presumed to be anonymous or to prevent direct identification (as part of pseudonymization), but new methods of re-identification put these presumptions in question. To still support storage limitation, a further reduction of the identification potential of the concerned data or a re-design of the processing is required.
A similar situation represents itself during the routine replacementof (human and technical) resources. When for example, a person was found to have sufficient training and skills to execute a set of instructions, the same kind of assessment is necessary for successors of this person. Similarly, new technical resources need to exhibit the same properties that guaranteed effectiveness of the original component.
Instructions typically evolve over the life time of a processing activity. Instructions for human resources and work flows may for example be re-designed or rendered more efficient based on experience. Instructions for technical resources typically change with every version of the software and often get installed automatically (e.g., by an update service). With every new version of instruction, the following has to be verified:
- That the new version still entails the measures that are necessary to guarantee effective implementation of the principles; and
- that there is no “function creep” that extends the processing beyond what is necessary for the purposes.
Where the change of resources or instructions is more substantial, a complete new iteration of the iterative process of determining the means (see section 18.104.22.168) may be required.