[UPDATE: the Irish GDPR coalition have a nice infographic on information lifecycles under the GDPR]
Anyone who has looked at an information security standard is likely to be familiar with the idea of an Information Asset Register. These cover the what and the where of the information an organisation relies on: what information do we hold, and where is it kept?
One of the key steps in preparing for the General Data Protection Regulation is to know why you are processing each set of personal data, and which of the six legal justifications applies: consent, contract, legal obligation, vital interest, public interest or legitimate interest. The Regulation significantly tightens the rules on when consent can be used, so data controllers may well have to look more closely at the other five.
The Commission's original draft Regulation included explicit support for the work of computer security and incident response teams, recognising that such activities were a legitimate interest that involved processing of personal data.
A few hours after the result of Thursday's referendum on membership of the European Union, I gave a presentation on the significance of the EU's General Data Protection Regulation, due to come into force in May 2018. That might seem a waste of time, but my suggestion was that the referendum result might in fact make the GDPR more important to us.
Now that the General Data Protection Regulation has been completed, the European Commission is reviewing the ePrivacy Directive. This law was introduced in 2002 as part of the telecommunications framework, and it was recognised at the time that it was likely to be largely replaced by a future general privacy law.
I'll be talking on Tuesday about how the General Data Protection Regulation will create some more reasons for organisations to practise good information security.