Last updated: 
1 day 10 hours ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

GDPR: moving to Information Lifecycle Registers?

Tuesday, April 25, 2017 - 14:30

[UPDATE: the Irish GDPR coalition have a nice infographic on information lifecycles under the GDPR]

Anyone who has looked at an information security standard is likely to be familiar with the idea of an Information Asset Register. These cover the What and Where of information that an organisation relies on: what information do we hold, and where is it kept.

Many of the requirements of the General Data Protection Regulation (GDPR) point to an extension of this idea: something more like an Information Lifecycle Register. This would add

  • Why - are we processing this personal information?
  • How - do we process it to minimise risks?
  • When - do we need it, and when can we delete it?
  • Who - do we need to disclose it to?

From this lifecycle information the legal basis for processing - for example that it is necessary for a contract, for a legal duty, for a legitimate interest, or processed by consent - should be obvious. Under the Regulation, notification requirements and data subject rights flow from that legal basis. The answers to How, When and Who should identify opportunities to minimise data (for example by using pseudonyms) and processing. Documenting this lifecycle information before a new processing activity begins should help the organisation demonstrate that it is practising data protection by design.

In fact, many organisations will already have much of this information about their key assets, arising out of risk assessment and records management processes. For example the National Archives suggest including risks to and opportunities from, as well as retention periods, in their guidance on Information Asset Registers. So understanding information lifecycles, which is likely to be a critical step in preparing for the GDPR, may be easier than you think.

Documented and explained life cycles will go a long way to achieving the accountability requirements of the GDPR. But understanding the flows of information through an organisation, rather than just its existence, is much more than just a compliance benefit. It should let the organisation make better use of that information too.


and the good news is that we are working on a company wide Informaiton Asset Register which will be completed ahead of the EU GDPR