Eduardo Lopez

The challenges of the General Data Protection Regulation

IT professional with over 25 years of experience in IT management.
Co-founder of SIA, a company with more than 650 professionals working for large organizations in the finance, energy, distribution, health and government sectors, mainly in the areas of Security, IT Governance and Data Intelligence. Telecommunication Engineer from Madrid University (UPM), with postgraduate studies in Germany (University of Stuttgart), achieving the Doctor Engineer degree in Telecommunications. His education also includes an MBA from ESIC-Madrid and studies in Arts. Mr. Lopez has worked in Spain, Germany, the Netherlands, Belgium and Portugal, and has focused on Security and IT Management, especially in the areas of Identity Management, Encryption and Digital Signatures, and IT architectures and services.

Nationality: Portugal

Scientific areas: Dental assistant course

10 of November, from 14h30 until 16h00

Auditório D

Conference summary

Most existing processes in organizations rely to a large extent on the processing of personal data belonging to different stakeholder groups. The nature of the risks to which the processing of personal data is exposed presupposes the need not only to introduce, at the outset, the legal, technical and organizational requirements established by the regulatory frame of reference but also, and in particular, to manage the maintenance of effective compliance over time.

Good control and management of personal data is essential to ensure, and to be able to demonstrate, compliance with the GDPR. Risk management is an effective way of protecting “the fundamental rights and freedoms of natural persons, and in particular their right to privacy with regard to the processing of personal data”.

The regulatory framework requires that all processing activities be tested against Need and Minimization. Organizations shall be able to justify the need for the collection, conservation, consultation and transfer of information. They shall collect the minimum data required, retain it for the minimum time required, and allow it to be accessed by and shared with a minimum number of persons or organizations.

The security of personal information should be based on respect for good practices and on the maintenance of data processing systems so that they are protected against attacks. Information security should include the use of information systems that record the actions of each user in the system during a defined period of time, ensure the integrity of the data, and include a mechanism for the deletion, archiving or anonymisation of such data when the retention period expires.