what gets measured,
PRIVACY VAULT helps put Peter Drucker’s famous maxim into practice as it applies to security and privacy management. In addition to measurement, PRIVACY VAULT also adds "enforcement" to the mix.
Unlike with prior privacy regulations, measuring actual compliance with modern regulations is a necessary survival strategy.
To measure the circumstances of processing, a process called a Data Protection Impact Assessment (DPIA) is generally performed.
Among other essentials, the DPIA defines:
the legal basis behind the processing
the period for which the data will be used and retained
the data set and its sensitivity classifications
how the proposed processing will work
the processing risks in terms of likelihood and significance of harm to individuals
the organisations that will be given access to the data
how and when individuals (the data subjects) will be kept informed
A DPIA is often submitted for review and approval by stakeholders and sometimes even to the supervisory authority. It grants legitimacy to the purpose for data processing.
The overall focus of a DPIA is called a purpose.
As described in Article 5 (2) of the GDPR, personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with the initial purpose.”
Therefore, it is clear that whenever data is collected and processed, it must be with a specifically defined purpose in mind.
Under GDPR and virtually all other privacy regulations, if you haven’t identified a legitimate and lawful purpose, you have no right to process personal data.