Principles relating to processing of personal data

Organisation must maintain a listing of used data systems and their owners. Owner is responsible for completing the related documentation and possible other security actions directly related to the data system.

Data system documentation must include at least:

• System purpose and linked responsibilities
• System's data location (covered in a separate task)
• System's maintenance and development responsibilities and linked partners (covered in a separate task)
• When necessary system's access roles and authentication methods (covered in a separate task)
• When necessary systems interfaces to other systems (covered in a separate task)

The organization shall maintain a list of data sets contained in the data stores it manages.

The documentation shall include at least the following information:

• Data systems and other means used to process the data sets
• Key categories of data in the data set (and whether it contains personal data)
• Data retention period (discussed in more detail in a separate task)
• Information on archiving / disposal of data (discussed in more detail in a separate task)

The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:

• Description of the risk
• Evaluated impact and likelihood of the risk
• Tasks for managing the risk or other treatment options
• Acceptability of the risk

Organisation must maintain a listing of controlled data stores and their owners. Owner is responsible for completing the documentation and other possible security actions directly related to the data store.

Data store documentation must include at least:

• Connected responsibilities
• Data processing purposes (covered in a separate task)
• Data sets included in the data store (covered in a separate task)
• Data disclosures (covered in a separate task)
• When necessary, data stores connections to action processes

Data system owner determines the access roles to the system in relation to the tasks of users. The compliance of the actual access rights with the planned ones must be monitored and the rights reassessed at regular intervals.

When reviewing access rights, care must also be taken to minimize admin rights and eliminate unnecessary accounts.

Limiting the retention time is one of the principles of the processing of personal data. If the retention period of the data is not provided by law, when determining the retention periods, the following must be taken into account, for example:

• the necessity of the data for its original processing purpose
• implementation and verification of the interests, rights, obligations and legal protection of a natural or legal person
• the legal effect of the contract or other legal action in civil matters
• statutory limitation periods
• criminal limitation periods

Describe your own process for evaluating retention periods.

The organization implements role-based access control with predefined access roles for the various protected assets that entitle access to the associated asset. Strictness of the access roles should reflect the security risks associated with the asset.

The following should be considered to support access management:

• how much information each user needs access to
• how widely the user should be able to edit data (read, write, delete, print, execute)
• whether other applications have access to the data
• whether the data can be segregated within the property so that sensitive data is less exposed

Organization assesses cyber security risks by responding to situations where security has been mildly or severely compromised. The documentation shall include at least the following:

• Description of the incident
• Risks associated with the incident
• New tasks introduced as a result of the incident
• Other measures taken due to the incident

Registrants have the same rights to their personal data, no matter in what form we store them. We need to be able to communicate processing and provide data subjects with access to personal data, whether on paper, in local files or in data systems.

We separately document personal data that is stored outside of data systems.