The Personal Data life cycle: Where to start the analysis? – Vladyslav Tamashev, Privacy lawyer at Legal IT Group

Have you ever thought about data on your computer? It doesn’t matter whether you are a content creator, programmer, or just a regular user thousands of different files were created, downloaded, and altered on your device. But what happens when some of that data becomes useless to you?

Usually, this data will be manually deleted to get some free space on your storage device or it will be wiped during the OS reinstallation. Everything that happened with that data starting from its creation or collection until its destruction is called the data life cycle.

The data life cycle is a sequence of stages that happened to a particular unit of data. The simplified life cycle model has 5 basic stages: Collection, Processing, Retention, Disclosure, Destruction. In practice, when we talk about personal data life cycle, this sequence can be dramatically different, dependant on the type of information, its usage, origin, company policies, personal data protection regulations and legislation.

Nowadays one of the most challenging quests for an IT company is to create an efficient and secure data processing inside the company, that will be compliant with local legislation and international regulations. Data life cycle optimization and adaptation is a complex task that starts with personal data life cycle analyses.

The first step in personal data life cycle analysis is to define principles of data collection and processing in the company.

These are some simple questions, that will help you:

  • What’s the purpose of users` data collection in your company? (marketing, statistics, software optimization, etc.)
  • What information is collected? (name, payment information, location, music preferences, etc.)
  • How it was collected? (directly from the user, surveillance, third parties, etc.)
  • Which categories of data are necessary and which are not? (For example email, name, and payment information – are necessary for the company; profile photo, favorite music band, phone number – are not)
  • Who will have access to that data? (top-management, outsource teams, all processes are automated, etc.)
  • Will that data have shared with the third parties? (no, contractors, processors, etc.)

In the second step, the data should be differentiated into categories and analyzed for risks associated with it. Risk analysis will help to highlight the most critical and valuable data categories. There are lots of risk determination approaches, but most of them use negative events probability and possible negative consequences in different variations.

risk = probability of a negative event X negative consequences.

For example, such factors as potential vulnerabilities, possible negative events, the intensity of negative effects and the response to negative effects may be used for more precise risk determination. Such personal data as identification and payment information are at much higher risk of dedicated hackers’ attacks than, for example, less valuable website usage statistics or users’ interface color scheme preferences.

After general analysis, each stage of the life cycle should be analyzed separately.

Collection – is the first stage of the data life cycle. Users must be informed about their data collection in a form of consent or notice. In terms of collection mechanics, data can be obtained directly (the registration form) or indirectly (surveillance, third parties).

Processing – this stage is unique for each company. It can be done manually by company employees, automatically, or with the mixed approach, which depends on the data category and the purpose of data collection. The main principles are to process as minimum information as possible to perform companies’ tasks and restrict unauthorized access.

Retention – means storage of information. The data itself should be stored no longer than necessary or defined by the data policy. For the data life cycle analysis, this stage is the key point.  Depending on the data type it can be reused, destroyed, or disclosed.

Distraction – simple data deletion is perfect for most scenarios, but when we talk about full data distraction, it means that data should be wiped out of servers, backup files, inner documentation, employees’ PCs, and any other storage devices connected to the company. That’s why data tracking should be applied inside the company.

Reuse – the most common stage of the data life cycle. Each time you log into an account or get a personalized email your data is reused by the company and altered according to your actions.

Disclosure – data sharing is important to provide good services and promote your business. Such things as advertisements, statistics, marketing, and other services are based mostly on third-party data disclosure. During the analysis, you should ensure that data transfer is compliant with legislation, the company privacy policy, and allowed by the user.

The personal data life cycle analysis is a complex process, that touches almost every aspect of the company, its data flow, business model, internal and external structure. But it`s the first step in developing a data processing system that will be resistant to external or internal threats and put users’ privacy and data security in the first place.

Vladyslav Tamashev
Privacy lawyer at
Legal IT Group