Scheme for the Integrity of Personal Data
The General Data Protection Regulation (GDPR) requires personal data to be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay. Consequently, the data controller is obliged to implement internal controls that ensure the accuracy of personal data and, where it matters for the purpose for which the data is collected, that the personal data is kept up to date.
The data accuracy obligation is fulfilled when:
- the nature, scope, context and purposes of the processing are documented,
- the necessity and proportionality of the processing operations in relation to the purposes have been assessed and the facts investigated,
- risks to the rights and freedoms of natural persons have been assessed,
- potential harm has been diminished through the countermeasures envisaged to address the risks, taking into account the rights and legitimate interests of data subjects and other persons concerned,
- controls have been determined and implemented to ensure the accuracy of personal data,
- compliance with the GDPR can be demonstrated.
Topics covered by this scheme include:
- Validity of processing operations
- Record of processing operations
- Risk assessment
- Source data preparation
- Source data authorisation
- Source data retention
- Detection of unauthorised source data
- Data input controls and error handling
- Data input authorisation
- Accuracy, completeness and authorisation checks
- Data processing integrity
- Output balancing, reconciling and referencing
- Output handling and distribution controls
- Processing objections to processing activities
- Retention periods
- Backup and restoration
- Data security
- Design specification and validation
- Acquire and maintain software
- Acquire and maintain technology
- Develop and maintain procedures
- Install and accredit systems
- Change management.