It is important to make an inventory of all the personal data you hold. You should then survey the situation in your organization and document why you need each category of personal data you process. Next, determine the purposes of the processing and ensure the security of the processing.

What you need to document:

  • How was the personal data obtained?

  • Why is the data kept?

  • Is the personal data still required?

  • Is the personal data kept securely?

  • With whom is the personal data shared?

After surveying the situation, map how personal data flows through your organization so that you gain greater control over your business activities.

Example:

Apteka, a pharmacy, sells products at a physical location in the city center and through a web store, and it also has its own website. Before placing an online order, customers are offered membership in a loyalty program, which gives a discount on purchases as well as regular notifications about the pharmacy’s products. For its business activities the pharmacy uses an accounting system, and it operates a video surveillance system to protect property, employees and customers.

From this description, the pharmacy collects, at a minimum, customer contact details, which it uses to send product notifications.

When customers order online, they must provide the following information: their first and last name and a delivery address for the products.

In addition, the pharmacy’s website uses so-called third-party cookies that collect personal data for marketing purposes.

Within the accounting program, the pharmacy processes employees’ personal data for the purpose of paying salaries regularly, and through the video surveillance system it collects personal data of visitors and employees.