Collecting and processing personal data within applications is fundamental to many business strategies. However, any new data processing entails responsibilities to users, clients, and regulatory bodies. Before implementing any changes to collection, it is essential to understand how these could impact regulatory compliance and the protection of users' rights.
If you are evaluating a new personal data processing method in an application, these questions can help you identify risks and opportunities and ensure responsible implementation, or at least highlight areas requiring further investigation.
- What personal data will be collected and from whom? This question is basic but critical: defining what information will be gathered, and from whom, is essential. This involves more than just identifying specific data points (e.g., name, date of birth); it includes understanding the processes, systems, and methods of collection. Additionally, it is crucial to determine whether any sensitive personal data will be involved.
- What is the purpose of the processing? There must be a clear justification for data collection. Personal data should not be collected merely because it is "nice to have" but rather because it serves a specific purpose directly tied to the business’s or organization’s ability to provide a product or service. Does the processing serve a legitimate purpose and align with user expectations?
- How will the data be collected, and where will it be stored? Will data be collected directly from users via forms, obtained from third parties, or integrated from other systems? Will users receive a privacy notice before providing their data? Once collected, where and how will the data be stored? Does the storage location (systems, files, programs) have proper protections? Who will have access to it? Addressing these questions helps identify potential risks.
- What legal basis supports the processing? Depending on applicable regulations (e.g., GDPR in Europe or the Federal Law on Data Protection in Mexico), it is crucial to determine the legal grounds for data collection and processing. This should be established before collection or new usage begins—if there is no valid legal basis, the data should not be collected or processed.
- How will users be informed? In most jurisdictions with data privacy laws, consent is the primary basis for processing personal data. When collection purposes or usage change, privacy notices should be reviewed and, if necessary, updated to ensure transparency. A clear, accessible, and comprehensive privacy notice is essential.
- How will the data be stored and protected? Data security is a key privacy principle. Ensuring confidentiality requires not only secure storage locations but also protective measures such as encryption, access controls, and secure storage methods to minimize the risk of data breaches.
- Will data be shared with third parties? Sharing personal data with third parties carries significant implications. If data will be transferred or shared, have measures been implemented to protect it? Do third parties comply with adequate privacy standards? Have vendors undergone a robust third-party risk management process? Answering these questions helps identify potential risks and ensures proper safeguards are in place.
- How will users' rights be ensured? Individuals have the right to access, rectify, or delete their data. Are there clear processes in place to handle such requests? Are users informed about these processes? Are they aligned with legal and regulatory requirements?
- Has a Data Protection Impact Assessment (DPIA) been conducted? If data processing poses a high risk to users' rights, a comprehensive DPIA may be necessary—or even legally required. A DPIA helps organizations identify and mitigate data processing risks. The following resources provide guidance and templates for conducting DPIAs:
  - UK Information Commissioner's Office (ICO) DPIA Guidance: ico.org.uk
  - CNIL DPIA Templates and Methodology: bbmri-eric.eu
  - Guía para la elaboración de evaluaciones de impacto a la privacidad (Mexico): home.inai.org.mx
  - CPRA DPIA Guidance: old.captaincompliance.com
  - GDPR.eu DPIA Template: gdpr.eu
- Are there response plans for security incidents? What procedures are in place to detect, report, and mitigate personal data breaches? These procedures are crucial for addressing incidents and ensuring the privacy team is informed. Additionally, privacy should be part of the notification chain to ensure compliance with breach notification obligations.
Answering these questions may lead to more questions, which is expected. These questions provide a starting point for privacy managers to assess risks, determine necessary actions, and initiate discussions to ensure user data security and privacy. In an era where privacy is increasingly valuable, anticipating risks and adopting best practices not only ensures compliance but also fosters greater user trust.