Processing

Handling personal data appropriately throughout its life-cycle.

C1Security, Access Rights, and Risk Management: Establish, identify, and communicate security criteria, access rights controls (based on life-cycle state) and risk criteria for personal data.
C2Personal Data Acquisition and Purpose: Develop and implement approaches to obtaining data subjects' consent, giving fair notice, acquiring personal data, and processing personal data fairly.
C3Compatibility, Adequacy, and Accuracy: Ensure that personal data is used and disclosed only for the purposes for which it was acquired. Monitor the quality of personal data held, and remedy any quality issues. (The quality standard for personal data is essentially set by the data subject — that is, the data owner. The custodian sets standards and guidelines to help meet the data subject's standards.)
C4Information Life-Cycles: Provide input to information life-cycle planning to identify, acquire, process, preserve, and/or destroy personal data to meet business, regulatory, and legal requirements, including those identified in privacy impact assessments.
C5Retention and Destruction: Develop and implement controls to verify that personal data is not retained beyond the time specified in retention policies. Destroy data media (all forms — paper, digital, etc.) at the end of the data's life-cycle and ensure that obsolete (or deleted) personal data is not inappropriately restored.