Establish approaches to obtain data subject consent, provide fair notice, and manage the acquisition and lawful, fair, and transparent processing of personal data for explicit and legitimate purposes.
Ensure that personal data is only used and disclosed in line with the purposes for which it was acquired, and that the data held is adequate, relevant, and limited to what is necessary to meet those purposes. Monitor the quality of personal data held and remedy any data quality issues.
Provide input to information life cycle planning to identify, acquire, process, store, and/or destroy personal data in line with business, regulatory, and legal requirements and risks. Conduct privacy impact assessments at the planning stage of new or large change projects, and consider the potential damage or harm to both the data subject and the organization in whose custody the information has been placed.
Develop and implement controls to verify that personal data is not retained beyond the time specified in data retention policies. Destroy data media (all forms — paper, digital, DNA encoded etc.) at the end of the data's life cycle and ensure that obsolete (or deleted) personal data is not inappropriately restored.