On November 15, 2024, the Data State Inspectorate (DVI) issued guidance on the life cycle of data processing from acquisition to deletion.

The DVI explained that it is crucial to ensure compliance with personal data protection principles, especially when acquiring and processing personal data. The DVI introduced the Certified Information Systems Security Professionals (CISSP) approach, which divides the data processing life cycle into five distinct phases. The data life cycle model serves as a framework for assessing the legality of data processing and identifying necessary security measures throughout each phase.

First phase

The first phase of the data life cycle is data acquisition, where personal data is collected directly from clients, through external databases, or created internally by the company. Consent from clients is essential for the processing of their data, particularly for purposes like sending newsletters. Furthermore, the DVI noted that the procedures for collecting email addresses must be strictly followed, ensuring that data is securely handled and stored until it can be entered into a database.

Second phase

The second phase involves data distribution, where collected data is transferred into a centralized database. The DVI emphasized that this process must be monitored closely to prevent distortions and maintain the integrity of the data.

Third phase

The third phase is the data utilization stage, where access to information should be restricted to authorized personnel who prepare and disseminate updates to clients. The DVI highlighted that it is essential to ensure that individuals who consent to communication are informed about how to opt out, and regular monitoring of the database is conducted to ensure that customers receive the intended updates and to identify any unauthorized access.

Fourth phase

The fourth phase is maintenance, where the accuracy and legality of the data are assessed continuously. This includes monitoring for undeliverable email responses, tracking refusals for further communication, and addressing any customer inquiries about their data. The DVI stressed that companies must also be vigilant about the legal basis for data processing, identifying when data becomes outdated or irrelevant. Thus, by maintaining an effective monitoring system, companies can respond promptly to changes in the legal framework or customer preferences.

Fifth phase

The fifth phase is data deletion, where when data can no longer be classified as personal, it must be securely deleted or anonymized. This process requires establishing criteria for data retention and ensuring that deletions are irreversible, preventing any potential recovery of the information. The DVI mentioned that for non-digital data, simply discarding it is inadequate; it must be properly destroyed to safeguard against unauthorized access.

The DVI concluded that conducting thorough analyses throughout the data lifecycle helps identify weaknesses in data handling practices and improves overall data security.

You can read the press release, only available in Latvian, here.