On what basis you obtained the data for processing
Some examples of legal basis are:
- Were you given explicit consent
- Do you need the data in order to fulfill a contractual obligation
- Do you have the data in order to ensure your legal compliance
Precisely what you will use it for
If an individual provides rights to process their data for a specific purpose. That's what it should be used for. If you are using some other legal basis for processing their data, ensure that if it is used for any other purpose, it too has a legal basis for doing so.
Who will have access to it
An individual has a right to privacy, and as such, only inidividuals who need access to the data for the purpose of processing it should do so. Allowing others access to the data who have no legititmate need could lead to data breaches and non-compliance.
How you will secure it
Without adequate controls and protection mechanisms, the data you hold may be breached. You will have to notify the supervisory authority within 72 hours, and the data subject should be notified without undue delay. Any breach could result in claims for damages, as well as any penalty imposed by the supervisory authority.
How long you will retain it for
Data should only be kept as long as you need it in, based on your legal basis for processing it.