Data flow

GDPR is all about personal data. You must understand and document:

  • What data you collect

  • Where it’s collected

  • What happens to the data

  • Who has access

The way a data subject's personal information travels through your organisation is called data flow. Under the regulations, organisations are required to provide a detailed history of every step a piece of information takes within the organisation.

Note: Any personal data held on EU citizens must also be stored and held within the EU, or there must be an adequate level of data protection regulation that has been ratified by the EU. This includes both on-premises and cloud-based data, and hosted services.

When using cloud-based services, such as Apteco CloudStage, you should ideally select the most appropriate data centre within the EU when setting up systems or, if based outside the EU, ensure that the service provider has a certificate of GDPR compliance.

You must inform data subjects if you intend to move their data outside of the EU and provide details of how you have complied with the GDPR regulations regarding the move.