A data controller cannot hope to be complaint with the DPA if it does not understand its own processing operations, a point that has the greatest resonance in large organizations where personal data is gathered from a variety of sources and is subjected to a variety of processing operations and for a variety of different purposes. Thus, the initial stages of a compliance strategy are always dominated by the following key questions:
What personal data are being processed?
Whose personal data are being processed?
Why are personal data being processed?
How are personal data being processed?
The first question causes the data controller to identify the categories of information being processed, which will ...