Protection of records

The dataset owners (or the owners of the related information asset, such as a data store or data system) are responsible for the classifications of the datasets and the correspondence of the classification to the definitions of the classes.

The owner updates the data classification over the life cycle of the asset according to variations in its value, sensitivity, and criticality.

Limiting the retention time is one of the principles of the processing of personal data. If the retention period of the data is not provided by law, when determining the retention periods, the following must be taken into account, for example:

• the necessity of the data for its original processing purpose
• implementation and verification of the interests, rights, obligations and legal protection of a natural or legal person
• the legal effect of the contract or other legal action in civil matters
• statutory limitation periods
• criminal limitation periods

Describe your own process for evaluating retention periods.

An owner is assigned to each data set. The owner is responsible for the life cycle of the information asset and is responsible for performing the management tasks related to that asset.

The owner's duties include e.g.:

• ensuring the documentation of asset
• ensuring appropriate protection of asset
• regularly reviewing access rights
• ensuring proper handling of information, also on disposal

The owner can delegate some of the tasks, but the responsibility remains with the owner.

Data Loss Prevention (DLP) policies can be used to protect sensitive data from accidental or intentional disclosure. Policies can alert, for example, when they detect sensitive data (such as personal identification numbers or credit card numbers) in email or another data system to which they would not belong.

The organization defines DLP policies related to endpoints in a risk-based manner, taking into account the data classification of the processed data.