To summarize what is important in the process, however, you need to be able to answer the following questions for each platform:
- What data is collected?
- Is any of the data collected considered PII or Personal Data?
- If so, what is the legal basis for collecting and processing that data? Are the proper technical and process protections in place to ensure security?
- How is the data used? And what is the effect on the user? Is this allowed under the regulations in place?
- How long is the data stored and is this compliant?
- Are all of the platforms collecting data (and the specific data collected, how it’s used, etc.) properly reflected in the Privacy Notice on the site?

Using the inventory from the first step, the granular data outputs from the second step, and some conversations with the business owners for each platform, you should be able to answer the above questions and document the answers.