Deep in the midst of a global health pandemic a number of well-known brands in Europe, Asia, and the Americas have found themselves exposed to unwelcome publicity for alleged (or actual) poor privacy and data protection practices. Yet, for all the sensationalism behind the headlines and the resulting multi-million-Euro fines, these events continue to highlight that senior decision makers still have a poor grasp of the full reach of their privacy and data protection obligations and the risks associated with them as they apply to operational data management.

Data Protection Officers have long recognised the necessity for robust management across the entire data lifecycle, from cradle to grave. As we approach, in May, the third anniversary of the full application of the EU General Data Protection Regulation (GDPR), the formalisation of record keeping for processing activities under Article 30 and also Article 5(1)e obligations around data retention means that data lifecycle management should by now be an accepted and embedded best practice supported by data retention schedules, data classification standards and data destruction controls. Yet with data sets becoming more complex and increasingly challenging to manage - and secure – those with responsibility for running IT platforms and operations, often find themselves unwittingly influenced by managerial pressure to focus on the front-end ‘go-live’ aspects of IT projects at the expense of operational in-life considerations, including data compliance.