Skip to content

Data flow

GDPR is all about personal data. You must understand and document:

  • What data you collect
  • Where it is collected
  • What happens to the data
  • Who has access

Data flow

How a data subject's personal information travels through your organisation is called data flow. Under GDPR, organisations are required to provide a detailed history of every step a piece of information makes within the organisation.

Note

Any personal data held on EU citizens must be stored and held within the EU, or there must be an adequate level of data protection regulation ratified by the EU. This applies to both on-premises and cloud-based data, and hosted services.

When using cloud-based services such as Apteco CloudStage, select the most appropriate data centre within the EU when setting up systems, or if based outside the EU, ensure the service provider has a certificate of GDPR compliance.

You must inform data subjects if you intend to move their data outside the EU and provide details of how you have complied with GDPR regulations regarding the move.