What is the difference between personal information and personal data? None! In both cases, it is any data relating to an identified or identifiable natural person.

There are three main categories:

• Directly identifying data: first and last name, photo, personal e-mail, etc.
• Indirectly identifying data: SIN number, fingerprint, etc.
• The cross-checking of anonymous information: the eldest son of the notary living at 11 Avenue Raspail in Montreal, etc.
• This data must be protected, and procedures must be in place to demonstrate compliance.

What is it for?
The Record of Processing Activities inventories and provides an accurate picture of the data that is used in the company. It is also known as Inventory of Personal Data. This record or inventory is one of the primary documents to demonstrate compliance with data protection regulations. It allows you to ensure that the rights and freedoms of the persons concerned are respected by asking the right questions: is this data useful for this specific processing activity? What are the retention periods to be set up? Who is responsible for collecting and using it? Under which legal basis are these data collected?

People whose data is used in data processing activities have the right to keep control of their information. Therefore, people can ask organizations which data they hold about them and, in some cases, its deletion. Consequently, organizations need to put in place internal procedures to know where the information is stored and how to respond to the individuals concerned.

All companies that use personal data must have measures in place to prevent data breaches. A data breach is a security incident that compromises the integrity, confidentiality, or availability of personal data. In some cases, the competent data protection authority or the data subjects themselves should be promptly notified (sometimes within 72 hours) to warn them of eventual attacks.