Processing Sensitive Data

When processing sensitive data is desired, the confidentiality, integrity and availability of that data must be maintained at all times. Before collecting the data, there has to be a specified purpose for processing it within an agreed amount of time. Undefined purposes are not acceptable. Processing the data is limited only to the specified purpose and excludes processes that don’t fit, which in turn retains data minimisation. Also that data must not be stored outside the agreed time limit. During the processing stage, transparency and lawfulness must be applied so that the owners of the data are kept aware of that process. In addition, technological measures must be made to protect the data from theft, corruption and loss.

https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/principles-gdpr/what-data-can-we-process-and-under-which-conditions_en