The GDPR is underpinned by a number of data protection principles that drive compliance. These principles outline the obligations that organisations must adhere to when they collect, process and store an individual’s personal data.
While the data protection principles are similar to those found in the previous Data Protection Directive (DPD), they are more detailed to ensure greater levels of compliance and to take into account advancements in technology.
The seven principles provide organisations with a guide on how they can best manage their personal data and achieve compliance with the GDPR.
Failure to comply with the principles may leave your organisation open to substantial fines. The GDPR states that infringements of the basic principles for processing personal data are subject to the highest tier of fines. This could mean a fine of up to 4% of your annual turnover or 20 million euros, whichever is greater.
The seven data protection principles that you must comply with when processing personal data are as follows:
1. Lawfulness, fairness and transparency
The first principle is possibly the most important and emphasises total transparency for all EU data subjects. When data is collected, organisations must be clear about why it’s being collected and how it’s going to be used. If a data subject requests further information regarding the processing of their data, then organisations are duty bound to provide this in a timely manner. The collection, processing and disclosure of data must all be done in accordance with the law.
2. Purpose limitation
Organisations must have a specific and legitimate reason for collecting and processing personal information. The data can only be used for the designated purpose and must not be processed for any other use, unless the data subject has provided their explicit consent. There is a bit more flexibility with processing that’s conducted for archiving purposes in the public interest or for scientific, historical or statistical purposes.
3. Data minimisation
Under the GDPR, data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” This means that organisations should only store the minimum amount of data required for their purpose. Organisations can’t just collect personal data on the off-chance that it might be useful in the future. If they are holding more data than is necessary, it’s likely to be unlawful.
4. Accuracy
Personal data must be accurate, fit for purpose and up to date. This means that organisations should regularly review information held about individuals and delete or amend inaccurate information accordingly. Individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days. This streamlining of information will help improve compliance and ensure business databases are accurate and up to date.
5. Storage limitation
Once you no longer need personal data for the purpose for which it was collected, it should be deleted or destroyed unless there are other grounds for retaining it. The GDPR does not state how long you should keep personal data. It’s up to your organisation to determine this, based on the purposes for processing. To ensure compliance, organisations should have a review process in place to deal with the cleansing of databases. Although the general rule is that you can’t hold on to personal data for future usage, there are exceptions for archiving, research or statistical purposes.
6. Integrity and confidentiality
This principle deals exclusively with security. Your organisation must ensure that all the appropriate measures are in place to secure the personal data you hold. This could be protection from internal threats such as unauthorised use, accidental loss or damage, as well as external threats such as phishing, malware or theft. Poor information security could jeopardise your systems and services as well as causing distress to individuals. There’s no ‘one size fits all’ approach, but the GDPR states that organisations should have the appropriate levels of security in place to address the risks presented by their processing.
7. Accountability
The final principle, and a new principle under the GDPR, states that organisations must take responsibility for the data they hold and demonstrate compliance with the other principles. This means that organisations must be able to evidence the steps they have taken to demonstrate compliance. This could include:
- Evaluating current practices
- Appointing a Data Protection Officer
- Creating a personal data inventory
- Obtaining appropriate consent
- Carrying out Data Protection Impact Assessments
Adhering to these guiding principles during design, implementation and operations will help to ensure that organisations are in compliance with the GDPR.