The GDPR sets out seven key principles that govern the processing of personal data. Compliance with these principles is essential for good data protection practices and protects your business from substantial fines for non-compliance.
These principles are the foundation of GDPR and most of the new data protection legislation adopted by other countries since May 2018. If you look at new data protection laws and compare them to the GDPR principles you will see the same set of guiding principles running through them.
Without the principles of GDPR, there would be nothing to build the law on. It would be like building a wall without a solid foundation, all it would take is a stiff breeze and it would fall over.
Why are the principles of GDPR important?
If you look at the principles as Rules. They set out the do and don’t of the data protection laws. They tell data controllers and data processors what they can and cannot do with data subjects’ information.
For processing personal data organisations must know what they are allowed to do or it would be anarchy. A data subject rights would fall away, like the wall without a foundation, the rights would be meaningless.
Everything about the data protection laws relies on the principles and the principles being complied with. They are a vital element of the data protection law, without them the law would be useless.
All previous data protection laws had six principles, the GDPR brought in seven principles, with the seventh principle giving the law teeth as far as regulation and enforcement is concerned.
This principle stopped the data protection compliance from being a book of dusty policies on a shelf and a couple of ‘buzz’ words thrown across the office now and again.
It put a legal obligation on data controllers to demonstrate compliance and be accountable, imagine that!
The 7 principles of GDPR compliance
Let’s take a look at the seven principles of data protection and the use of personal data to see how they affect a business, protect a business and protect the data subjects’ rights.
You will start to understand how important they are to the data protection laws and to data processing in general.
1. Processing lawfully, fairly, and transparently
What is meant by lawfulness in relation to the GDPR?
In order to satisfy the lawfulness aspect of this principle, you must identify grounds for the processing of any personal data. There is 6 lawful basis for processing personal data and at least one of these must be met when processing personal data.
- Consent: you have been given consent by the individual to process their personal data.
- Contract: there is a contract in place with the individual and processing their personal data is necessary to fulfil this contract, or you have been instructed by the individual to process their data prior to entering into the contract.
- Legal obligation: you must process the information in order to comply with the law.
- Vital interests: you must process the personal data in order to protect an individual’s life who is in immediate danger.
- Public task: processing the personal data of an individual is necessary for performing a task in the public interest or for official functions of your organisation.
- Legitimate interests: the processing of personal data is required in the legitimate interests of your or a third party unless there is a reason to protect the individual’s rights, which overrides these interests.
Fairness in relation to the GDPR means that you should only be processing and handling personal data in ways that the individual would expect. There should be no negative effects on the individual through your processing of their personal data.
Another aspect of fairness is the way in which the information has been obtained from the individual. You must ensure that the individual is aware of why and how their personal data is being collected.
What is meant by transparency in GDPR?
To comply with the lawfulness, fairness and transparency principle you must:
- identify a lawful reason for processing
- identify a condition for processing special category data
- only use the personal data for the purpose it was collected
- consider how the processing of personal data will impact the people whose data it is and be able to justify it if there is any negative impact on them
- process personal data in expected ways or be able to explain why you are processing it for other reasons
2. Purpose Limitation
According to the GDPR “Personal data shall be:
“collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);”Article 5.1(b) GDPR
What this means is that you must be clear about why you collect personal data, how you use it and if you use the personal data for another reason than originally specified, that it”s use is fair, lawful and transparent.
To ensure you are complying with the purpose limitation principle you will need to:
- identify the purpose of processing
- document the purpose
- ensure that any personal data you plan to use for a new purpose is either compatible with the original purpose or make sure you get consent for the new purpose.
3. Data Minimisation
According to this principle, “personal data shall be”:
“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);”Article 5.1(c)
This means that you must collect the least amount of personal data to fulfil the purpose it is intended for. Holding more data than is required is unlawful and a breach of the data minimisation principle.
To make sure you are complying with the data minimisation principle you will need to:
- collect personal data only when it is needed for a specific purpose
- have only enough personal data to fulfil the purpose
- review the data from time to time and delete any unnecessary data
The accuracy principle states that “personal data shall be”:
“accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);”Article 5.1.(d) GDPR
The accuracy principle requires that you ensure the accuracy of any personal data you collect (within reason) and that this data remains valid and fit for purpose.
In order to comply with the accuracy principle you will need to:
- ensure the accuracy of any personal data collected
- update the data as required
- keep records of any mistakes
- comply with the right to rectification
5. Storage Limitation
According to the storage limitation principle “personal data shall be”:
“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);”Article 5.1.(e) GDPR
This means that you cannot hold data for longer than is required and you must be able to justify the reason for storing the data.
Personal data may be held for longer periods of time if you are keeping it for one of these reasons:
- public interest archiving
- scientific or historical research
- statistical purposes.
In order to comply with the storage limitation principle, you will need to ensure that you:
- know what personal data you hold
- know why you hold this data
- be able to justify the length of time you retain personal data
- erase or make anonymous any personal data that is no longer required
- have a process in place for requests to have personal data erased
6. Integrity and Confidentiality (security)
The Integrity and Confidentiality Principle is also known as the Security Principle.
According to this principle, “personal data shall be”:
“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”Article 5.1.(f) GDPR
To ensure you are complying with the Integrity and Confidentiality Principle you need to:
- determine the level of security that is required. This will depend on the type and amount of personal information being processed
- you have a security policy and ensure that you follow it
- have basic technical controls in place to reduce cyber attacks
- use encryption when appropriate
- understand the confidentiality, integrity and availability of the personal data you collect and process
- ensure there is an appropriate backup process in place in the event that personal data is lost
- conduct regular reviews of the security measures in place to ensure their efficacy and make adjustments to your procedures as required
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”Article 5.2 GDPR
There are two key points in the accountability principle and these are that you must be responsible and comply with the GDPR and you are required to demonstrate how you comply.
To demonstrate your compliance you will need to:
- keep evidence of how you comply with the GDPR
- have a data protection policy in place if applicable
- use data protection by design approach- implementing the best data protection methods throughout your processing operations
- implement the appropriate security measures
- record and report any personal data breaches if they occur
- appoint a data protection officer if required
Without knowing and standing by the principles of the data protection laws, an organisation cannot comply with the requirements of the data protection laws, nor can they comply with the rights of the data subjects they either serve or employ.
An organisation like this has no place in modern society and should face the full force of the Supervisory Authority and enforcement of the GDPR.
If you need help understanding more about the principles of the data protection laws or want to know how well your organisation is doing, Propelfwd can conduct an audit of your current data protection compliance.
Our audit tool will examine 109 touchpoints and requirements of the data protection laws against what you have in place within your organisation to give you an accurate picture of any gaps you need to fill.
The team at Propelfwd who are experts in the data protection laws and requirements will help you to fill the identified gaps and move your organisation forward with confidence.