The principles of the General Data Protection Regulation underpin the entire document and are essential when it comes to ensuring your business or organisation is compliant with data protection laws. When the new legislation was brought in these principles were made more detailed in order to ensure higher levels of compliance and understanding, and they should be at the heart of every data protection policy.
The GDPR is the primary piece of legislation that shapes digital privacy policies in the European Union. It is a set of rules which were implemented in order to give citizens more control over their personal data and how organisations use it and was brought in to reflect the increasingly digitised world that we live in today.
Even though the UK has now left the EU, the GDPR regulation requirements were incorporated into the Data Protection Act 2018, and therefore UK businesses still need to comply with every principle outlined in this article.
The data protection regulations brought in by GDPR meant that many organisations had to change their privacy policies and review the way that they collected and stored their customer’s personal data. Failure to comply with GDPR can have very serious consequences, and even now many organisations and individuals still don’t understand all the requirements of the regulations.
In relation to GDPR, personal data is described as any information that could be used to potentially identify a person. This includes obvious data like name, address and birthday, but also applies to descriptive data such as physical, genetic, cultural and social aspects of someone’s identity.
There are eleven chapters and ninety-nine articles in the official GDPR document that go into detail about the different requirements of the legislation and what businesses must do in order to comply. However, the backbone of the regulations is based on seven key principles which are outlined in Article 5 of the text and described in detail below.
The first principle of GDPR states that personal data must be ‘processed lawfully, fairly and in a transparent manner in relation to individuals’. It is perhaps the most important of all the GDPR principles as it clearly states what must be considered when processing any kind of personal data.
‘Lawfulness’ means that there should be an appropriate legal basis for companies needing to collect personal data in the first place, and also that any illegal activity must be avoided whilst you are processing this data. There are six different lawful reasons for processing personal data that are outlined in GDPR:
‘Fairness’ means that personal data should be processed in a way that is expected of you. This can usually be determined by the nature of your business and how necessary it is for you to collect the personal data of individuals. It also means that you cannot process or misuse the personal data you have gathered to harm any of the data subjects or lead to negative consequences.
If any data is collected, stored or processed in a way that deceives or misleads the subject, you are breaching the ‘fairness’ principle of GDPR.
‘Transparency’ is a key part of GDPR and requires that you are always clear and honest about what you plan to do with the personal data you collect. This principle is what guides the creation of company privacy policies, which let data subjects exercise their rights under GDPR and take control of their data if they wish. It also means that every business must provide an individual with more information about their data handling policy if it is requested.
Exercising transparency with data collection and processing means that your company must notify every data subject about the information you wish to gather, how you collected that information and what you are going to do with it. Many companies find that the more transparent they are with their data collection, the better relationships they build with their customers.
The second principle of data protection is that personal data should be ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.’
This principle links to the previous point about transparency and requires companies to be clear from the beginning about what they plan to do with the personal data they collect and the intention behind gathering it in the first place. Once you have stated what you plan to use personal data for, you cannot do anything else with it unless the data subject has given consent later down the line.
This GDPR principle states that the collected personal data must be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.’ This essentially means that companies should only ever store the minimum amount of data that is required to fulfil a purpose or provide a service.
Companies are required to calculate the minimum amount of personal data that is needed for their procedures or services before creating a data policy and asking customers for their information. For example, if an individual is registering for a series of email resources then you only need to collect their email address.
The accuracy GDPR principle states that all personal data collected must be ‘accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.’ It means that as the controller of personal data, it is your responsibility to ensure that your customer data is up to date and accurate.
This principle was put in place so that businesses cannot hold onto old or irrelevant customer data. It also means that customers have the ‘right to rectification’ and can request that any personal data that is no longer relevant is erased from a company database.
This principle of the data protection act also affects the internal processes or organisations, as it requires that periodic checks take place to ensure that customer data is up to date. The frequency of these checks will differ between companies but are necessary no matter what industry you belong to or what kind of data you are collecting.
Whilst it may seem like a hassle, frequently updating your databases and clearing out old data is a very useful task, as it means that space isn’t being wasted and gives you a clearer picture of what kind of data your company regularly processes and collects.
The fifth GDPR principle ensures that data must be ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.’
It is similar to the accuracy principle in that it minimises the amount of personal data that a company can store by preventing data from being kept for longer than it is needed. Once data has been used in the ways that you initially outlined, it must be deleted unless there are any new reasons for continuing to store it.
Every piece of personal data that has been collected will need a justification for continued storage. GDPR doesn’t give any guidance on how long you should store personal data, so it can be useful to set up retention and deletion schedules for different kinds of data to help you comply with this principle. It may also be helpful to determine a review process for old data that helps you decide whether it may still be needed in the future or whether it should be deleted.
This principle of GDPR states that personal data should be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’ This is also often referred to as the ‘security principle’.
‘Integrity and Confidentiality’ involves implementing security measures that mean the personal data you store is safe. These measures should prevent internal risks such as damage or loss of data as well as unauthorised use, along with external cybersecurity risks like phishing or software breaches.
The security of digital data is one of the most important parts of GDPR, as cybercrime is on the rise and customers are now more concerned with the security measures that companies take to protect their personal data. The nature of the data you collect will determine how much security is needed, but all businesses are expected to have several internal and external measures in place.
Finally, the last of the data protection principles means that it is the responsibility of the company or data controller to ensure compliance with all of the GDPR principles. Accountability involves recording all the steps that are taken as part of compliance, which could include keeping records of data policies, appointing a GDPR officer or documenting customer consent.
By complying with the accountability principle, you take responsibility for following the necessary procedures and face serious consequences if you are found to be in breach of any aspect of GDPR.
GDPR stands for General Data Protection Regulation, which is a piece of European Union legislation affecting how personal data is stored and used. It replaced a previous piece of legislation known as the Data Protection Directive.
The GDPR legislation applies to all organisations that operate inside of the European Union, along with any organisations outside of the EU which provide services or goods to companies or customers inside it. Whilst the UK is no longer a part of the European Union, the basis of GDPR has been incorporated into UK data protection laws so that there is very little difference between the two.
The new GDPR framework came into effect in May 2018, replacing the previous directive which had been in place since 1995. It took four years of negotiations and preparations for the legislation to be approved and implemented, providing all affected organisations with plenty of time to comply.
To summarise, the seven key principles of GDPR are:
For more information on the General Data Protection Regulation and how best to ensure your company is compliant, we offer ‘The Essentials of Data Protection’ as an online training course that covers everything you need to know.