The GDPR identifies 7 fundamental principles that all data processing activities must abide by.
These principles form the foundation of the GDPR and it is crucial that all your processing activities abide by these principles.
One way to check that these principles are being upheld is through a Data Protection Impact Assessment (DPIA). This is a form of internal risk assessment into how personal data is managed within your organisation and your processing activities.
- Lawfulness, Fairness and Transparency – Organisations must ensure that their data processing is lawful, fair and transparent.
  - Lawful – Ensure that Data Processing meets the criteria outlined in the GDPR, e.g. the lawful basis for processing is one of the following: Consent; Contract; Legal Obligation; Vital Interest; Public Task; Legitimate Interest.
  - Fair – Data Processing matches the description given to the Data Subject, and the data is used only for the purposes and time period indicated.
  - Transparent – Clearly inform the Data Subject about the nature of the Data Processing, e.g. what you are going to do with the data and who has access to it.
- Purpose Limitation – Any data processed about a Data Subject (whether directly or indirectly) must be processed for a legitimate, legal reason. An organisation cannot state that it is processing data for one reason and then use it for another without first informing the Data Subject.
- Data Minimisation – An organisation only collects the minimum amount of data required for the intended purpose.
- Accuracy – It is the organisation's responsibility to ensure that the personal data which it processes is accurate and is kept up to date.
- Storage Limitation – Personal data may only be held by an organisation for as long as the intended legitimate purpose requires it to be held. Afterwards this data should be deleted.
- Integrity and Confidentiality – At all stages of personal data processing, you, as an organisation, must ensure that the data is held securely, using suitable, up-to-date security measures. For most modern data processing, this means that your company must use suitable, up-to-date cyber security measures.
- Accountability – The Data Controller is legally accountable for upholding the previous 6 GDPR principles and must be able to demonstrate compliance.