At the heart of the GDPR legislation lie the 7 fundamental principles. These guiding tenets underpin all aspects of the GDPR. But what are they, and how do they affect your business's GDPR compliance status?
In this blog we’re going to look at each of the 7 principles in turn and provide practical examples of how they are applied in a day-to-day setting.
1) Lawfulness, Fairness, and Transparency
Organisations must ensure that their data processing is lawful, fair and transparent.
- Lawful – Ensure that data processing meets the criteria outlined in the GDPR, i.e. the lawful basis for processing is one of the following: Consent; Contract; Legal Obligation; Vital Interest; Public Task; Legitimate Interest.
- Fair – Data processing matches the description given to the Data Subject and the data is used only for the purposes and time period indicated.
- Transparent – Clearly inform the Data Subject about the nature of the data processing, e.g. what you are going to do with the data, who has access to it, etc.
In reality: The GDPR’s ‘Right to be informed’ and its requirement to present an accurate privacy notice are this principle in action.
2) Purpose Limitation
Any data processed about a Data Subject (whether directly or indirectly) must be processed for a legitimate, legal reason. An organisation cannot state that it is processing data for one reason and then use it for another without first informing the Data Subject.
In reality: This principle is one of the most commonly cited in data privacy complaints. Businesses cannot use data subjects’ personal data for multiple purposes without the data subject being informed at the point of data collection. E.g. if you have told your customers that you will only use their email address to send them updates on their order, you cannot then use that data to send them marketing emails without first informing them.
3) Data Minimisation
An organisation only collects the minimum amount of data required for the intended purpose.
In reality: Similar to the previous principle, data minimisation is another principle frequently alleged to have been violated in data privacy complaints. This principle requires you and your business to evaluate what types of data you are processing and whether all of these types are strictly necessary. For example, if your business is an online retailer, there is likely no justifiable reason for you to collect special category data (such as ethnicity or medical data).
4) Accuracy
It is the organisation’s responsibility to ensure that the personal data it processes is accurate and kept up to date.
In reality: You must offer your data subjects the ability to rectify information they have provided to your business. This is reflected in the GDPR ‘Right to rectification’.
5) Storage Limitation
Personal data may only be held by an organisation for as long as the intended legitimate purpose requires it to be held. Afterwards, this data should be deleted.
In reality: The storage limitation principle requires your business to set retention periods for the personal data you are storing. There may be instances where this period is explicitly defined and legally required – such as businesses holding on to former employee information for 6 years. However, in other instances it will be up to your organisation to decide what your retention period is. Where you cannot specify an exact time frame, you should provide the criteria for when this decision will be made (e.g. 1 year after last contact from the client). This information should be included in your privacy notice.
6) Integrity and Confidentiality
At all stages of personal data processing, you, as an organisation, must ensure that the data is held securely, using suitable, up-to-date security measures. For most modern data processing, this means that your company must use suitable, up-to-date cyber security measures.
In reality: This principle requires your business to use appropriate security measures to protect any and all personal data being processed. These include both IT security and physical security measures. This is reflected in GDPR documentation through a Technical and Organisational Measures (TOMs) document.
7) Accountability
The Data Controller is legally accountable for upholding the previous 6 GDPR principles and must be able to demonstrate compliance.
In reality: The accountability principle ensures that your organisation is able to demonstrate its compliance through activities and documentation, some of which we have mentioned in this article. This also means appointing a privacy manager or Data Protection Officer (DPO).
The 7 fundamental principles are the foundation of the GDPR. Tacita recommends that any employees who handle personal data are trained on these principles. For more information, check out the UK Information Commissioner’s Office (ICO) website here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/