There are seven key GDPR principles:
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimisation.
- Accuracy.
- Storage limitation.
- Integrity and confidentiality (security).
- Accountability.
Lawfulness, fairness and transparency
The first principle of GDPR requires that the data controller provide the data subject with information about his/her personal data processing in a concise, transparent and intelligible manner, which is easily accessible, distinct from other undertakings between the controller and the data subject, using clear and plain language.
Transparency is achieved by keeping the individual informed and this should be done before data is collected and where any subsequent changes are made. It is important to remember that data is not always collected directly from individuals but may be derived from elsewhere, observed by tracking or inferred using algorithms.
GDPR has a mandatory list of the information which must be given to individuals where data is obtained directly from them but also where it is obtained indirectly.
How you let individuals know about what you are doing will depend both on the method of communication and on the target audience.
Purpose limitation
Processing personal data is only allowed if and to the extent that it is compliant with the original purpose for which data was collected.
Processing “for another purpose” requires further legal permission or consent. The only exception to this requirement is where the “other purpose” is “compatible” with the original purpose.
Indications for this will be any link with the original purpose, the context in which the personal data has been collected, the nature of the personal data, the possible consequences of the intended further processing for data subjects or the existence of appropriate safeguards.
Data minimisation
Data controllers should ensure that only personal data which is necessary for each specific purpose is processed (in terms of the amount of personal data collected, the extent of the processing, the period of storage and accessibility). Under GDPR, data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed“. This links back to the purpose limitation. Controllers need to make sure that they collect enough data to achieve their purpose but not more than needed. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed. If the data is not needed, don’t collect it!
Accuracy
Personal data must be accurate and kept up to date. Inaccurate or outdated data should be deleted or amended, and data controllers are required to take “every reasonable step” to comply with this principle.
Storage limitation
Once you no longer need personal data for the purpose for which it was collected, you should delete it unless you have other grounds for retaining it. This means there should be a regular review process in place with methodical cleansing of databases
Integrity and confidentiality
Under GDPR, personal data must be protected against unauthorised access using appropriate organisational and technical measures. This goes to the heart of protecting the privacy of individuals. Data controllers and processors need to assess risk, implement appropriate security for the data concerned and, crucially, check on a regular basis that it is up to date and working effectively. There are strict breach reporting provisions in the GDPR. High profile data breaches can cause significant embarrassment and expense for businesses.
Accountability
Data controllers must be able to demonstrate compliance with the other principles.
It is not enough just to comply; you must be seen to be complying. The range of processes that organisations must put in place to demonstrate compliance will vary depending on the complexity of the processing but may include:
- assessing current practice and developing a data privacy governance structure which may include appointing a Data Protection Officer;
- creating a personal data inventory;
- implementing appropriate privacy notices;
- obtaining appropriate consents;
- using appropriate organisation and technical measures to ensure compliance with the data protection principles;
- using Privacy Impact Assessments; and
- creating a breach reporting mechanism.