The EU General Data Protection Regulation (GDPR) sets out six data protection principles that organisations must follow when collecting, processing and storing individuals’ personal data. The data controller is responsible for complying with the principles and must be able to demonstrate that compliance (the accountability requirement in Article 5(2)).
We’ve listed the six principles here with advice on how you can follow them.
Lawfulness, fairness and transparency
The first principle is relatively self-evident: organisations need a lawful basis for each processing activity (Article 6 lists six, including consent, performance of a contract and legitimate interests), must process data in ways individuals would reasonably expect, and must not hide from data subjects what they are doing with their data.
Purpose limitation
Organisations should collect personal data only for specified, explicit and legitimate purposes, clearly state what those purposes are, and not further process the data in a way that is incompatible with them.
Further processing for archiving purposes in the public interest, or for scientific or historical research or statistical purposes, is not considered incompatible with the original purpose, provided the safeguards in Article 89 are in place.
Data minimisation
Personal data must be adequate, relevant and limited to what is necessary for the stated processing purpose. This has two major security benefits. First, in the event of a data breach, any unauthorised party who accesses the information will only see a limited amount of data. Second, data minimisation makes it easier to keep information accurate and up to date, because there is less of it to maintain.
Accuracy
The accuracy of personal data is integral to data protection. The GDPR states that personal data must be accurate and, where necessary, kept up to date, and that “every reasonable step must be taken” to erase or rectify data that is inaccurate or incomplete.
Individuals have the right to have inaccurate data rectified and incomplete data completed (Article 16). The controller must act without undue delay and in any event within one month of receiving the request; this can be extended by two further months where requests are complex or numerous (Article 12(3)).
Storage limitation
Similarly, organisations must not keep personal data in a form that identifies individuals for longer than is necessary for the purpose for which it was originally collected. Deleting the data is one way to comply; fully anonymising it so that it no longer identifies anyone is another.
How do you know when information is no longer necessary? Marketing company Epsilon Abacus says that organisations might argue that they “should be allowed to store the data for as long as the individual can be considered a customer. So the question really is: For how long after completing a purchase can the individual be considered a customer?”
The answer to this will vary between industries and the reasons that data was collected. Any organisation that is uncertain how long it should keep personal data should consult a legal professional. Whatever period is chosen, record it in a retention schedule and enforce it automatically rather than relying on manual clean-up.
Integrity and confidentiality
This is the only principle that deals explicitly with security. The GDPR states that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
The GDPR is deliberately non-prescriptive about which measures organisations should take, because technological and organisational best practices are constantly changing. Article 32 does, however, name pseudonymisation and encryption as examples, and also requires the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, to restore availability and access after an incident, and to regularly test the effectiveness of the measures. Currently, organisations should encrypt and/or pseudonymise personal data wherever possible, while bearing in mind two caveats: encryption only helps if the keys are kept apart from the data, and pseudonymised data is still personal data under the GDPR (Recital 26), because the organisation can still re-identify individuals.
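The following is an added illustration of the pseudonymisation point, written for this page rather than taken from the GDPR text or from any vendor’s product. It contrasts an unkeyed hash of an e-mail address, which an attacker can reverse by simply guessing plausible addresses, with an HMAC-based pseudonym whose key (and the token-to-identity lookup table) is held separately from the dataset. The sample records and candidate address list are constructed for the example; the function names are our own.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records; these are not real people.
RECORDS = [
    {"email": "alice@example.com", "order_total": 42.50},
    {"email": "bob@example.com", "order_total": 19.99},
    {"email": "Alice@Example.com", "order_total": 7.00},  # same person, different case
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Looks opaque, but anyone can recompute it for guessed inputs, so a
    dictionary of likely e-mail addresses reverses it in seconds.
    """
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalised identifier under a secret key.

    Without the key an attacker cannot test guesses against the token.
    The key must live outside the dataset (e.g. an HSM or secrets manager).
    """
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Replace the direct identifier with a keyed token, keeping analytic fields.

    Returns the pseudonymised dataset and a separate token -> identity lookup.
    Holding that lookup is what makes this pseudonymisation rather than
    anonymisation: the controller can still re-identify each subject.
    """
    pseudonymised = []
    lookup: Dict[str, str] = {}
    for rec in records:
        token = keyed_pseudonym(rec["email"], key)
        lookup[token] = rec["email"].strip().lower()
        pseudonymised.append({"subject": token, "order_total": rec["order_total"]})
    return pseudonymised, lookup


def dictionary_attack(target: str, candidates: List[str], key: Optional[bytes] = None) -> Optional[str]:
    """Try to re-identify a token by recomputing it for guessed identifiers.

    With key=None this models an outsider who only knows the hash function;
    with the real key it models an insider who has access to the secret.
    """
    for cand in candidates:
        guess = naive_pseudonym(cand) if key is None else keyed_pseudonym(cand, key)
        if hmac.compare_digest(guess, target):
            return cand
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # hypothetical key; in practice fetched from a KMS
    data, lookup = pseudonymise(RECORDS, key)
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]
    print("outsider vs naive hash :", dictionary_attack(naive_pseudonym("alice@example.com"), guesses))
    print("outsider vs keyed token:", dictionary_attack(data[0]["subject"], guesses))
    print("insider vs keyed token :", dictionary_attack(data[0]["subject"], guesses, key))
```

Because the HMAC is deterministic under one key, the two Alice records receive the same token, so analytics can still group a subject’s orders; rotating the key for a different dataset yields unrelated tokens, which prevents linking across datasets. Note that the insider run succeeds: whoever holds the key can re-identify subjects, which is exactly why the GDPR still treats the output as personal data.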
These six principles provide an overview of the areas covered in the GDPR, but they are far from comprehensive. The rest of the Regulation goes into much more detail on the specific practices that organisations should undertake to make sure they remain compliant.
Those who want to learn more about the GDPR should consider enrolling on our Certified GDPR Foundation Training Course.
This one-day course is the perfect introduction to the GDPR and the requirements you need to meet. It’s delivered by an experienced data protection practitioner, and is suitable for directors or managers who want to understand how the GDPR affects their organisation, employees who are responsible for GDPR compliance and those with a basic knowledge of data protection who want to develop their career.