A version of this blog was originally published 31 January 2018.
The GDPR (General Data Protection Regulation) outlines six principles that organisations must follow when collecting, processing and storing individuals’ personal data. Data controllers are responsible for complying with those principles, and they must have documented proof of how the organisation is meeting them.
We’ve listed the six data protection principles here with advice on how you can follow them.
1. Lawfulness, fairness and transparency
The first principle is relatively straightforward: organisations need to make sure their data processing activities don’t break the law and that they aren’t hiding anything from data subjects.
In order to process data in line with the GDPR’s requirements, organisations need to ensure that they have a valid reason to collect data and that data subjects know what this is.
2. Purpose limitation
Organisations should only collect personal data for a specific purpose, clearly state what that purpose is, and only collect data for as long as necessary to complete that purpose.
Processing that’s done for archiving purposes in the public interest or for scientific, historical or statistical purposes is given more freedom.
3. Data minimisation
Organisations must only process the personal data that they need to achieve their processing purposes. Doing so has two major benefits. First, in the event of a data breach, the unauthorised individual will only have access to a limited amount of data. Second, data minimisation makes it easier to keep data accurate and up to date.
4. Accuracy
The accuracy of personal data is integral to data protection. The GDPR states that “every reasonable step must be taken” to erase or rectify data that is inaccurate or incomplete.
Individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days.
5. Storage limitation
Similarly, organisations need to delete personal data when it’s no longer necessary.
How do you know when information is no longer necessary? According to marketing company Epsilon Abacus, organisations might argue that they “should be allowed to store the data for as long as the individual can be considered a customer. So the question really is: For how long after completing a purchase can the individual be considered a customer?”
The answer to this will vary between industries and the reasons that data is collected. Any organisation that is uncertain how long it should keep personal data should consult a legal professional.
6. Integrity and confidentiality
This is the only principle that deals explicitly with security. The GDPR states that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
The GDPR is intentionally vague about what measures organisations should take, because technological and organisational best practices are constantly changing. Currently, organisations should encrypt and/or pseudonymise personal data wherever possible, but they should also consider whatever other options are suitable.
Blog post update 08.05.2019
There is a lot of confusion around the fundamental principles of the GDPR. One of the main queries relates to Article 5(2) – accountability. Although this is sometimes talked of as a 7th principle, or a pseudo-principle, in reality it is neither – it is a legal requirement applicable to all six principles.
Tomas Pinto, data protection and privacy consultant at IT Governance Europe, reflects on accountability and the part it plays in the General Data Protection Regulation.
The first paragraph of Article 5 of the GDPR lists the “principles relating to the processing of personal data”. These six principles govern the collection, processing and storage of personal data. Paragraph 2 sets out that controllers shall be responsible for, and able to demonstrate, compliance with the six previous principles. This second paragraph is about ‘accountability’, which does not govern the processing of personal data per se, but rather imposes on controllers an obligation to demonstrate that they are complying with the six principles set out in paragraph 1. Due to this interplay between the two paragraphs, the accountability paragraph is often heralded as a seventh principle or pseudo-principle that overarches the six principles relating to the actual processing of personal data.
Controllers and processors must comply with the six principles when collecting, processing and storing individuals’ personal data, and controllers must have documented proof of how the organisation is meeting them. These expressions sum up both paragraphs 1 and 2 of Article 5. As long as controllers observe and are able to demonstrate the first six principles, they will be complying with Article 5 of the GDPR.
Implementing the GDPR’s requirements
Any organisation looking for help meeting the GDPR’s data protection principles should take a look at our GDPR Starter bundle.
This package contains three essential resources that can help you implement the Regulation’s requirements, assess your compliance posture and document your practices.