The 7 principles of GDPR
Back in 2018, after years of preparation, the long-planned data protection reforms came into effect across Europe. Referred to as the General Data Protection Regulation (GDPR), the reforms aimed to modernise the laws protecting individuals' personal information. Before then, the laws in place were already decades old, some dating back to the 1990s. The governments of Europe saw the need to modernise them because everything had changed: thanks to advances in technology, people were now sharing data heavily and routinely. They also wanted to guarantee greater protection and stronger rights for their citizens. Moreover, the reforms sought to alter, or control, the manner in which organisations handled the personal information of everyone who interacted with them. Any violations were to be met with heavy fines and even reputational damage. In this article, we want to tell you more about GDPR, specifically the 7 principles that guide its implementation. But first:
What exactly is GDPR?
GDPR can be described as the strongest and most reliable set of data protection rules in the world, put in place to strengthen people's access to and control over their personal information, and to limit what organisations can do with it. Basically, the regulation exists as a framework of laws that cuts across the entire continent and contains a total of 99 individual articles. EU member states were allowed to make a few changes of their own to the regulation so as to suit their country's needs.
Personal data sits at the heart of the GDPR. Essentially, by personal data we mean information that allows a living person to be identified, either directly or indirectly. We are referring to the individual's name, location or online username, or any other piece of information that may be categorised as personal. Also, under GDPR, sensitive personal data, such as racial or ethnic origin, political opinions, religion, trade union membership, sexual orientation, health information or biometric data, is specially safeguarded. As you can see, all of this is information that allows someone to be identified, and it is what the European Union wanted to safeguard from unauthorised access.
What are the 7 principles of GDPR?
At the core of GDPR are 7 crucial principles, which guide how personal data is to be handled. These principles act as an overarching framework designed to broadly lay out the purpose of GDPR. They are not new, though, as most of them existed under the previous laws. The principles are as follows:
- Lawfulness, fairness, and transparency principle
To understand this principle, you need to understand what each element means. In simple terms, the principle means that data processing needs to be based on law, stay within the confines of what you agreed with the individual, and be preceded by a clear notice before the processing happens. Here is what each element stands for:
Lawfulness – in the GDPR, two things are associated with lawfulness: one is selecting a proper lawful basis whenever you want to process data, and the other is avoiding illegal activities when processing it. The latter is pretty much self-explanatory. By lawful basis, we mean that you ought to identify specific grounds for the processing to take place, based on the purpose or on your relationship with the individual. When you process data under no lawful basis, that processing is deemed to have been done illegally and breaches this principle. There are six different lawful bases for processing data. They are as follows:
- Consent – the individual, who is the data subject, has given permission, or consent, to process the data.
- Contract – when the processing is done for the performance of a contract to which the data subject is a party, or as part of the steps taken when he or she is entering into one, that is also a lawful basis.
- Legal obligation – processing is lawful where it is necessary for compliance with a legal obligation to which the data controller is subject.
- Public task – processing is also allowed when the task being carried out is in the interest of the wider public.
- Protection of vital interests – protecting the vital interests of the data subject or any other natural person is also a lawful basis for processing data.
- Legitimate interest – legitimate interests pursued by the data controller or a third party are also a lawful basis for processing personal information. The only exception is where such interests are overridden by the fundamental rights or freedoms of the data subject.
Fairness – besides being lawful, the processing of personal data should always be fair. By fairness we mean that you should only process data in ways that people would reasonably expect of you, and never in ways that will adversely affect the data subject. To determine whether data processing is fair, first consider how the data was obtained in the first place. If anyone was misled or deceived when the data was collected, the processing will not be fair. To ensure fairness, you must take into account the interests of anyone affected, either individually or as a group. Even when the processing is fair to most people but unfair to a particular data subject, it will still breach this principle. Of course, personal data can be used in a manner that negatively affects an individual without necessarily being unfair: as long as such a detriment is justified, the processing can still be fair.
Transparency – transparency and fairness are fundamentally linked. Transparency is all about being clear, honest and open with people, right from the start, about who you are and how you plan to use their personal data. Transparency is especially critical when individuals are deciding whether or not to trust you with their personal data: knowing exactly what you plan to do with it helps them make much more informed decisions. Even when there is no direct relationship and you are collecting their information from another source, transparency is still key. In that situation, the individuals do not know that you are collecting their data, which means they have no opportunity to assert their rights over it.
- Purpose limitation principle
In simple terms, purpose limitation means that you need to give a clear explanation, right from the beginning, of why you are collecting and processing critical data and the intentions behind it. Specifying your purposes from the beginning allows you to be accountable for your processing and helps everybody understand how you use their data, so they can make the right decision on whether or not to share their personal data with you.
Having said that, this principle requires you to use data only for the purpose for which you collected it in the first place. Any additional processing that takes place after that has to be compatible with the original purpose; if it is not, make sure you obtain consent from the individual before doing anything else. If you are trying to determine how compatible your new purpose is with the old one, ask yourself the following questions:
- How does the new purpose differ from the original purpose?
- Would additional processing negatively impact the individuals?
- Is the new purpose disconnected from the original purpose?
- Is the new purpose expected, or was it unexpected?
All these play a big role when it comes to building trust among the public.
- Data minimisation principle
Simply put, the data minimisation principle limits the data controller to collecting, storing, processing and using only the data that is absolutely necessary to fulfil a specific purpose. Article 5(1)(c) states: “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).” This means that you need to identify the minimum amount of data required to fulfil the purpose at hand, and that is all you should deal with. So, how do you determine what is adequate, relevant and limited? The GDPR, including the UK version, does not really define these parameters. Mostly, it depends on your specified purpose for not only collecting but also using the personal data, and keep in mind that this differs from individual to individual. So, to understand whether you are holding the right amount of data, you first need to understand why you need the data at all.
If the data is criminal offence or special category data, it is especially crucial to collect and retain only the minimum amount of information. For efficiency, you can categorise individuals' data based on relevant characteristics or on factors that an individual brings to your attention, such as an objection to processing, a request to rectify incomplete data, or a request to delete unnecessary data.
Make sure that you review your data periodically to confirm that it is still relevant and adequate for your purposes, and to clean up anything you no longer need.
- Accuracy principle
For starters, the accuracy principle dictates that you are responsible for putting in place measures that ensure every detail you collect is correct and accurate. On this principle, Article 5(1)(d) of the GDPR states the following: “Personal data shall be: accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)”.
The intention behind this principle is to encourage everyone dealing with personal data to retain only relevant data, and to keep it updated on a regular basis. Regular updates help keep the data accurate by eliminating unnecessary or inaccurate data that you would otherwise have missed at the point of collection. But how exactly can you determine whether data is accurate or inaccurate? The GDPR does not define the term ‘accurate’; however, the Data Protection Act 2018 does state that ‘inaccurate’ means misleading or incorrect as to any matter of fact. By that definition alone, you can usually tell whether data is accurate.
Also, to be able to tell whether data is accurate, you need to set out clearly what you want the data record to show. This way, you will record only correct data that is relevant to your case. Moreover, data subjects always have a right to rectification, which is directly linked to this principle: the individual can request that existing data be erased, rectified or altered, and this directly affects the accuracy of the data you hold.
- Storage limitation principle
In simple terms, this principle prevents you from keeping personal data for longer than you actually need it. This is to say that even when you collect or use the data lawfully, there is still a time limit on storage. Since the GDPR does not set an exact time limit, it is up to you to decide how long you need the data for your specific purpose. Why is this principle important? For starters, by erasing or anonymising personal data that is no longer needed, you reduce the risk of it becoming irrelevant, inaccurate, excessive or outdated. Not only does this help you comply with the accuracy and data minimisation principles, it also minimises the risk of using such data in error, which would certainly be detrimental to everyone concerned.
As you may know, personal data that is held for too long will, at some point, become unnecessary. As a matter of fact, it may incur unnecessary security and storage costs. Also, if you hold data for a long time, you will keep adding new data on top of it. The problem arises when you try to access the stored data: you will need to go through a lot of data before finding what you are looking for. So, clean up old and irrelevant data before adding new data.
- Integrity and confidentiality principle
This principle is often referred to as the security principle, as it entails implementing appropriate organisational and technical measures that guard against intentional or unintentional risks, malicious attacks, unauthorised third-party access and exploitation of data. Basically, this principle is all about the security of personal data: an organisation takes all the necessary measures to protect personal data not only from data breaches but also from any other risk that might result in data loss or unlawful processing.
- Accountability
The last principle focuses on accountability, which means that organisations, as data controllers, are responsible for compliance with all the aforementioned GDPR principles and must be able to demonstrate that compliance. In practice, this means documenting the entire compliance journey and providing evidence of the steps you have taken, including:
- Documentation of processing activities
- Implementation of data protection policies
- Implementation of organisational and technical measures
- Data protection impact assessments
- DPO appointment
- Obtaining appropriate consent
Final word
It is quite easy to overlook these principles and focus on other aspects of GDPR, but the truth is that these 7 GDPR principles are the main building blocks that set the tone for the rest of the data protection regulation. So, make sure that you implement them in every aspect of your compliance journey. And remember that violating any of these GDPR principles can attract heavy fines of up to 20 million pounds or 4 percent of your total turnover. So, strive to be on the right side of the law; if you need any further information, our in-house GDPR consultants are more than happy to help you!