In the four years since GDPR was introduced, we’ve faced Brexit, a global pandemic, and in the past year, an increase in data breaches and penalties. Times have been challenging, complicated, and not without their pressures – but complying with GDPR isn’t optional.
Refresh your GDPR knowledge with our rundown of key data protection principles.
The GDPR ensures that the rights of data subjects are protected; and that organisations must implement systems and process data with this in mind. To achieve proper compliance, the GDPR outlines data protection principles upon which the regulation is built. As part of gathering and processing personal data, organisations must ensure that each principle is met.
There are six official data protection principles (GDPR Chapter 2, articles 2-11). Businesses that collect, process and store personal data for data subjects within the UK and the EU must follow them. Failure to apply these principles risks financially damaging repercussions for data controllers or processors concerned.
Let’s look at the principles in more detail:
1. Lawfulness, fairness and transparency
These three areas cross over, and you must satisfy all three.
You must identify a specific lawful basis for collecting, processing and using personal data. This processing must also be fair, which means organisations need to gather and use data legally and responsibly.
For example, fairness requires that you should only use data in a way that is reasonably expected and does not have a damaging effect on the data subjects concerned. It’s not just about whether you can use data, but also if you should.
In addition, you must be transparent in your processing. You need to inform individuals what data you hold on them, how their data is being used, and why. You should also inform them of the lawful grounds for processing, how long you are going to keep it and who you intend to share it with. This information should be provided in ‘Layman’s terms’ and be clearly understood by the data subject. Ensure that communication is open and honest, taking care to avoid ‘invisible processing’. Transparency relates to the right to be informed.
2. Purpose limitations
Individual personal data must only be collected and processed for “specified, explicit and legitimate purposes” [article 5, clause 1(b)]. This means that data should only be gathered and used in relation to the purpose for which it was obtained. Where consent is required, then the data should only be gathered for the purposes specifically defined in the consent notification.
Part of your compliance obligation requires you to document the purpose of collecting data and specify it in your Privacy Notice or Consent Notice. Therefore, data shouldn’t be processed for other reasons without first establishing the lawful grounds and then notifying the data subject of this additional processing activity prior to carrying this new activity out.
3. Data minimisation
This clause moves from a notion of adequacy in the 1998 Data Protection Act, to that of data minimisation under GDPR. Individual data does need to be adequate and relevant for the stated purpose. In addition, data minimisation ensures that you don’t collect any information that isn’t required for the specified purpose.
Data should not be excessive; so if you don’t need the data immediately, just collect the minimum that you do need.
For example, if you wish to gather information in order to send a data subject an electronic newsletter, then you need their email address and potentially their name, in order to personalise the communication. You do not need their date of birth, phone number or address details, and so you shouldn’t gather them.
4. Accuracy
Under the data protection principles, you must take reasonable and proactive steps to update or remove data that is inaccurate. This includes verifying with the data subject at the point of data capture (where possible) that their data is accurate and complete.
Individuals have the right to request that you erase or rectify inaccurate data that relates to them, and you must do so within a month.
Data controllers should therefore build rectification processes into their data management frameworks. As stated by the ICO, the accuracy principle means that you must:
- take reasonable steps to ensure the accuracy of any personal data;
- ensure that the source and status of personal data is clear;
- carefully consider any challenges to the accuracy of information; and
- consider whether it is necessary to periodically update the information.
Your process should ensure that data is accurate to the best of your knowledge, and facilitate updates or deletion if required.
5. Storage limitations
The GDPR states that you must not keep data for longer than is necessary. Once you have completed the data use, you must delete or anonymise the data.
The timescales for deletion aren’t set, as this will depend on the task in hand and the nature of your business. The information needs to be easily accessible to the individual within the period of use, in case of subject access requests. However, after that period, the information should be erased.
When deciding whether to erase data, you should consider the lifecycle of the data.
For example, you may hold and process personal data for financial reasons under the ‘Contractual Requirement’ lawful grounds. However, at the end of the contract period you may be required to retain the financial information for a period of time to meet a Legal Requirement rather than to delete it.
The financial transaction processing and the storage of data for legal purposes are two different processes that affect the same data, and so the Data Subject should be made aware of all processes that affect their data up until final deletion.
The GDPR does highlight that anonymised data is outside of the scope for the regulation. As such you may keep it for as long as you wish if required by your business.
Please note: If you do decide to anonymise data, then you will need to check that it is truly anonymised. If the ‘anonymous data’ can still be combined with information from other sources to identify an individual then it is still classed as personal data, and as such covered under GDPR.
6. Information Security
Personal data must be kept safe and secure at all times. This data protection principle is detailed in the ICO security section of the guidance.
Essentially, you must take all appropriate steps to protect the personal data that you collect, use and store. This includes protecting it against unauthorised and unethical access, and against accidental loss, damage or destruction.
It is your responsibility to ensure that appropriate technical or organisational measures are in place. This also includes the integrity of any data handlers and the credibility of technical systems.
Accountability
This requirement is seen as the unofficial seventh data protection principle. Accountability simply means that your organisation needs to be able to prove that you are applying the six principles. Under GDPR, the burden of proof is on the organisation.
The data protection principles are at the heart of the GDPR. They inform the rest of the clauses and rights, and embody the spirit of the legislation. The emphasis is placed firmly on the rights of the data subjects, with responsibility on companies to incorporate data protection into their business.
Compliance with the data protection principles is essential, but it’s also best practice to approach them with the right mindset. The GDPR isn’t just about ticking boxes, but about embedding these fundamental points into your data protection process.