The GDPR is underpinned by data protection principles that drive compliance. These principles outline the obligations that organizations must adhere to when they collect, process and store an individual’s personal data. The GDPR sets out seven key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Why are the principles important?
The principles lie at the heart of the GDPR. They are set out right at the start of the legislation and inform everything that follows. They don’t give hard and fast rules, but rather embody the spirit of the general data protection regime – and as such there are very limited exceptions.
Compliance with the spirit of these key principles is, therefore, a fundamental building block for good data protection practice. It is also key to your compliance with the detailed provisions of the GDPR.
Failure to comply with the principles may leave you open to substantial fines. The GDPR states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines. This could mean a fine of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.
Lawfulness, fairness and transparency
Article 5(1)(a) of the GDPR says:
“1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness, transparency’)”
The first principle is possibly the most important and emphasizes total transparency for all EU citizens. When data is collected, organizations must be clear about why it’s being collected and how it’s going to be used. For the processing of personal data to be lawful, you need to identify specific grounds for the processing. This is called a ‘lawful basis’ for processing.
If no lawful basis applies, then your processing will be unlawful and in breach of this principle. Lawfulness also means that you don’t do anything with the personal data which is unlawful in a more general sense. This includes statute and common law obligations, whether criminal or civil. If processing involves committing a criminal offense, it will obviously be unlawful.
If you have processed personal data unlawfully, the GDPR gives individuals the right to have that data erased or to restrict your processing of it.
Processing of personal data must always be fair as well as lawful. If any aspect of your processing is unfair, you will be in breach of this principle even if you can demonstrate that you have a lawful basis for the processing. In general, fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified, adverse effects on them.
Transparency is fundamentally linked to fairness. Transparent processing is about being clear, open and honest with people from the very beginning about who you are, and how and why you use their personal data. Transparency is always important, but especially in situations where individuals have a choice about whether they wish to enter into a business relationship with you. If individuals know at the outset what you will use their information for, they will be able to make an informed decision about whether to enter into a business relationship or perhaps even try to renegotiate the terms of that relationship.
Purpose limitation
Article 5(1)(b) says:
“1. Personal data shall be:
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.”
This requirement aims to ensure that you are clear and open about your reasons for obtaining personal data and that what you do with the data is in line with the reasonable expectations of the individuals concerned.
Specifying your purposes from the outset helps you to be accountable for your processing. It also helps individuals understand how you use their data, make decisions about whether they are happy to share their details, and assert their rights over data where appropriate. It is fundamental to building public trust in how you use personal data.
There are clear links with the lawfulness, fairness and transparency principle. In practice, if your intended processing is fair, you are unlikely to breach the purpose limitation principle on the basis of incompatibility.
Data minimization
Article 5(1)(c) says:
“1. Personal data shall be:
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’)”
This means you should identify the minimum amount of personal data you need to fulfill your purpose. You should hold that much information, but no more. This is the first of three principles about data standards, along with accuracy and storage limitation.
Also, you should bear in mind that according to the GDPR, individuals have the right to complete any incomplete data which is inadequate for your purpose, under the right to rectification. They also have the right to get you to delete any data that is not necessary for your purpose, under the right to erasure (the right to be forgotten).
How do we decide what is “adequate, relevant and limited?” This will depend on your specified purpose for collecting and using their personal data. It may also differ from one individual to another. So, to assess whether you are holding the right amount of personal data, you must first be clear about why you need it.
Accuracy
Article 5(1)(d) says:
“1. Personal data shall be:
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)”
This is the second of three principles about data standards, along with data minimization and storage limitation. There are clear links to the right to rectification, which gives individuals the right to have inaccurate personal data corrected. Individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days.
In practice, this means that you must:
- take reasonable steps to ensure the accuracy of any personal data;
- ensure that the source and status of personal data is clear;
- carefully consider any challenges to the accuracy of information; and
- consider whether it is necessary to periodically update the information.
This streamlining of information will help improve compliance and ensure business databases are accurate and up to date.
Storage limitation
Article 5(1)(e) says:
“1. Personal data shall be:
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);”
Even if you collect and use personal data fairly and lawfully, you cannot keep it for longer than you actually need it. This principle is closely related to data minimization and accuracy principles. The GDPR does not set specific time limits for different types of data. This is up to you and will depend on how long you need the data for your specified purposes.
Ensuring that you erase or anonymize personal data when you no longer need it will reduce the risk that it becomes irrelevant, excessive, inaccurate or out of date. Apart from helping you to comply with the data minimization and accuracy principles, this also reduces the risk that you will use such data in error – to the detriment of all concerned.
Personal data held for too long will, by definition, be unnecessary. You are unlikely to have a lawful basis for retention. From a more practical perspective, it is inefficient to hold more personal data than you need, and there may be unnecessary costs associated with storage and security.
You should remember that you must also respond to subject access requests for any personal data you hold. This may be more difficult if you are holding old data for longer than you need. Good practice around storage limitation – with clear policies on retention periods and erasure – is also likely to reduce the burden of dealing with queries about retention and individual requests for erasure.
Integrity and confidentiality
Article 5(1)(f) says:
“1. Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
You can refer to this as the GDPR’s ‘security principle’. It concerns the broad concept of information security.
This means that you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. You should remember that while information security is sometimes considered as cybersecurity (the protection of your networks and information systems from attack), it also covers other things like physical and organizational security measures.
You need to consider the security principle alongside Article 32 of the GDPR, which provides more specifics on the security of your processing. Article 32(1) states:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
Poor information security leaves your systems and services at risk and may cause real harm and distress to individuals – lives may even be endangered in some extreme cases. Although these instances are quite rare, you should recognize that individuals are still entitled to be protected from less serious kinds of harm, for example, embarrassment or inconvenience.
Information security is important, not only because it is itself a legal requirement, but also because it supports good data governance and helps you demonstrate your compliance with other aspects of the GDPR.
The security principle goes beyond the way you store or transmit information. Every aspect of your processing of personal data is covered, not just cybersecurity. This means the security measures you put in place should seek to ensure that:
- the data can be accessed, altered, disclosed or deleted only by those you have authorized to do so (and that those people only act within the scope of the authority you give them);
- the data you hold is accurate and complete in relation to why you are processing it; and
- the data remains accessible and usable (i.e., if personal data is accidentally lost, altered or destroyed, you should be able to recover it and therefore prevent any damage or distress to the individuals concerned).
The above requirements are the well-known CIA triad – confidentiality, integrity and availability – and under the GDPR, they are part of your obligations.
What level of security is required? The GDPR does not define the security measures that you should have in place. It requires you to have a level of security that is ‘appropriate’ to the risks presented by your processing. You need to consider this in relation to the state of the art and the costs of implementation, as well as the nature, scope, context and purpose of your processing.
This reflects both the GDPR’s risk-based approach, and that there is no ‘one size fits all’ solution to information security. It means that what’s ‘appropriate’ for you will depend on your own circumstances, the processing you’re doing, and the risks it presents to your organization.
Therefore, before deciding what measures are appropriate, you need to assess your information risk. You should review the personal data you hold and the way you use it in order to determine how valuable, sensitive or confidential it is – as well as the damage or distress that may be caused if the data was compromised. You should also take account of factors such as:
- the nature and extent of your organization’s premises and computer systems;
- the number of staff you have and the extent of their access to personal data; and
- any personal data held or used by a data processor acting on your behalf.
Accountability
Article 5(2) of the GDPR says:
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [the other data protection principles].”
There are two key elements. First, the accountability principle makes it clear that you are responsible for complying with the GDPR. Second, you must be able to demonstrate your compliance.
Taking responsibility for what you do with personal data and demonstrating the steps you have taken to protect people’s rights not only results in better legal compliance, it also offers you a competitive edge. Accountability is a real opportunity for you to show, and prove, how you respect people’s privacy. This can help you develop and sustain people’s trust.
Furthermore, if something does go wrong, then being able to show that you actively considered the risks and put in place measures and safeguards can help you provide mitigation against any potential enforcement action. On the other hand, if you can’t show good data protection practices, it may leave you open to fines and reputational damage.
Accountability is not a box-ticking exercise. Being responsible for compliance with the GDPR means that you need to be proactive and organized about your approach to data protection, while demonstrating your compliance means that you must be able to evidence the steps you take to comply.
Compliance with the GDPR key principles is a fundamental building block for good data protection practice. To achieve this, you may choose to put in place a privacy management framework. This can help you create a culture of commitment to data protection by embedding systematic and demonstrable compliance across your organization. Learn how ITEGRITI can help your organization get started on its path to GDPR compliance.