Updated for 2022
Ever since its enactment, GDPR has become the beacon for privacy regulations across the world. California’s and Virginia’s privacy laws (CCPA and VCDPA respectively), POPIA in South Africa, LGPD in Brazil, and PIPL in China all reflect the same founding principles as GDPR. These seven foundational principles outline the compliance requirements for organizations that collect, process, and store an individual’s data.
Why are the principles important?
The principles are the heart of the GDPR and impact all other provisions. They are technology agnostic, and they embody the spirit of an effective and efficient data protection regime – and as such there are very limited exceptions. Compliance with these key principles is a fundamental building block for good data protection hygiene.
Failure to comply with the principles may leave your organization open to data protection risks and substantial fines. The GDPR states that infringements of the basic principles for processing personal data are subject to the highest administrative fines. This could mean a fine of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.
The following paragraphs provide an overview of the seven principles of GDPR. In addition, we will touch upon an eighth, emerging and equally important principle, data sovereignty.
Lawfulness, Fairness, and Transparency
Article 5(1)(a) of the GDPR dictates that personal data shall be “processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness, transparency’)”.
This is the most important principle, and it emphasizes transparency of processing. When data is collected, organizations must be clear about why it is being collected and how it is going to be used. To process personal data lawfully, an organization needs to identify a specific ground for the processing, called a ‘lawful basis’; the six available bases are listed in Article 6.
If no lawful basis applies, your processing is unlawful and in breach of this principle. Lawfulness also means that you do not do anything with personal data that is unlawful under other legal obligations, whether criminal or civil. For example, if the processing involves committing a criminal offense, it is obviously unlawful.
The processing of personal data must always be fair as well as lawful. Fairness means that you should only handle personal data in reasonably expected ways and not use it in ways that have unjustified, adverse effects on individuals. If any aspect of your processing is unfair, you will be in breach of this principle even if you can demonstrate that you have a lawful basis for the processing.
Transparency is fundamentally linked to fairness. Transparent processing is about being clear, open, and honest with people from the very beginning about who you are, and how and why you use their data. If individuals know from the very beginning what you will use their information for, they will be able to make an informed decision about whether to enter a business relationship with your company.
Purpose Limitation
Article 5(1)(b) says that personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)”.
This requirement aims to ensure that you are clear and open about the reasons for obtaining personal data and that what you do with the data is in line with the reasonable expectations of the individuals concerned.
Specifying your purposes from the outset helps you ensure that your processing is accountable, transparent, fair, and lawful. It also helps individuals understand how you use their data, decide whether they are happy to share their details, and assert their rights over the data where appropriate. It is fundamental to building public trust in how you use personal data.
The Data Principles: Minimization, Accuracy, and Storage Limitation
The GDPR includes three principles that are dubbed the ‘data principles’, as they set standards for data handling. Articles 5(1)(c), (d), and (e) specify that personal data shall be:
“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization)”
“accurate and, where necessary, kept up to date (accuracy)”
“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation)”
Data minimization is about holding the minimum amount of personal data you need to fulfill your purpose, and no more. How do you decide what is “adequate, relevant, and limited”? This depends on your specified purpose for collecting and using the personal data, and it may differ from one individual to another. So, to assess whether you are holding the right amount of personal data, you must first be clear about why you need it.
Accuracy is closely related to the right to rectification, which gives individuals the right to have inaccurate personal data corrected. They also have the right to require you to delete any data that is not necessary for your purpose, under the right to erasure (the right to be forgotten). In practice, this means that you must take reasonable steps to ensure the accuracy of any personal data, consider whether it is necessary to periodically update the information, and address any challenges to the accuracy of the information.
Even if you collect and use personal data fairly and lawfully, you cannot keep it for longer than you need it. This is the storage limitation principle. The GDPR does not set specific time limits for different types of data. This is up to you and will depend on how long you need the data for your specified purposes.
Ensuring that you erase or anonymize personal data when you no longer need it will reduce the risk that it becomes irrelevant or inaccurate. Apart from helping you to comply with the data minimization and accuracy principles, this also reduces the risk that you will use such data in error or that this data is compromised during a data breach. From a more practical perspective, it is inefficient to hold more personal data than you need, and there may be unnecessary costs associated with storage and security.
Good practice around storage limitation – with clear policies on retention periods and erasure – is also likely to reduce the burden of dealing with queries about retention and individual requests for erasure.
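Data minimization and storage limitation are the two principles in this section that translate most directly into code. The following Python sketch is an added example; it is not from the original article and not ITEGRITI’s tooling. It keeps a small register of processing purposes, drops any submitted field a purpose does not need before the record is ever stored, and erases records whose purpose-specific retention period has run out. The purposes, field allow-lists, retention periods, and sample records are all constructed for illustration; real values come from your record of processing activities.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical register of processing purposes (constructed for this example):
# the fields each purpose genuinely needs (data minimization) and how long a
# record may stay identifiable (storage limitation). In practice these values
# come from your record of processing activities, not from code.
PURPOSES = {
    "order_fulfilment": {
        "fields": {"name", "email", "shipping_address"},
        "retention": timedelta(days=180),
    },
    "newsletter": {
        "fields": {"email"},
        "retention": timedelta(days=365),
    },
}


@dataclass
class Record:
    purpose: str
    collected_on: date
    data: dict = field(default_factory=dict)


def minimize(purpose: str, submitted: dict) -> dict:
    """Keep only the fields the stated purpose needs.

    Fields outside the allow-list are dropped before storage, so they are
    never held at all. An unregistered purpose is an error: without a
    specified purpose there is nothing to judge 'adequate and relevant' against.
    """
    if purpose not in PURPOSES:
        raise ValueError(f"no registered purpose: {purpose!r}")
    allowed = PURPOSES[purpose]["fields"]
    return {k: v for k, v in submitted.items() if k in allowed}


def is_expired(record: Record, today: date) -> bool:
    """Retention runs from the collection date, per purpose."""
    deadline = record.collected_on + PURPOSES[record.purpose]["retention"]
    return today > deadline


def apply_retention(records: list, today: date) -> tuple:
    """Split a store into records to keep and a per-purpose count of erased ones.

    Expired records are erased outright; only an aggregate count survives,
    which is not personal data. Merely pseudonymizing them (e.g. hashing the
    e-mail) would not end the retention clock, because under the GDPR
    pseudonymized data is still personal data.
    """
    kept, erased = [], {}
    for r in records:
        if is_expired(r, today):
            erased[r.purpose] = erased.get(r.purpose, 0) + 1
        else:
            kept.append(r)
    return kept, erased


def retention_report(records: list, today_iso: str) -> tuple:
    """Convenience wrapper: purposes still held and erasure counts for an ISO date."""
    kept, erased = apply_retention(records, date.fromisoformat(today_iso))
    return [r.purpose for r in kept], erased


# Constructed sample store, not real data.
SAMPLE_RECORDS = [
    Record(
        "order_fulfilment",
        date(2022, 1, 10),
        minimize("order_fulfilment", {
            "name": "A. Example",
            "email": "a@example.org",
            "shipping_address": "1 Test Street",
            "phone": "000",  # not needed for fulfilment: dropped before storage
        }),
    ),
    Record("newsletter", date(2021, 1, 1), {"email": "b@example.org"}),
]

if __name__ == "__main__":
    print(retention_report(SAMPLE_RECORDS, "2022-03-01"))
```

Run on 1 March 2022, the newsletter record (collected 1 January 2021, 365-day retention) is erased while the order record (collected 10 January 2022, 180-day retention) is kept. The point of the purpose register is that retention and minimization decisions are recorded once, per purpose, and enforced mechanically, which is also the evidence the accountability principle asks you to be able to produce.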
The Security Principle: Integrity and Confidentiality
Article 5(1)(f) requires that personal data shall be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
This means that you must have appropriate security to prevent the accidental or deliberate compromise of personal data you hold. You should remember that while information security is mostly considered as the protection of your networks and information systems from attacks, it also covers things like physical and organizational security measures.
The security principle is closely related to Article 32 of the GDPR, which provides more specifics on the security of your processing. The article mandates that “the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”
Poor information security leaves your systems and services at risk and may cause real harm and distress to individuals – lives may even be endangered in some extreme cases. You should recognize that individuals are also entitled to be protected from less serious kinds of harm, for example, embarrassment or inconvenience.
Information security is important, not only because it is itself a legal requirement, but also because it supports good data governance and helps you demonstrate compliance with other aspects of the GDPR. The security principle goes beyond the way you store or transmit information. This means the security measures you put in place should ensure that you meet the CIA triad:
- the data can be accessed, altered, disclosed, or deleted only by those you have authorized to do so (confidentiality principle)
- the data you hold is accurate and complete in relation to why you are processing it (integrity principle)
- the data remains accessible and usable when it is needed, and access to it can be restored in a timely manner after an incident (availability principle)
What level of security is required? The GDPR does not define the security measures that you should have in place. It requires you to have a level of security that is ‘appropriate’ to the risk. This reflects both the GDPR’s risk-based approach and the fact that there is no ‘one size fits all’ solution to information security. What is ‘appropriate’ for you depends on your own circumstances, the processing you are doing, and, above all, the risks it presents to the individuals whose data you process (the GDPR speaks of risks to the rights and freedoms of natural persons), not merely the risks to your organization.
Therefore, before deciding what measures are appropriate, you need to assess your information risk. You should have clear visibility on the personal data you hold and the way you use it to classify its sensitivity as well as the damage that may be caused if the data was compromised. You should also take account of factors such as:
- the nature and extent of your organization’s premises and computing systems
- the number of staff you have and the extent of their access to personal data
- any personal data held or used by a data processor (e.g., a cloud service provider) acting on your behalf
- the state of the art and the cost of implementation, which Article 32 expressly lists alongside the nature, scope, context, and purposes of the processing
Accountability
The accountability principle [Article 5(2)] dictates that “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [the other data protection principles].”
There are two key elements. First, the accountability principle makes it clear that you are responsible for complying with the GDPR. Second, you must be able to demonstrate your compliance.
Taking responsibility for what you do with personal data and demonstrating the steps you have taken to protect people’s rights offers you a competitive edge. Accountability is a real opportunity for you to show, and prove, how you respect people’s privacy. This can help you develop and sustain people’s trust.
Furthermore, if something does go wrong, being able to show that you actively considered the risks and implemented appropriate measures and safeguards can help you provide mitigation against any potential enforcement action and avoid costly fines.
Accountability is not a box-ticking exercise. Being responsible for compliance with the GDPR means that you need to be proactive and organized about your approach to data protection while demonstrating your compliance means that you must be able to evidence the steps you take to comply.
Data Sovereignty
Data sovereignty means that data is subject to the laws and regulations of the jurisdiction in which it is collected, stored, or processed. It is closely related to, but not the same as, data localization (or data residency), which is a country-specific requirement that certain data must physically remain within the borders of the jurisdiction where it originated. At its core, data sovereignty is about protecting sensitive, private data and ensuring it remains under the control of its owner and of the legal regime that owner expects.
Data sovereignty and data localization became increasingly important with the proliferation of cloud computing. The use of SaaS apps and other cloud platforms often entails international data transfers, which can create major compliance challenges for users and providers alike. Such transfers have come under increased scrutiny since the Schrems II ruling, in which the Court of Justice of the EU invalidated the EU-US Privacy Shield framework as a basis for transferring EU residents’ data to US-based companies. Even the European Parliament was reprimanded by the European Data Protection Supervisor (EDPS) in 2022 for transferring website visitors’ data to the US without adequate safeguards.
To be GDPR compliant, organizations must implement and maintain appropriate security procedures and protections to protect EU citizens’ and residents’ personal data from unauthorized access, in addition to several other data collection and protection measures. On 18 June 2021, the European Data Protection Board (EDPB) adopted the final version of its recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. These apply to organizations that transfer EU residents’ data to countries that do not benefit from an adequacy decision.
Compliance with the GDPR key principles is a fundamental building block for good data protection practice. To achieve this, you may choose to put in place a privacy management framework. This can help you create a culture of commitment to data protection by embedding systematic and demonstrable compliance across your organization. Learn how ITEGRITI can help your organization get started on its path to GDPR compliance by clicking here.