GDPR outlines six principles that organizations need to abide by. These principles aren't new - they were already outlined in the 1995 directive, but GDPR has revised them slightly. We delve into each principle below:
1. Lawfulness, fairness and transparency
Our last blog, on Legal Bases, falls within this principle. Controllers essentially need to ensure that the processing activity doesn't break the law and even if it is legal, it should be above board.
Controllers need to also provide detailed information on who, why and how they are processing the data of individuals. This might be through an information notice given to each individual or through a privacy statement on their website. The circumstances
of the activity determine if a notice is required or if a general statement will suffice.
2. Purpose Limitation
Tying in to Principle 1, organizations must have a specific reason for collecting and processing data, which they must share with the data subjects. Furthermore, once that purpose has been achieved or is no longer a goal of the organization, they should
cease processing that data. This essentially forbids a controller from using personal data for any purpose other than the original purpose. So, if you provide your contact information to an e-commerce company, for example, for the sole purpose of providing
contact information when ordering goods online, they can't use that information to send you marketing emails unless you have consented to that specific purpose.
There is an exception to this principle: archival purposes in the interest of the public or scientific/historical research or statistical purposes, an example being a census of population.
3. Data Minimization
The data collected and processed by data controllers must be adequate, relevant and limited to that which is necessary i.e. the minimum amount of data required to fulfil the purpose. For example, Slovakia mandates the collection of gender type for individuals,
however, it would be considered excessive to collect gender type for individuals who are not resident in Slovakia.
Organizations should make sure that the data they hold is accurate and up-to-date, and if it not correct, they need to take all possible steps to make sure it's rectified. If the errors can't be corrected, then the data should be erased. The onus is on the
organization to proactively ensure the data they hold is accurate, so prepare for an onslaught of "Confirm Your Details" checks from various providers.
This principle ties in well with the data subject's right to rectification – we will go into detail on data subjects’ rights in a separate blog.
5. Storage Limitation
This principle insists that organizations can only hold on to data for as long as they have a relevant legal basis to do so. Organizations should periodically review their databases and scrub them of any out-of-date or unlawfully held information.
This is where record retention rules come into play. Let’s say a bank has ended its relationship with a client. AML laws dictate that the bank must then hold the KYC information on that client for five years (this varies depending on several factors). The
bank has a "legal obligation" to hold the data for that length of time. Once five years have passed, they must delete that information without delay.
6. Integrity and Confidentiality
The final principle relates to data security and demands that an organization takes adequate measures to protect against data breaches and unlawful processing. It also demands that an organization has suitable monitoring procedures in place to detect any
gaps in their processes.
There is a seventh principle - Accountability - but that warrants a whole other blog post. It essentially requires an organization to be able to demonstrate their compliance with GDPR through a number of obligations like policies, hiring a Data Protection
Officer, Data Protection Impact Assessments and more.
In our next blog, we will focus on data subject rights, specifically the "Right to Be Forgotten".