GDPR Data Protection Principles

The General Data Protection Regulation (GDPR) sets out six data protection principles which outline its requirements. These principles set out rules for the businesses and companies that collect, process and keep EU citizens’ personal information.

This article is part of our Introduction to GDPR, which aims to help you understand the General Data Protection Regulation and your obligations under the law. However, while industry experts have put together our guide, it does not constitute legal advice. If you require definitive legal guidance, we suggest seeking professional legal advice or visiting the most appropriate Data Protection Authority (DPA).

Understanding the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) came into force in all EU member states on 25 May 2018. The GDPR grants residents greater rights with regard to how their data is processed and held by organizations.

Under the GDPR, organizations holding and processing the personal data of an EU resident must do so in a lawful, transparent manner, and only for a specific purpose. Furthermore, personal data cannot be stored or processed for longer than necessary.

Read our introduction to GDPR to learn more about the regulation.

Outline of the Six GDPR Data Protection Principles

The GDPR sets out six data protection principles that organizations must meet when processing the personal data of an EU resident. The 6 GDPR data protection principles are:

  1. Process the data lawfully, fairly and transparently in relation to the data subject.
  2. Only collect personal data for a specified purpose. State what the purpose is, and only keep the data for as long as it is required to complete the objective.
  3. Make sure that only the minimal data required to achieve the processing purpose is collected and retained.
  4. Take all reasonable steps to update or remove inaccurate or incomplete data. EU residents have the right to request the erasure or rectification of such data within 30 days.
  5. Delete personal data when it is no longer needed. There is no defined timescale; it will depend on each business’s circumstances and reasons for collecting the data.
  6. Keep personal data safe and protected against unauthorised or unlawful processing. It must also be protected against accidental loss, destruction or damage.

Understanding the 6 GDPR Data Protection Principles

For those trying to achieve compliance, the GDPR data protection principles serve as an essential resource. In particular, small businesses, and those organizations without the resources often required to hire data protection experts, will find the GDPR data protection principles a useful reference point.

Presented below is guidance on how each of the 6 GDPR data protection principles should fit with your GDPR compliance endeavors.

1. Lawfulness, fairness & transparency

Businesses and organizations must ensure that their data collection procedures do not break the law. They must also collect data in a transparent manner, i.e. the data subject from whom the data is collected is fully aware of the collection of the data and its purpose.

To remain lawful, organizations should obtain a comprehensive understanding of the GDPR rules for the collection of data. Organizations should clearly state in their privacy policy the reason the data is being collected, and the type of data being collected, to ensure transparency with data subjects.

2. Purpose limitation

Organizations should only collect personal data for a specific purpose. Furthermore, organizations must clearly state what the purpose of gathering that data is. Finally, organizations can only collect and store data for the duration required to complete the intended purpose.

The GDPR makes provisions for personal data processed in the public interest or for scientific, historical or statistical purposes. For instance, the GDPR gives more freedom to personal data processed for archiving purposes.

3. Data minimization

Organizations must process only the personal data required to achieve their processing purposes. Data minimization has crucial benefits:

  1. In case of a data breach, only a limited amount of data can be accessed by an unauthorized individual
  2. Data minimization makes it simpler to keep the data up to date and to maintain the accuracy of the data

4. Accuracy

Integral to data protection is the accuracy of personal data. For inaccurate or incomplete data, organizations must take all reasonable steps to rectify or erase that data.

Inaccurate or incomplete data must be erased or rectified within 30 days if requested by individuals.

5. Storage limitation

When personal data is no longer required, it must be deleted.

The reasons why data is collected and the duration for which data is retained will vary between organizations and industries. In most cases, these will depend on the circumstances of each organization and the reasons they obtained the information. Any organization uncertain of how long it needs to, or should, retain personal data should obtain professional legal advice.

6. Integrity and confidentiality

Under the GDPR, personal data can only be processed in a way that maintains an appropriate level of security, using appropriate technical or organizational measures. This principle also covers protection against unauthorized or unlawful processing. It further covers protection against accidental loss, damage or destruction.

Since technological and organizational best practices regularly change, the GDPR does not explicitly state which measures organizations should take to maintain the integrity and confidentiality of the data.

Consequently, organizations should consider the options for ensuring integrity and confidentiality that are most suited to their organizational fit. However, where possible, organizations should, at the very least, encrypt or pseudonymize personal data.

Accountability under the GDPR

Accountability under the GDPR focuses on two aspects:

  • The responsibility of an organization to comply with the GDPR
  • The ability of an organization to demonstrate compliance

Some of the measures which may help organizations meet the accountability requirement include:

  • Implement data protection policies and security mechanisms
  • Establish data protection contracts with third-party processors
  • Document processing activities
  • Record and report personal data breaches
  • Conduct data protection impact assessments (DPIA)
  • Appoint a data protection officer (DPO)

Read more about accountability under the GDPR.