GDPR Data Protection Principles
The General Data Protection Regulation (GDPR) provisions six data protection principles which outline its requirements. These principles set out rules for the businesses and companies that collect, process and keep the EU citizens’ personal information.
This article is part of our Introduction to GDPR, which aims to help you understand the General Data Protection Regulations and your obligations under the law. However, while industry experts have put together our guide, it does not constitute legal advice. If you required definitive legal guidance, we suggest seeking professional legal advice or visiting the most appropriate Data Protection Authority (DPA).
Understanding the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) was established in all EU member states on 25 May 2018. The GDPR enables greater rights for residents with regards to how their data is processed and held by organizations.
Under the GDPR, organizations holding and processing the personal data of an EU resident, must to do so in a lawful, transparent manner, and only for a specific purpose. Furthermore, personal data cannot be stored or processed for longer than necessary.
Read our introduction to GDPR to learn more about the regulation.
Outline of the Six GDPR Data Protection Principles
The GDPR states that there are six data protection principles which organizations needing to be compliant with GDPR need to meet when processing personal data on an EU resident. The 6 GDPR data protection principles are:
|Process the data legally, fairly and transparently relating to the related subject.|
|Only collect personal data for a specified purpose. State what the purpose is, and only collect data as long as it is required to complete the objective.|
|Make sure that the minimal data required to achieve the processing purpose is collected and retained.|
|Take all reasonable steps to update or remove inaccurate or incomplete data. EU residents have the right to request the erasure or rectification of such data within 30 days.|
|Delete personal data when it is no longer needed. There is no defined timescale, and will be dependent each business’ circumstances and reasons for collecting the data.|
|Personal data must be kept safe and protected against unauthorised or unlawful processing. It must also be protected against accidental loss, destruction or damage.|
Read about what to do with data protection provisions under the GDPR principles.
Understanding the 6 GDPR Data Protection Principles
For those trying to achieve compliance, the GDPR data protection principles serve as an essential resource. In particular, small businesses, and those organizations with limited resources, often required for data protection experts, will find GDPR data protection principles a useful reference point.
Presented below is guidance on how each of the 6 GDPR data protection principles should fit with your GDPR compliance endeavors.
1. Lawfulness, fairness & transparency
Businesses and organizations must ensure that their data collection procedures do not break the law. That data is being collected in a transparent manner, i.e. the data subject from which they are collecting the data from is fully aware of the collection of the data, and its purpose.
2. Purpose limitation
Organizations should only collect personal data for a specific purpose. Furthermore, the organizations must clearly state what purpose of gathering that data is. Finally, organizations can only collect and store data for the duration required to complete the intended purpose.
The GDPR makes provisions for data any personal data processed for public interest or for scientific, historical or statistical purposes. For instance, the GDPR gives more freedom to personal data processed for archiving purposes.
3. Data minimization
Organizations must process only personal data required to achieve its processing purposes. Data minimization has crucial benefits:
- In case of a data breach, only a limited amount of data can be accessed by an unauthorized individual
- Data minimization makes it simpler to keep the data up to date and to maintain the accuracy of the data
integral to data protection is the accuracy of personal data. For inaccurate or incomplete data, organizations must take all reasonable steps to rectify or erase that data.
Inaccurate or incomplete data must be erased or rectified within 30 days if requested by individuals.
5. Storage limitation
when personal data is no longer required, it must be deleted.
The reasons why data is collected and the duration which data is retained will vary between organizations and industries. In most cases, these will depend on the circumstances for each organization and the reasons they obtained this information. Any organization uncertain of how long they need to, or should, retain personal data should obtain professional legal advice.
6. Integrity and confidentiality
Under the GDPR, personal data can only be processed in a way, using appropriate technical or organizational measures, which maintains an appropriate level of security. This principle also covers protection against unauthorized or unlawful processing. It further covers the protection against accidental loss, damage or destruction.
Since technological and organizational best practices regularly change, the GDPR does not explicitly state which measures organizations should take to maintain the integrity and confidentiality of the data.
Consequently, organizations should consider suitable options to ensure integrity and confidentiality most suited to their organizational fit. However, where possible organizations should, at the very least, encrypt or pseudonymize personal data.
Accountability under the GDPR
Accountability under the GDPR focuses on two aspects:
- The responsibility of an organization to comply with the GDPR
- The ability of an organization to demonstrate compliance
Some of the measures which may help organizations meeting the accountability requirement include:
- Implement data protection policies and security mechanisms
- Establish data protection contracts with third-party processors
- Document processing activities
- Record and report personal data breaches
- Conduct data protection impact assessments (DPIA)
- Appoint a data protection officer (DPO)
Read more about accountability under the GDPR.