What are the GDPR principles? How can you comply with them? And what happens if you do not comply with them? These are important questions in the context of processing personal data and compliance with the EU General Data Protection Regulation (GDPR). So, let us explore these.
GDPR defines seven principles. Sometimes we call them the data protection principles. Before we discuss the seven key principles in detail, the main question is, why do you need to comply with these? Well, these are the principles with which you must comply in order to ensure GDPR compliance. And if you do not comply, there is a fine of the highest category which is 4% of your global turnover, or 20 million Euros. That's why compliance with these principles is non-negotiable. But what are these principles? And why do we call them data protection principles as well? We call them data protection principles because in convention 108, which has been signed by multiple countries, even outside the EU, these are also referred to. Let us understand each of these seven.
This principle requires that personal data should be processed in a lawful, fair, and transparent manner in relation to the data subject This is a bundle of three different words with each having a specific meaning. We look at each word one by one.
Lawfulness means you are compliant with the law, and you respect the spirit of the law. This also means any personal data processing that your company carries out, your company identifies a lawful purpose. If you want to know about the six legitimate business purposes based on which you can process personal data in your company, watch our video on this topic. In short, these six purposes are:
- There is a contractual agreement.
- Processing is necessary to fulfill a legal obligation.
- Processing is necessary protection of the vital interests of a natural person.
- Processing is a public task done in the public interest.
- Processing is a legitimate interest of your company, and it does not override the rights and interests of the data subject.
- The data subject has given you consent for processing.
If the personal data processing is mapped to any one of these six legitimate business purposes, you are lawful in your processing. While mapping to lawful purposes is important, lawfulness also means that you comply with all requirements that GDPR covers. For example, data controllers inform the data subjects when processing is based on consent. If you want to know whether your company is complying with data protection rules and requirements as set in the EU GDPR, our 12-step compliance checklist can help you.
Fairness means you take actions that are in proportion to the processing. This is especially important where the processing of personal or sensitive data is based on legitimate interest. As you do that, you must ensure that processing must not violate the rights and freedoms of data subjects.
This means you as a company is transparent towards individuals. You inform them what data you collect what you do with it, and who do you share it with? And how do you respect the rights? How do you do that? You do that by publishing a privacy statement or a privacy notice on your website. Of course, you publish a cookie notice as well. But it is not just about the privacy statements or notice. It is also about all your practices and the way show personal data collection and processing in a transparent manner.
So this was the first principle which is very important as it expects that personal data is processed in a manner that is in line with the law, the processing is reasonable and fair while ensuring transparency.
This principle requires that personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means you have not only mapped your business processing activities to one of the specified explicit and legitimate purposes, but you also ensure that personal data is only processed for the purpose for which it was originally collected. Of course, processing for legal compliance is allowed.
A simple example would be you collect personal data for maybe an event that you're organizing. Now after that, you want to send them a newsletter. Well, that's a separate purpose. It was not one of the initial purposes or the originally specified purpose. Did you tell them that you're going to send them a newsletter or not? If not, you have to ask for proper consent. So, in short purpose limitation means personal data is processed solely for the purpose for which it was originally collected. And if you need to do any further processing on the personal data of EU citizens, then the purpose or legal compliance, you're going to ask for permission from the individual whose personal data is being processed.
This principle requires that personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. This means you collect the data that is strictly necessary for the purpose for which you are collecting. For example, you want to offer a newsletter subscription. Normally, you would need an email, do you need a name, maybe you want to personalize, but you certainly do not need a date of birth or any other information like a postcode. Maybe you want to personalize it, hence, you want to ask which industry they are in so that you can send a customized newsletter but anything more would be disproportionate and is against the principle of data minimization simple collect data that is strictly necessary, do not collect any other data.
This principle requires that personal data should be accurate and, where necessary, kept up to date. This means you keep the personal data of individuals accurate at all times and that you maintain personal data up to date. How do you do that? You ask the data subject from time to time. Just like banks usually ask, can you confirm that your contact details are accurate? Basically, you give the data subjects an opportunity to change the data that may be inaccurate data or incomplete data.
This principle requires that personal data should be kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Storage limitation means that data has an expiry date or retention period. What do we mean by data having an expiration date? You collect personal data, you process it. Isn't it simple? Well, the question is what happens after the processing purpose has been completed?
Let us take an example. You collected personal data for a newsletter on your website. I subscribed. So, you would keep my data. Then, a few months later, I unsubscribe. Now, do you keep my personal data? Why? Should you not delete the personal data you had about me?
Yes, this is the challenge this is a nightmare for companies. Because systems have traditionally been built to keep data forever. Now, this is not allowed. You need to keep data for a limited time. Here it's important to mention that the EU GDPR does not specify how long you should keep data it only says that you keep data only until as long as necessary. Now, the necessity is defined by other laws meaning. For example. accounting data will be kept as per accounting laws, employment data will be kept by employment law...
This principle requires that personal data should be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures. Integrity and confidentiality are also referred to as the data security principle. It means the personal data that you have is made confidential to prevent unauthorized or unlawful processing, kept secure through the application of appropriate security, and you protect the integrity of the data so that it cannot be altered by unauthorized or unintended people. Now security is a detailed topic. GDPR does not define it. GDPR simply says that your company implements appropriate technical measures in the function of the risk and other principles like cost and effort and feasibility. This also means you put in place measures to detect, monitor, and address data breach and cyber attack-related situations. Implementing organizational measures to protect personal and sensitive personal data is also part of the integrity and confidentially principle.
This principle requires that organizations should be responsible for and be able to demonstrate compliance with the GDPR and its principles. This means you as a company is acting in a responsible and accountable manner. And you can demonstrate compliance with GDPR and its principles on an ongoing basis. How do you do that? You do it by evidencing or documenting your decisions, keeping a trail of all the actions you take. You act in a responsible manner and you comply with the law. So essentially, this principle says you are compliant with the law and you need to demonstrate it through necessary documentation.
For example, if you have made a decision, let's say about Data Protection Officer (DPO), and you decided not to appoint a DPO. Imagine, five years later your company would have grown. And there happens an incident and the authorities ask why didn't appoint a DPO? Two scenarios are possible. One, have you documented that decision? If you have, you can show five years ago, this decision was made, this was the situation, these were the people who decided, and that's how it was made. And then the authority would say it's time to review it. But if you're not able to demonstrate compliance because you don't have any evidence (or you don't have the documentation), then it's negligence (or non-compliance) because you can't prove it. Then, the risk of fine increases. So always, always, always document all privacy decisions that your company makes. This is accountability in short.
Each and every GDPR principle is equally important. Irrespective of whether your company is a data controller or data processor, compliance with these principles is a legal obligation to ensure personal data is processed lawfully. If you need help with GDPR compliance, you can contact us and a data privacy specialist can help you to comply with the data protection law (s) that apply to your company.