Why are the 7 principles of GDPR important?
The 7 GDPR principles are fundamental principles of processing as prescribed under GDPR and form the backbone of any compliance program.
These principles have been derived over time from the International and European data protection laws. ‘Convention 108’ was the first internationally binding instrument to come up with data protection principles. The principles outline the obligations that must be adhered to whenever the personal data is collected, processed, and stored about an individual.
In the European context, the Data Protection Directive incorporated fundamental data protection principles. Although the principles are like those found under the Directive, GDPR has ensured a greater level of compliance as the principles are more detailed and take into account advancements in technology.
These principles are the building blocks of the regulation and should be implemented in every aspect of compliance. Failure to comply will set the highest administrative fine up to €20 million or 4% of your total worldwide annual turnover, whichever is higher.
What are the 7 principles of Processing?
We aim to go through each of the 7 principles to familiarise the readers with the basics of the GDPR. The principles are as follow: -
1. Lawfulness, fairness, and transparency
Lawfulness, the principle aims to ensure that there is a reason for the processing of personal data. It relates to adopting the proper lawful basis or legal reasons for the processing of personal data. There are majorly 6 scenarios in which you can process personal data: -
The user must have provided consent to carry out the processing.
The processing must be necessary for the performance of a contract related to the data subject.
It is necessary for complying or fulfilling a legal obligation.
To protect the vital interests of any natural person
To carry out the processing for the performance of a task in the public interest.
Processing is necessary for the legitimate interest of the controller and the controller can ensure that it does not override the data subjects’ rights and interests.
Fairness, if the data subjects know how their data will be processed and think it is an appropriate use. Fairness overall ensures that users data won’t be mishandled or misused once collected.
Transparency, being clear and open data subjects when processing personal data. The controller should always communicate with the individuals about how their data will be used.
2. Purpose Limitation
Purpose limitation means that the entity collecting and using data must be sure about the particular purpose for which the personal data of the individuals will be used. The purpose must be well defined and properly communicated. For example, the data collected by a doctor for health check cannot be then shared with the insurance company as it will be considered incompatible with the original purpose.
3. Data Minimisation
It means that the controller should restrict the collection of personal data to the extent which is directly relevant and necessary to achieve a specific purpose. It should always be ensured that the data collected is necessary and proportionate to accomplish a specified purpose. For example, collecting a large amount of data that is excessive for what the controller aims to accomplish will be considered disproportionate.
Data controllers have the responsibility to verify the authenticity of the data the company holds. The rationale behind this principle is to encourage the controller to set up checks and balances to update and maintain the personal data that you process on regular basis. Conducting periodical accuracy checks or audits of the data inventory is the best way to abide by the principle.
5. Storage Limitation
It simply means that the personal data must not be kept for longer than necessary and should be securely deleted unless there is a rationale for retaining it. For example, the personal data collected for a recruitment process should be deleted once the recruitment is over.
6. Integrity and confidentiality
It is interlinked with information security. The principle essentially means data controllers should proactively plan to protect personal data from any unauthorised or unlawful processing activity. The controller should be diligent to prevent data from any accidental loss, damage or destruction. The principle aims to promote organisation-wide measures related to information security.
Accountability simply refers to being responsible for data privacy compliance and maintaining records as proof of compliance with the data protection principles. To ensure accountability, the controller must document every step of the compliance journey and provide evidence of steps taken. For example, maintaining a document of processing activity or appointment of DPO.
The General Data Protection Regulation (GDPR) embraces the 7 data protection principles to provide an organisation with a guide on how to best manage their personal data and secure compliance with the law.
This article does not constitute legal advice in any form and only seeks to break down some of the main points set out by publicly available sources such as the ICO.