7 Key Principles of GDPR: Data Processing
Why are the 7 principles of GDPR important?
The 7 GDPR principles are fundamental principles of processing as prescribed under GDPR and form the backbone of any compliance program. These principles have been derived over time from the International and European data protection laws. ‘Convention 108’ was the first internationally binding instrument to come up with data protection principles. The principles essentially outline the obligations that must be adhered to whenever the personal data is collected, processed, and stored about an individual. In the European context, the Data Protection Directive incorporated fundamental data protection principles. Although the principles are like those found under the Directive, GDPR has ensured a greater level of compliance as the principles are more detailed and even take into account the advancements in technology.
These principles are the building blocks of the regulation and should be implemented in every aspect of compliance. Failure to comply will set the highest administrative fine up to €20 million or 4% of your total worldwide annual turnover, whichever is higher.
What are the 7 principles of Processing?
We aim to go through each of the 7 principles to familiarise the readers with the basic tenets of GDPR and gain a better understanding of their compliance. The principles are as follow:-
1. Lawfulness, fairness, and transparency
The lawfulness principle aims to ensure that there is an objective or reason for the processing of personal data. It relates to adopting the proper lawful basis for processing personal data. There are majorly 6 objectives for processing personal data: - 1. The user must have provided consent to carry out the processing.
2. The processing must be necessary for the performance of the contract related to the data subject.
3. It is necessary for complying or fulfilling a legal obligation of the controller.
4. To protect the vital interests of any natural person
5. To carry out the processing for the performance of a task in the public interest.
6. Processing is necessary for the legitimate interest of the controller and the controller can ensure that it does not override the data subjects’ rights and interests.
The concept ensures that data subjects must know how their data will be processed to allow them the liberty to make an informed decision about whether they agree to such processing or not. Fairness overall ensures that users data won’t mishandle or be misused once collected.
The principle is directly linked with the idea of being clear and open towards the data subject when processing personal data. The controller should make an honest communication with the individuals about how their data will be used.
2. Purpose Limitation
Purpose limitation simply means that the controller must be sure about the particular purpose for which the personal data of the individuals will be used. The identification and fixation of the purpose act as a boundary wall for the collection and usage of the data. The purpose must be clearly established and properly communicated. For example, data collected by a doctor for health-related assessment and treatment cannot be further shared with the insurance company as it will be considered incompatible with the original purpose.
3. Data Minimisation
It means that the controller should restrict the collection of personal data to the extent which is directly relevant and necessary to achieve a specific purpose. It should always be ensured that the data collected is necessary and proportionate to accomplish a specified purpose. For example, collecting a large amount of data that is excessive in relation to what the controller aims to accomplish will be considered disproportionate.
Data controllers have the responsibility to verify the authenticity of the data the company holds. The rationale behind this principle is to encourage the controller to set up checks and balances to update and maintain the personal data that you process on regular basis. Conducting periodical accuracy checks or audits of the data inventory is the best way to abide by the principle.
5. Storage Limitation
It simply means that the personal data must not be kept for longer than necessary and should be securely deleted unless there is a rationale for retaining it. For example, the personal data collected in relation to the recruitment process should be deleted once the recruitment is over.
6. Integrity and confidentiality
It is interlinked with information security. The principle essentially means data controllers should proactively plan to protect personal data from any unauthorised or unlawful processing activity. The controller should be diligent to prevent data from any accidental loss, damage or destruction. The principle aims to promote organisation-wide measures related to information security.
Accountability simply refers to being responsible for data privacy compliance and maintaining records as proof of compliance with the data protection principles. To ensure accountability it becomes imperative that the controller documents every step of the compliance journey and provides evidence of steps taken. For example, maintaining documents of processing activity or appointment of DPO.
The General Data Protection Regulation (GDPR) is one of the finest and globally prominent data protection laws after Convention 108. The regulation specifically embraces and reinforces the 7 data protection principle to provide an organisation with a guide on how to best manage their personal data and secure compliance with the law.
This article does not constitute legal advice in any form and only seeks to break down some of the main points set out by publicly available sources such as the ICO.