The new General Data Protection Regulation (GDPR) states that processing of all personal data should be aligned with the principles defined in the regulation. As part of the effort to implement the regulation, it is important to understand key GDPR principles that are stated in Articles 5-11 of the GDPR text. As these principles form the basis of the GDPR requirements, let us understand what they are.
Lawfulness of processing
The companies that process personal data are expected to do so in a lawful manner. Now, what does this mean? Lawful means that all processing should be based on a legitimate purpose. GDPR lists six legitimate purposes, and processing of personal data must be linked to one of these.
1) Purpose limitation. Processing of personal data must be limited to the legitimate purpose for which that personal data was originally collected from the data subject. This effectively forbids the processing of personal data outside of the legitimate purpose for which the personal data was collected.
2) Data minimisation. When collecting data, only the personal data absolutely required for that purpose may be requested. This means that no data other than what is necessary can be requested or stored. This is of significance when your company is analysing data. It will be important to limit the analysis of data to a set of anonymised data, or to a set of data for which consent has been obtained or there is a clear legitimate processing purpose.
3) Accuracy. Personal data of data subjects must always be accurate and kept up to date. This is simple and straightforward, meaning that controllers are asked to ensure that data is kept accurate, and data subjects can update their data when required.
4) Integrity and confidentiality. Personal data must be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing. Also, controllers must ensure that data cannot be modified by unauthorised persons.
5) Storage limitation. Personal data should be retained only while necessary. That is, personal data should be deleted once the legitimate purpose for which it was collected has been fulfilled. This is not simple, and needs to be determined in line with applicable laws that may sometimes require personal data to be retained for a longer period than the originally envisaged processing purpose.
6) Fair and transparent. GDPR asks that all personal data processing should be fair; that is, companies do not perform processing that is not legitimate. Also, companies should be transparent regarding the processing of personal data, and inform the data subject in an open and transparent manner. This means that personal data should be processed if, and only if, there is a legitimate purpose for the processing of that personal data. EU GDPR requires companies to practice transparency so that data subjects will be sufficiently informed regarding the processing of their personal data.
Besides these principles, it is also important to understand how GDPR defines the data subjects’ rights, and the legal basis for processing – see these articles for detailed explanations:
- Is consent needed? Six legal bases to process data according to GDPR
- 8 data subject rights according to GDPR
The expectation that companies are fair, transparent and processing personal data lawfully eventually leads to accountability, which is a framework of self-discipline among companies. The responsibility to demonstrate compliance with this principle shall always rest with the controller. This means that companies should be responsible in their actions relating to the processing of personal data, take ownership of what they do, and demonstrate evidence of all decisions made in the context of personal data processing. See the article Implementing three main accountability principles under EU GDPR.
To conclude, EU GDPR requirements are based on principles. These principles are centred around the concepts of accountability, and of the processing being lawful, fair and transparent. Also, there needs to be a focus on the purpose and storage limitations when considering minimisation of data. And the integrity and confidentiality of personal data must always be maintained, while keeping the personal data accurate and up to date at all times.
Read the full GDPR text to learn more about the key GDPR principles.