Principle 1 – Lawfulness, Fairness and Transparency
To process personal data lawfully, organisations must satisfy at least one of the six lawful bases set out in Article 6 GDPR. Of the six, most commercial organisations will rely on consent, contract, or legitimate interests as their lawful basis for processing personal data, and each has its own conditions (consent must be freely given, specific, informed and unambiguous, and legitimate interests must be balanced against the rights and interests of the data subject).
The concept of fairness is more complex. On the one hand it is about the data subject knowing who is processing their data and why, and not being misled about it. On the other hand it is about the relative bargaining positions of the company and the individual: the company can often overwhelm the individual, and the EU does not regard processing that exploits that imbalance as fair.
Transparency is how the data controller demonstrates that its processing is lawful and fair: it provides the required information in a privacy notice and/or at the point where the personal data is collected, in clear and plain language.
Principle 2 – Purpose Limitation
The GDPR requires organisations to be transparent about the reasons, or purposes, for which they will use personal data, and those purposes must be specified, explicit and legitimate. What organisations cannot do is collect data for one purpose and then decide to use it for something incompatible with that purpose. For example, if you collect data just to manage a customer's account, you cannot then use it to send them marketing messages; marketing must be covered separately, with its own lawful basis and its own notice to the customer.
Principle 3 – Data Minimisation
The personal data collected and used by the data controller must be adequate, relevant and limited to what is necessary to carry out the processing activity. Should there be a data breach, holding the least amount of data necessary limits the damage or distress to the data subjects, because data you never collected cannot be exposed.
Principle 4 – Accuracy
If a data controller is working with inaccurate personal data then its processing activities will be a waste of time at best and harmful to the data subject at worst. It is the responsibility of the data controller to ensure it collects the correct data in the first place and to correct or erase inaccurate data without delay. However, if the data subject's details change, e.g. they move house, then they should inform the controller, who should make it easy for them to do so.
Principle 5 – Retention Limitation
Data controllers should only keep personal data in a form that identifies the data subject for as long as it is needed to perform the service it was collected for (the GDPR calls this "storage limitation"). However, other laws impose minimum retention periods that must be honoured alongside the GDPR; financial records, for example, must be kept for six years. Where such a legal obligation applies it is itself a lawful basis for holding the data, but the data should still be deleted or anonymised once that period expires.
Principle 6 – Integrity and Confidentiality
The data controller must act in the interests of the data subject and protect their rights and freedoms. Appropriate technical and organisational measures should ensure the security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. This is especially important when using third parties to process the personal data: the data controller must assure itself that the data processor has the correct measures in place and that these are reflected in the contract and service level agreements, since the GDPR requires a written contract between controller and processor.
Principle 7 – Accountability
Data controllers and data processors must not only comply with the GDPR, they must be able to demonstrate that compliance, for example by keeping detailed records of processing activities, evidence of staff awareness and training, and policies and procedures that specifically address data protection.
As can be seen from this list, these are weighty principles that you must bear in mind when considering the GDPR. It is also why organisations such as the ICO keep saying that compliance is not a "tick-box exercise" but requires a fundamental shift in people's perceptions of, and attitudes towards, personal data and processing activities.
If you would like more information on these principles, or on the GDPR in general, then please don't hesitate to contact The Data Guardians at firstname.lastname@example.org or on 020 7368 3104.