What are the 7 main principles of GDPR?


The General Data Protection Regulation (GDPR) is a complex piece of legislation regarding the way an organisation processes personal data. In order to ensure that every data protection officer understands exactly what the data protection laws reflect and their legal obligations regarding GDPR compliance, the legislation contains seven principles.

These seven principles cover exactly how to process personal data. To achieve GDPR compliance, it’s essential that data controllers follow the entirety of the principles in order to properly process personal data relating to individuals.

The principles lie at the core of the GDPR and data privacy laws. They provide guidance for everyone who is required to be GDPR compliant. They also provide clarity for the expectations of EU residents as to how their data should be processed. However, the principles do not provide explicit instructions or strict rules for GDPR’s implementation, rather they exist to guide EU member states.

General Data Protection Regulation principles for the European Union and the UK

The UK GDPR, which has been implemented since Brexit, follows broadly the same principles. For more on the implementation of UK GDPR, see the Guide to UK GDPR from the Information Commissioner’s Office (ICO). It sets out in clear and plain language information for data controllers, an organisation’s data protection officer and anyone else who has day-to-day responsibility for GDPR compliance.

Both EU residents and UK residents can get a good grasp of the data protection measures that should be undertaken regarding their sensitive personal data through their respective GDPR legislation. This is just as important as international organisations' understanding of what they need to do to comply with their supervisory authorities.

What data is protected under GDPR?

GDPR defines what happens if there is a personal data breach, whether caused by the data controller, the data processor or anyone else responsible for data protection. It covers consumer data and how organisations must process data (including sensitive data, biometric data, pseudonymised data, religious beliefs, and any other sensitive information).

GDPR non-compliance can mean, at worst, criminal convictions. Ignoring data protection and data subject rights is a high-risk strategy for any business, regardless of its size or influence. GDPR fines can be significant, which is another reason why appropriate safeguards must be in place.

EU citizens are protected under this replacement for the old data protection act and the onus is on organisations to ensure that data protection impact assessments are carried out and that they are fully complying with data protection authorities.

Principle 1 – Lawfulness, fairness, and transparency

Lawfulness refers to the identification of specific grounds for the requirement of processing personal data. To meet the requirements of specific grounds, the GDPR details six different reasons for the processing of personal data. At least one must apply to comply with the data protection rules laid out by the GDPR.

  1. The data subject fully understands and consents.
  2. To fulfil a contract with an individual or for specific tasks before the contract starts.
  3. To meet a legal obligation.
  4. To protect someone’s life.
  5. A public task with an official function or it is in the public interest – both need to have a clear legal basis.
  6. Where legitimate interests exist, and there is no reason to override those interests through the protection of personal data.

There is always a requirement to ensure that personal data is not used in a way that would be considered illegal, aside from the stipulations of the General Data Protection Regulation (GDPR). If through processing the data, a criminal offence is committed then that would also be unlawful. This includes things like copyright infringement or a breach of duty of confidence. All of this is important for a company’s offline and online reputation as well as for compliance.

Principle 2 – Purpose limitations

This GDPR principle ensures that data subjects understand the reasons for providing their personal information and have reasonable expectations about what the organisation aims to do with it. The GDPR sees this as a way of ensuring accountability and preventing the temptation to use the data for purposes other than those disclosed to the individual.

This also allows an individual to decide whether they are happy to provide their details and gives some security over its future use. GDPR cannot prevent all future use for other purposes in certain circumstances, but this principle constrains it.

An example scenario is when there is a link between the new use and the original reason the data was collected. If a person has contacted a business to request information about holidays to California, it’s then compatible to tell them about a special offer on flights to Los Angeles. If, however, the organisation then wanted to use the data to sell other goods and services, they’d have to request new permission.

Principle 3 – Data minimisation

A data controller should consider the minimum data needed to meet the purpose of the organisation. This amount should then be the maximum held by data processors under the data protection directive. Data, whether this is through automated decision-making or on a case-by-case basis, must be adequate, relevant and limited. There are no specific definitions issued by the supervisory authority regarding these as it’s dependent on the reason for collecting the data in the first place.

This third principle exists to ensure that EU citizens are treated as individuals and to make compliance easier to monitor. If some of the detail collected is only needed for a small set of individuals, then it is inappropriate to gather it from all data subjects. Additionally, there cannot be a culture of collecting data on the basis that it may be useful at a future date. If, however, there is an identified requirement for the data in the future, then the GDPR allows for it to be collected in advance.

There is also the requirement to consider this from the alternate perspective of holding inadequate data. This refers to situations in which the data is insufficient for the purpose it was collected for. In this case, the data should not be processed as it cannot meet the criteria for which it was deemed necessary.


Principle 4 – Accuracy

This is about the quality of the data that is collected. Along with giving a data subject the right to have inaccurate data corrected, GDPR also means having processes in place to ensure the accuracy of the data to begin with. While there is a requirement to update the information on a regular basis, this should be as appropriate for the reason it was initially collected. For example, if a customer places a one-off order, there is no need to contact them on a regular basis to ensure that the address details are still correct.

GDPR allows for the holding of data which includes the opinions of data subjects as long as they are clearly annotated as such and cannot be misconstrued as fact. Clarity is required on what the personal data record should show as this is likely to influence whether it is considered to be accurate or not. For example, holding a client’s old address when they have moved house is still accurate if it is clearly annotated as historical data by the appropriate information systems.

Principle 5 – Storage limitation

Data can only be kept for the duration defined within the original requirements. Even if it was collected in an easily accessible form according to the requirements of GDPR, it can’t be kept for longer than it’s legitimately needed. To do so is considered non-compliance.

The regulation does not specify any reasonable time frame for keeping the data. The onus is on the business to justify the timescale that they have put in place. It should be assumed that the older the data is, the more likely that it is inaccurate or out of date. There are three situations in which data can be kept for an indefinite period:

  • Archiving purposes in the public interest.
  • For scientific or historical research purposes.
  • For statistical purposes.

Principle 6 – Integrity and confidentiality

More commonly known as the principle of security, this aspect of the GDPR is concerned with the secure processing of data to avoid data breaches. This requirement extends beyond cybersecurity and also includes both physical and organisational security. For example, if customer data is used in paper form, there should be appropriate security measures in place to ensure it’s not accessible to anyone outside of the business.

The data protection regulation (GDPR) requires that data can only be accessed and managed by those who have appropriate authorisation. Additionally, if it is accidentally lost, altered, or destroyed, then there must be a way to recover it. These should be standard contractual clauses within the original agreement with the data subject and should affect all data flows and data portability.

Just as with data storage, GDPR does not define the security measures which should be put in place. Instead, it requires that a level of security is put in place, which is ‘appropriate’ to the risks associated with the data processing.

Principle 7 – Accountability

The final GDPR principle is accountability. This requires those processing personal data to take responsibility for their interactions with personal data and their adherence to the other principles. To meet this requirement, there needs to be both measures and records in place so that compliance can be demonstrated across special categories.

This not only demonstrates that the organisation takes a lawful approach to its data processing, it also shows clients and suppliers that there is respect for an individual’s rights and freedoms and that data protection is taken seriously.

It also means that if there is an issue such as a data breach or unauthorised disclosure, then it can be demonstrated that there were both measures and safeguards in place to reduce the risk of such an event. This may then mean that there is mitigation against any legal enforcement action.


Data controllers must comply with GDPR

The risk with any requirement, such as the General Data Protection Regulation, is that it becomes a policy that is written and then sits in the bookcase, forgotten about until something happens.

This regulation is clearly about compliance, but GDPR is also about the need for regular review and updates to ensure that best practice is always in place, subject to oversight by public authorities.