More than three years after the General Data Protection Regulation was introduced, this article revisits the principles that are fundamental to the GDPR and should be embedded in the privacy policies and practices of every organisation.
The principles that lie at the core of the GDPR originate largely from the Data Protection Directive (95/46/EC) and, with some refinement, provide a modern framework for the fair treatment of all data subjects.
As set out within Article 5 of the GDPR, these principles are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
There is also the over-arching principle of Accountability – which applies to each of the six principles and requires organisations to be able to demonstrate compliance through documented policies and processes and by training staff on them.
Guidance from Ireland’s Data Protection Commission sums up their significance as follows:
“These principles are found right at the outset of the GDPR, and inform and permeate all other provisions of that legislation. They should be understood as the fundamental overarching principles which aim to ensure compliance with the spirit of data protection law and the protection of the rights of individuals (‘data subjects’).”
Below, we discuss each principle and its application in more detail.
1. Lawfulness, Fairness and Transparency
This principle requires that an organisation only processes personal data on one of the lawful grounds set out in the GDPR, and does so in a way that is fair and transparent to data subjects. Individuals must be told clearly why their personal data is being processed, as well as the lawful ground for doing so. You must also always provide your data subjects with access to their data.
Article 6 of the GDPR discusses the different legal grounds on which processing can be lawful:
Consent: Data subjects must expressly give consent to the processing of their data for a pre-defined purpose. Consent must be clear, unambiguous and provide an active indication of a data subject’s wishes.
Contract: This is applicable when the processing of personal data is necessary for the performance of a contractual obligation. For instance, when ordering goods through an online retailer, the data subject will have to provide personal data to complete the contract (eg to pay for the goods being purchased). The retailer will then process this personal data (payment details) on the lawful basis of contractual obligation.
Legal obligation: This applies when the data controller is under a legal obligation to process personal data. The legal obligation must flow from a specific legal provision. For instance, a legal statute requires an employer to maintain a record of salaries paid to employees and to share it with Revenue for taxation purposes. Another example would be a court order requiring the processing of personal data for a specific purpose.
Protecting the vital interests of a data subject: This ground is very limited in scope and only applies to urgent and immediate matters. An example would be processing personal data when rendering emergency medical care to a data subject.
Public interest: This is often applicable when a controller discharges a public function like the administration of justice or the collection of taxes. It will cover the processing undertaken by state agencies and government departments which is necessary in order for them to fulfil their statutory function as outlined in their founding legislation.
Legitimate interests: Here, processing may be lawful to achieve the data controller’s legitimate interests. However, the data controller’s legitimate interests must not override the fundamental rights and freedoms of the data subjects. In order to demonstrate this, the data controller must undertake (and document) a Legitimate Interest Assessment.
2. Purpose Limitation
This principle requires an organisation to pre-define and specify the purpose of processing personal data, so the boundaries for data processing are clarified before the personal data is collected.
Any processing that goes beyond the defined purposes must be compatible with the original purpose. If, for example, a fitness app collects personal data to suggest a relevant workout routine to the data subject and subsequently shares some of that data (such as the individual’s weight) with a health insurance company, this is incompatible with the initial purpose.
3. Data Minimisation
A data controller must only collect data that is relevant and necessary to accomplish the pre-defined purpose. Controllers should therefore conduct a two-pronged analysis before collecting and processing personal data – firstly to ascertain what data is necessary and secondly to gauge proportionality.
4. Accuracy
Data controllers must ensure that all personal data is accurate, complete and not misleading. When data is collected for statistical purposes, it must be maintained in the form in which it was initially collected.
5. Storage Limitation
This principle places an obligation on data controllers to store personal data only for the period that is necessary. Once the personal data is no longer needed, it must be deleted securely. Data must also be stored in a classified form, and kept in a form that identifies data subjects for no longer than is necessary.
While the GDPR states that personal data must be stored for the minimum period necessary, it does not specify the exact period. Data controllers must use their own discretion to determine appropriate retention periods, taking into consideration how the data is collected and used and any relevant statutory periods.
6. Integrity and Confidentiality
Personal data must be processed in a manner that ensures security against unauthorised or unlawful access, accidental loss, destruction or damage. Data Controllers must implement a robust personal data security framework and follow best security practices including pseudonymisation and encryption.
7. Accountability
In simple terms, organisations must take responsibility for what they do with personal data and implement appropriate mechanisms to demonstrate how they comply with the GDPR principles.
There are several ways to ensure compliance with this principle. Here are some steps your organisation should take:
Risk assessment: Conduct regular risk assessments to ensure your privacy policies are up to date with changing business models, law and technology.
Constant monitoring and improvement: Audit and review privacy policies and practices, and keep refining them to meet the accepted standards across your industry.
Transparency: This is a cornerstone of the Accountability principle. Make sure that data subjects understand the privacy policies and procedures you have put in place.
Leadership: Establish a good privacy culture within your organisation. You may wish to establish a top-to-bottom approach, where leaders set an example for all employees to follow. Where required under the GDPR, a data protection officer must be appointed to maintain both external and internal oversight. Additionally, identifying data privacy champions encourages employees to follow and appreciate practical enforcement and implementation of privacy practices.
By upholding these seven key principles, organisations will not only be able to prove compliance with the GDPR, but also demonstrate – to customers and employees – respect for privacy and data protection rights. That, in turn, will help earn trust and loyalty.
Pembroke Privacy offers gap assessments to help organisations work out their compliance levels. We also offer outsourced DPO services and Data Protection support services and we can help implement and manage training programmes. We also offer e-learning programmes to help raise data protection awareness. Please contact us for information on how we can help.