The General Data Protection Regulation (GDPR) sets out, in Article 5, the key principles that data controllers must follow when handling personal data. These principles form the core of the Regulation and are the basis on which organizations comply with the GDPR. This article explains each principle in detail. Before that, you may want to read the guide to GDPR.
GDPR Principles of Data Processing
The following seven principles lay the foundation for GDPR compliance:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Lawfulness, fairness, and transparency
To protect personal data and comply with the GDPR, organizations must process it lawfully, fairly, and in a transparent manner.
Organizations must process personal data on one of the following lawful bases of processing, per Article 6:
- Consent - data subjects have given consent to process their personal data.
- Contractual Obligation - the processing is necessary for the performance of a contract to which the data subject is a party, or to take steps requested by the data subject before entering into a contract.
- Legal Obligation - the processing is necessary for complying with a legal obligation under the laws of EU member states.
- Vital Interests - the processing is necessary to protect the vital interests of the data subject or any other natural person.
- A Public Task - the processing is necessary to carry out a public task, or you are a public authority.
- Legitimate Interests - the processing is necessary for your legitimate interests or those of a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.
If your processing activity satisfies one of these six bases, it is lawful.
Processing should be carried out fairly and reasonably. Every processing activity must be unambiguous to the data subjects, without misleading them or hiding anything from them.
You must be honest with data subjects about your data processing methods, such as where you get the data from, why you process it, and how you process it. They should be able to exercise their rights if necessary, and these must also be made clear to them before processing.
Purpose limitation
You must collect data only for specified, explicit, and legitimate purposes. Processing for a purpose other than the original one is only possible if:
- The new purpose is compatible with the old, such as archiving purposes in the public interest, scientific or historical research purposes, and statistical purposes.
- You have fresh consent from data subjects for the new purpose.
- Processing is necessary for a legal obligation or to carry out a public task.
You must be clear from the beginning about why you collect data and how you intend to use it. Document these details and make them accessible to data subjects.
Data minimization
Data collected must be “adequate, relevant and not excessive in relation to the purpose for which it is processed.” You must not collect, store, or process more data than is necessary for the intended purpose.
You must regularly review the data collected and delete anything that is not needed anymore.
Accuracy
Personal data collected should be accurate and, where necessary, kept up to date. In the case of inaccurate or outdated data, you must take every reasonable step to ensure that it is erased or rectified without delay.
Inform data subjects of their right to request deletion or rectification of data in such cases while collecting the personal data. You must also help them to exercise their rights whenever necessary.
Storage limitation
You must not store collected data for longer than required. When the data is no longer necessary for the intended use, you must erase it without delay. Setting a retention period for the data according to the purpose of processing helps in applying this principle efficiently.
An exception applies if you retain the data for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. Even then, you must safeguard the data with appropriate measures.
Integrity and confidentiality (security)
Your processing activity must ensure the security of personal data. To achieve this, you must take appropriate technical and organizational measures to protect the data against unlawful processing and against accidental loss or damage.
Technical measures include techniques like encryption and pseudonymization. Organizational measures include internal auditing, risk assessments, and documentation.
Accountability
Accountability is a new addition to data protection law, with explicit mention among the GDPR principles, compared to the Data Protection Act of 1998. This principle makes you responsible for complying with the GDPR and requires that you be able to demonstrate your compliance.
You can demonstrate the compliance in several ways, including, but not limited to:
- Implementing data protection policies;
- Adopting the ‘data protection by design and default’ concept;
- Documenting your processing activities;
- Executing appropriate security measures;
- Carrying out Data Protection Impact Assessments, wherever relevant;
- Designating a Data Protection Officer, if needed;
- Recording and, where necessary, reporting personal data breaches;
- Adhering to applicable codes of conduct or certification schemes;
- Consent logging.
You must periodically review and update these measures.
Accountability helps build and maintain people’s trust and helps avoid GDPR violations.
There is much more to the GDPR than these principles, but they are central to GDPR compliance. Violating or failing to follow them can lead to GDPR fines of up to 20 million euros or 4% of your annual global turnover, whichever is higher. For example, in 2019 the French data protection watchdog CNIL found that Google had failed to prove a lawful basis of processing, because its consent request was not valid, and fined the tech giant 50 million euros.
Adhering to the GDPR principles not only ensures compliance for your organization but also helps build trust and reputation.
Disclaimer: The main purpose of this article is to share general information with readers. For legal advice, please contact a lawyer or another qualified professional.