The Main Principles
The General Data Protection Regulation was drafted with seven broad principles in mind. It is useful to consider them and to reflect upon how they may apply to companies.
These principles are set out in Article 5 of the legislation and are as follows:
Lawfulness, fairness and transparency
Personal data shall be: processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency).
This principle stresses the need for transparency for all European Union data subjects. At the time that the relevant data is gathered, the reasons as to why the data is being collected and how it is to be used must be communicated. Any company gathering data needs to provide details concerning the data processing when the subject requests it; e.g. should a data subject ask who the data protection officer (often referred to as the 'DPO') is at that company or what personal data the organization holds relating to them, that information has to be available.
Purpose limitation
Personal data shall be: collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (purpose limitation).
To ensure GDPR compliance, companies may not ask for personal information that does not have a specific purpose in what they are doing. Members of the public, in addition to the legal authorities, have the right to question why a particular service appears to request irrelevant information for the service it is providing. Indeed, the request for the irrelevant information may in itself be an act of non-compliance.
Data minimisation
Personal data shall be: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).
Any data that is collected must be sufficient only for the precise needs of the business or service concerned. Organisations may not request or gather information that is not necessary, or that is irrelevant to their service. The goal of this principle is to prevent individuals from exposing personal information that is not in fact used in processing.
Accuracy
Personal data shall be: accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy).
This principle obliges data handlers to guarantee that information remains correct, legitimate and fit for purpose. In order to comply, the organization concerned should have a thorough process and clear policies in place to address how they will maintain the data they process and store.
Storage limitation
Personal data shall be: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (storage limitation).
Information is required to be deleted (in most circumstances) at the request of the data subject, or when it is not accurate or can no longer be deemed necessary to retain it. Data relating to individuals should not be kept by a company if said individuals are no longer clients or customers of it. People may request that their information be removed from company files and records, and organisations should do so when requested.
Integrity and confidentiality
Personal data shall be: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).
The integrity and privacy of data must be protected by ensuring that it is secure. Any organization which collects and processes data is now entirely responsible for implementing adequate security measures that are proportionate to the risks to, and the rights of, data subjects. It is not simply a question of avoiding deliberate malice or misuse of personal data: negligence is not an excuse under GDPR, so organizations must spend adequate time and resources to ensure that data is protected from security breaches, whether they arise from an internal system failure, human error, or a deliberate cyber attack by malicious hackers.
Accountability
The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (accountability).
Previous data protection laws failed to specifically include severe punishments for the misuse, negligent exposure, or illegal selling of personal data. The GDPR, however, makes organisations much more accountable for their actions. If found guilty, businesses can face huge fines, as multinationals such as Google, Marriott and easyJet can attest.
All businesses should take the necessary time and effort to evaluate their potential risk and be as honest as possible when gauging their present status. The above explanation should be viewed as an introduction to each requirement; important questions remain as to how a company not based in Europe can ensure compliance (e.g. the role of the Data Protection Officer, or perhaps the need for a European Representative office), but a basic comprehension of the task ahead is of course a very important starting point.
GDPR Audit
If your organisation is considering an audit, then choosing a company that specialises in GDPR audits makes sense.
We bring our expertise, combine it with good practice we have observed, and add the evolving EU and ICO guidelines. The result is a bespoke audit covering every aspect of your personal data processing.
The final report is tuned to your specific requirements as well as prioritised according to the risks that are unique to your business.