There are some expectations and necessities regarding the protection and securing of private data, and the GDPR principles of data protection are very clear on these. However, many organizations are struggling with implementing a workable strategy to ensure GDPR compliance.
The GDPR principles, however, have developed some fundamental GDPR principles and these should apply to all organisations and businesses who collect, store and use private data, regardless of the size of the organisation.
Principle 1: Processing personal data fairly and lawfully
The emphasis is on personal data being managed in such a way that provides a clear and transparent explanation for those individuals whose data is being collected and managed. Best practice by organisations is to inform individuals before obtaining their data and openly and willingly to clarify the reason why and how data is to be collected and used.
All organisations need to have in place strict policies and procedures to deal with data information requests by individuals and to be able to provide such information in an easy to understand format. Such data may have been collected from third-party organisations rather than directly from the data subject, and the GDPR principles have an obligatory list of the types of information that should be made available upon request regardless of where the data originated.
Principle 2: Processing personal data for specified purposes
It is imperative that organisations have a policy on the collecting of personal data and that personal data is not collected except where it has been provided with explicit consent, and for the purposes, it was collected for, that purpose being specific and known by the data subject.
Principle 3: The amount of personal data you may hold
Many organisations collect and hold enormous amounts of data for various purposes, be it monitoring behaviour, marketing purposes, research and often data may be sensitive.
Regardless of the size of the organisation or the type of data stored, the principle advises that organisations need to evaluate the relevance of the data that stored and that any data held has to be limited to only that required by the organisation for specific purposes.
Principle 4: Keeping Personal Data Accurate And Up-to-date
Organisations must have a comprehensive policy and procedure for regular reviews to enable GDPR principles compliance with this principle. All personnel will be required to keep and maintain an accurate database of all customer and employee data information.
Principle 5: Retaining personal data
According to this principle, data may only be retained for the period that it is necessary for the particular purpose it was collected. To be compliant with this principle, organisations will have to ensure strict control over the retention, storage, and movement of personal data and it would be necessary to draw up a comprehensive list of rules for determining when, and for how long, data may be retained.
For example, in the case of a contract, fulfilled or ceased, between the organization and a client, the original may be retained for a period of, say, 7 years or in terms of a potential legal claim, a length of time that corresponds with any relevant statute of limitation on the bringing of a claim. Also, organisations will have to understand, in the case of a data breach, how a data subject could be identified, hence the requirement for careful deletion or anonymising of data once retention is no longer required.
Principle 6: The rights of individuals
In line with the desire for transparency, the GDPR principles have expanded the rights of individuals to include the right to obtain from organisations exactly what data is stored about them, how this data is used, to what purposes and where. Organisations now must provide, upon request, a copy of the data in electronic format, free of charge for portability.
Furthermore, the right to be forgotten or the right to erasure is putting more power in the hands of the individual to control how his or her data is being manipulated or stored. Organisations are obliged to ensure GDPR principles compliance and focus on policies and procedures to make sure all personnel are aware of the stages of request handling.
Principle 7: Information security
There is no excuse when it comes to protecting and securing the data and the privacy rights of individuals. Security measures are imperative in the implementation of this principle, and to be compliant organisations are required to put in place adequate protection using methods such as data encryption and anti-malware and ransomware software.
Keep only what data is required, keep policies and procedures up to date and in line with the GDPR principles requirements, educate and provide GDPR principles training all personnel accordingly and ensure all physical areas, hardware and software have security and protection. Security measures need to be taken against innocent as well as malicious breaches and incorporated within the overall security measures to ensure that all access to data is secure and controlled.
Principle 8: Sending personal data outside the European Economic Area
Personal data to be transferred outside the EEA needs to be protected. Within the EU there is deemed to be an “adequate” level of protection allowing for the transfer within the EU, but outside many countries are considered by the European Commission not to have this adequate protection. There is a list of countries that are acceptable which do not include the US. Since the inauguration of the most recent President, any transfers to or from the US should be considered carefully.
Countries who do not have adequate levels of protection such as China, Japan, Brazil and the Middle East and appropriate safeguards will need to be put into place such as the obtaining of explicit and informed consent or by specific and approved contracts with guarantees by way of Model Contract Clauses. Other methods of transferring legally are by the use of Binding Corporate Rules, which allow multinational organisations to transfer data outside the EEA.
GDPR Summary of the Eight GDPR Principles
The eight GDPR principles are in place to ensure that a clear and transparent process is followed and enables a level of protection and security to individuals, but also a checklist and methodology for organisations to assist with compliance. Safeguarding the individual should be at the forefront of any business that collects, stores and manages personal data. Ensuring GDPR principles compliance is an obligation and is not difficult if you are prepared to put in the time and effort that is required.