There are clear expectations and necessities regarding the protection and securing of personal data, and the GDPR principles, also known as the data protection principles, are very clear about them. However, many organisations are struggling to implement a workable strategy to ensure GDPR compliance.
The GDPR stipulates some fundamental data protection principles, and these apply to all organisations and businesses that collect, store and use personal data, regardless of the size of the organisation.
If you find yourself asking what the key data protection principles under GDPR are, this guide can help you develop your understanding. These principles can also be used as a GDPR compliance template.
These GDPR principles are also known as the Data Protection Act 2018 (DPA) principles in the UK. There are 8 data protection principles under GDPR that companies need to abide by in order to ensure that they are compliant:
Principle 1: Processing Personal Data Fairly And Lawfully
The emphasis is on personal data being managed in a way that provides a clear and transparent explanation to the individuals whose data is being collected and managed. Best practice is for organisations to inform individuals before obtaining their data and to openly and willingly clarify why and how the data is to be collected and used.
All organisations need to have strict policies and procedures in place to deal with data information requests from individuals and to be able to provide such information in an easy-to-understand format.
Such data may have been collected from third-party organisations rather than directly from the data subject, and the GDPR audit has an obligatory list of the types of information that must be made available upon request, regardless of where the data originated.
Each one of the DPA principles is essential for smooth compliance and the lawful use of personal information. The fair and lawful processing of personal data is one of the key aspects of these principles.
Principle 2: Processing Personal Data For Specified Purposes
It is imperative that organisations have a policy on the collection of personal data, and that personal data is collected only where explicit consent has been given and only for the purposes it was collected for, that purpose being specific and known to the data subject.
This is also known as GDPR principle 2.
Principle 3: Data Minimisation
Many organisations collect and hold enormous amounts of data for various purposes, be it monitoring behaviour, marketing or research, and often the data may be sensitive.
Regardless of the size of the organisation or the type of data stored, this principle requires organisations to evaluate the relevance of the data they store and to limit any data held to only what the organisation requires for its specific purposes.
Principle 4: Keeping Personal Data Accurate And Up-To-Date
Organisations must have a comprehensive policy and procedure for regular reviews to ensure compliance with GDPR. All personnel will be required to keep and maintain an accurate database of all customer and employee personal information.
Principle 5: Retaining Personal Data
According to this principle, data may only be retained for as long as it is necessary for the particular purpose it was collected for. To comply with this principle, organisations will have to ensure strict control over the retention, storage and movement of personal data, and it will be necessary to draw up a comprehensive set of rules for determining when, and for how long, data may be retained.
For example, in the case of a contract between the organisation and a client, fulfilled or ceased, the original may be retained for a period of, say, 7 years, or, in terms of a potential legal claim, for a length of time that corresponds with the relevant statute of limitation on bringing a claim. Organisations will also have to understand how a data subject could be identified in the event of a data breach, hence the requirement for careful deletion or anonymisation of data once retention is no longer required.
Retaining Personal Data is also known as GDPR principle 5.
Principle 6: The Rights Of Individuals
In line with the desire for transparency, the GDPR principles have expanded the rights of individuals to include the right to obtain from organisations exactly what data is stored about them, how this data is used, for what purposes and where. Organisations must now provide, upon request and free of charge, a copy of the data in electronic format for portability.
Furthermore, the right to be forgotten, or right to erasure, puts more power in the hands of individuals to control how their data is stored or manipulated. Organisations are obliged to ensure GDPR compliance and to focus on policies and procedures so that all personnel are aware of the stages of request handling.
The rights of the individual, and their sanctity in the shape of a transparent flow of information, are essential as one of the data protection principles.
Principle 7: Information Security
There is no excuse when it comes to protecting and securing personal data and the privacy rights of individuals. Security measures are imperative in implementing this principle, and to be compliant organisations are required to put in place adequate protection using methods such as data encryption and anti-malware and anti-ransomware software.
Keep only the data that is required, keep policies and procedures up to date and in line with the requirements, educate all personnel with basic training on the 8 principles of GDPR, and ensure that all physical areas, hardware and software have security and protection. Security measures need to cover accidental as well as malicious breaches and be incorporated into the overall security measures so that all access to data is secure and controlled. The data protection principles promote the safe flow and usage of information in the contemporary digital and physical world.
Principle 8: Sending Personal Data Outside The European Economic Area (EEA)
Under this principle, organisations must ensure that they are not sending personal data out of the EEA.
Personal data to be transferred outside the EEA needs to be protected. Within the EU there is deemed to be an “adequate” level of protection, allowing transfers within the EU, but outside it many countries are considered by the European Commission not to have this adequate protection. There is a list of acceptable countries, which does not include the US. Since the inauguration of the most recent president, any transfers to or from the US should be carefully considered. This is one of the key takeaways from this summary of the data protection principles for beginners.
For countries that do not have adequate levels of protection, such as China, Japan, Brazil and the Middle East, organisations will need to ensure that they put in place appropriate safeguards, such as obtaining explicit and informed consent or using specific, approved contracts with guarantees by way of Model Contract Clauses. Another method of transferring personal data legally is the use of Binding Corporate Rules, which allow multinational organisations to transfer data outside the EEA.
Summary of the 8 key data protection principles under GDPR
The 8 key data protection principles under GDPR are in place to ensure that a clear and transparent process is followed, providing a level of protection and security to individuals as well as a checklist and methodology to assist organisations with compliance. Safeguarding the individual should be at the forefront of any business that collects, stores and manages personal data.
Ensuring compliance with GDPR is an obligation, and it is not difficult if you are prepared to put in the time and effort required.
The EU GDPR is predicated on 8 main data protection principles as follows:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation