What are the Seven Principles of the GDPR?
For many business owners, taking their business international is a huge milestone. But like any milestone, it brings new challenges to overcome on the way to further success. A major roadblock for many companies entering into business in the UK or the EU is the General Data Protection Regulation, or GDPR, one of the most stringent data protection laws in the world today. GDPR is extensive, complex, and oftentimes overwhelming.
According to the ICO’s website, the GDPR was developed based upon seven principles: 1) lawfulness, fairness and transparency; 2) purpose limitation; 3) data minimization; 4) accuracy; 5) storage limitation; 6) integrity and confidentiality (security); and 7) accountability. Accountability is new to data protection regulations. In the UK, all the other principles are similar to those that existed under the 1998 Data Protection Act. The following definitions are paraphrased from the ICO’s site. In this article, we will break down each of these seven key principles of the GDPR, drawing directly on the Information Commissioner’s Office (ICO), to give you a better understanding of what exactly GDPR is and the importance of becoming compliant.
Lawfulness, Fairness and Transparency
According to the Information Commissioner's Office website, “Data must be processed lawfully, fairly and in a transparent manner.” The idea behind these principles is straightforward. The intended use of data needs to be disclosed clearly and efficiently, in a way that allows the data subject to understand exactly how their information is being collected and processed. This creates transparency in data sharing so that no one involved can be upset or unaware of how their data was processed.
Purpose Limitation
The ICO’s website states, “Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes can be considered to be compatible with the initial purposes.” The purpose limitation principle asserts that data cannot be stored and repurposed for anything other than what was initially disclosed to the data subject. This goes back to the first principle in that data usage needs to be clearly disclosed. This prevents businesses from profiting off of data through its sale or utilization for undisclosed means down the road.
Data Minimization
Similar to the minimum necessary standard in many data security laws in the United States, data minimization essentially means the use of data needs to be limited to what is essential. According to the ICO, “Data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. In short, the company or individual should identify the minimum amount of personal data needed to fulfil their purpose and no more.” Data retention, processing, and distribution need to be limited and strongly considered before data is collected in any form from the data subject.
Accuracy
One potentially overlooked principle is accuracy. The information you are collecting on customers needs to be correct. The ICO states, “Data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate can be erased or rectified without delay.” Whether it is a typo or outright misinformation, it needs to be identified correctly as soon as possible. This ensures that the data you are utilizing is clearly tied to the subject, and it ensures professionalism when interacting with the data subject in regard to their data. Nothing is worse than sending a package to a wrong address or even sending sensitive information to an incorrect email address.
Storage Limitation
This is a crucial part of GDPR compliance. According to the ICO, “Data must be kept in a form which permits identification of subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods if it is processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. These exceptions must implement appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.” You must clearly explain to your customers how long you will be storing their data, and ensure it is properly destroyed after it has been utilized for its intended purpose. This creates clear expectations for your customers and an added level of trust, knowing that once their information is used it is not just going to be siloed away waiting to be leaked or stolen in a breach. It limits exposure as well as loss in the event of a data breach.
Integrity and Confidentiality
Similar to the principle of least privilege, data should be processed on a need-to-know basis. Only individuals who require access to the information should be given access to it. Again, this builds trust with the customer and limits unnecessary loss. The ICO’s website states, “Data must be processed using appropriate technical or organizational measures to ensure appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage.” Confidentiality means keeping the customers' privacy at the forefront of your business practices and using data in a way that is discreet and respectful of the customers' information and privacy.
Accountability
Lastly, this goes without saying, but as the ICO website states, “The controller must be responsible for, and able to demonstrate compliance.” Anyone who is handling data needs to be properly trained and fully aware of exactly what GDPR compliance means. Ultimately, it is the job of the controllers themselves to ensure that GDPR compliance is maintained and that customer privacy is held with the utmost importance.
We hope that breaking down these principles will take some of the guesswork out of GDPR compliance and help give you a better understanding of what exactly GDPR compliance means. Ultimately, GDPR compliance serves to better protect customers' privacy and ensure everyone is aware of exactly how their data is being utilized. For more information on GDPR compliance and other compliance topics, please visit the other articles on our blog!