GDPR and Data Protection Principles
Data protection involves the collection, processing and storage of an individual’s personal data. The GDPR lays down a set of principles in Article 5 that are essential for managing personal data. These principles should be treated as an outline of the essentials required to comply with data protection regulations, and they also help us understand the process of data protection. The six principles are:
Lawfulness, Fairness and Transparency
The three elements of this principle are connected to each other. A data subject has the right to be informed about the data processing in a transparent and fair manner, and the processing must be done for lawful purposes. An example would be stating in the privacy policy what data you intend to collect and hold, and the reasons for doing so, which must be compliant with the GDPR.
Purpose Limitation
Article 5 (1) (b) discusses the significance of collecting data only for specified, explicit and legitimate purposes. Data should be collected only to fulfil a particular purpose. For example, a perfume brand collects your data in order to send you promotional emails about its brand and discounts that suit the customer’s interests. But if the brand decided to pass this data on to one of its subsidiaries that sells car accessories, it would be a breach of this principle for the sole reason that it goes outside the scope of the purpose for which the data was collected.
Data Minimisation
Organisations processing personal data should stick to using only the data they need to achieve the purpose for which it was collected. This basically means that you should not hold more data than is strictly required. Data minimisation is a great way to keep data error-free and up to date. If a breach occurs, the person committing it will only have access to a limited amount of data.
Accuracy
Accuracy of data is one of the most important components of data protection. Measures must be taken to delete or modify inaccurate data. The GDPR provides individuals with the right to have this data deleted or rectified within 30 days. This principle helps provide the data subject with a sense of security against different kinds of data breaches. Apart from benefiting the organisation’s goodwill, accurate data will help prevent identity theft as well.
Storage Limitation
Organisations must delete personal data when it is no longer necessary or once the purpose is fulfilled. The period for which an organisation may keep the data after the purpose is fulfilled is uncertain, as it varies from one entity to another. Storing and archiving such data would come under the purview of data processing, and that would go against this principle. There are, however, some exceptions, such as health care establishments that retain personal data for a longer period of time.
Integrity and Confidentiality
This principle is probably the most important one from a business and financial point of view. Breach of this principle directly results in data breaches and undermines security. Data must be processed in a way that ensures an appropriate level of security, which means no unauthorised use or processing. The GDPR also states in Article 5 (1) (f) that any accidental loss, destruction or damage would also amount to a breach. As long as the regulations are followed, maintaining the integrity and confidentiality of personal data is an easy task.
These are not only principles that organisations must comply with, but also a way for them to demonstrate that they are complying with the GDPR, by showing that these principles and regulations have been fully accepted and embedded into their organisations and business practices. We hope you find this post useful. Do share your thoughts and feedback, or send in ideas for topics you would like ComplyStreet to cover, by emailing us at anjali@complystreet.com.