Everything there is to know about the GDPR principles of data protection. Discover them, apply them, protect personal data and make your business GDPR compliant.
What are the GDPR principles of data protection?
The GDPR principles are a set of broad rules of paramount importance that inspire the whole European data protection framework. They are listed in Article 5 of Chapter II of the GDPR and are binding in nature.
When implementing the Regulation within an organisation, observing the GDPR principles is essential to make the business compliant. The risk of violating them must be assessed when carrying out risk assessments and privacy impact assessments.
Furthermore, breaching them may expose your organisation to one of the highest fines set out by the Regulation, which can reach the astronomical amount of 20 million euros or 2% of the total worldwide turnover.
Failing to observe the GDPR principles of data protection may expose your business to fines of up to 20 000 000 EUR or 2 % of the total worldwide annual turnover.
Principle of lawfulness, fairness and transparency
The first of the GDPR principles listed by Article 5.1 is the principle of lawfulness, fairness and transparency, which states that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
For personal data to be processed lawfully, there must exist a legal basis. Therefore, in order to satisfy this requirement you need to find an appropriate legal ground to process your data amongst the six legal grounds offered by the GDPR:
- Consent: the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Contract: processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
- Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject;
- Vital interests: processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Public interest: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Furthermore, for the processing to be lawful it also needs to be permitted by the relevant national law and be performed within the boundaries of the law. In other words, it needs to comply with the legal system.
For instance, a processing operation would not be lawful if it breaches a contract or violates fundamental rights.
Personal data is processed fairly when the processing is fair to data subjects. This means, essentially, that the data should be processed in line with the expectations of data subjects and should not be used in a way that causes unfair harm.
With that goal in mind, this principle requires you to implement the necessary means to inform data subjects about the processing at the time their data is collected, explaining how their data is going to be used and stored so they can make an informed decision.
On the other hand, in some cases processing operations may entail harm to data subjects and yet be fair. Such is the case, for example, of recording and consulting credit blacklists by financial entities or keeping criminal records by public authorities.
The transparency principle is closely linked to the GDPR principle of fairness and means that you should be open, clear and honest with data subjects when processing their data.
The transparency principle is materialised through different obligations in the Regulation, for instance:
- the obligation to keep a record of processing activities, which must be available for the relevant data protection authorities at request;
- the right of access of data subjects, which empowers them to ask you for a copy of their personal data and information concerning the processing;
- the obligation to notify data breaches to data subjects when they entail a high risk to their rights and freedoms; or
- the obligation, where applicable, to gather the opinion of data subjects when carrying out data protection impact assessments on processing activities that affect them.
Notwithstanding the above, this principle is especially manifested by the right to information of data subjects, which obliges you to communicate certain information about the processing when collecting their data.
Privacy principle of purpose limitation
The second of the GDPR principles is the principle of purpose limitation.
Article 5.1.b of the GDPR establishes that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
When collecting and processing personal data of data subjects you need to have a purpose for that processing, such as processing payments and delivering orders to customers, or managing your organisation's human resources.
Additionally, the principle of purpose limitation also prevents you from processing the data for purposes other than those for which the personal data were initially collected, unless these new purposes are compatible.
You shall only process personal data with purposes other than the original when this further processing is compatible.
When is a different purpose compatible?
The GDPR sets out that further processing is compatible with the initial purpose when it is performed for the following purposes:
- archiving in the public interest,
- scientific or historical research, or
- statistical purposes
If you wish to process personal data for a different purpose, you first need to assess whether that new purpose is compatible with the initial purpose that entitled you to collect the data in the first place. To that end, GDPR Recital 50 states that you shall take account, amongst others, of the following factors:
- any link between those purposes and the purposes of the intended further processing;
- the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use;
- the nature of the personal data;
- the consequences of the intended further processing for data subjects; and
- the existence of appropriate safeguards in both the original and intended further processing operations.
Once the prior points have been addressed, if you conclude that the new purpose is compatible, then you can process the data without requiring a legal basis different from the initial one. However, in the event you conclude that the further processing is not compatible with the initial purpose, then you will need to inform the data subject and ask for their consent, or find a different legal ground to back your processing.
Principle of data minimisation
The principle of data minimisation means that you should only collect and process personal data which are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
The data are adequate when they are sufficient to attain the purpose of the processing, and relevant when their collection and processing are related to the purpose.
That the personal data are limited to what is necessary in relation to the purposes for which they are processed means that you should not collect any data that is not necessary to fulfil the purpose; collecting large amounts of data that are not necessary to serve the purpose of the processing is not considered good practice.
A good way to demonstrate compliance with this principle is analysing whether the purpose can be attained with anonymised data, that is to say, segregating personal data from any personally identifiable information that may lead to the identification of the individual.
Privacy principle of accuracy
The principle of accuracy obliges you to take reasonable steps to ensure that the personal data you hold is accurate, is kept up to date and is not misleading.
A good practice is to verify the authenticity of the information at the moment it is collected and to implement procedures to keep it up to date, especially when its inaccuracy may have a negative impact on the data subject.
As with the other GDPR principles, there are different ways to comply with this principle. The means necessary to ensure the accuracy of the data will depend upon the purpose of the processing and the type of personal data.
For the data not to be misleading, you will need to consider whether the data is of an objective or subjective nature, such as opinions or evaluations. Concerning the latter, it may be useful to note their nature in order to avoid taking them as fact at a later time.
In addition, sometimes it might also be necessary or advisable to keep a record of the inaccurate data. Such is the case, for instance, when processing health data about a data subject and prescribing a treatment based on that data.
Finally, this privacy principle also requires you to implement the necessary means to handle data subject requests exercising their right to rectification.
Principle of storage limitation
The principle of storage limitation requires you to define the period for storing the data.
Personal data must be kept only for the time strictly necessary to fulfil the purposes for which they were collected. They may be stored for longer periods insofar as the personal data are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or where anonymisation techniques have been applied to remove any identifiers and permanently prevent re-identification of data subjects.
Additionally, in order to ensure that personal data are not kept longer than necessary, GDPR Recital 39 mandates controllers to establish time limits for erasure or for a periodic review.
How to define data retention periods for personal data processing
To define the retention periods, you shall take into account the following points:
- Legal requirements to keep the data. When establishing the retention period it is very important to check local law, since there are frequently provisions that will require you to keep the data for a period of time. Such is the case, for example, of the Spanish anti-money laundering law, which requires companies to keep the data for ten years.
- Limitation periods and contractual agreements. For some categories of data you will also need to check legal statutes of limitation. For example, since infringements of the Spanish Tax Law expire in four years, data of a financial nature should be kept for at least four years.
- In the absence of legal provisions, you should determine a reasonable period, which needs to be the one strictly necessary to fulfil the purpose of the processing. For instance, when a candidate for a position does not advance in the recruitment process, the purpose for keeping their data disappears and their data should be erased.
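The three points above amount to a retention schedule plus a periodic review, which is what Recital 39 asks for. The following is an added example, not code from the original page: a small retention sweep in Python that encodes the two periods the text gives as examples (ten years for anti-money-laundering data, four years for financial data), treats recruitment data as expiring as soon as the candidate leaves the process, and flags any category with no defined period for review. The category names, the record layout, the `legal_hold` flag and the sample records are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    years: int   # how long after the trigger event the data is still needed
    basis: str   # why: legal requirement, limitation period or purpose-based


# Constructed retention schedule. The clock starts at a per-record trigger event
# (last transaction, end of the recruitment process, ...), not at collection.
RETENTION_SCHEDULE = {
    "aml_kyc":     RetentionRule(10, "legal requirement: Spanish anti-money laundering law"),
    "financial":   RetentionRule(4,  "limitation period: Spanish tax infringements expire in four years"),
    "recruitment": RetentionRule(0,  "no legal provision: purpose ends when the candidate leaves the process"),
}


def as_date(value) -> date:
    """Accept either a date or an ISO 8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_years(d: date, years: int) -> date:
    """Add whole years, mapping 29 February onto 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def erasure_date(record: dict):
    """Date on which the record's retention period ends, or None if no period is defined."""
    rule = RETENTION_SCHEDULE.get(record["category"])
    if rule is None:
        return None
    return add_years(as_date(record["trigger_date"]), rule.years)


def retention_decision(record: dict, today) -> str:
    """Classify one record as 'keep', 'erase' or 'review'.

    'review' flags data with no defined retention period at all, which is itself
    a gap under Recital 39. A legal hold (litigation, investigation) keeps data
    past its period, but it has to be recorded explicitly on the record.
    """
    due = erasure_date(record)
    if due is None:
        return "review"
    if record.get("legal_hold"):
        return "keep"
    return "erase" if as_date(today) >= due else "keep"


def sweep(records: list, today) -> dict:
    """Run the periodic review over a whole data store and group record ids by outcome."""
    result = {"keep": [], "erase": [], "review": []}
    for r in records:
        result[retention_decision(r, today)].append(r["id"])
    return result


# Constructed records: id, category and the date of the event that starts the clock.
SAMPLE_RECORDS = [
    {"id": "r1", "category": "recruitment",     "trigger_date": "2024-01-10"},
    {"id": "r2", "category": "financial",       "trigger_date": "2020-06-30"},
    {"id": "r3", "category": "financial",       "trigger_date": "2020-06-30", "legal_hold": True},
    {"id": "r4", "category": "aml_kyc",         "trigger_date": "2016-01-01"},
    {"id": "r5", "category": "marketing_leads", "trigger_date": "2019-05-05"},
]

if __name__ == "__main__":
    # Running the sweep on 30 June 2024: r1 and r2 are due for erasure, r3 is on
    # hold, r4 is still within its ten years, r5 has no period defined at all.
    print(sweep(SAMPLE_RECORDS, "2024-06-30"))
```

Whether the outcome is "erase" or "anonymise and keep for statistics" is a policy decision per category; the sweep only tells you which records have reached the end of their period. The "review" bucket is the one to watch in practice: a category with no rule is data being kept with no defined limit.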
Principle of integrity and confidentiality (security)
Article 5.1.f of the GDPR establishes that:
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Of the different GDPR principles of data protection, integrity and confidentiality (or security) is probably the most significant, and the principle that may have the biggest impact on your organisation and on data subjects in the event of a breach or non-compliance.
The lack of an appropriate information security framework within the organisation may lead to data breaches that otherwise could have been prevented. Depending on whether the data breach concerns confidentiality, availability or integrity of the information, and the categories of data affected, the impact may be highly severe.
For instance, if an attacker accesses and obtains the personal data a financial entity holds about its customers, these data might be used to commit identity fraud, mortgage fraud, or other frauds of financial nature.
To data subjects, that might result in financial loss, lost time and stress. To your company, an infringement of the GDPR principles may expose it to administrative fines of up to 20 000 000 EUR, or 4 % of the total worldwide annual turnover, whichever is higher, without prejudice to any other administrative, non-judicial or judicial remedies.
Suffering a personal data breach without having adopted an appropriate information security framework may expose your company to administrative fines up to 20 000 000 EUR, or the 4 % of the total worldwide annual turnover, whichever is higher, without prejudice to any other administrative, non-judicial or judicial remedies.
How to comply with the GDPR principle of security
To comply with this principle you need to assess the risks to the confidentiality, integrity and availability of the information, both in digital and physical form. For that purpose, vulnerabilities and threats must be identified, and the probability and impact of each threat, should it materialise, evaluated, taking into account the impact on the organisation but, above all, the impact on the rights and freedoms of data subjects. This is established by Article 32.2 of the GDPR:
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Once the risk has been assessed, you shall select and implement the technical or organisational security measures that are appropriate to mitigate or transfer those risks that exceed your risk appetite.
Beyond assessing the risk, in order to select and apply controls you need to take into consideration:
- the state of the art;
- the costs of implementation;
- the nature, scope, context and purposes of the processing.
With these in mind, the GDPR mandates that the measures shall include, inter alia:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
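The first measure in that list, pseudonymisation, is also the practical side of the data minimisation principle discussed earlier (attaining the purpose with data segregated from the identifiers). The following is an added example, not code from the original page: a Python script that takes constructed customer order records, keeps only the fields a statistical purpose needs, replaces the customer identifier with an HMAC-SHA256 pseudonym whose key and re-identification table are kept apart from the data, and, separately, produces an anonymised extract with no identifiers and coarsened quasi-identifiers. The record layout, field names and sample values are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed sample records, as a controller might hold them for order processing.
CUSTOMER_RECORDS = [
    {"customer_id": "C-1001", "email": "ana@example.org", "birth_date": "1984-03-02",
     "postcode": "28001", "order_total_eur": 120.50},
    {"customer_id": "C-1002", "email": "ben@example.org", "birth_date": "1991-11-17",
     "postcode": "08002", "order_total_eur": 35.00},
    {"customer_id": "C-1001", "email": "ana@example.org", "birth_date": "1984-03-02",
     "postcode": "28001", "order_total_eur": 60.00},
]

# Data minimisation: the statistical purpose only needs these two fields, so
# every other field is dropped before the data leaves the order system.
FIELDS_FOR_STATISTICS = ("postcode", "order_total_eur")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a direct identifier.

    Without the key the pseudonym cannot be linked back to the identifier; with it,
    the same identifier always yields the same pseudonym, so records belonging to
    one person can still be grouped for analysis.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: list, key: bytes) -> tuple:
    """Return (pseudonymised records, re-identification table).

    The table and the key are the "additional information" that must be kept
    separately, under their own technical and organisational measures. The output
    is still personal data under the GDPR, because the controller can reverse it.
    """
    out, lookup = [], {}
    for r in records:
        p = pseudonym(r["customer_id"], key)
        lookup[p] = r["customer_id"]
        row = {"subject": p}
        row.update({f: r[f] for f in FIELDS_FOR_STATISTICS})
        out.append(row)
    return out, lookup


def age_band(birth_date: str, today) -> str:
    """Generalise an exact date of birth to a ten-year band."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    born = date.fromisoformat(birth_date)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymise(records: list, today) -> list:
    """Drop every direct identifier and coarsen the quasi-identifiers.

    No key or lookup table is produced, so the controller cannot link the output
    back to a person either. Whether the result is truly anonymous still depends
    on how unique the remaining attributes are in the dataset.
    """
    return [
        {"age_band": age_band(r["birth_date"], today),
         "postcode_area": r["postcode"][:2],
         "order_total_eur": r["order_total_eur"]}
        for r in records
    ]


if __name__ == "__main__":
    # The key would live in a secrets store, never next to the pseudonymised data.
    key = secrets.token_bytes(32)
    stats, table = pseudonymise(CUSTOMER_RECORDS, key)
    print("pseudonymised:", stats)
    print("re-identification table (store separately):", table)
    print("anonymised:", anonymise(CUSTOMER_RECORDS, date.today()))
```

The two outputs answer two different questions. The pseudonymised extract lets the statistics team group orders by customer without seeing who the customer is, but it remains personal data and the key management around it is part of the security measures. The anonymised extract is what the data minimisation principle asks you to try first: if the purpose can be served with it, the identifiers never need to leave the source system.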
In addition to assessing the risks for the confidentiality, integrity and availability of the information, the Regulation also requires you to assess the risks for the rights and freedoms of data subjects, which means you shall:
- recognise the fundamental rights that are affected;
- identify, assess and evaluate the risks;
- specify and implement controls; and
- check and review.
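The assessment procedure described in this section (identify threats, value probability and impact, weigh the impact on data subjects at least as heavily as the impact on the organisation, compare the result against the risk appetite, then select controls) can be written down as a small risk register. The following is an added example, not the page's or any standard's own method: a Python register on a 1-to-5 likelihood and impact scale, where the higher of the organisational and data-subject impact drives the score, controls reduce likelihood or impact, and anything whose residual score exceeds a constructed risk appetite is marked for further treatment. The threats, scores, control names and appetite value are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    reduces_likelihood: int = 0   # points taken off the 1-5 likelihood scale
    reduces_impact: int = 0       # points taken off the 1-5 impact scale


@dataclass
class Risk:
    threat: str
    dimension: str                # "confidentiality", "integrity" or "availability"
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact_organisation: int      # 1 (negligible) .. 5 (severe)
    impact_data_subjects: int     # same scale, for the rights and freedoms of data subjects
    controls: list = field(default_factory=list)


def impact(risk: Risk) -> int:
    # Harm to data subjects counts at least as much as harm to the organisation,
    # so the higher of the two drives the score.
    return max(risk.impact_organisation, risk.impact_data_subjects)


def inherent_score(risk: Risk) -> int:
    """Score before any control is applied."""
    return risk.likelihood * impact(risk)


def residual_score(risk: Risk) -> int:
    """Score after the planned controls; neither factor can drop below 1."""
    likelihood = max(1, risk.likelihood - sum(c.reduces_likelihood for c in risk.controls))
    severity = max(1, impact(risk) - sum(c.reduces_impact for c in risk.controls))
    return likelihood * severity


def treatment(risk: Risk, appetite: int) -> str:
    """Accept the residual risk, or flag it for further mitigation or transfer."""
    return "accept" if residual_score(risk) <= appetite else "mitigate or transfer"


def assess(register: list, appetite: int) -> list:
    """Evaluate every risk in the register and say which ones still need work."""
    return [
        {"threat": r.threat, "dimension": r.dimension,
         "inherent": inherent_score(r), "residual": residual_score(r),
         "treatment": treatment(r, appetite)}
        for r in register
    ]


# Constructed register for a small online shop; the scores are illustrative only.
REGISTER = [
    Risk("Customer database copied through an exposed admin interface", "confidentiality",
         likelihood=4, impact_organisation=4, impact_data_subjects=5,
         controls=[Control("MFA and network restriction on admin access", reduces_likelihood=2),
                   Control("Encryption at rest with keys held outside the database", reduces_impact=2)]),
    Risk("Ransomware destroys the order records", "availability",
         likelihood=3, impact_organisation=5, impact_data_subjects=3,
         controls=[Control("Offline backups with a tested restore procedure", reduces_impact=3)]),
    Risk("Staff edit the wrong customer's health notes", "integrity",
         likelihood=3, impact_organisation=2, impact_data_subjects=4,
         controls=[]),
]

RISK_APPETITE = 8   # highest residual score accepted without further action (constructed)

if __name__ == "__main__":
    for row in assess(REGISTER, RISK_APPETITE):
        print(row)
```

The third entry is the interesting one: the organisation itself would rate the harm as low, but because the score takes the data-subject impact, it stays above appetite with no controls and is flagged. That is exactly the point Article 32.2 makes about assessing risk from the data subject's side rather than the business's alone. The "check and review" step is simply re-running the assessment after the controls are in place and whenever the processing changes.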
Principle of accountability
The principle of accountability is closely related to the other GDPR principles. Whereas the other principles compel your company to act in a certain manner, the principle of accountability requires that you are able to demonstrate compliance.
The end goal of this principle is not, however, just drafting a few forms or ticking some checklists. That is not complying with the accountability principle, nor with the obligations set out in the GDPR.
Compliance with the accountability principle means developing and embedding a true culture of data protection within the DNA of the business.
How to implement the accountability principle
Every step taken to comply with the GDPR will be useful to demonstrate compliance with this principle. Therefore, try to:
- Appoint a data protection officer. It can be either an employee or a contractor. In some cases appointing one is mandatory.
- Keep and update the record of processing activities. The record must be up to date at all times, and available to data protection authorities on request.
- Carry out data protection impact assessments. Sometimes mandatory, a DPIA is especially useful to make sure the processing activities respect the GDPR principles and to show evidence of your concern to comply with the European data protection framework.
- Protect the data by design and by default. Before launching a new product, starting a new processing operation or changing an operation currently in production, assess the consequences it can have for personal data and design the product or process taking into account the GDPR principles. For instance: enabling data subjects to exercise their data protection rights in an effortless, simple and straightforward manner, collecting only the data that is strictly necessary to fulfil the purpose of the processing, pseudonymising or anonymising the information where possible, etc.
- Draft and review internal policies. It is recommended to draft internal policies that evidence the responsibilities of employees and management.
- Assign responsibilities. A good practice is to create a committee or team, with representation from every department, that is responsible for data protection in the organisation.
- Provide training in personal data protection to the workforce.