At the core of GDPR are seven principles that provide guidance for organizations as to how they can protect and appropriately use data, as well as clear expectations for EU residents as to how their data should be processed.
Violating these core principles can result in higher GDPR fines and penalties.
Below we’ll cover each of the GDPR data privacy principles so you can better understand how to process personal data and protect it.
Data Privacy Principles
The seven protection and accountability principles organizations must abide by when processing personal data are outlined in Article 5.1-2 of the GDPR document.
These are not explicit instructions for how to comply with GDPR. Instead, they reflect the ethos of the data privacy regulation and help guide organizations in how they process personal information and formulate their data protection protocols.
Below we’ll provide a brief overview of these principles.
1. Lawfulness, fairness, and transparency
Data processing must be lawful, fair, and transparent to the data subject.
Lawfulness means you have a lawful basis for processing personal data. GDPR includes six reasons:
- Consent: The individual has given the data processor consent.
- Contract: The processing is necessary for a contract you have with the individual, or because the individual has asked you to take specific steps before entering into a contract.
- Legal obligation: You must process data in order to follow the law.
- Vital interests: You must process data in order to save an individual’s life.
- Public task: You must process data in the interest of the public.
- Legitimate interest: Processing data is in your legitimate interest or the legitimate interest of a third party and does not violate the fundamental rights or freedoms of the data subject. This is the most flexible lawful basis for data processing. Examples of legitimate interest include marketing, fraud prevention, and IT security.
2. Purpose limitation
Data processing must be limited to the reasons explicitly stated to the data subject when you collected it. Exceptions are if the new purpose is relevant to the old one for collecting that data, or you have a clear responsibility to perform the new purpose as laid out in the law.
For example, let’s say an individual contacted a travel agency to request information about flights to California. In the future, that agency could contact that individual about a special offer on flights to Los Angeles. They could not contact that individual about goods and services unrelated to California holidays though. To do that, they’d have to get the individual’s consent to use their data in a new way.
3. Data minimization
Organizations may only process as much data as absolutely necessary for the purposes specified.
According to the regulation, data must be adequate, relevant, and limited. That can mean different things depending on the reason for collecting the data.
There are three specific stipulations based on this principle:
- If some data is needed for a particular set of individuals, the organization is not allowed to collect it from all data subjects.
- Organizations cannot collect data on the basis that they may use it in the future.
- If the data collected for a purpose is insufficient, it should not be processed.
To follow this guideline, organizations should periodically review the personal data they hold and delete anything unnecessary.
4. Accuracy
Personal data must be kept accurate and up-to-date.
Under GDPR, data subjects not only have the right to have inaccurate data corrected — organizations are also expected to have appropriate processes in place to ensure the accuracy of the data to begin with. They are also required to update information on a regular basis, which includes recording and correcting any mistakes.
5. Storage limitation
Personal data may only be stored for as long as necessary for its specified purpose.
GDPR does not stipulate a period of time. Instead, organizations must be able to justify how long they keep personal data and review it on a regular basis.
There are some exceptions. Personal data can be preserved for indefinite periods of time for purposes related to public interest, scientific or historical research, or statistics.
6. Integrity and confidentiality
Data must be processed in a way that ensures security, integrity, and confidentiality. This may call for cybersecurity and physical security measures.
GDPR does not specify which security measures should be put in place — only that they are “appropriate” to the risks associated with processing that personal data.
Depending on the organization and level of risk, security measures typically include an information security policy that stipulates who can access and manage data, encryption, and pseudonymization.
Organizations must also have processes for restoring access to or recovering personal data in worst-case scenarios.
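As an added illustration, not part of the original article, the following shows how two of the measures named above, pseudonymization and data minimization, fit together in code: direct identifiers are replaced with keyed HMAC-SHA256 tokens, only the fields needed for the stated purpose are kept in the working dataset, and the token-to-identifier map is held as a separate object (the "additional information" GDPR Article 4(5) requires to be kept apart). The customer records, field names and key are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample records; addresses and numbers are made-up example values.
CUSTOMERS = [
    {"email": "alice@example.com", "country": "DE", "orders": 3, "phone": "+49 30 0000"},
    {"email": "bob@example.com", "country": "FR", "orders": 1, "phone": "+33 1 0000"},
    {"email": "alice@example.com", "country": "DE", "orders": 2, "phone": "+49 30 0000"},
]


def make_token(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the identifier.

    The same identifier always yields the same token under one key, so records
    can still be joined for analytics. Without the key the token cannot be
    linked back to the person, unlike a plain (unkeyed) hash of an e-mail address.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(records: List[Dict], key: bytes, id_field: str,
                 keep_fields: List[str]) -> Tuple[List[Dict], Dict[str, str]]:
    """Return (working dataset, re-identification map).

    The working dataset carries only the token plus the fields actually needed
    for the purpose (data minimization); anything else, e.g. the phone number,
    is dropped. The re-identification map must be stored and access-controlled
    separately from the dataset, otherwise the pseudonymization is pointless.
    """
    dataset: List[Dict] = []
    reid_map: Dict[str, str] = {}
    for rec in records:
        token = make_token(rec[id_field], key)
        reid_map[token] = rec[id_field]
        row = {"subject": token}
        row.update({f: rec[f] for f in keep_fields})
        dataset.append(row)
    return dataset, reid_map


def orders_per_subject(dataset: List[Dict]) -> Dict[str, int]:
    """Analytics over the pseudonymized dataset: no identifier is needed."""
    totals: Dict[str, int] = {}
    for row in dataset:
        totals[row["subject"]] = totals.get(row["subject"], 0) + row["orders"]
    return totals
```

Rotating the key produces a fresh set of tokens, which is one way to limit how long a given pseudonym stays linkable across datasets.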
7. Accountability
Data controllers need to be able to demonstrate that their data processing activities are compliant with all of these GDPR principles.
This requires organizations to document evidence of compliance with GDPR, including the following responsibilities:
- Adopting and implementing policies to protect personal data.
- Implementing data protection measures along the entire life cycle of personal data.
- Creating and storing written contracts with organizations that process data for your organization.
- Recording how you process personal data.
- Implementing effective technical and organizational security measures.
- Recording and reporting any breaches of personal data.