Sweeping GDPR regulations will go into effect in just a few months, and businesses are scrambling to be in compliance. A must-know for all businesses: There are six GDPR privacy principles that form the core General Data Protection Regulation conditions. Organizations must follow these when collecting, processing, and managing the personal information of European citizens — whether the business is located in Europe or anywhere else in the world. The principles are similar to those in the Data Protection Directive (DPD), so organizations should already have some supporting policies in place. However, adjustments must be made to comply with the further intricacies of the six GDPR privacy principles — and the extra accountability principle.
The principles are more refined
The six GDPR privacy principles are given to guide organizations. These principles are an overview of their fundamental data protection responsibilities. An organization can reflect upon them when interpreting further requirements of the regulation.
These GDPR privacy principles succeed the ones outlined in the EU Data Protection Directive 95/46/EC (DPD), so they will look familiar to organizations that already comply with it. However, avoid complacency: the scope of the DPD and the GDPR differ, and the new regulation is more far-reaching and more detailed. Thus, more is needed to ensure compliance.
Already having frameworks in place to support compliance with the DPD will be advantageous to organizations looking to comply with the GDPR when it goes into effect on May 25. However, it is important that the organization has a good understanding of the principles within the GDPR privacy scope, so that it can determine the differences between the two regimes and identify any requirements that are new.
Some of the principles have been further refined to reflect advances in technology that did not exist when the DPD was enacted. Today’s privacy requirements are better addressed under the GDPR. Additionally, the GDPR privacy principles take into account changes in how data is processed.
The 6 GDPR privacy principles (that’s 6 and a ‘plus 1’)
The six principles (found in Article 5 of the regulation) emphasize the GDPR’s aim of driving compliance. They can be used to guide organizations on how best to manage the personal data they hold. They summarize the key responsibilities in complying with the regulation and help organizations stay on track. The six principles are:
1. Lawfulness, fairness, and transparency
Personal data must be processed lawfully, fairly, and transparently with regard to the data subject (the person to whom the data belongs). To process lawfully, the processing must meet the criteria for lawful processing as laid out in the GDPR. To process fairly, the data must be used in the way its processing has been described. Informing the data subject of what data will be processed, how (in an easy-to-understand and accessible way), and why ensures that you are transparent with regard to the processing of their data.
Small print will no longer do! Instead, targeted techniques are needed to ensure that the issues and risks are highlighted. This gives genuine control and choice to the data subject and equates to being transparent and fair.
The GDPR emphasizes this as a core principle, whereas the DPD touches on it only as a consideration for the data controller to process data transparently.
Organizations could incorporate more accessible and straightforward privacy policies to promote the rights of the individuals.
2. Purpose limitations
Personal data can only be collected for specified, explicit, and legitimate purposes. This data can only be used for those described purposes and no others, unless further consent is first obtained. Do what you say and say what you mean!
The DPD reflects this principle in a similar way. However, the GDPR widens the scope by allowing processing of other categories such as processing for public interest and scientific purposes.
3. Data minimization
Only collect the personal data that is necessary for the purpose of the business function. If you don’t need it, don’t collect it — ever! The data needs to be adequate, relevant, and limited to what is necessary. This principle works hand in hand with purpose limitation (principle No. 2).
4. Accuracy
Personal data must be kept accurate and current. All necessary steps must be taken to achieve this. No inaccurate data should be kept, and any errors in data should be rectified as soon as they become known.
The DPD requires the same criteria. However, the GDPR builds on this by requiring that the erasure or rectification of inaccurate personal data be done without delay.
5. Storage limitation
Do not retain the data if you no longer require it for the purposes defined and agreed for processing. Securely remove the data when it is no longer necessary. Do not store personal data that you no longer use! Review, review, review!
The GDPR adds to the list of exceptions for this principle. It allows longer storage of data in the cases of data processing for public interest and scientific purposes. This is in addition to the exemption under the DPD that allows longer storage for processing data for statistical or historical purposes.
6. Integrity and confidentiality
Integrity, confidentiality, and availability are fundamental to security! The confidentiality and integrity of the personal data must always be maintained. Access must also be controlled to achieve this.
The necessary organizational and technical measures must be used to achieve principle No. 6. The personal data must be appropriately protected (encryption is one technical measure to achieve this). If the data is encrypted, it remains confidential even if it falls into the wrong hands; note that preserving its integrity as well requires an authenticated encryption scheme (or a separate integrity check) and that the encryption keys must themselves be protected.
The breach impact is then drastically reduced, both for the organization and for the individuals whose data it is.
Additionally, measures must be taken to protect against unlawful processing and accidental loss, as well as the destruction or damage of personal data.
These are core values in the DPD as well.
Don’t forget the plus 1!
7. Accountability and compliance
Just when you thought it was all over, the most significant addition is revealed…
This is where the ‘plus 1’ shines!
This is one of the areas that makes the GDPR stand out from the present DPD, and it has serious implications (and headaches!) if it is not achieved. Not only do you need to ensure compliance with the above six principles, you must be able to demonstrate this compliance, too. It is probably the most important of the principles, as data controllers need to take responsibility for compliance as well as demonstrate it.
Accountability must be driven from the top down and embedded in the organization. This means that data needs to be protected and compliance maintained wherever the data goes, as well as at each stage of processing (externally, internally, across borders and jurisdictions, and with third parties). Additionally, all decisions taken must be documented to prove accountability. All stages of processing must be taken into account and must be compliant.
This will require organizations to have processes in place to achieve accountability, and these will differ from organization to organization.
The accountability principle also complements the transparency requirements of the GDPR.
Challenge of complying with GDPR privacy standards
Organizations should revise their internal policies and procedures to ensure compliance. The new regulation means that the organization will need to update its current compliance procedures, because current practices will not cover the new scope completely. Do not make the mistake of thinking that if you are compliant with the DPD you will automatically be compliant with the new GDPR privacy principles. The likelihood is that you won’t. You will need to make adjustments, and you will need to make them fast.