The General Data Protection Regulation’s (GDPR) 7 principles, set out in Article 5, form the foundation of both the UK and EU versions of data protection law. In this blog we ask: what are these 7 principles, and how has the Data Protection Act 2018 (DPA 2018) adopted them? And, more importantly, what does their adoption mean for your organisation’s data protection practices?
The Data Protection Act 2018
The DPA 2018 implements the GDPR in UK law (as an EU Regulation the GDPR applied directly, with the Act supplementing and tailoring it) and controls how the personal data of UK data subjects is used by organisations, businesses, and government institutions. The Act received Royal Assent on 23 May 2018, two days before the GDPR began to apply, and replaced the Data Protection Act 1998, which had been the law in force until then.
How does the DPA 2018 differ from the DPA 1998?
Courtesy of the GDPR, the DPA 2018 requires organisations to be more transparent and accountable for their personal data processing activities. It also places greater emphasis on the rights of data subjects over their personal data, including the rights to be informed, of access, to rectification, to erasure, to restriction of processing, to data portability, and to object.
What are the 7 Principles of the GDPR?
The 7 principles of the GDPR lie at the heart of the UK’s data protection regime, and thus are closely linked to the data protection rights of individuals. Understanding these 7 principles is vital because they will inform the structure of your data protection framework and help guide your decision-making as an organisation or business owner.
1. Lawfulness, fairness and transparency
All personal data must be collected and processed lawfully, fairly, and transparently.
Lawfulness – For every personal data processing activity, your organisation must identify and document an Article 6 lawful basis for processing (and, where special category data is involved, an additional Article 9 condition). Processing must also not breach any other statutory or common law obligation.
Fairness – You must only process personal data in ways that people would reasonably expect you to, and not in such a way that it has unjustified, adverse effects on them.
Transparency – Organisations must be clear about which data they are collecting, why they are collecting it, and how it is being used. Ultimately, it is about being open and honest, giving individuals the information they need about your data collection from the outset.
2. Purpose limitation
Your organisation may only collect data for specified, explicit, and legitimate purposes that have been made clear to data subjects at the start of the processing, and you must not go on to process it in a way that is incompatible with those purposes. As part of your documentation obligations, your purposes for collecting personal data must be recorded. By sharing your purposes upfront, individuals can decide whether they want to share their data with you, make informed decisions about their data, and assert their rights. Without a clear, stated purpose, you cannot build customer, supplier, partner and stakeholder trust.
An important point to note is that the purpose limitation is closely linked to the first principle of lawfulness, fairness and transparency. If you are already processing data fairly and transparently, it’s likely that you are in adherence to the purpose limitation principle.
3. Data minimisation
The data minimisation principle compels organisations to limit the amount of data they collect to only what is necessary to fulfil their stated purpose. Personal data must be “adequate, relevant and limited” but how do you determine which data meets those parameters?
Adequate personal data fulfils your stated purpose, relevant data is linked to your purpose, and collecting limited data means you do not hold more than what you need for your stated purpose.
The minimum amount of data you need to collect will depend on your purpose for processing. Clearly defining your purpose is therefore essential to properly minimising your data collection.
It should also be noted that holding only the personal data you actually need limits the impact of a data breach: data you never collected, or have already deleted, cannot be exposed.
4. Accuracy
Organisations must take reasonable steps to ensure that the personal data they hold is accurate and, where necessary, kept up to date. In some cases incorrect information must be corrected or erased; in others it may be enough to flag it as inaccurate or record the data subject’s challenge alongside it. Which approach is appropriate depends on the circumstances of the processing, but the key requirement is that the information you hold about individuals is not misleading.
Data subjects have the right to have incorrect personal data held about them rectified – the right to rectification – although this is not an absolute right and in some cases will not apply.
5. Storage limitation
The storage limitation principle states that you must not hold personal data in a form that identifies individuals for longer than is necessary to fulfil your stated purposes. The GDPR does not set specific time limits for retaining personal data, so it is up to your organisation to determine, and document in a retention schedule, how long each category of data remains necessary. Specific retention periods for certain types of data are, however, set elsewhere: in other legislation, case law, or industry-specific standards.
Although the GDPR sets no fixed retention period, you cannot hold onto personal data indefinitely. Once it is no longer needed for the purpose it was collected for, your organisation will in most cases no longer have a lawful basis for retaining it and should delete or anonymise it.
From an operations perspective, holding onto data for too long is also inefficient. It increases storage and security costs and can make it harder to respond to data subject access requests within the statutory time limit.
6. Integrity and confidentiality (security)
Your organisation must protect the integrity and confidentiality of the personal data you collect and process. You are responsible for ensuring it is not accidentally or deliberately compromised, which means having appropriate technical and organisational measures (Article 32), policies and procedures in place to protect your systems and services against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Security encompasses both technical measures (access control, encryption and pseudonymisation, patching, logging and monitoring, firewalls and anti-malware tooling) and the physical security of your premises (an alarmed building, restricted access to offices, paper records kept in locked cabinets). Article 32 also requires the ability to restore availability and access to personal data after an incident, and regular testing of your measures. Sound information security controls are doubly valuable because they provide evidence of your compliance with the GDPR, which supports the final principle – Accountability.
7. Accountability
Your organisation is accountable for how you handle the data you collect and process, and you must be able to demonstrate compliance with the GDPR principles. Demonstrating compliance means having the right documentation in place to show how you process personal data in a compliant way. Examples of necessary documentation include outward-facing privacy notices and internal data protection policies; a Record of Processing Activities (RoPA, Article 30); and Data Protection Impact Assessments (DPIAs, Article 35) for high-risk processing.
Accountability is a legal requirement, but it also makes your business more competitive. Customers, clients, suppliers, partners and stakeholders are more likely to trust you and do business with you if they can see clear evidence that you respect their privacy. Additionally, if you can show that you actively assessed the risks and had protective measures in place, the regulator will take this into account if a data breach does occur.
Is your organisation DPA 2018 compliant?
The DPA 2018 affects almost every organisation in the UK. If you have not reviewed your data protection policies since it came into force, they are very likely to be non-compliant, leaving you exposed to financial penalties and reputational damage. Compliance can be difficult because the DPA 2018 does not prescribe specific ways of achieving it; instead it leaves each organisation to design a data protection framework that satisfies its principles. If you have not already taken action, understanding your responsibilities and putting them into practice should be a priority for your business.
Do you need assistance with data protection and achieving GDPR compliance for your organisation? The DPO Centre offers cost effective data protection consultancy services tailored to your specific needs. Alternatively, let one of our expert outsourced data protection officers take care of it for you.