Tough, strict and costly – this is a quick way to describe the General Data Protection Regulation (GDPR), which is probably the most controversial and far-reaching privacy and security law in the world.
GDPR first came into effect in May 2018, and it caused quite a stir – not only within the European Union, but across the globe – especially as globalisation and interconnected networks have led to businesses from different regions all wanting to collect personal data from EU citizens.
As mentioned above, the GDPR can be described as:
- tough – because it was designed to guard and protect a wide variety of personal data;
- strict – because the potential penalty or fine for a single violation can reach up to several million euros (€20 million or 4% of the organisation’s global revenue, whichever is higher);
- costly – because it has forced many companies to rethink the way that they collect data, reinforce their systems, or even redesign their products and services.
Furthermore, the GDPR lacks specifics, leaving a lot open to interpretation and making compliance a daunting (though still necessary) process for many business owners. This is why, first and foremost, it is important to familiarise oneself with the principles of data processing, as these principles provide a starting point for further consideration and action.
1. Lawfulness, fairness and transparency
Lawfulness means that you need to have a valid reason to collect, store and process personal data from citizens of the European Union, which is the main requirement of the GDPR. For example, you may need some personal data to create a contract, protect public interests, or fulfil a legal obligation. In each case, users need to first give you consent before you can use any of their personal information.
Transparency means that users have to be fully aware of why and how you are using their personal data. And of course, they should be informed about these purposes and methods of collecting, storing and processing their data before you take any action, not afterwards. Fairness means that you need to uphold the promise you’ve made to your users, without stretching or misusing the terms of the agreement.
2. Purpose limitation
As stated in the GDPR, you can only collect data for “specified, explicit and legitimate purposes”. This means that you need to clearly communicate what you are going to use the data for in the privacy notice and make sure that you do not use it for any other purposes without asking for additional consent. Of course, you have a lot more leeway if you want to archive data in the public interest, for example, for statistical or scientific purposes.
3. Minimal data collection
You are permitted to collect and process only the minimal amount of personal data that you need to achieve your purposes, and no more. For example, if you want to send out a newsletter, asking for more than just an email address would be inappropriate. This, incidentally, also makes it easier to store data, and should a data breach occur, there are far fewer pieces of sensitive information that may be leaked. Collecting minimal amounts of data is to the benefit of both users and companies, despite it sounding unnecessarily restrictive for the latter. Organisations always aim to know everything about their current and potential customers, and the GDPR just prevents things from spinning out of control.
4. Accuracy
Personal information must always be kept up to date. Any outdated or inaccurate data has to be removed from the organisation’s systems without delay. That’s why regular audits of your data stores are a must. You also have to remember that your users may ask you to erase any information that you have on them within 30 days, starting from the day that they make this request. Plus, they have the right to rectify incomplete or inaccurate information.
5. Storage limitation
You are obligated by the GDPR to set up a standard time period for the storage of data that you need and actively use. Of course, this raises questions about how to define whether you actually need certain pieces of data, and how long you can consider an individual your customer or user. In difficult cases, consulting with a legal professional may be inevitable.
6. Integrity and confidentiality
This one requires you to protect the data that you are storing against “unlawful processing or accidental loss, destruction or damage”. This principle is vague when it comes to the measures you should take to secure your data, especially since technology is developing rapidly, so the tools and practices used need to be constantly updated. However, you may want to consider, for example, obtaining ISO 27001 certification to demonstrate your due diligence in cybersecurity.
Documentation is key here. You need to be able to prove your compliance with the GDPR standards, so you had better have all of your data collection, storage and processing policies on paper. Record every step that you take, collect evidence, and be prepared to justify your actions at any time, whenever you are asked to do so by the authorities – the potential consequences, in the form of a very costly fine, may be devastating to your company.
Don’t shy away from asking questions
It’s been a little over three years since the GDPR went into effect, so the majority of companies have already managed to handle most personal-data-related issues. However, as technology progresses, cybersecurity trends evolve, and new products and services are introduced to the market, you may still find yourself needing legal as well as technical audits and consultations to help you make sure that you’re doing everything right.
So, if you have any doubts or questions about dealing with the GDPR – don’t hesitate to contact us, and we will be happy to help you strengthen your systems and policies, and help protect you from any data leaks.