Most of these principles already exist in some form in the current legislation and have seen incremental updates, but there are a few significant changes that you should be aware of.
Note that if you cannot abide by all of these principles regarding any piece of data, you cannot lawfully process it. They affect all organisations, regardless of their size. There are no mitigating circumstances.
In this article, we will go over the processing principles, as specified in Article 5 of the GDPR.
1. Lawfulness, Fairness and Transparency
All processing requires a lawful basis. The lawful bases are listed in Article 6 of the GDPR; check that article for guidance on how to ensure the legitimacy of your processing activities. Processing of special categories of personal data is generally prohibited; there are a few exceptions, including when explicit consent has been obtained.
Processing should not cause harm or unexpected consequences to the individual. The GDPR introduces a transparency requirement. This means that individuals have the right to know what is being done with their data at all times, and you are obligated to tell them what you are using their data for.
2. Purpose Limitation
Once collected, data may be used only for the purposes to which the individual has consented or for which you have another lawful basis for processing. When obtaining consent, you must list the purposes in a clear and simple manner.
If you wish to use the data for purposes other than those you were originally allowed, you must ask for additional consent, unless the new purposes are very similar to the original ones and it is reasonable to expect that such processing would take place. For example, e-mailing a previous customer about your new offers is fine in most cases, but profiling them and selling their data is not. We advise you to play it safe and rely on this exception only when absolutely necessary.
The use of data for scientific, historical and archiving purposes in the public interest is considered compatible with initial purposes.
3. Data Minimisation
You should keep only the data you actually require for processing. Any additional but unnecessary data should be deleted, even if you have obtained consent for its use. Include only strictly necessary data in your processing, and aim to complete your processing activities using as little personal data as possible.
While you might feel this unnecessarily constrains your data operations, look at the flip side: the risk of data breaches is significantly reduced, and you do not have to waste resources on protecting data that you do not need in the first place.
4. Accuracy
Take reasonable steps towards ensuring the personal information you hold is up to date and correct. When obtaining data, you should try to obtain information that is as accurate as reasonably possible, although there is little you can do in this regard, and you are not at fault if incorrect data was provided to you.
You can do this by periodically asking your customers to update and revise their details. However, this is not explicitly required. Still, in some cases you should be extra careful to verify accuracy. This includes age verification to prevent children from accessing the website, where necessary, or employment purposes, where information from resumes may need to be independently verified.
What is required, however, is that when a user provides you with revised data, you must update your records immediately and refrain from further processing until you have done so. Inaccurate data should be deleted as soon as possible.
5. Storage Limitation
Storage limitation is temporal in nature. The GDPR does not set out fixed limits for data retention, but this does not mean data can be stored indefinitely.
Instead, you are allowed to keep data only for as long as is absolutely necessary for processing, and no longer, except where required by law or in the public interest. This means that you will have to periodically review the data you hold and whether it is still necessary. If it is not, delete it right away.
While this looks like a lot of work, it in fact simplifies your data handling practices. There is less data to store, check for accuracy, and worry about, and the risk of serious consequences from a data breach is markedly reduced.
In order to formalise the data audit process, we recommend creating formal data retention policies with the help of your data protection officer.
6. Integrity and Confidentiality
Keeping personal data secure is of utmost importance. You must ensure that all organisational and technical measures are adhered to at all times, and that you do not expose data to excessive security risks. The more sensitive the data, the stronger the security measures must be.
This includes protection against unlawful processing, damage, destruction, and unauthorised access from within the organisation, not only breaches that are the result of hacking. You should regularly perform risk assessments and update your data handling guidelines.
Consider the potential impact of cross-border data transfers and ensure they are adequately protected. Best practice is to notify individuals beforehand and obtain explicit consent if their data will be transferred outside the EU.
7. Accountability
The final principle, which builds upon all the others, is accountability. Under the accountability principle, you essentially need to provide evidence of good practice according to the six criteria above.
The bar for compliance is set higher than before, so it will definitely require more effort on your part. Keeping records of processing activities and consents, setting up proper data handling practices and cooperating with the supervisory authorities are some of the key requirements.
Your data protection officer will assist you in drafting mandatory privacy impact assessments, breach impact assessments and other measures that help you prove you are GDPR-compliant. Remember, it is not enough merely to be GDPR-compliant; you must be able to demonstrate compliance.
These data protection principles are sensible and do not stray much from those principles generally enshrined in existing privacy regulations.
However, there will certainly be more bureaucracy, and you should make allowances for that in your budget. As for avoiding the potentially huge fines, a data protection officer (DPO) is your best bet. Since nothing in the GDPR prevents a DPO from working for several clients, smaller companies could greatly benefit from outsourced DPO services, which are cheaper but still ensure the company’s practices are GDPR-compliant.