The data protection principles are laid out within data protection legislation and they form the backbone of the requirements for any organisation processing personal data. Failure to implement the principles throughout the organisation is deemed to be a significant breach of the regulation and could attract the highest level of fines from the supervisory authority.
The principles are summarised here as:
- Personal data shall be processed lawfully, fairly and in a transparent manner
- Personal data shall be collected for specific, explicit and legitimate purposes (Purpose Limitation)
- Personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose of the processing (Minimisation)
- Personal data shall be accurate and, where necessary, kept up to date (Accuracy)
- Personal data shall be kept in a form which permits identification of the data subject for no longer than is necessary (Storage Limitation)
- Personal data shall be processed in a manner that ensures the appropriate security of the personal data (Security)
In addition to the above, the data controller shall be responsible for, and be able to demonstrate that it is in compliance with the above principles (Accountability).
Purpose Limitation
The purpose limitation principle requires that personal data should only be processed for the purpose for which we originally needed it. We cannot collect personal data for one purpose and then decide to use this personal data for a further separate purpose, unless the further processing is consistent with the original purposes. For example, we cannot process data to support a sale and then use it to promote a different vendor's products.
We therefore need to be specific in our reasons for collecting the personal data in the first place and have a legitimate reason for each of its uses. Purpose limitation as defined in the GDPR therefore requires that if we are likely to use the same data for separate purposes then we need to be transparent about this at the outset and have a valid lawful basis.
Minimisation
The minimisation principle requires that we should only collect the personal information that we need to meet the purpose of the processing. Collection of too much personal data could result in a risk to the data subject, so we must ensure that we are collecting only that which is needed. It is important to note that collection of too little information could also result in harm to the data subject, for example, if insufficient data was collected to post a product to the correct address.
By adhering to the minimisation principle we might have the most appropriate items of personal data and therefore be more efficient in our data protection practices.
Accuracy
The accuracy data protection principle requires that we should endeavour to keep personal data up to date as this supports our ability to provide services based upon current data. Clearly there is a dependency on maintaining a relationship with a source of accurate data, such as maintaining a relationship with the data subject.
There are circumstances where this principle may not apply. For example, organisations sometimes need to maintain personal data for archiving purposes where changing the personal data could damage the integrity of the processing.
Storage Limitation
The storage limitation principle recognises that the measure should be ‘as long as is necessary’, which could potentially be any length of time if there is a rationale to evidence it. For example, it may be necessary to retain asbestos records for 40 years, some HR records for 6 years and other records such as CVs for unsuccessful candidates for only a few months. This means that we should consider how long data should be retained in its current state, which would in turn translate into our data retention schedule.
To manage this principle effectively, organisations must also have records management processes in place to ensure that personal data is reviewed at the end of the retention period and, if appropriate, deleted. Even if a data retention schedule exists, there may still be a rationale for retaining data for longer periods of time, such as there being a legal hold on data required to support a court case etc.
This data protection principle also requires that we consider how to restrict identification of the data subject whilst the data is still deemed necessary. Techniques such as anonymisation or encryption can be considered as these would have the effect of stopping an unauthorised party from identifying the data subject.
Security
The security principle requires that we should endeavour to keep personal data safe through different levels of technical and organisational controls. Technical controls will be closely aligned with information security standards, whereas organisational controls may be simpler, such as physical barriers to protect personal data. Adopting a data management standard, such as ISO 27001 or ISO 27701, may be an appropriate response to implementing and managing security within an organisation.
Accountability
The accountability principle signifies a step change in data protection legislation. This data protection principle requires organisations to be able to demonstrate their adherence to the previously noted principles, which in turn means that organisations now need to better understand personal data risk and evidence how it can be mitigated.
In order to demonstrate accountability, an organisation must now maintain records of how it meets all of the principles, plus how it maintains the rights of the data subject. For larger organisations the regulation mandates the documentation of activities in the record of processing activities; however, smaller organisations also need to be able to demonstrate accountability, so understanding how you process personal data is an important step to demonstrating accountability. Therefore, tools such as a Record of Processing Activities, a data breach log or a risk log all add to the ability to evidence compliance and therefore help to meet the accountability principle.
Previous legislation did not contain an accountability principle, which meant that regulators would only be able to enforce any action if an issue were to arise. This new principle now provides for the supervisory authority to review an organisation's practices without any issue being identified, and they can do this by instigating an audit, either through an on-site or an off-site audit of documentation.