The General Data Protection Regulation (GDPR) rewrote privacy rules, forcing companies to update their operations and even reformulate their product design, services and branding.
Perhaps the most important article of the GDPR is Article 5, which succinctly outlines some principles for how organisations and public authorities should process personal data.
The rest of the GDPR, or Data Protection Regulation, is largely a detailed extension of these principles.
In short, all GDPR rules are created on the basis of 7 basic principles to protect individuals. Together, the 7 principles create the mindset that a business must have around general personal data and sensitive personal data and the way in which the business must conduct data protection.
The principles are as follows:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
When you understand the 7 principles, it's easier to understand the GDPR rules and why the rules are the way they are. We will now go through the principles one by one.
Principle 1: Lawfulness, fairness and transparency
The first principle basically means that a company or public authority must have a lawful basis to process personal data. This is crucial. When a company processes personal data, it should have legitimate purposes for doing so. The GDPR refers to this principle as lawfulness. Reasons for processing data, called lawful grounds, can include:
- The data subject has consented to it.
- The company needs to be able to fulfil a contract.
- It is necessary to fulfil a legal or judicial obligation.
- To protect the vital interests of a natural person.
- It is a public task performed in the public interest.
- The company can prove that it has a legitimate interest, and that interest is not overridden by the rights and interests of the data subject.
Whether a company's legitimate interests outweigh the interests of the data subject is a balancing of interests that the data controller in a company must make. A controller is a party that determines the purposes and means of processing personal data.
The concept of fairness, laid down in the Data Protection Act, goes hand in hand with lawfulness. It means that a company should not intentionally withhold information about what or why it collects personal data. In other words, data subjects would not be surprised if they knew how a company was using their data. Fairness means that a company will not misuse the data it collects and that the company will treat it according to best practice.
Transparency is inherently linked to fairness. Transparency means being clear, open and honest with data subjects about who the company is and why and how it processes their personal data. By following this, the company acts fairly towards data subjects.
For example, it is very important for a company to tell data subjects if it is going to transfer their data to third countries or international organisations.
Principle 2: Purpose limitation
The GDPR's second principle restricts the use of personal data to specific activities. This purpose limitation means that data is only "collected for specified, explicit and legitimate purposes," as stated in the GDPR. Specific processing situations require specific processing grounds.
A company's purpose for processing personal data must be specific and clearly defined. And it must also be clearly communicated to individuals through a privacy statement. Finally, a company must follow it strictly and limit the processing of personal data to only those purposes that the company has specified.
If at any time a company wants to use the personal data it has collected for a new purpose that is incompatible with the original purpose, it must specifically ask for consent again to do so - unless the company has a clear obligation or function set out in law.
Principle 3: Data minimisation
The third principle is that a company should not collect personal information that is not essential to the purpose for which the personal information is used. The collection of personal data is therefore need-to-have and not nice-to-have.
A company should only collect the minimum amount of data it needs to fulfil the purpose, not just any data that could be useful. For example, if a company wants to get people to sign up for an email newsletter, it should only ask for the information necessary to send the newsletters.
A company would not practice data minimisation when it also asks for a telephone number and home address in the example.
Principle 4: Accuracy
A business must ensure the accuracy of the personal data it collects and processes. It may be that one of the company's customers has changed home address or surname. The customer's new personal data must be corrected as soon as possible in all systems that store the data. If the company has any business partners or a data processor who receives the customer's data, they must also be informed of the change.
It is a good idea for companies to set up systems or procedures so that personal data is checked regularly.
If inaccurate information and old data are processed, the data subject can object, as it is a requirement that companies process only accurate data.
Principle 5: Retention limitation
Many companies want to keep customer data for a long time, because it is nice to have it and it might be useful one day. But that's not how the GDPR works. Companies may only keep personal data for as long as they need it. So there must be a limit on how long personal data is kept.
As long as a company still has a purpose for storing the data, then of course it can do so. When the company no longer needs the personal data, it must delete it or possibly make it anonymous so that it can no longer be used to identify a person.
When personal data is deleted, it means that it is no longer available to the company.
Under the GDPR, a company must justify how long each piece of personal data should be kept. Establishing data retention periods is a good way to comply with this retention requirement. Companies can set up a default period, after which they anonymise or delete all personal data that the company no longer has a purpose to use.
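As an added illustration of the retention periods and default period described above (example code written for this page, not Moxso's or the GDPR's own), the following Python sweep keeps data while a purpose still exists, applies a per-purpose limit or the default period after the purpose ends, and then anonymises or deletes the record; the purposes, periods and records are constructed.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
# Constructed schedule (illustrative, not the page's): days kept after a purpose ends.
RETENTION_DAYS = {
    "newsletter": 30,      # unsubscribed: brief grace period, then gone
    "contract": 5 * 365,   # e.g. a bookkeeping obligation set out in law
}
DEFAULT_RETENTION_DAYS = 365  # the "default period" for unlisted purposes

@dataclass(frozen=True)
class Record:
    subject_id: str
    email: str
    purpose: str                  # the specified purpose the data serves
    purpose_ended: "date | None"  # None: the company still has this purpose
    stats_only: bool = False      # aggregate statistics still wanted afterwards

def retention_action(rec: Record, today: date) -> str:
    """Decide 'keep', 'anonymise' or 'delete' for one record."""
    if rec.purpose_ended is None:
        return "keep"                      # a purpose still exists
    limit = RETENTION_DAYS.get(rec.purpose, DEFAULT_RETENTION_DAYS)
    if today - rec.purpose_ended < timedelta(days=limit):
        return "keep"                      # inside the justified period
    return "anonymise" if rec.stats_only else "delete"

def anonymise(rec: Record) -> Record:
    # Drop identifying fields outright; hashing them would only pseudonymise.
    return replace(rec, subject_id="", email="")

def retention_sweep(records, today):
    """Apply the policy; return surviving records and a (purpose, action) log."""
    kept, log = [], []  # the log carries no identifiers, only what was done
    for rec in records:
        action = retention_action(rec, today)
        log.append((rec.purpose, action))
        if action == "keep":
            kept.append(rec)
        elif action == "anonymise":
            kept.append(anonymise(rec))
    return kept, log

TODAY = date(2024, 6, 1)  # fixed "today" so the sample is reproducible
SAMPLE = [                # constructed records, not real customers
    Record("s1", "a@example.com", "newsletter", None),
    Record("s2", "b@example.com", "newsletter", date(2024, 5, 20)),
    Record("s3", "c@example.com", "newsletter", date(2024, 3, 1)),
    Record("s4", "d@example.com", "contract", date(2020, 1, 1)),
    Record("s5", "e@example.com", "support", date(2022, 1, 1), stats_only=True),
]
```

The `(purpose, action)` log is the kind of documentation Principle 7 asks a controller to be able to produce.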
Principle 6: Integrity and confidentiality
The GDPR requires companies to maintain the integrity and confidentiality of the personal data they collect and protect it from internal or external threats. This requires planning and proactive diligence. Businesses must protect personal data from unauthorised or unlawful processing and accidental loss, destruction or damage.
Particularly sensitive information, such as health data, needs extra protection.
There is a security element to this principle. Businesses must carry out risk assessments of their systems and then ensure that security measures are in place to protect personal data as far as possible.
The way to ensure the integrity and confidentiality of personal data is for companies to have adequate security in place. "Adequate security" depends on the business itself.
An adequate level of security may vary internally within the company between the different purposes it has for processing personal data. An adequate level of security also varies between companies and/or business partners.
Companies must also ensure that personal data is treated with appropriate confidentiality and that unauthorised persons, such as hackers, cannot access it.
Principle 7: Accountability
Although this is principle number 7, it is one of the most important principles when it comes to following the GDPR in practice.
Independent regulators know that an organisation can say it follows all the rules without actually doing so. That's why they require a level of accountability: a company must have appropriate measures and documentation in place to prove its compliance with the data processing principles.
The supervisory authority, which in Denmark is Datatilsynet, can request this proof at any time. Documentation is key here. From the outset, companies must put in place a procedure to demonstrate that they are collecting, handling and storing personal data correctly. This documentation is called an Article 30 record.
It is the data controller's responsibility to prove that a company complies with data protection rules.
The importance of the principles when processing personal data
According to the GDPR, personal data must be processed with the "appropriate organisational and technical measures". This is to protect individuals when a company processes personal data about them and to comply with the 7 Basic Principles.
Companies must assess for themselves how "adequate" security is implemented in the company.
"Organisational measures" means that only those individuals who have a purpose in processing personal data should have access to them. In addition, organisational measures can also be about training employees on the GDPR.
Many people in a company handle personal data on a daily basis. Therefore, it is important that all employees know about the GDPR rules and how to handle the different categories of personal data in a secure way.
It is not necessary for everyone in a company to be an expert in GDPR, but there are often more employees who come into contact with personal data than most expect. And if just one employee happens to handle personal data incorrectly, that can lead to a data breach and needs to be taken very seriously.
That's why we recommend that all companies, in both the private and public sectors, use awareness training as a tool to improve their employees' understanding of proper data handling.
"Technical measures" most often relate to the IT systems that companies use. IT systems must be secured against hacking and protect personal data in the best possible way.
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.