At the heart of GDPR are seven fundamental principles set out in Article 5 of the legislation. They serve as a guiding framework for handling people’s data, stating the broad aims of GDPR rather than laying down rigid rules. Notably, these principles largely align with those of previous data protection laws.
Key Principles of GDPR
The seven principles of GDPR are:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
In practice, only one of these principles—accountability—is a new addition to data protection rules. In the UK, all the other principles are similar to those that existed under the 1998 Data Protection Act.
Data Minimization
The data minimization principle, though not new, remains crucial in an era where we generate more information than ever before. Organizations are advised not to gather more personal information than necessary from their users. According to the ICO, “You should identify the minimum amount of personal data you need to fulfill your purpose. You should hold that much information, but no more.”
This principle is crafted to prevent organizations from excessively collecting data about individuals. For example, it is highly unlikely that an online retailer would need to gather information about people’s political opinions when they sign up for the retailer’s email mailing list to receive notifications about sales.
Integrity and Confidentiality
Under the 1998 data protection laws, security constituted the seventh principle. Over the course of more than two decades of implementation, a set of best practices for safeguarding information emerged, and many of these have been incorporated into the GDPR.
According to GDPR, personal data must be protected against “unauthorized or unlawful processing” and against accidental loss, destruction, or damage. In simpler terms, organizations must implement appropriate information security measures so that data is neither accessed by unauthorized parties (such as attackers) nor leaked inadvertently in a breach.
GDPR does not specify exact criteria for good security practice, because what is appropriate varies from one organization to the next. A bank, for instance, will need more robust information protection measures than a local dentist. In general terms, however, proper access controls should be in place, websites should use encrypted connections, and pseudonymization of personal data is encouraged.
The ICO emphasizes that “your cybersecurity measures need to be appropriate to the size and use of your network and information systems.” In the event of a data breach, data protection regulators will scrutinize a company’s information security setup when determining potential fines.
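The following is an added worked example, not code from the original article or from any regulator, showing two of the measures mentioned above in practice: data minimization (the mailing-list case from the earlier section, keeping only the fields the declared purpose needs) and pseudonymization (replacing a direct identifier with a keyed token so records stay linkable for the organization but are not re-identifiable without the separately held key). The field names, the sample sign-up record and the choice of HMAC-SHA256 as the pseudonymization function are assumptions made for this example.

```python
import hmac
import hashlib
import secrets

# Assumption for this example: the only fields a newsletter sign-up actually
# needs for its stated purpose. Anything else submitted is outside the purpose.
NEWSLETTER_FIELDS = frozenset({"email", "consent_marketing"})

# Constructed sample sign-up record. The extra fields illustrate over-collection.
SAMPLE_SIGNUP = {
    "email": "Alice.Example@example.com",
    "consent_marketing": True,
    "political_opinion": "undisclosed",   # special-category data; not needed
    "date_of_birth": "1990-01-01",        # not needed for a mailing list
}


def minimize_record(record: dict, allowed_fields: frozenset) -> dict:
    """Keep only the fields required for the declared purpose; drop the rest.

    Doing this at the point of collection means the unnecessary data is never
    stored, which is the simplest way to honour the minimization principle.
    """
    return {k: v for k, v in record.items() if k in allowed_fields}


def pseudonymize(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    Same identifier + same key -> same token, so records remain linkable
    within the organization. Without the key the token cannot be reversed
    or recomputed, which is what distinguishes pseudonymization from a
    plain unkeyed hash of a low-entropy value such as an e-mail address.
    The identifier is normalised first so trivial case/whitespace
    differences do not produce different tokens.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, key: bytes, id_field: str = "email") -> dict:
    """Return a copy of the record with the direct identifier swapped for a token.

    The key must be stored apart from the pseudonymized data (for example in a
    key-management service with its own access controls) for the separation
    to mean anything; that storage is outside the scope of this example.
    """
    out = dict(record)
    if id_field in out:
        out["subject_token"] = pseudonymize(out.pop(id_field), key)
    return out


def process_signup(record: dict, key: bytes) -> dict:
    """Minimize first, then pseudonymize: the analytics copy of the record."""
    return pseudonymize_record(minimize_record(record, NEWSLETTER_FIELDS), key)


if __name__ == "__main__":
    # Key generated per run here for illustration only; in practice it is
    # created once, stored separately from the data, and rotated on a schedule.
    demo_key = secrets.token_bytes(32)
    print(process_signup(SAMPLE_SIGNUP, demo_key))
```

Two points the code makes that the text only states: the minimized record is what gets stored, so over-collected fields never reach the database at all, and the token is only as protective as the separation between key and data, which is why the key must sit under different access controls than the pseudonymized records.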
Accountability
Accountability is the sole new principle introduced under GDPR, aiming to ensure that companies can demonstrate their commitment to complying with the other principles outlined in the regulation. At its core, accountability involves documenting how personal data is managed and the measures taken to ensure that only authorized individuals have access to specific information. This may encompass activities such as training staff in data protection practices and regularly assessing data handling processes.
A breach involving the “destruction, loss, alteration, unauthorized disclosure of, or access to” individuals’ data must be reported to the country’s data protection regulator if it could have a detrimental impact on the individuals concerned. Such impact may include financial loss, breaches of confidentiality, damage to reputation, and more. In the UK, organizations are required to inform the ICO of a data breach within 72 hours of becoming aware of it, and affected individuals must also be notified.
For companies with over 250 employees, there is a requirement to document the reasons for collecting and processing individuals’ information, provide descriptions of the held information, specify the duration of data retention, and detail the technical security measures in place. Article 30 of GDPR mandates most organizations to maintain records of their data processing, data sharing practices, and storage methods.
Organizations engaging in “regular and systematic monitoring” of individuals on a large scale or processing substantial amounts of sensitive personal data are obligated to appoint a Data Protection Officer (DPO). This may involve hiring new staff, although larger businesses and public authorities may already have individuals in this role. The DPO is responsible for reporting to senior staff members, ensuring GDPR compliance, and serving as a point of contact for employees and customers.
The accountability principle becomes crucial if an organization is under investigation for potential breaches of GDPR principles. Maintaining accurate records of systems in place, data processing procedures, and steps taken to address errors can help organizations demonstrate to regulators their serious commitment to fulfilling GDPR obligations.
If you have any more questions or need further assistance, please feel free to ask here. We’d like to help you.