The starting point for being compliant with the GDPR is to understand the main principles behind it. You also must consider the vision of the European Data Protection Board, which wrote the GDPR: to create the world’s largest single digital market, one which allows the free flow of data between Member States so that business is enabled whilst the rights, freedoms and interests of the data subject are protected.
Principle 1 – Lawfulness, Fairness and Transparency
To process personal data lawfully, organisations must comply with one of the six conditions set out in Article 6 GDPR. Of the six, in practice most commercial organisations would have to use Consent, Contract, or Legitimate Interests as their lawful basis for processing personal data.
The concept of Fairness is more complex. On the one hand, it is about the data subject knowing who is processing their data and why. On the other hand, it is about the relative bargaining positions of the company and the individual. Often the company can overwhelm the individual, which the EU does not see as fair.
Transparency is how the data controller demonstrates that it is being lawful and fair: by providing all of the relevant information in the Data Privacy Notice and/or at the time the personal data is collected.
Principle 2 – Purpose Limitation
The GDPR states that organisations must be transparent about the reasons, or purposes, for which they will use the personal data. What organisations cannot do is collect the data for one purpose and then decide that they will use it for something else. For example, if you collect data just to manage a customer’s account, you cannot then send them marketing messages. If you wanted to send marketing messages, you should have told them this at the beginning. However, all is not lost: as long as you ask them for permission for the new purpose, explain the lawful conditions under which the new processing will take place, and gain their consent, this is allowed. The most efficient way of telling data subjects about the purposes of the personal data processing is in the Data Privacy Notice.
Principle 3 – Data Minimisation
The personal data that is collected and used by the Data Controller must be the bare minimum required to carry out the processing activity. An example would be an electronic magazine company that never produces a physical product: why would it need the customer’s home address? Should there be a data breach, holding the least amount of data necessary limits the damage or distress to the data subjects.
Principle 4 – Accuracy
If a data controller is working with inaccurate personal data, then its processing activities will be a waste of time. Imagine you are sending out information about a new product: if all your email addresses are wrong, nobody will know about your new product, which in turn will affect your turnover and profits. It is the responsibility of the Data Controller to ensure it collects the correct data in the first place. However, if the data subject’s details change, e.g. they move house, then they should inform the Controller. That said, it is good practice to check with customers when they telephone or visit the company.
Principle 5 – Retention Limitation
Data Controllers should only store personal data for the period that it is required to perform the service it was collected for. However, there are other laws which state how long personal data must be stored for, and these trump the GDPR. For example, financial records must be kept for 6 years. Within your Data Privacy Notice, you must state how long you will retain people’s personal data for. Also, in your employee handbook or in a new employee’s induction pack, you should inform employees how long you will keep employee records for. All of this should be encapsulated in a Data Retention Policy.
Principle 6 – Integrity and Confidentiality
Integrity is another part of transparency in that it shows that the Data Controller is always acting in the interests of the data subject and protecting their rights and freedoms. The Data Controller must ensure that the organisational and technical measures it deploys are designed to ensure the confidentiality of the personal data. This is especially important when using third parties to process the personal data in that the Data Controller must assure itself that the Data Processor has the correct measures in place and that these are reflected in Service Level Agreements and Contracts.
Principle 7 – Accountability
Data Controllers and Data Processors must not only comply with the GDPR, but must also be able to demonstrate compliance. This requires organisational measures to be implemented, such as detailed records of processing, evidence of staff awareness and training, and policies and procedures specifically addressing data protection, to name but a few, together with technical measures such as data encryption and resilience against hacking attacks.
As can be seen from this list, there are some weighty principles that you must bear in mind when considering the GDPR. It is also why organisations such as the ICO keep saying that compliance is not a ‘tick-box exercise’, but rather requires a fundamental shift in people’s perceptions and attitudes towards personal data and processing activities.
If you would like more information on these Principles, or on the GDPR in general, then please don’t hesitate to contact us at firstname.lastname@example.org or on 020 7368 3104.