The GDPR introduced six data protection principles (listed below) which businesses must comply with when processing personal data. Businesses should also be able to demonstrate compliance through good data governance.
Data protection principles under the GDPR
- Businesses must process personal data fairly and in a transparent manner.
- Businesses must collect personal data only for one or more specified, explicit and legitimate purposes.
- Businesses must ensure personal data is adequate, relevant and limited to what is necessary.
- Businesses must ensure personal data is accurate and kept up-to-date.
- Businesses shall not keep personal data for longer than is necessary.
- Businesses must “ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
What do the principles really mean?
A business that does not comply with the six principles when it processes an individual’s personal data will not be complying with the GDPR. However, the GDPR contains a lot more detail besides these six principles, and simply complying with these principles will not be enough on its own to demonstrate compliance with the GDPR.
What are the significant changes brought in by the GDPR?
The GDPR requires businesses to process data “in a transparent manner”, so businesses will be expected to deal openly with any individuals with whom they interact.
Transparency is a key theme throughout the GDPR. When collecting data from individuals, businesses must explicitly state the purpose for which that data is being collected. Simply alluding to one or more potential purposes is not enough – the GDPR requires businesses to be explicit in listing those purposes and, if a purpose isn’t on the list, then the data cannot be used for that purpose.
What effect has this had on UK businesses?
Businesses are expected to provide individuals with more information than previously provided, particularly around the purposes for which those individuals’ data is being collected. This is covered in more detail in a separate briefing on privacy notices.
Businesses must refer back to the six GDPR principles in everything they do. Simply complying with these six principles will not, on its own, guarantee compliance with the GDPR, but a failure to comply with any one of these principles will result in a certain breach of the GDPR. Keeping records demonstrating good data governance has become even more important.
What does my business need to do?
Ensuring compliance with the principles is a continuing obligation rather than a ‘one off’ so you should be frequently reviewing and updating your internal practices and policies, and ensuring that all staff receive regular training on how they should be handling personal data. It’s important that you instil a culture of good data governance within the business and keep accurate records to evidence how you’re complying with the principles.
What does ‘transparent’ mean?
The GDPR does not define the word, but guidance issued by the Article 29 Working Party (‘WP29’) suggests that, in assessing transparency, it is important to consider form, language and accessibility.
- Form – The data controller may decide to provide information to data subjects in any form, including verbally; however, the WP29 recommends that information be provided in writing.
- Language – The language should be clear and provided in a simple manner. There should be no ambiguous terms or room for interpretation! It’s also important to remember your audience: if you are processing children’s data, you should ensure that the information is prepared for the appropriate reading age.
- Accessibility – Controllers should ensure that information on their processing activities is easily accessible, either by providing it directly to data subjects or by clearly signposting it. Data subjects should not need to seek out the information.
So if my business complies with the six GDPR principles, that’s enough?
No. Simply complying with the six principles will not, on its own, guarantee compliance with the GDPR, but a failure to comply with any one of these principles will result in a certain breach of the GDPR. Compliance with the six GDPR principles should be seen as the foundation for satisfying your duties under the GDPR, but there is much more besides.
Do I really have to tell my customers precisely what I’m going to do with their data?
Yes, before or at the time you collect the data from them. A vague statement that you need their data for business reasons won’t be enough – you will need to be ‘explicit’ and ‘transparent’. And if you miss a reason off that list, then you won’t be able to use that customer’s data for that missing reason.
Exactly how long can I keep data in my IT system – what is ‘no longer than necessary’?
The answer depends on a variety of things, including the type of data you are referring to. For some one-off transactions, the data should be erased immediately after the transaction completes. If you can reasonably and genuinely justify keeping the data for a certain period (e.g. for as long as your customer purchases goods/services from your business), then you can retain the data for that period. Do not keep data ‘just in case’ – under the GDPR, your business will be responsible for justifying why you haven’t deleted ‘dormant’ data.
How can I demonstrate that my business is complying with these principles?
Training. Impact assessments. Policies. Privacy Notices. Appointing a data protection officer. Audits.
Your business should put a proper, detailed ‘corporate governance’ framework in place that includes appointing a data protection officer, undertaking impact assessments and audits (both of which should be undertaken regularly, and recorded in writing), and ensuring that you have policies (both internal and external) that satisfy the requirements of the GDPR. All personnel, including directors, partners, employees and consultants, should undergo training on the GDPR and how it is being implemented within your business. This is one of those areas where a paper trail is important but, on its own, is not enough – whilst you do need the paper trail to demonstrate compliance, you also need to police internal compliance to ensure the business and everyone in it is complying with the paper trail in practice. And then document that, too.
- Data subject means the living individual that is identified, or can be identified, from the personal data.
- EEA means the European Economic Area, consisting of all EU member states, together with Iceland, Liechtenstein and Norway.
- GDPR means the General Data Protection Regulation, the EU law that has replaced the Data Protection Act 1998.
- Process means to do just about anything with personal data, e.g. collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, erasing, destroying or otherwise making the data available to somebody else.
- WP29 is an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission; it has since been replaced by the European Data Protection Board.
This briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.