The 7 Key Principles of GDPR
If you have heard about data privacy then you have no doubt heard about the GDPR. There are 7 key principles that are the foundation of the GDPR, so what are they?
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
1. Lawfulness, Fairness and Transparency
According to the GDPR “Personal data shall be:
“processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness, transparency’)” (Article 5.1(a) GDPR)
You need to satisfy all three elements of this principle: lawfulness, fairness and transparency.
What is meant by lawfulness in relation to the GDPR?
To satisfy the lawfulness element of this principle you must identify a lawful basis for any processing of personal data before it starts. Article 6 GDPR sets out six lawful bases, and at least one of them must apply to each processing activity. They are:
- Consent: the individual has given you clear consent to process their personal data for a specific purpose.
- Contract: processing is necessary to perform a contract you have with the individual, or to take steps the individual has asked for before entering into a contract.
- Legal obligation: processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: processing is necessary to protect someone's life.
- Public task: processing is necessary to perform a task in the public interest or to exercise official authority vested in you. The task or authority must have a clear basis in law.
- Legitimate interests: processing is necessary for your legitimate interests or those of a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the individual. This basis is not available to public authorities processing data in the performance of their tasks.
Fairness in relation to the GDPR means that you should only process personal data in ways that the individual would reasonably expect, and that your processing should not have an unjustified adverse effect on them.
Another aspect of fairness is the way in which the information was obtained. You must make sure the individual knows why and how their personal data is being collected. If you obtained the personal data by deceiving or misleading the individual, the processing is unlikely to satisfy the fairness element of this principle.
What is meant by transparency in GDPR?
Transparency means being clear, open and honest with people from the start about who you are and how and why you use their personal data. The specific information you must provide, and when, is set out in Articles 12 to 14 GDPR and is usually delivered through a privacy notice.
To comply with the lawfulness, fairness and transparency principle you must:
- identify a lawful basis for the processing
- identify a separate condition for processing special category data or criminal offence data, where you process either
- only use the personal data for lawful purposes
- consider how the processing will affect the people whose data it is, and be able to justify any adverse impact on them
- process personal data in ways people would expect, or be able to explain why you are processing it for other reasons
- not be deceptive or misleading when you collect personal data
- be open and honest about how you collect and use personal data
2. Purpose Limitation
According to the second key principle of the GDPR “Personal data shall be:
“collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);” (Article 5.1(b) GDPR)
In practice this means you must be clear from the outset about why you collect your users' personal data and how you use it. If you later want to use the personal data for a reason other than the one originally specified, that new use must itself be fair, lawful and transparent.
To ensure you are complying with the purpose limitation principle you will need to:
- identify the purpose for processing
- document the purpose
- before using personal data for a new purpose, check that the new purpose is compatible with the original one; if it is not, obtain the individual's consent for the new purpose or identify a clear legal obligation that requires it.
3. Data Minimisation
The third key principle of the GDPR is data minimisation. According to this principle, “personal data shall be”:
“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);” (Article 5.1(c) GDPR)
This means you should collect only the personal data you need to achieve the stated purpose, and no more. Holding more personal data than the purpose requires breaches the data minimisation principle.
To make sure you are complying with the data minimisation principle you will need to:
- collect personal data only when it is needed for a specific purpose
- have only enough personal data to fulfil the purpose
- review the data from time to time and delete any unnecessary data
4. Accuracy
The fourth key principle of the GDPR is accuracy. The accuracy principle states that “personal data shall be”:
“accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);” (Article 5.1(d) GDPR)
The accuracy principle requires that you ensure the accuracy of any personal data you collect (within reason) and that this data remains valid and fit for purpose.
In order to comply with the accuracy principle you will need to:
- ensure the accuracy of any personal data collected
- update the data as required
- where you need to keep a record of a mistake (for example, to show what was corrected), clearly mark it as a mistake so it is not treated as accurate data
- comply with the right to rectification
5. Storage Limitation
The storage limitation principle is the fifth key principle of the GDPR. According to the storage limitation principle “personal data shall be”:
“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);” (Article 5.1(e) GDPR)
The fifth key principle means that you cannot hold data for longer than is required and you must be able to justify the reason for storing the data.
Personal data may be held for longer periods of time if you are keeping it for one of these reasons:
- public interest archiving
- scientific or historical research
- statistical purposes.
In order to comply with the storage limitation principle you will need to:
- know what personal data you hold
- know why you hold it
- be able to justify how long you retain each category of personal data, ideally in a documented retention schedule
- erase or anonymise personal data that is no longer required
- have a process in place for handling requests to have personal data erased
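The retention checklist above can be turned into something enforceable rather than a policy on paper. The following is an added example, not code from the original article: a small retention job in which every record carries the purpose it was collected for, every purpose has a documented retention period, a disposal action and a written justification, and every decision is logged so the outcome can be demonstrated. The purposes, periods, justifications and sample records are all constructed for the example and are not drawn from the GDPR or any guidance; a record whose purpose has no documented rule is set aside for human review instead of being silently kept, because an undocumented purpose means there is no justification for holding the data.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionRule:
    keep_for: timedelta    # how long personal data may be held for this purpose
    action: str            # "erase" or "anonymise" once keep_for has elapsed
    justification: str     # documented reason for the period (hypothetical wording)


# Hypothetical retention schedule; the purposes, periods and justifications
# are constructed for this example and are not taken from the article or the law.
RETENTION_SCHEDULE = {
    "order_fulfilment": RetentionRule(
        timedelta(days=365 * 6), "erase",
        "invoice data kept for the accounting retention period"),
    "newsletter": RetentionRule(
        timedelta(days=365 * 2), "erase",
        "consent treated as lapsed after two years without contact"),
    "service_analytics": RetentionRule(
        timedelta(days=90), "anonymise",
        "identifiers needed only for de-duplication; aggregates retained"),
}

# Field names treated as direct identifiers for anonymisation (hypothetical).
DIRECT_IDENTIFIERS = {"name", "email", "ip_address", "customer_id"}


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str        # the purpose the data was collected for (purpose limitation)
    collected_on: date
    fields: dict


def anonymise(record):
    """Strip direct identifiers so the remaining fields no longer identify the person."""
    kept = {k: v for k, v in record.fields.items() if k not in DIRECT_IDENTIFIERS}
    return replace(record, fields=kept)


def apply_retention(records, today, schedule=RETENTION_SCHEDULE):
    """Apply the retention schedule as of `today`.

    Returns (retained, needs_review, log):
      retained     - records still within their period, plus anonymised survivors
      needs_review - records whose purpose has no documented rule
      log          - one (record_id, decision, reason) tuple per record
    """
    retained, needs_review, log = [], [], []
    for rec in records:
        rule = schedule.get(rec.purpose)
        if rule is None:
            # No documented purpose means no justification for holding the data;
            # quarantine for a human decision rather than keeping it by default.
            needs_review.append(rec)
            log.append((rec.record_id, "review", f"no retention rule for purpose {rec.purpose!r}"))
            continue
        expires_on = rec.collected_on + rule.keep_for
        if today < expires_on:
            retained.append(rec)
            log.append((rec.record_id, "keep", f"expires {expires_on.isoformat()}: {rule.justification}"))
        elif rule.action == "anonymise":
            retained.append(anonymise(rec))
            log.append((rec.record_id, "anonymise", rule.justification))
        else:
            # Erased records are simply not carried forward; the log entry is the evidence.
            log.append((rec.record_id, "erase", rule.justification))
    return retained, needs_review, log


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    Record("r1", "order_fulfilment", date(2020, 1, 15),
           {"name": "A. Example", "email": "a@example.com", "invoice_total": 42.0}),
    Record("r2", "newsletter", date(2021, 3, 1),
           {"email": "b@example.com"}),
    Record("r3", "service_analytics", date(2024, 1, 1),
           {"ip_address": "203.0.113.5", "customer_id": "c3", "page": "/checkout", "latency_ms": 180}),
    Record("r4", "legacy_import", date(2019, 1, 1),
           {"name": "D. Example"}),
]


if __name__ == "__main__":
    retained, review, log = apply_retention(SAMPLE_RECORDS, date(2024, 6, 1))
    for entry in log:
        print(*entry)
    print("retained:", [r.record_id for r in retained], "review:", [r.record_id for r in review])
```

Run as of 2024-06-01, the sample gives one record kept (still inside its six-year period), one erased (newsletter consent older than two years), one anonymised (analytics row past 90 days, with the IP address and customer ID dropped) and one flagged for review because its purpose is not in the schedule. The log is what you would show a supervisory authority under the accountability principle: it ties each decision to the documented justification for that purpose.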
6. Integrity and Confidentiality (security)
The sixth key principle in the GDPR is the Integrity and Confidentiality Principle, also known as the Security Principle. According to this principle, “personal data shall be”:
“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” (Article 5.1(f) GDPR)
To ensure you are complying with the Integrity and Confidentiality Principle you need to:
- determine the level of security that is required, based on the type and volume of personal data you process and the risk to individuals if it were compromised
- have a written information security policy and make sure it is followed
- have basic technical controls in place (access control, patching, malware protection and similar) to reduce the risk of cyber attacks
- use pseudonymisation and encryption where appropriate (both are named as example measures in Article 32 GDPR)
- understand the confidentiality, integrity and availability requirements of the personal data you hold, since the principle covers accidental loss and destruction as well as unauthorised access
- have an appropriate backup and restore process so that personal data can be recovered if it is lost or damaged
- regularly test and review your security measures to confirm they work, and adjust your procedures as required
7. Accountability
The accountability principle is the seventh key principle in the GDPR. According to Article 5.2 of the GDPR:
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).” (Article 5.2 GDPR)
There are two key points in the accountability principle and these are that you must be responsible and comply with the GDPR and you are required to demonstrate how you comply.
To demonstrate your compliance you will need to:
- keep evidence of how you comply with the GDPR, including records of your processing activities where required by Article 30
- adopt and implement data protection policies where proportionate to your processing
- take a data protection by design and by default approach, building data protection into your processing operations from the start rather than adding it afterwards
- implement appropriate security measures
- record all personal data breaches, and report them to the supervisory authority (and, where the risk to individuals is high, to the individuals themselves) when the GDPR requires it
- appoint a data protection officer if required