The General Data Protection Regulation (GDPR) controls how organisations store and use personal data. It ensures that personal data is not gathered or used maliciously, or given to other entities without consent.
Fines for breaches of data laws can be hefty, so awareness and understanding, followed by implementation, are crucial. In this article, we examine the seven principles of the GDPR that set out the exact rules surrounding data rights. This will help ensure you are doing your duty for the clients and others whose personal data you collect.
Why Was The GDPR Legislation Introduced?
GDPR was introduced to standardise data protection laws across all EU member states. The aim was to make it easier for EU citizens to understand how organisations use their data, to request access to their data and to raise complaints. Citizens do not have to be in the country to request access to their data or to complain about how it is used.
After Brexit, the UK passed the Data Protection Act 2018, which carries EU GDPR into UK law with very few changes. This is often referred to as UK GDPR.
Under these regulations, we all have the right to:
- Be informed about how our data is being used
- Access our personal data
- Have incorrect data corrected
- Have personal data erased
- Stop or restrict organisations processing our data
- Object to how our data is being processed
What are the 7 principles of GDPR?
GDPR lays out seven principles that simplify what organisations' legal duties are when it comes to data. Let's examine what these are.
1. Lawfulness, Fairness and Transparency
There needs to be a good reason to process someone's personal data. This is what the regulations term lawfulness. Valid reasons include having been given consent by the data subject, needing to fulfil a legal obligation, or the processing being part of a public task carried out in the public interest.
Fairness is linked to lawfulness in that you should not misuse or mishandle personal data. Lastly, transparency is about being open, clear and honest about what you do with the data, why you process it and how.
2. Purpose Limitation
Data must only be used for specific activities, and organisations must clearly state why they are processing personal data and what for. As the GDPR puts it, data must only be "collected for specified, explicit and legitimate purposes".
Privacy notices, often found at the foot of a company website, are where the purpose of usage and the handling details are explained.
If you want to use the data you have collected for a new, specific purpose, you will have to obtain consent from the individual again. Not doing so counts as a breach of the regulations.
3. Data Minimisation
You should gather only the smallest amount of data needed for the intended purpose. For example, if you want to sign customers or service users up to an email newsletter, you will just need their email address. You will not need to ask for, or use, their home addresses and telephone numbers as well.
4. Accuracy
This principle is fairly straightforward. Personal data you collect must be accurate and kept up to date. Incorrect or incomplete data should be corrected or erased. It is a good idea to have a plan in place to check the data you hold for accuracy on a regular basis.
5. Storage Limitation
Depending on what you are storing, there should be a reasonable, justifiable retention period. It is good practice to set a standard length of time for which you hold each kind of data. Once that time lapses, a process should be in place to discard the data safely and lawfully.
6. Integrity and Confidentiality
This relates to making sure that processes are in place to keep data secure from internal and external threats, such as cyber attacks. It is your responsibility to have robust systems in place to prevent unlawful or unauthorised access or processing, as well as accidental loss, destruction or damage.
The case study below is an example of what can happen when customer data is unlawfully accessed because robust systems were not in place to prevent it.
A whopping 383 million Marriott hotel guest records were compromised after the company's reservation database was breached. The personal data of the hotel chain's guests, including names, addresses, payment card details and passport numbers, was exposed.
The hack originated in 2014 in Starwood Group's reservation system. Marriott acquired the group in 2016, but the intrusion was not discovered for another two years, in 2018. Marriott was given an £18.4m fine.
7. Accountability
The last principle is accountability. This is about being able to prove that you comply with data laws; evidence of this can be requested at any time. Documenting everything creates an audit trail that you and the authorities can follow if and when needed.
Why Are The 7 Principles of The GDPR Important?
These seven principles are central to UK GDPR. Set out at the beginning of the legislation, they inform everything that follows. Making sure that you comply with the regulations and have control systems in place is vital. We all deserve to have our personal data handled and stored correctly, and the penalty for failing to do so is a fine of up to £17.5 million or 4% of total annual turnover, whichever is higher.
Greater Awareness Reduces the Likelihood of Breaches
Hopefully, this blog has broken the seven principles of the GDPR down into understandable chunks. To gain further knowledge and understanding of data laws, why not take a look at our GDPR awareness training course?
Our course can be taken online and helps to create awareness within your workforce, keeping your business compliant with GDPR law.
Learning outcomes of this course include a greater knowledge of the GDPR legislation, understanding of the key terms, awareness of what personal data is and how best to protect it, as well as knowledge of the consequences of non-compliance.
If you have any questions about this or our other training options, we have friendly support teams waiting for you to contact them.