GDPR – The six privacy principles

With GDPR, there are six principles which give companies a broad, top level overview of which areas are covered by the new regulation. These principles are:

Lawfulness, fairness and transparency

Transparent: The subject must be told what data processing will be done.
Fair: What is processed must match how it has been described
Lawful: Processing of the data must meet the tests described in GDPR [article 5, clause 1(a)].

Purpose limitations

Personal data can only be obtained for “specified, explicit and legitimate purposes” [article 5, clause 1(b)]. This means that data can only be used for a specific processing purpose that the subject has been made aware of and no other, without obtaining further consent from the subject.

Data minimisation

Data collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. [Article 5, clause 1(c)]. This means that no more than the minimum amount of data should be kept for specific processing.

Accuracy

Data must be “accurate and where necessary kept up to date” [article 5, clause 1(d)]. Baselining (comparing current computer network performance to a historical metric) can help to ensure good protection, and protection against identity theft. Data holders should also build rectification processes into data management and archiving activities for subject data.

Storage limitations

The Regulator will expect all personal data to be “kept in a form which permits identification of data subjects for no longer than necessary”. [Article 5, clause 1(e)]. This means that businesses / organisations will need to stay on top of the job of removing any data that is no longer required.

Integrity and confidentiality

Processors of data will need to handle that data “in a manner [ensuring] appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage”. [Article 5, clause 1(f)].