The EU GDPR (General Data Protection Regulation) outlines six data protection principles that summarise its many requirements. Some refer to them as the six data ‘processing’ principles.
These principles lie at the heart of the Regulation. Meeting them goes a long way towards overall GDPR compliance.
In this blog
- An overview of each principle:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
1. Lawfulness, fairness and transparency
The first principle is relatively self-evident: organisations need to ensure their data collection practices don’t break the law and they aren’t hiding anything from data subjects.
Going through one point at a time:
- To process data ‘lawfully’, your processing must rest on at least one of the six lawful bases in Article 6 of the GDPR (consent, contract, legal obligation, vital interests, public task or legitimate interests). Your data processing must also not breach any other law.
- To process data ‘fairly’, it must not be unduly detrimental, unexpected or misleading to data subjects.
- To process data ‘transparently’, you must be clear, open and honest with your data subjects about how you’ll use their data. Privacy notices are a common tool for communicating this.
2. Purpose limitation
You may only collect and process personal data for specified, explicit and legitimate purposes.
In the interests of transparency, you must also make those purposes clear from the start to data subjects. Plus, you must document those purposes to demonstrate accountability.
If you later want to process the data for a new purpose, you may only do so if one of the following applies:
- The new purpose is compatible with the purpose you originally collected the data for;
- The further processing is required by EU or member state law; or
- You obtain the data subject’s specific consent to the new purpose.
The GDPR gives more freedom to further processing for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes.
3. Data minimisation
Quite simply, keep the amount of data you collect and process to a minimum.
The GDPR’s own wording is that the data must be “adequate, relevant and limited to what is necessary”. In practice, you do this by ensuring:
- The data is adequate: sufficient to properly fulfil your declared purpose for processing (collecting too little, and then guessing or inferring the rest, is also a minimisation failure);
- The data is relevant: clearly linked to that purpose; and
- The data is limited: you don’t hold more data, or more detailed data, than you need to fulfil that purpose.
Doing the above has two major benefits:
- In the event of a breach, less data will be compromised.
- Keeping data accurate and up to date (a GDPR requirement) will be easier.
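Both the data minimisation principle above and the storage limitation principle (section 5 below) become enforceable, rather than aspirational, once each declared purpose is recorded in a machine-readable register that says which fields the purpose needs and how long it needs them. The example below is added here and is not code from the original article or from any product it mentions. It assumes a purpose register of that shape, with constructed purposes, field names, retention periods and sample records: `minimise()` refuses a record that cannot fulfil its purpose and strips fields the purpose does not need, and `review_retention()` produces an audit entry for every record whose retention period has elapsed.

```python
"""Purpose-bound minimisation and retention checks for personal data.

Added example for this post, not code from the original article or from
any product it mentions. The purposes, field names, retention periods and
sample records are constructed; real values come from your own record of
processing activities and retention schedule.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Purpose:
    """One declared purpose, as documented for accountability."""
    name: str
    required: frozenset   # fields without which the purpose cannot be fulfilled
    optional: frozenset = frozenset()
    retention: timedelta = timedelta(0)   # how long after collection it is needed
    retention_basis: str = ""             # why that period, for the retention schedule

    @property
    def allowed(self) -> frozenset:
        return self.required | self.optional


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed register: a one-off web-shop order and monthly payroll.
PURPOSES = {
    "order_fulfilment": Purpose(
        name="order_fulfilment",
        required=frozenset({"name", "delivery_address", "order_items"}),
        optional=frozenset({"email"}),
        retention=timedelta(days=30),
        retention_basis="returns window (assumed 30 days)",
    ),
    "payroll": Purpose(
        name="payroll",
        required=frozenset({"name", "bank_account", "salary", "tax_id"}),
        optional=frozenset({"home_address"}),
        retention=timedelta(days=6 * 365),
        retention_basis="statutory record-keeping period (assumed six years)",
    ),
}


class InsufficientData(ValueError):
    """The record lacks a field the purpose cannot do without."""


def minimise(record: dict, purpose: Purpose) -> tuple:
    """Return (kept, dropped): the fields `purpose` needs, and the names of
    surplus fields that must not be collected or stored. A record that
    cannot fulfil the purpose is refused (inadequate); fields irrelevant
    to it are stripped (excessive) and reported so the caller can log them.
    """
    missing = sorted(purpose.required.difference(record))
    if missing:
        raise InsufficientData(f"{purpose.name}: cannot proceed without {missing}")
    kept = {k: v for k, v in record.items() if k in purpose.allowed}
    dropped = sorted(k for k in record if k not in purpose.allowed)
    return kept, dropped


def retention_expired(collected_at: datetime, purpose: Purpose, now: datetime) -> bool:
    """True once `purpose` no longer justifies holding data collected at
    `collected_at` (storage limitation)."""
    return now >= collected_at + purpose.retention


def review_retention(store: list, purposes: dict, now: datetime) -> list:
    """Periodic review: one audit entry per record whose retention period has
    elapsed. The caller deletes or anonymises those records and keeps the
    entries as evidence that the review happened.
    Each item in `store` is {"id", "purpose", "collected_at", "data"}.
    """
    audit = []
    for item in store:
        purpose = purposes[item["purpose"]]
        if retention_expired(item["collected_at"], purpose, now):
            audit.append({
                "id": item["id"],
                "purpose": purpose.name,
                "expired_on": (item["collected_at"] + purpose.retention).date().isoformat(),
                "reviewed_on": now.date().isoformat(),
                "basis": purpose.retention_basis,
                "action": "delete_or_anonymise",
            })
    return audit


# Constructed order carrying two fields a web shop has no business keeping.
SAMPLE_ORDER = {"name": "A. Example", "delivery_address": "1 High St",
                "order_items": ["mug"], "email": "a@example.com",
                "date_of_birth": "1990-01-01", "marketing_opt_in": True}
SAMPLE_STORE = [
    {"id": 1, "purpose": "order_fulfilment", "collected_at": utc(2024, 4, 1), "data": {}},
    {"id": 2, "purpose": "payroll", "collected_at": utc(2020, 1, 1), "data": {}},
]

if __name__ == "__main__":
    kept, dropped = minimise(SAMPLE_ORDER, PURPOSES["order_fulfilment"])
    print("stored:", sorted(kept), "refused:", dropped)
    for entry in review_retention(SAMPLE_STORE, PURPOSES, utc(2024, 6, 1)):
        print("expired:", entry)
```

Two design points are worth noting. The register returns the list of refused fields instead of silently discarding them: a recurring `date_of_birth` in `dropped` tells you an upstream form is collecting more than the declared purpose allows, which is a finding for your DPIA, not just a filter to apply. And the retention review emits an audit entry carrying the documented basis for the period, so the deletion itself becomes accountability evidence rather than an unrecorded housekeeping job.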
4. Accuracy
The accuracy of personal data is integral to data protection. The GDPR states that you must take “every reasonable step” to rectify or erase, without delay, data that is inaccurate or incomplete for the purposes you process it for.
On top of that, you must keep the data up to date where that is necessary for your purpose for processing. For example, you must keep payroll data up to date, but not the delivery address for a one-off order that has already been fulfilled.
If you discover any inaccuracies in your data – because a data subject tells you so, for example – you must correct them as soon as possible. You should also keep records of any challenges to the accuracy of your data, and of how you resolved them.
5. Storage limitation
You must not keep personal data in a form that identifies the data subject for longer than you need it for your stated purpose. Once that purpose has been fulfilled, delete the data or anonymise it so that it can no longer be linked to an individual.
To help you both meet this principle and demonstrate your compliance, document a standard retention period for each type of data you hold, together with the reason for it (a legal obligation to keep records for a fixed number of years, for example).
You should also periodically review the data you hold, and securely destroy it when it is no longer required.
6. Integrity and confidentiality
Using “appropriate technical or organisational measures”, you must:
- Keep the personal data you hold secure; and
- Ensure its security when you (or someone else on your behalf) process it.
The best way to ensure both effective and affordable security is to start with a risk assessment. Then, based on its results, you implement mitigating controls that are proportionate to the risks you identified.
As you do so, bear in mind the following:
Your measures must cover both integrity and confidentiality
- Integrity: protecting the data from unauthorised modification, destruction and loss.
- Confidentiality: preventing the data from being read by, or disclosed to, anyone who isn’t authorised to access it.
We also recommend considering availability: that the data is accessible when needed. Article 32 of the GDPR in fact names “availability and resilience” alongside confidentiality and integrity, and expects you to be able to restore access to personal data promptly after a physical or technical incident.
Your measures can be both technical and organisational
Security best practice says you use a combination of both:
- Technical controls, like firewalls, access control, encryption and anti-malware software, offer a basic, first layer of defence against common, opportunistic attacks. Article 32 singles out pseudonymisation and encryption as examples, and also requires you to test and evaluate the effectiveness of your measures regularly.
- Organisational controls tend to cover both people and processes:
- Staff awareness training, so that your employees don’t fall for phishing attacks and do report them, combines well with technical controls.
- Documented policies and procedures will also help guide staff and demonstrate accountability.
How can you demonstrate you’ve met this principle?
Even if you are happy with your security, how can you assure others, such as regulators? The Europrivacy certification scheme offers a practical solution to this problem.
By achieving Europrivacy certification, you can demonstrate compliance with the GDPR.
As Alice Turley, our senior privacy consultant and trainer, explained:
It was only when the EDPB [European Data Protection Board] approved Europrivacy that we got a mechanism for organisations to definitively stamp their data processing activities as ‘GDPR compliant’.
The scheme offers a structured approach for organisations globally to demonstrate their GDPR compliance. And, for that matter, to demonstrate compliance with other national data privacy obligations.
What are the benefits of Europrivacy certification?
When we asked Alice, she said:
The GDPR frequently [18 times] mentions the requirement for “appropriate technical and organisational measures” to protect personal data when stored or processed.
But it doesn’t specify a framework on what appropriate technical and organisational measures may actually look like. This has left a gap for organisations to fill.
That’s your first benefit of Europrivacy: providing a detailed framework of those appropriate technical and organisational measures.
Certification therefore allows organisations to conveniently demonstrate that their data processing activities are GDPR compliant. This is an assurance that customers, partners and other stakeholders will welcome. It gives the organisation an edge over competitors – data breaches are constantly in the news, and no one wants to be the next headline.
The seventh principle: accountability
The GDPR includes an additional principle: the ‘accountability’ principle. This requires organisations not only to comply with the other six principles but to be able to demonstrate that they do so.
This is typically done through a combination of technical measures and documentation such as:
- Privacy notices;
- Records of processing activities (required by Article 30);
- Staff training records;
- Controller–processor contracts;
- Relevant policies and procedures;
- DPIAs (data protection impact assessments); and
- Security monitoring, event logging and data breach records.
This isn’t an exhaustive list, but it covers the essentials.
Organisations should also consider appointing a DPO (data protection officer) or another formal data protection lead to demonstrate compliance. Note that a DPO is mandatory for public authorities, and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data.
Achieving certification to Europrivacy, or a more general information security standard like ISO 27001, also shows your commitment to data security.
Looking for more GDPR expertise?
If you want to learn more about the GDPR and how to achieve and maintain compliance, take a look at our GDPR Toolkit.
Designed and developed by GDPR experts, the toolkit contains a complete set of template documents to demonstrate your compliance practices.
Ideal for anyone who wants help completing their documentation requirements quickly and easily!
But our toolkit contains more than simply a set of templates. It also includes:
- Gap analysis and DPIA tools that help you identify compliance weaknesses and how to address them;
- Two licences for the GDPR Staff Awareness E-learning Course; and
- An audit checklist and competence matrix.
Find out more
We originally published a version of this blog in January 2018.