Last modified: December 7th, 2021
This page is regularly updated to reflect continued monitoring, accuracy and comprehensiveness.
The General Data Protection Regulation (GDPR) sets out seven principles for the lawful processing of personal data. These guiding principles are at the center of the GDPR and compliant processing, but they are far from comprehensive.
We are obliged to comply with these principles for all personal data processing activities protected under the GDPR. There is a value in Vendasta complying with these principles as a standard and not only for GDPR purposes. Namely, we will be able to successfully create a compliance program, which is a fundamental building block for a good data protection practice. Doing so has global appeal.
Let’s go over each of the seven principles of the GDPR.
1. Lawfulness, fairness, and transparency principle
This principle concerns, in particular, the information given to data subjects:
- On the identity of the controller and the purpose of the processing. This also includes any further information needed to ensure fair and transparent processing with respect to the natural persons concerned and their right to obtain confirmation and communication of the personal data concerning them.
- On the risks, rules, safeguards, and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing.
Lawfulness is related to two things in regards to the GDPR: choosing a proper lawful basis for processing personal data and ensuring that the processing itself is not in breach of any other law.
Before processing personal data, we should always identify an appropriate lawful basis (or grounds) for the processing and document it. Choosing the correct lawful basis will depend on our relationship with the data subject and the circumstances of the processing. We must also be aware that we cannot switch to another lawful basis at a later date, so we must take care to get it right the first time.
If we cannot apply any lawful basis to our processing activity, then the processing is unlawful. The six lawful bases for processing personal data are:
1. Consent
The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2. Contract
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3. Legal obligation
Processing is necessary for compliance with a legal obligation to which the controller is subject;
4. Vital interests
Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
5. Public interest
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
6. Legitimate interests
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Fairness means that we must process personal data only in a way that data subjects would reasonably expect from us. Collecting, storing, and processing personal data that was obtained in a deceptive way or by misleading the data subject will breach the fairness principle.
Fairness also requires an assessment on how the processing will affect the data subject in the following ways:
- If processing negatively affects data subjects and is not justified, the processing will be unfair.
- If processing negatively affects data subjects but it is justified, the processing will be considered fair.
At the time of data collection, the transparency principle requires us to have clear, open and honest communication towards data subjects about how their personal data is being collected, used, consulted, or otherwise processed and to what extent the personal data will be processed.
This allows data subjects to make informed decisions about whether they agree with such processing and also enables them to exercise their data protection rights, if they wish.
Any information and communication should be easily accessible and written in clear and plain language.
2. Purpose limitation principle
Purpose limitation means personal data must be collected for specified, explicit, and legitimate purposes only and it should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
The purpose for processing data must be clearly established and documented from the outset so that it can be followed closely to avoid ‘function creep.’ It must be clearly communicated to individuals through a privacy notice.
We can only use personal data for the purpose we collected it for in the first place. Any additional processing has to be compatible with the original purpose, or we must obtain fresh consent from the data subject.
If we are trying to define whether our new purpose is compatible with the old one, we can ask ourselves the following questions:
- Is the new purpose vastly different from the original purpose?
- Would additional processing have a negative impact on data subjects?
- Is a new purpose completely disconnected from the original purpose?
- Is a new purpose unexpected?
Answering any of those questions with a ‘yes’ will more than likely require new consent.
3. Data minimization principle
The data minimization principle limits the data controller to collect, store, process, and use only personal information that is necessary to provide the required service or fulfill a specific purpose.
This means we will have to identify the minimal amount of data needed to fulfill the purpose of collecting personal data in the first place in order to ensure that the processing is:
- adequate – sufficient to properly fulfil the stated purpose;
- relevant – has a rational link to that purpose; and
- limited to what is necessary – not more than what is needed to achieve the purpose.
If we want to ensure that we are collecting the minimal amount of data needed, we can ask ourselves the following:
- Can we achieve the stated purpose without collecting the data?
- Is the data collection limited to information that is strictly necessary for us to provide the service or fulfill a purpose?
A periodic review of data must be done to identify data that is no longer needed and can be deleted.
Data minimization has two major benefits:
- In the event of a data breach, limited and minimal data is exposed, thus reducing the scope and impact of the breach;
- Data minimization makes it easier to keep data accurate and up to date.
For example, if we have a newsletter subscription, it is unnecessary to collect anything other than an e-mail address and possibly the first name (if we want to provide a personalized experience for subscribers).
4. Accuracy principle
The accuracy of personal data is integral to data protection. It should not be incorrect or misleading as to any matter of fact.
This means that we are responsible for taking all reasonable measures to ensure that the personal data we hold is correct and accurate. Inaccurate personal data should be either rectified or erased without delay. Data subjects also have the right to rectification, which allows them to demand that inaccurate personal data be rectified or erased.
The intention behind the accuracy principle is to encourage the regular updating and maintenance of personal data to get rid of all unnecessary, incorrect, and irrelevant data, keeping only relevant personal data for processing. This can be done by conducting regular audits to double check the cleanliness of stored data.
5. Storage limitation principle
The storage limitation principle ensures that personal data is stored only for the strict minimum period, preventing us from keeping it for longer than we need to. Therefore, we must be able to justify why we are keeping it as well as the length of time we are storing it for (keeping data for longer than the stated period must also be justified).
A periodic review of personal data will help identify data that is no longer needed so it can be erased or anonymised. Data retention policy and data deletion schedules can help us comply with the storage limitation principle and documentation requirements.
In some cases, it is still appropriate to retain just enough information, for example to stop including a person in future direct marketing activities. Retaining the person's email address in a suppression list is justified because an email address on a suppression list cannot be accidentally reimported or added to the regular mailing lists.
6. Integrity and confidentiality principle
The integrity and confidentiality principle, also known as the security principle, is tightly connected with the security and confidentiality of the personal data as well as the equipment used for data processing.
This principle goes beyond the way we store or transmit data to cover every aspect of personal data processing. It requires appropriate security of the personal data, using appropriate technical and organizational measures, against intentional or unintentional risks: unauthorized third-party access, malicious attacks, unauthorized or unlawful processing, and accidental loss, destruction, damage or exploitation of data.
Planning, proactive diligence, and security measures such as policies, risk assessments, cybersecurity controls, encryption, pseudonymisation, 3-2-1 backup strategies, etc. help to keep data secure from threats.
7. Accountability principle
Last but not least, the accountability principle means that we, as a data controller and also as data processor, are responsible for what we do with personal data and how we comply with all of the above-mentioned GDPR principles. Most importantly, we are responsible for demonstrating compliance not just to the regulator but also to data subjects if necessary.
A business can say it is following all the rules without actually doing so. That’s why regulators require a level of accountability like having:
- Appropriate measures and records in place as proof of compliance with the data processing principles;
- Logs and documentation to create an audit trail to prove accountability and compliance.
This means we should complete the following:
- Keep evidence of the steps we take to comply with GDPR;
- Document our processing activities;
- Implement technical and organizational measures;
- Implement data protection policies and procedures;
- Prepare data protection impact assessments (if we had to conduct one); and
- Appoint a data protection and privacy officer.
Documenting in different systems in different ways for different departments, or documenting processing activities manually may cause problems or errors, so automating these processes may help.
Why are these principles of GDPR important?
GDPR principles represent the main building blocks of data protection and set the tone for the rest of the regulation. It is easy to overlook these principles, which is why they should be intertwined with and implemented in every aspect of the compliance journey. Any violation of the GDPR principles can incur hefty administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.