An overview of core GDPR principles
While we are all evolving into data-driven corporations, it is important to understand that this is about much more than just technology. This kind of (r)evolution has an impact that is much broader and it is important to be aware of that. This includes hot topics such as the need for change management, attention for security, but also for example the General Data Protection Regulation (GDPR). And, for the latter, DataMiner can be leveraged to ensure compliance. In a series of blogs, we’ll further explore that.
But let’s get started first with a refresher of what the GDPR is exactly about.
The GDPR remains a hot topic two years after its implementation and still gives rise to dizzying fines, the most recent being British Airways getting a 20 million pound fine for inadequately dealing with a data breach (here’s an overview of GDPR fines). These are the core GDPR principles that you should be aware of.
The GDPR sets out the following 7 core principles:
Lawfulness, fairness and transparency
Lawfulness implies that your processing activity should have a lawful basis from article 6 GDPR. You must also ensure fairness by only using personal data in a way that the data subjects can reasonably expect. Data subjects should not be exposed to unjustified adverse effects of your processing activities. Transparency is about being honest about how and why you use personal data. Although these three concepts have some overlap, it is important to ensure that all three principles are met separately.
To process personal data, your purposes must be clear from the start. Additionally, the purposes for the processing activity should be documented and made known to the data subjects.
This principle entails that you should only use the personal data that is needed to achieve the processing purposes. The collected data should be adequate, relevant and limited in relation to the purpose of the processing activities. The GDPR does not define ‘adequate, relevant and limited’, which means that this assessment will have to be made per processing activity and case-by-case.
The data you hold should not be incorrect or misleading. By consequence you are obligated to keep the personal data you process updated as the GDPR requires that every reasonable step must be taken to erase or rectify data that is inaccurate or incomplete. This is strongly linked with the right of data subjects to have their data rectified.
This principle is closely linked to the data minimization principle; it requires that the personal data you have collected is not kept longer than you actually need it. From a practical point of view, a good data governance policy will be paramount to comply with the storage limitation principle. This policy should include retention periods and possibly also a procedure on how to anonymise personal data that is no longer actively used.
Integrity and confidentiality
Under the GDPR it’s paramount that you keep personal data safe by installing appropriate technical and organizational safeguards, which links the subject of data protection with cyber security and clarifies that even under GDPR, topics such as network security cannot be neglected.
The accountability principle requires that you not only comply with GDPR requirements but must also be able to show your compliance. A GDPR implementation plan that establishes a good level of GDPR knowledge among staff and includes policies and procedure that helps with GDPR compliance management.
Keep an eye out for more blogposts on GDPR and on how to leverage DataMiner to ensure GDPR compliance.