The General Data Protection Regulation (GDPR) sets a new standard for data privacy. Under the GDPR, anyone wishing to process the personal data of European Union (EU) citizens must abide by a clear set of rules, underpinned by six privacy principles.
These fundamentally important precepts should be at the center of any processing of EU citizens' personal data.
Let's explore each of them to see how they affect your business.
- 1. Privacy Principles of the GDPR
- 2. Lawfulness, Fairness and Transparency
- 2.1. Lawfulness
- 2.2. Fairness
- 2.3. Transparency
- 3. Limitations on Purposes of Processing
- 4. Data Minimization
- 5. Accuracy of Data
- 5.1. Accuracy of Personal Data Provided By Your Customers
- 5.2. Keeping Personal Data Up-To-Date
- 5.3. Facilitating Data Correction
- 6. Limitations on Data Storage
- 7. Integrity and Confidentiality
- 8. Complying with the Six Privacy Principles
Privacy Principles of the GDPR
According to Article 1 (2) of the GDPR, the GDPR:
"protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data."
The six principles are set out at Article 5 (1) and are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
These principles should be taken together with the additional requirement given at Article 5 (2) - "accountability."
If your company processes the data of EU citizens - whether or not you're based in the EU - you need to integrate these principles into your practices. Without doing so, you won't be GDPR compliant, and thus you risk being hit with huge fines.
Thankfully, these principles are not difficult to understand. Integrating them into your company's processes is just good practice that could help you to avoid bigger problems further down the line.
Lawfulness, Fairness and Transparency
Article 5 (1)(a) of the GDPR states that personal data must be:
"processed lawfully, fairly and in a transparent manner in relation to the data subject"
This first data privacy principle might look like three separate principles, but the three concepts are interdependent: each of them depends on the other two.
Lawfulness
Think about the GDPR this way: it's now illegal to process the personal data of EU citizens - except if you have a lawful basis for doing so.
There are six lawful bases for processing personal data, set out at Article 6 (1):
- Consent - you have a person's permission to process their personal data. Article 7 gives the requirements you must fulfill when seeking consent.
- Contract - you have a contract with a person and you need to process the personal data to fulfill your contractual obligations.
- Legal obligation - you're required to process a person's personal data by law.
- Vital interests - a person's health or life depends on you processing the personal data.
- Public task - public authorities and their contractors are permitted to process personal data under certain conditions.
- Legitimate interests - processing of a person's personal data is in the legitimate interests of your company.
It's not necessary to use terms like "lawful basis" or "legitimate interests." If you can explain the necessary information to your customers in simpler language then you can do so.
Fairness
Fairness is an idea that runs throughout the GDPR. You should only process people's personal data in ways that do not produce any unreasonable negative consequences for them. You shouldn't mislead people in any way about how you'll be using their personal data, even if it's technically legal to do so.
Here's an example given by the Information Commissioner's Office (ICO) - the UK's data protection authority:
Transparency
You need to be very clear and transparent about how you'll process people's personal data if they use your service. Individuals have the Right to Be Informed under Article 13 of the GDPR, which means you must tell them:
- Why you need to process their personal data
- How you'll be processing it
- Contact details of the person(s) within your company who are responsible for data protection
- Details of any other organizations, or types of organization, you'll be sharing their personal data with and why you share it
This clause provides a lot of information in a concise, clear and streamlined way and is very transparent. It mentions third parties, and it notes that data is used for a number of different reasons and for other "legitimate purposes."
Limitations on Purposes of Processing
Article 5 (1)(b) of the GDPR states that personal data must be:
"collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes [...]"
One of the most important functions of privacy law is to keep people's personal data from being used in ways that they haven't agreed to or wouldn't expect.
Here are some examples of why and how a retail company may need to process personal data:
- To promote its products, the company may wish to collect, store and use potential customers' names and email addresses.
- To sell those products, the company may need to collect payment card details and send them to a third party payment processing service.
- To send out those purchases in the mail, the company will need to collect its customers' address details and send them to a third party mail carrier.
- To improve its practices, the company may wish to email its customers to request feedback.
The customer would not expect your company to sell their email address to a totally unrelated company, or use their mailing address to sign them up to other mail services.
Data Minimization
Article 5 (1)(c) of the GDPR states that personal data must be:
"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"
This is closely linked to the principle of purpose limitation. Once you have identified your purposes for processing personal data, you must only process the personal data that is necessary to fulfill this purpose.
Here are some examples of how your company might end up processing irrelevant data:
- A website that asks visitors for their date of birth in order to sign up to their mailing list.
- A recruitment firm which asks all applicants about health conditions that aren't relevant to their prospective job.
- An employer who asks its employees about their religious beliefs for non-statistical purposes.
If you don't need a piece of personal data to fulfill your company's purposes, don't collect it. If you already have data that you aren't likely to need, erase or anonymize it.
Accuracy of Data
Article 5 (1)(d) of the GDPR states that personal data must be:
"accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay"
There are several components to this principle. The personal data your company holds must be accurate, it must be up-to-date, and you must be able to erase or rectify it if it's inaccurate.
Accuracy of Personal Data Provided By Your Customers
Ensuring that any personal data your company processes is fully accurate can be particularly difficult if you're relying on data submitted by your customers about themselves. It would be wrong for your company to be held liable for inaccurate information if you aren't the ones who supplied it.
Even if the personal data your company holds comes from the individual themselves, you can take steps to ensure compliance with the principle of accuracy if you:
- Make sure the personal data you collect is recorded accurately.
- Record the source of the information.
- Do your best to ensure that your customers are providing accurate personal information (for example, by adding a clause about this in your Terms of Service).
- Treat seriously any notifications you receive about allegedly inaccurate data.
Keeping Personal Data Up-To-Date
The extent to which you have to worry about keeping personal data up-to-date will depend on what you're using it for. Consider the following two examples:
- A company that sells espresso machines makes a one-off sale to a customer. This company has no good reason to check that this customer's address details are up-to-date after this transaction has been concluded.
- A company sells coffee beans as part of a subscription service. This company has a long-term relationship with its customers and uses their addresses regularly. It has a good reason to check that its records are up-to-date.
Always keep your customers' expectations in mind. Would you reasonably expect a company from whom you bought a desk lamp four years ago to contact you to check your address details? Probably not. But your home insurance company has good reason to double-check this information.
Facilitating Data Correction
Article 16 of the GDPR states:
"The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her."
If someone believes that your company holds inaccurate personal data about them, they have a right to request its deletion or correction. This is one of their fundamental privacy rights provided by the GDPR and is known as the Right to Rectification.
Here's how games company Dovetail explains this to its users:
Limitations on Data Storage
Article 5 (1)(e) of the GDPR states that personal data must be:
"kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed [...]"
This means your company:
- Must consider, document, and be able to justify how long it keeps personal data.
- Must not keep personal data for any longer than necessary.
- Must keep the length of time it stores personal data under regular review.
The documentation requirements set out under Article 30 require you to keep records of your decisions about data processing. This means that you should document how long you've decided to store various types of personal data. You can do this by writing a "retention schedule."
There's no straight answer as to how long you should be keeping hold of your customers' personal data. The GDPR only says, at Recital 39, that "the period for which the personal data are stored [must be] limited to a strict minimum."
Your company is in the best position to decide this. Just make sure you document and can justify your decision.
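As an added illustration (not code from the original article), this is one way to turn a written retention schedule into something a system can enforce: each purpose gets a documented period and an end-of-life action (erase or anonymize), records whose purpose has no entry are flagged rather than silently kept, and the whole store is reviewed in one pass. The purposes, periods and sample records are constructed placeholders, not values from the GDPR or from any real company.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Documented retention schedule: purpose -> (period measured from the record's
# last use, action once it lapses). Constructed placeholder values; a real
# schedule must be justified and recorded per Article 30.
RETENTION_SCHEDULE = {
    "order_fulfilment":  (timedelta(days=365 * 6), "erase"),
    "marketing_list":    (timedelta(days=365 * 2), "erase"),
    "product_analytics": (timedelta(days=90),      "anonymize"),
}

# Fields that identify a person; anonymization strips exactly these.
IDENTIFYING_FIELDS = {"name", "email", "address", "subject_id"}

TODAY = date(2024, 6, 1)  # constructed review date for the sample run

@dataclass
class Record:
    purpose: str
    last_used: date
    data: dict

def review_record(rec: Record, today: date) -> str:
    """Return 'keep', 'erase', 'anonymize' or 'undocumented' for one record."""
    if rec.purpose not in RETENTION_SCHEDULE:
        # No retention entry means no justified period: surface for review.
        return "undocumented"
    period, action = RETENTION_SCHEDULE[rec.purpose]
    return action if today - rec.last_used > period else "keep"

def anonymize(rec: Record) -> Record:
    """Copy of the record with identifying fields removed (e.g. usage counts stay)."""
    kept = {k: v for k, v in rec.data.items() if k not in IDENTIFYING_FIELDS}
    return Record(rec.purpose, rec.last_used, kept)

def apply_schedule(records: list, today: date) -> dict:
    """Review a whole store; returns surviving records plus an action log."""
    survivors, log = [], []
    for rec in records:
        decision = review_record(rec, today)
        log.append((rec.purpose, decision))
        if decision == "erase":
            continue  # dropped from the store
        if decision == "anonymize":
            rec = anonymize(rec)
        survivors.append(rec)  # 'keep' and 'undocumented' stay, the latter for follow-up
    return {"records": survivors, "log": log}

# Constructed sample store.
SAMPLE = [
    Record("order_fulfilment", date(2017, 1, 15), {"name": "A. Example", "order_total": 42}),
    Record("marketing_list", date(2024, 3, 1), {"email": "a@example.invalid"}),
    Record("product_analytics", date(2024, 1, 1), {"subject_id": "u1", "sessions": 7}),
    Record("old_survey", date(2019, 5, 5), {"email": "b@example.invalid"}),
]
```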
Here's how GOV.UK, the UK Government's website, explains this to its users:
Note that a minimum and maximum time frame is included to help give some reference for users.
Integrity and Confidentiality
Article 5 (1)(f) of the GDPR states that personal data must be:
"processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures"
Data security is extremely important. Even before the GDPR, EU companies faced huge fines when lax security systems led to data breaches. For example, Telecoms operator TalkTalk was fined 400,000 GBP (over 500,000 USD) after a cyber-attack led to a breach of customer data.
- Your company must implement appropriate data security measures. This can be anything from locks on your doors to anonymization or encryption of your customers' personal data. Your employees must be vigilant about keeping personal data safe, particularly if they work from home.
- Your company must inform its relevant supervisory authority about any significant data breach or loss within 72 hours. Each EU Member State has its own supervisory authority with which companies must co-operate. The Article 29 Working Party produces guidance on supervisory authorities which sets out how non-EU companies can do this.
- If the breach is serious, your company must quickly inform any individuals who might be affected.
- Your company must have systems in place which allow it to quickly detect and report security breaches.
Complying with the Six Privacy Principles
If your company has good data protection practices, complying with the six privacy principles of the GDPR should come naturally. If you haven't been compliant up until now, changing your practices so that you adhere to these principles might seem complicated, but remember - this is a matter of law. Your customers' personal data deserves to be handled with respect.
Your company needs to:
- Only ever process personal data in a lawful, fair and transparent way.
- Identify a lawful basis for each way in which you process personal data.
- Only process personal data in a fair way that your customers would reasonably expect.
- Act with clarity and transparency in all aspects of data processing.
- Identify and adhere to the purposes for which you're processing personal data.
- Only process the minimum amount of personal data that you need.
- Take steps to ensure that all data you process is accurate.
- Keep data up-to-date as far as this is appropriate.
- Allow your customers to request changes to any of their personal data they believe to be inaccurate.
- Only store personal data for as long as you need to.
- Make sure any personal data you process is kept secure and confidential.
- Report any data breaches to the relevant supervisory authorities in a timely way.
- Inform your customers directly if a significant breach has occurred with regard to their data.
And remember the "bonus" seventh principle at Article 5 (2) - be accountable for these principles.