The General Data Protection Regulation (GDPR) sets a new standard for data privacy. Under the GDPR, anyone wishing to process the personal data of European Union (EU) citizens must abide by a clear set of rules, underpinned by six privacy principles.
These fundamentally important precepts should be at the center of any processing of EU citizens' personal data.
Let's explore each of them to see how they affect your business.
According to Article 1 (2), the GDPR:
"protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data."
The six principles are set out at Article 5 (1) and are:
These principles should be taken together with the additional requirement given at Article 5 (2) - "accountability."
If your company processes the data of EU citizens - whether or not you're based in the EU - you need to integrate these principles into your practices. Without doing so, you won't be GDPR compliant, and thus you risk being hit with huge fines.
Thankfully, these principles are not difficult to understand. Integrating them into your company's processes is just good practice that could help you to avoid bigger problems further down the line.
Article 5 (1)(a) of the GDPR states that personal data must be:
"processed lawfully, fairly and in a transparent manner in relation to the data subject"
This first data privacy principle might look like three principles, but these concepts are mutually inclusive - each principle is contingent on the other two.
Think about the GDPR this way: it's now illegal to process the personal data of EU citizens - except if you have a lawful basis for doing so.
There are six lawful bases for processing personal data, set out at Article 6 (1):
It's not necessary to use terms like "lawful basis" or "legitimate interests." If you can explain the necessary information to your customers in simpler language then you can do so.
Fairness is an idea that runs throughout the GDPR. You should only process people's personal data in ways that do not produce any unreasonable negative consequences for them. You shouldn't mislead people in any way about how you'll be using their personal data, even if it's technically legal to do so.
Here's an example given by the Information Commissioner's Office (ICO) - the UK's data protection authority:
You need to be very clear and transparent about how you'll process people's personal data if they use your service. Individuals have the Right to Be Informed under Article 13 of the GDPR.
This clause provides a lot of information in a concise, clear and streamlined way and is very transparent. It mentions third parties, that data is used for a number of different reasons and for other "legitimate purposes."
Article 5 (1)(b) of the GDPR states that personal data must be:
"collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes [...]"
One of the most important functions of privacy law is to keep people's personal data from being used in ways that they haven't agreed to or wouldn't expect.
Here are some examples of why and how a retail company may need to process personal data:
The customer would not expect your company to sell their email address to a totally unrelated company, or use their mailing address to sign them up to other mail services.
Article 5 (1)(c) of the GDPR states that personal data must be:
"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"
This is closely linked to the principle of purpose limitation. Once you have identified your purposes for processing personal data, you must only process the personal data that is necessary to fulfill this purpose.
Here are some examples of how your company might end up processing irrelevant data:
If you don't need a piece of personal data to fulfill your company's purposes, don't collect it. If you already have data that you aren't likely to need, erase or anonymize it.
Article 5 (1)(d) of the GDPR states that personal data must be:
"accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay"
There are several components to this principle. The personal data your company holds must be accurate and up to date, and you must be able to erase or rectify it if it's inaccurate.
Ensuring that any personal data your company processes is fully accurate can be particularly difficult if you're relying on data submitted by your customers about themselves. It would be wrong for your company to be held liable for inaccurate information if you aren't the ones who supplied it.
Even if the personal data your company holds comes from the individual themselves, you can take steps to ensure compliance with the principle of accuracy if you:
The extent to which you have to worry about keeping personal data up to date will depend on what you're using it for. Consider the following two examples:
Always keep your customers' expectations in mind. Would you reasonably expect a company from whom you bought a desk lamp four years ago to contact you to check your address details? Probably not. But your home insurance company has good reason to double-check this information.
Article 16 of the GDPR states:
"The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her."
If someone believes that your company holds inaccurate personal data about them, they have a right to request its deletion or correction. This is one of their fundamental privacy rights provided by the GDPR and is known as the Right to Rectification.
Here's how games company Dovetail explains this to its users:
Article 5 (1)(e) of the GDPR states that personal data must be:
"kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed [...]"
The documentation requirements set out under Article 30 require you to keep records of your decisions about data processing. This means that you should document how long you've decided to store various types of personal data. You can do this by writing a "retention schedule."
There's no straight answer as to how long you should be keeping hold of your customers' personal data. The GDPR only says, at Recital 39, that "the period for which the personal data are stored [must be] limited to a strict minimum."
Your company is in the best position to decide this. Just make sure you document and can justify your decision.
Here's how GOV.UK, the UK Government's website, explains this to its users:
Note that a minimum and maximum time frame is included to help give some reference for users.
Article 5 (1)(f) of the GDPR states that personal data must be:
"processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures"
Data security is extremely important. Even before the GDPR, EU companies faced huge fines when lax security systems led to data breaches. For example, telecoms operator TalkTalk was fined 400,000 GBP (over 500,000 USD) after a cyber-attack led to a breach of customer data.
If your company has good data protection practices, complying with the six privacy principles of the GDPR should come naturally. If you haven't been compliant up until now, changing your practices so that you adhere to these principles might seem complicated, but remember - this is a matter of law. Your customers' personal data deserves to be handled with respect.
Your company needs to:
And remember the "bonus" seventh principle at Article 5 (2) - be accountable for these principles.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
23 December 2020