As we discussed in our previous post, Chapter 2, Article 5 of the General Data Protection Regulation (GDPR) lays out GDPR’s seven protection and accountability principles.
Rather than act as hard rules, these principles serve as an overarching framework designed to lay out the broad purposes of GDPR. In this post, we’ll take a look at all seven principles of GDPR and what they mean for you and your business.
Let’s start by looking at each of these terms:
The purpose limitation principle ensures data is only used for specific activities, and that it is “collected for specified, explicit, and legitimate purposes”. These purposes must be clearly established and openly communicated via a privacy notice. Make sure your organization follows them closely and limits the processing of data to the purposes you’ve stated.
Like purpose limitation, data minimization ensures organizations collect only the smallest amount of data they need to fulfill their purposes. For example, if your company collects user information so that website visitors can download an asset, you may only ask for the information you need in order to send them that asset. An email address is directly related to that purpose, first and last names are less so — but still applicable — and home addresses and phone numbers aren’t related to it at all.
Your organization must ensure that the data it collects and stores is accurate. To do this, set up checks and balances to correct, update, or erase incorrect or incomplete data, and conduct regular audits to confirm everything remains accurate.
The storage limitation principle requires your organization to justify the length of time it keeps each piece of data it stores. To comply, establish data retention periods and create a standard time period after which your organization anonymizes any data it isn’t actively using.
Maintaining the integrity and confidentiality of the data your organization collects means keeping it secure from both internal and external threats — including accidental loss, destruction, or damage and unauthorized or unlawful processing. This is achieved through planning and proactive diligence.
Accountability requires that your organization have the appropriate measures and records in place as proof of its compliance. Ensure these measures are documented, as supervisory authorities can ask for this evidence at any time.
Use these seven principles of GDPR to inform all of your business practices and processing activities. This will ensure you get — and remain — GDPR compliant.