Here’s how to get started with personal data under GDPR (The 6 Principles)
If you are interested in the underlying principles of GDPR, you can read Chapter 2, Article 5 of the General Data Protection Regulation.
This outlines the six founding principles for how businesses need to approach personal data. We’re going to explain each one here:
1. ‘Lawfulness, fairness and transparency’
Your business needs to be transparent with clients and customers about how you process their personal data. For example, the language in written communication, such as e-mails, needs to be clear and easy to understand. The clients need to know what is happening – and why. Avoid obscure language and extensive technical jargon, and set time aside to develop good, legible templates to use in the future.
All processing of personal data needs to be fair, secure and based on best practice (for example, by using the best available technology).
And lastly, your processing of personal data needs to be lawful. You need to act in the spirit and the letter of the law when processing personal data. This includes obtaining consent from clients and customers.
2. ‘Purpose limitation’
You can only collect personal data for specific purposes, and it’s important that you inform your clients that you’re doing this. This also entails that you only use personal data in the context the client has consented to.
3. ‘Data minimisation’
‘Need to have’ is central to data minimisation. Fundamentally, you can only collect the exact personal data needed to fulfil your stated goal or purpose.
4. ‘Accuracy’
Ensuring the accuracy of the personal information is an on-going process. For that reason you need to keep the data up to date on a continuous basis. Furthermore, you need to correct or delete data that is inaccurate or unusable for the specific purpose it’s needed for.
5. ‘Storage limitation’
You can only store personal data as long as necessary. Therefore you need to continuously ask yourself: do we still have a purpose for storing this data? It can be a good idea to have a half-yearly or yearly event where you evaluate your stored data.
6. ‘Integrity and confidentiality’
The integrity of the data needs to be maintained. That means ensuring the data’s accuracy and credibility over time.
Simultaneously, you need to process and handle the data with great care and confidentiality. You can’t allow unauthorised parties to gain access to the data. That applies to people outside your organization (for example, hackers), but also to people from within (for example, colleagues who have no business need for it).
To ensure this, you need sufficient and adequate security measures. The level of security can vary from business to business. As mentioned previously, technical and organizational security measures are the two methods for protecting the data.
If you have a handle on the six principles, you’ve come a long way towards processing personal data correctly. And it pays off to work within the rules. Violations of the GDPR can result in fines and penalties.
Enforcement Tracker can give you an overview of fines and penalties for violating GDPR in the EU and EEA.