Understanding GDPR Principles


A Guide to Understanding GDPR Principles and Article 5

Understanding the GDPR principles, their key points and how to implement them has never been more important. The GDPR applies to any business that processes the personal data of EU citizens, including customer, supplier and employee data.

Chapter Two, Article 5 of the GDPR outlines the key principles for businesses and organisations collecting, storing and processing personal data. While larger businesses must hire a DPO (Data Protection Officer) to handle processes and compliance, any business or organisation that handles client or staff data must adhere to these six principles.

Read our overview of the data protection principles.

GDPR Article 5 Principles relating to processing of personal data
The principles of the GDPR, as laid out in Article 5, stipulate that personal data shall be:

Principle 1 – Lawfulness, Fairness and Transparency

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject;

This principle focuses on how personal data is collected and used. It will no longer be legal to collect data on an opt-out basis. Under the GDPR, potential clients/customers must opt in to any communications, and any handling of individuals' information without clear and transparent consent will be illegal and subject to possible fines.

Principle 2 – Purpose Limitation

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes;

Principle 2 states that once you have collected personal data with opt-in consent and have fully demonstrated how the information will be used, it must not be used for any purpose other than the one stated at the time of consent.

Principle 3 – Data Minimisation

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

Streamline the amount of personal data you collect, and collect only what is necessary to communicate your business or organisation's message. Holding less data reduces your overall risk.

Principle 4 – Accuracy

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

Principle 4 is about keeping your data accurate and up to date. Records must be reviewed and updated regularly to ensure the information is correct.

Principle 5 – Storage Limitation

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject;

This principle looks at the length of time personal data is stored. It will be vital to identify when the data you have collected should be deleted.

Principle 6 – Integrity and Confidentiality

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Principle 6 focuses on security. Businesses and organisations will be held accountable for any personal data held on their systems, for the entire period of time that they store it. This includes all customer, supplier, partner and employee personal data. It will mean implementing new processes and procedures around the collection and storage of individuals' data, and reviewing business data storage solutions. In the event of a data breach, a business or organisation will now have to defend itself in front of the ICO and prove that responsible measures were applied.

Read more on the EU Data Protection Regulation requirements in the full regulation PDF.