You may have arrived here because you're looking to understand more about how to achieve data privacy and to help your approach to complying with the latest privacy laws and regulations, in particular the GDPR. The General Data Protection Regulation highlights six key principles. In this article we'll set out each of the six and explain what each of them means.
#1 Data Privacy Principle - Lawfulness, Fairness & Transparency
The first principle states that the processing of an individual's personal data should be lawful, fair and transparent. It is the responsibility of the Data Controller to explain, in a clear, concise, transparent and easily understood manner, how an individual's data is being processed.
Furthermore, the concept of fairness implies that processing matches the original intention. So you must ensure that you don't put the data to a use to which the individual hasn't consented ahead of time.
Finally, lawfulness means that processing must meet the tests as stated in the GDPR [article 5, clause 1(a)]:
#2 Data Privacy Principle - Purpose Limitations
According to this principle, Data Collectors and Data Processors collect personal information ‘for specific explicit and legitimate purposes’, and do not process it in an incompatible manner.
This means personal data processing is limited to the original purpose for which it was intended. Processing for any other purpose, or at a later stage, is not permissible without further legal permission and consent from the data subject.
#3 Data Privacy Principle - Data Minimisation
This principle requires processing only personal data that is ‘adequate and relevant’. Collection is limited to what is necessary in relation to the original purposes of use. Therefore, Data Processors cannot gather data for possible future use, or use it to create detailed customer profiles, unless doing so serves a lawful purpose.
Data minimisation follows from the purpose limitation principle and makes it clear that companies have to gather enough data to achieve their purpose from the very beginning, but not more than is necessary.
#4 Data Privacy Principle - Accuracy
As was the case with the Data Protection Act, the principle of accuracy aims to maintain high standards of data quality. This means personal data must be accurate and periodically checked to keep it up-to-date.
#5 Data Privacy Principle - Storage Limitations
One of the most important principles enshrined in the GDPR concerns retention: personal data must be ‘kept in a form which permits identification of data subjects for no longer than is necessary, for the purposes for which the personal data are processed.’
Business owners must periodically review and evaluate the data they hold. Data that is no longer required should be methodically cleansed and discarded responsibly.
#6 Data Privacy Principle - Integrity and Confidentiality
This principle is particularly important for Data Processors; failing to observe it can attract punitive fines. It states that ‘personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’
The application of this principle is a key change in the GDPR. In the wake of high profile data breaches and ever-growing data security risks, Data Processors must focus attention here.
In summary, Data Controllers and Processors must conduct risk assessments and implement a robust data security policy. They must also observe the GDPR’s strict breach reporting provisions. High profile data breaches can cause significant embarrassment and expense. We hope this list has helped clarify the core pillars of data privacy. If you have any comments, we'd love to hear your views and opinions.
For further help the ICO has produced ‘Preparing for the GDPR: 12 steps to take now to help organisations on how to address the key issues.’ You can also refer to this Whitepaper – GDPR – What you need to know… which includes FAQs and lots of other straightforward guidance.
Also, to help SMEs prepare we have a Whitepaper: GDPR for small businesses. This provides a full overview together with some helpful information and practical steps for working towards compliance. To access this Whitepaper, sign up to Gravicus Osprey, where you will also get 5 free Data Protection Impact Assessments (DPIAs) with Osprey DPIA as well as access to our Resource Centre.