After our introduction to GDPR and our first post on roles and responsibilities, our second blog post will discuss the importance of the six principles of processing data. These principles are the core of the Regulation and you need to keep them in mind during your entire compliance journey.
Infringements of the six principles carry the maximum penalty: up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83). These numbers are huge! So it’s worth reading this blog post carefully in its entirety. ;)
The six data protection principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality.
Let’s go through each of them.
Fairness and transparency mean the following:
For processing to be lawful according to GDPR Article 6, at least one of the following conditions needs to be met: (a) the data subject has given consent to the processing for one or more specific purposes; (b) processing is necessary for the performance of a contract with the data subject, or to take steps at the data subject’s request before entering into a contract; (c) processing is necessary to comply with a legal obligation of the controller; (d) processing is necessary to protect the vital interests of the data subject or another person; (e) processing is necessary for a task carried out in the public interest or in the exercise of official authority; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party.
But note that the last condition is not absolute. It can be overruled by the interests or fundamental rights and freedoms of the data subject, especially if the data subject is a child.
One important point, mentioned in the EU GDPR Implementation Guide, is that if there is no lawful basis, then by definition the processing of the data will be illegal.
According to the Bird & Bird guide to GDPR, to demonstrate lawfulness of processing you should do the following:
We cannot talk about lawfulness without mentioning people’s consent. Let’s see what consent is and which conditions you should meet so that consent is lawful.
Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Keep in mind that silence, pre-ticked boxes or inactivity cannot demonstrate consent. You can’t just dance your way around this. The fine print won’t do.
Here are some pointers to bear in mind when asking for consent:
Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment (Recital 42, GDPR).
Children are less aware of risks and consequences, so specific protection applies to the processing of their data.
As we have already mentioned in our first blog post, there are special categories of data for which processing is not allowed under GDPR. There are, of course, exceptions: if the data subject has given explicit consent, or if processing is necessary to protect the vital interests of the data subject, to establish, exercise or defend legal claims, or for public health, scientific or historical research purposes. A third reason is if the data subject made the data public herself. It is important to emphasize, however, that the first rule of processing this data is that the data subject gives explicit consent. This consent must be very clearly documented and the procedures around it clearly stated.
According to the second principle, data should only be collected for specified, explicit, and legitimate purposes. Further processing for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes will not be considered to be incompatible with the initial purposes.
In short, the data subject must have clear information about what the data will be used for, and you must limit the processing to only what is necessary for that purpose.
Data minimization means that the data you collect and process must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
This means:
Personal data should be accurate and, where necessary, kept up to date. Make sure to verify that the data you collect is accurate, and include steps to identify out-of-date data and send requests to the data subject to provide accurate information.
A person’s right to rectification as cited in Article 16 of the GDPR is closely associated with this principle. It says that a data subject has the right to correct any inaccurate data concerning him or her and to have incomplete personal data completed.
Personal data should be kept only for as long as necessary. However, it could be possible to store data for longer periods if it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
All in all, if you do not need the data anymore, destroy it. And this, again, is hard. This is a domain in which you might need to carefully review what you are doing. Things like backups make this difficult, because a record deleted from the live database usually survives in backup copies. You are going to need a very strict retention policy. Your approach to storage limitation should be part of your data retention policy, along with maximum and minimum retention periods. Do not hold out-of-date information unless there is a lawful basis for processing the data - deal with it.
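To make the retention policy concrete, here is an added example (not code from the original post or from the cited guides) that checks a set of records against a per-purpose maximum retention period. The purposes, retention periods and sample records are constructed for illustration; the "review" outcome for a purpose with no documented retention period is this example's own convention, added because such a record has no stated basis for being kept.

```python
"""Retention check for the storage-limitation principle (added example)."""
from datetime import date, timedelta

# Constructed policy: maximum retention per processing purpose, in days.
# Real values come from your documented retention policy and legal obligations.
RETENTION_POLICY = {
    "order_fulfilment": 365,
    "newsletter": 730,
}

# Purposes the Regulation treats as compatible with longer storage
# (archiving in the public interest, research, statistics).
ARCHIVING_PURPOSES = {
    "public_interest_archiving",
    "scientific_research",
    "historical_research",
    "statistics",
}


def classify(record, today):
    """Return 'keep', 'delete' or 'review' for one record.

    'review' (this example's convention) flags a purpose that has no
    documented retention period, i.e. no stated basis for keeping the data.
    """
    purpose = record["purpose"]
    if purpose in ARCHIVING_PURPOSES:
        return "keep"
    if purpose not in RETENTION_POLICY:
        return "review"
    expiry = record["collected"] + timedelta(days=RETENTION_POLICY[purpose])
    return "delete" if today >= expiry else "keep"


def retention_report(records, today):
    """Group record ids by the action the policy requires."""
    report = {"keep": [], "delete": [], "review": []}
    for rec in records:
        report[classify(rec, today)].append(rec["id"])
    return report


# Constructed sample records.
SAMPLE_RECORDS = [
    {"id": 1, "purpose": "order_fulfilment", "collected": date(2018, 1, 1)},
    {"id": 2, "purpose": "order_fulfilment", "collected": date(2019, 1, 1)},
    {"id": 3, "purpose": "newsletter", "collected": date(2017, 1, 1)},
    {"id": 4, "purpose": "statistics", "collected": date(2010, 1, 1)},
    {"id": 5, "purpose": "marketing_partner", "collected": date(2019, 6, 1)},
]

if __name__ == "__main__":
    # Run the check as of a fixed date so the result is reproducible.
    print(retention_report(SAMPLE_RECORDS, date(2019, 7, 1)))
```

Run on the same date against your backup inventory as well: a record that the live database reports as deleted is only really gone once every backup copy older than the expiry date has been purged or rotated out.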
The last principle requires data to be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
The security part is easy to understand, but you might wonder about the rationale for integrity. Why would the regulator care? The reason is simple. Under this framework the basic assumption is that companies are going to store data on you, so you have a personal interest in that data being accurate (as noted above) and available.
And as for the security part, this is extremely important because violation of this principle can result in data breaches and these might bring the heaviest penalties.
Confidentiality means that data should be available only to a restricted few in the organization, not everyone.
At any rate, you should perform a Data Protection Impact Assessment to identify the risks to personal data. This is as simple as mapping all the places where you hold personal data and asking yourself, for each one: if someone were to gain access to this (read or write access), what is the outcome? How bad is it? Would the data subjects risk being spammed (bad)? Would they risk having their identity stolen (much worse)?
This is paramount and if you can’t do everything, we suggest that you take a look at carrying out the assessment as a minimum. This is one action you should not skip.
Another recommendation from the EU GDPR Implementation Guide is to implement an information security solution that will help you protect the confidentiality, integrity, and availability of your organization’s information assets. Be sure you have all physical and technical security in place. There is no “One True Guide” for this. You are expected to apply security measures based on your impact analysis. So if a database leak could be “bad, real bad”, then you have to put in security measures that would mitigate that scenario. For example, combining pseudonymization and encryption is a good way to do that, but it often requires a lot of thought and planning, so don’t take this lightly.
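As an added illustration of the pseudonymization half of that recommendation (this is example code, not from the original post or the cited guide), the block below replaces direct identifiers in a record with keyed tokens before the record goes into an analytics store. The token is an HMAC over the field value under a secret key that lives outside the database, so a leaked table by itself does not reveal who the rows are about, and a plain hash table cannot be reversed by guessing common values. The identifier fields, the sample record and the helper names are this example’s own choices; encrypting the separately held key and re-identification table at rest is assumed to be done with a library and is not shown.

```python
"""Pseudonymization of direct identifiers with a separately held key (added example)."""
import hashlib
import hmac
import secrets

# Direct identifiers we replace; a constructed choice for this example.
IDENTIFIER_FIELDS = ("email", "full_name")


def pseudonym(secret_key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic token for one identifier value.

    The same value always maps to the same token (so records can still be
    joined), but without the key the token cannot be recovered from the
    value or brute-forced the way an unkeyed hash of an email could be.
    """
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(secret_key, msg, hashlib.sha256).hexdigest()


def pseudonymize(record: dict, secret_key: bytes):
    """Return (safe_record, lookup).

    safe_record is what goes into the analytics store; lookup maps each
    token back to the original value and must be kept separately, under
    access control and encrypted at rest, by the controller.
    """
    safe = dict(record)
    lookup = {}
    for field in IDENTIFIER_FIELDS:
        if field in safe:
            token = pseudonym(secret_key, field, safe[field])
            lookup[token] = safe[field]
            safe[field] = token
    return safe, lookup


def contains_identifier(stored: dict, original: dict) -> bool:
    """True if any original identifier value survives in the stored record."""
    values = {original[f] for f in IDENTIFIER_FIELDS if f in original}
    return any(v in values for v in stored.values())


# Constructed sample record.
SAMPLE = {
    "email": "alice@example.com",
    "full_name": "Alice Example",
    "country": "NL",
    "orders": 3,
}

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once, stored outside the database
    safe, lookup = pseudonymize(SAMPLE, key)
    print(safe)
    print("identifier leaked:", contains_identifier(safe, SAMPLE))
```

The design point is separation: the analytics store holds only tokens, the key and lookup table live elsewhere, and re-identification requires both. Rotating the key changes every token, which is the usual way to sever old analytics data from the people it described once its retention period ends.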
It should be clear now how important these principles are. All levels within the organization have to be dedicated to protecting the information and to feel a sense of responsibility. Training and staff awareness programs are great ways to ensure this.
We will go into further detail in the following articles on how you can go about prioritizing what you need to do. The main message here is that this whole regulation flows from some simple principles. You need to understand those principles and implement your responses accordingly - not only in light of which checkboxes you need to tick, as some consultants may tell you. Respecting the spirit of the law here may bring you much closer to compliance than mechanically implementing this or that security mechanism.