Your Guide to GDPR Compliance: The Six Principles of Processing Personal Data
After our introduction to GDPR and our first post on roles and responsibilities, this second blog post discusses the six principles of processing personal data. These principles are the core of the Regulation, and you need to keep them in mind during your entire compliance journey.
Infringements of the six principles carry the maximum penalty: up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83). These numbers are huge! So it’s worth reading this blog post carefully in its entirety. ;)
The six data protection principles are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
Let’s go through each of them.
1. Lawfulness, fairness, and transparency
Fairness and transparency mean the following:
- The data subject (the person about whom you hold data) must know how their data will be processed
- The controller (the entity for which the data is stored or processed, i.e. the service provider) should provide the data subject with any further information regarding the specific circumstances and context in which the personal data are processed
- The data subject should be informed of the existence of profiling and the consequences of such profiling (the ‘why’ and the ‘what for’)
- Companies should use privacy notices and terms and conditions
For processing to be lawful according to Article 6 of the GDPR, at least one of the following conditions needs to be met:
- The data subject gave their consent
- There’s a contractual obligation to which the data subject is party
- There’s a legal obligation to which the controller is subject
- Processing is necessary to protect the vital interests of the data subject or of another natural person
- Processing is necessary to perform a task that’s in the public interest or in the exercise of official authority vested in the controller
- There are legitimate interests pursued by the controller or by a third party
But note that the last condition is not absolute. It can be overruled by the interests or fundamental rights and freedoms of the data subject, especially if the data subject is a child.
One important point, mentioned in the EU GDPR Implementation Guide, is that if there is no lawful basis, then by definition the processing of the data is illegal.
According to the Bird & Bird guide to the GDPR, to demonstrate lawfulness of processing you should do the following:
- Ensure you are clear about the grounds for lawful processing used by your organization and check that these grounds will still be applicable under the GDPR
- Ensure the quality of consent meets new requirements
- Consider whether new rules on children’s data are likely to affect you, and, if so, which national rules you will need to follow
- Ensure that your internal governance processes will enable you to demonstrate how decisions to use data for further processing purposes have been reached and that relevant factors have been considered
We cannot talk about lawfulness without mentioning people’s consent. Let’s see what consent is and which conditions you should meet so that consent is lawful.
Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Keep in mind that silence, pre-ticked boxes or inactivity cannot demonstrate consent. You can’t just dance your way around this. The fine print won’t do.
Here are some pointers to bear in mind when asking for consent:
- The controller must be able to demonstrate that the consent has been given. This is really important, because you might need to profoundly change some of your systems: you need to track consent. When was it given? In what context? Remember that opt-out simply no longer works.
- The request for consent must be presented in an intelligible and easily accessible form, using clear and plain language.
- If processing is carried out for multiple purposes, consent must be given for each of them.
- The data subject should have the right to withdraw consent at any time (but withdrawal does not affect the lawfulness of processing based on consent before its withdrawal).
- The consent must be as easy to withdraw as it was given. And this too needs to be tracked.
Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment (Recital 42, GDPR).
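As an added illustration (not code from the original post), here is a minimal Python consent ledger that meets the pointers above: one affirmative record per purpose with its timestamp and context, withdrawal tracked the same way, and a check that treats processing done before a withdrawal as still lawful. The class and field names are assumptions; the scenario in `demo()` is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

@dataclass
class ConsentEvent:
    purpose: str                  # consent is collected separately for each purpose
    given_at: datetime            # when the affirmative action happened (UTC)
    context: str                  # how it was collected, e.g. the form version shown
    withdrawn_at: Optional[datetime] = None

@dataclass
class ConsentLedger:              # consent history for one data subject (assumed names)
    subject_id: str
    events: List[ConsentEvent] = field(default_factory=list)

    def give(self, purpose: str, context: str, when: datetime) -> None:
        # Only an explicit action reaches here: silence or a pre-ticked box is never recorded.
        self.events.append(ConsentEvent(purpose, when, context))

    def withdraw(self, purpose: str, when: datetime) -> bool:
        # Withdrawal must be as easy as giving consent: one call, and it is tracked too.
        for ev in self.events:
            if ev.purpose == purpose and ev.withdrawn_at is None:
                ev.withdrawn_at = when
                return True
        return False

    def lawful_at(self, purpose: str, when: datetime) -> bool:
        """Was processing for `purpose` covered by valid consent at instant `when`?"""
        for ev in self.events:
            if ev.purpose != purpose or ev.given_at > when:
                continue
            # Withdrawal does not undo the lawfulness of processing done before it.
            if ev.withdrawn_at is None or when < ev.withdrawn_at:
                return True
        return False

def demo() -> dict:
    # Constructed scenario: marketing consent given on 1 May 2018, withdrawn on 8 May.
    t = lambda day: datetime(2018, 5, day, tzinfo=timezone.utc)
    ledger = ConsentLedger("subject-001")
    ledger.give("marketing", "signup form v3", t(1))
    ledger.withdraw("marketing", t(8))
    return {
        "before_withdrawal": ledger.lawful_at("marketing", t(5)),  # True
        "after_withdrawal": ledger.lawful_at("marketing", t(9)),   # False
        "other_purpose": ledger.lawful_at("analytics", t(5)),      # False: needs its own consent
    }
```

The `events` list itself is the evidence you hand over when asked to demonstrate that consent was given.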
Children are less aware of risks and consequences, so specific protection applies to the processing of their data:
- For consent to be lawful, children need to be at least 16 years old
- Below the age of 16, parental authorization is required
- Member states can lower the age threshold, but not below 13 years
- The controller shall make reasonable efforts to verify parental authorization
- These rules shall not affect the general contract law of Member States
As we have already mentioned in our first blog post, there are special categories of data for which processing is not allowed under the GDPR. There are, of course, exceptions: if the data subject has given explicit consent, or if processing is necessary to protect the vital interests of the data subject, to establish, exercise or defend legal claims, or for public health or scientific or historical research purposes. A third reason is if the data subject made the data public herself. It is important to emphasize, however, that the first rule of processing this data is that the data subject gives explicit consent. This consent must be very clearly documented and the procedures very well stated.
2. Purpose limitation
According to the second principle, data should only be collected for specified, explicit and legitimate purposes. Further processing for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes will not be considered incompatible with the initial purposes.
In short, the data subject must have clear information about what the data will be used for, and you must limit the processing to only what is necessary.
3. Data minimization
Data minimization means that the data you collect and process must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Don’t hold any more data than is required
- Don’t collect additional data if you don’t need it for processing
- Be sure that you know how the data is used in order to ensure data minimization
4. Accuracy
Personal data should be accurate and, where necessary, kept up to date. Make sure to verify that the data you collect is accurate, and include steps to identify out-of-date data and send requests to the data subject to provide accurate information.
A person’s right to rectification as cited in Article 16 of the GDPR is closely associated with this principle. It says that a data subject has the right to correct any inaccurate data concerning him or her and to have incomplete personal data completed.
5. Storage limitation
Personal data should be kept only for as long as necessary. However, it could be possible to store data for longer periods if it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
All in all, if you do not need the data anymore, destroy it. And this, again, is hard. This is a domain in which you might need to carefully review what you are doing. Things like backups make this difficult. You are going to need a very strict retention policy. Your approach to storage limitation should be part of your data retention policy, along with maximum and minimum retention periods. Do not hold out-of-date information unless there is a lawful basis for processing the data - deal with it.
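To make the retention-policy point concrete, here is an added Python example (not the post's own code) that evaluates one record against a constructed policy with minimum and maximum retention periods, leaves the archiving and research purposes alone as the principle allows, and flags records whose backup copies outlive the deletion of the live copy. The policy contents, the purpose names and the `in_backups_until` field are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# Purposes for which the Regulation allows storage beyond what the original purpose needs.
ARCHIVING_EXEMPT = {"public_interest_archiving", "scientific_research",
                    "historical_research", "statistics"}

@dataclass(frozen=True)
class RetentionRule:
    min_days: int   # may not delete before this (e.g. a statutory bookkeeping period)
    max_days: int   # must delete after this: the data is no longer necessary

@dataclass
class Record:
    purpose: str
    collected_on: date
    in_backups_until: Optional[date] = None   # last backup generation still holding it (assumed)

POLICY: Dict[str, RetentionRule] = {   # constructed policy: purposes and periods are made up
    "marketing": RetentionRule(min_days=0, max_days=365),
    "invoicing": RetentionRule(min_days=7 * 365, max_days=10 * 365),
}

def retention_action(rec: Record, today: date, policy: Dict[str, RetentionRule] = POLICY) -> str:
    """What the storage-limitation principle requires for one record on `today`."""
    if rec.purpose in ARCHIVING_EXEMPT:
        return "keep"                 # longer storage is permitted for these purposes only
    rule = policy.get(rec.purpose)
    if rule is None:
        return "review"               # no documented purpose means no basis to keep holding it
    age_days = (today - rec.collected_on).days
    if age_days < rule.min_days:
        return "keep_required"        # deleting now would breach another legal obligation
    if age_days <= rule.max_days:
        return "keep"
    # Past the maximum: the live copy goes now, and backups that still contain the record
    # must be tracked until they expire, otherwise "deleted" data quietly survives.
    if rec.in_backups_until and rec.in_backups_until > today:
        return "delete_and_track_backups"
    return "delete"

def demo() -> dict:
    today = date(2018, 5, 25)   # constructed reference date
    return {
        "stale_marketing": retention_action(Record("marketing", date(2016, 1, 1), date(2018, 7, 1)), today),
        "young_invoice": retention_action(Record("invoicing", date(2015, 1, 1)), today),
        "old_invoice": retention_action(Record("invoicing", date(2005, 1, 1)), today),
        "research": retention_action(Record("scientific_research", date(2000, 1, 1)), today),
        "unknown": retention_action(Record("legacy_export", date(2010, 1, 1)), today),
    }
```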
6. Integrity and confidentiality
The last principle requires data to be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
The security part is easy to understand, but you might wonder about the rationale for integrity. Why would the regulator care? The reason is simple. Under this framework the basic assumption is that companies are going to store data on you, so you have a personal interest in this data being accurate (as noted above) and available.
And as for the security part, this is extremely important, because a violation of this principle can result in data breaches, and these might bring the heaviest penalties.
Confidentiality means that data should be available only to a restricted few in the organization, not everyone.
At any rate, you should perform a Data Protection Impact Assessment to identify the risks to personal data. This is as simple as mapping all the places where you hold personal data and asking yourself: if someone were to gain access to this (read or write access), what is the outcome? How bad is it? Would the data subjects risk being spammed (bad)? Would they risk having their identity stolen (much worse)?
This is paramount and if you can’t do everything, we suggest that you take a look at carrying out the assessment as a minimum. This is one action you should not skip.
Another recommendation by the EU GDPR Implementation Guide is to implement an information security solution, which will help you protect the confidentiality, integrity, and availability of your organization’s information assets. Be sure you have all physical and technical security in place. There is no “One True Guide” for this. You are expected to apply security measures based on your impact analysis. So if a database leak could be “bad, real bad”, then you have to put in security measures that would mitigate that scenario. For example, combining pseudonymization and encryption is a good approach, but it often requires a lot of thought and planning, so don’t take this lightly.
It should be clear now how important these principles are. All levels within the organization have to be dedicated to protecting the information and to feel a sense of responsibility. Training and staff awareness programs are great ways to ensure this.
We will go into further detail in the following articles on how you can go about prioritizing what you need to do. The main message here is that this whole regulation flows from some simple principles. You need to understand those principles and implement your responses accordingly - not only in light of what checkboxes you need to tick, as some consultants may tell you. Respecting the spirit of the law here may bring you much closer to compliance than mechanically implementing this or that security mechanism.