What are the Data Protection Principles?
The General Data Protection Regulation (GDPR) defines principles for the lawful handling of personal information. Handling involves the organization, collection, storage, structuring, use, consultation, combination, communication, restriction, destruction, or erasure of personal data.
Generally, these principles include:
- Purpose limitation
- Fairness, lawfulness, and transparency
- Data minimization
- Storage limitation
- Confidentiality and integrity
These data protection principles primarily apply to the Data Controller, which the GDPR defines as a “natural or legal person, public authority, agency or other body which … determines the purposes and means of the processing of personal data”. Data Controllers must comply with these principles of the GDPR, and in light of the accountability principle, be able to demonstrate their compliance.
In this article:
- Lawfulness, Fairness and Transparency
- Purpose Limitation
- Data Minimisation
- Accuracy
- Storage Limitations
- Integrity and Confidentiality
- Accountability
Why Are the Data Protection Principles Important?
These principles are an essential part of the GDPR. They are established at the opening of the legislation and influence all the provisions that follow. They don’t provide absolute rules, but instead reflect the essence of the information protection regime.
Compliance with the essence of these core principles is therefore an essential building block for solid data protection procedures. It is also essential to compliance with any specific provision of the GDPR.
If your organization fails to comply with any of these principles, it may be exposed to sizable fines. The GDPR includes penalties for infringements of the principles governing the processing of personally identifiable information, which can include fines of 4% of total global annual turnover or up to €20 million, whichever is higher.
The 7 Data Protection Principles in Detail
1. Lawfulness, Fairness and Transparency
GDPR Article 5(1)(a) states that: “Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness, transparency’).”
This principle requires organizations to ensure that their data collection practices comply with the law and that their use of personal data is transparent to the data subjects concerned.
2. Purpose Limitation
GDPR Article 5(1)(b) states that: “Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.”
Organizations must only gather personal data for a specified purpose. They must state what that purpose is, and only collect data for as long as they need it to carry out that purpose.
Processing carried out for archiving purposes in the public interest, or for scientific, historical or statistical research purposes, is allowed greater freedom.
3. Data Minimisation
Article 5(1)(c) states that: “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).”
According to the GDPR, organizations should retain only the smallest amount of data needed for their stated requirements.
Organizations cannot collect personal data on the chance that it might be useful later on. If they retain more data than is needed, this is likely to be non-compliant with this GDPR principle.
4. Accuracy
Article 5(1)(d) states that: “Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).”
Personal data collected should be suitable for the purpose stated by the organization, accurate and up to date. Organizations must regularly review the information they hold about individuals. They must also amend or delete inaccurate information. Data subjects can ask that incomplete or inaccurate data be corrected or erased within 30 days.
5. Storage Limitations
Article 5(1)(e) states that: “Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’).”
Once an organization no longer requires personal data for the purpose for which it was gathered, it should delete it. If there is an acceptable reason for keeping the information, for example because it will be used for public interest or historical research, the organization must establish a retention period and justify why that period was chosen.
6. Integrity and Confidentiality
Article 5(1)(f) states that: “Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
The security of the information you retain is essential. Your organization should make sure that all proper measures are in place to safeguard personal information. This includes protection against internal threats, such as accidental damage or loss and unauthorised use, and against external threats, for example cyber attacks.
Your organization should consider working towards official certification, for example ISO 27001, to show that it is committed to cyber security. Data theft can take place both offline and online. Common security measures include securing your physical facility, encrypting data at rest and in transit, and keeping a backup of personal information in an off-site location.
7. Accountability
Article 5(2) of the GDPR states that “The controller shall be responsible for, and be able to demonstrate compliance with [the other data protection principles].”
The last principle requires organizations to take responsibility for the data they retain and to show compliance with all of the principles. This means organizations should be able to provide evidence of the measures they have taken to ensure compliance.
This may involve:
- Studying current practices
- Creating a Data Protection Officer (DPO) position
- Establishing a personal data inventory
- Ensuring proper consent is given
- Performing Data Protection Impact Assessments
Data Protection with Cloudian Secure Storage
Data protection requires powerful storage technology. Cloudian’s storage appliances are easy to deploy and use, let you store petabyte-scale data, and let you access it instantly. Cloudian supports high-speed backup and restore with parallel data transfer (18TB per hour writes with 16 nodes).
Cloudian provides durability and availability for your data. HyperStore can back up and archive your data, providing you with highly available versions to restore in times of need.
In HyperStore, storage occurs behind the firewall; you can configure geo boundaries for data access and define policies for data sync between user devices. HyperStore gives you the power of cloud-based file sharing in an on-premises device, and the control to protect your data in any cloud environment.