What are the Data Protection Principles?
The General Data Protection Regulation (GDPR) defines principles for the lawful handling of personal information. Handling involves the organization, collection, storage, structuring, use, consultation, combination, communication, restriction, destruction, or erasure of personal data.
Generally, these principles include:
- Purpose limitation
- Fairness, lawfulness, and transparency
- Data minimization
- Storage limitation
- Accuracy
- Confidentiality and integrity
- Accountability
These data protection principles primarily apply to the Data Controller, which the GDPR defines as a “natural or legal person, public authority, agency or other body which … determines the purposes and means of the processing of personal data”. Data Controllers must comply with these principles of the GDPR, and in light of the accountability principle, be able to demonstrate their compliance.
Related content: Read our guide to data protection regulations.
In this article:
- Lawfulness, Fairness and Transparency
- Purpose Limitation
- Data Minimisation
- Accuracy
- Storage Limitations
- Integrity and Confidentiality
- Accountability
- Examples of the Data Protection Principles in Action
- Best Practices to Follow the GDPR Data Protection Principles
- Data Protection with Cloudian Secure Storage
Note: This article is part of a series on Data Protection.
Why Are the Data Protection Principles Important?
These principles are an essential part of the GDPR. They are established at the opening of the legislation and influence all the provisions that follow. They don’t provide absolute rules, but instead reflect the essence of the information protection regime.
Compliance with the essence of these core principles is, thus, an essential building block for solid data protection procedures. It is also essential to the compliance with any specific provision of the GDPR.
If your organization does not comply with any of the principles, you may be vulnerable to sizable fines. The GDPR includes penalties for infringements on the principles for processing of personally identifiable information, which can include fines of 4% of total global annual turnover or up to €20 million, whatever is higher.
Related content: Read our guide to GDPR data protection
Data Protection Principles in Detail
Lawfulness, Fairness and Transparency
GDPR Article 5(1)(a) states that: “Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness, transparency’)”
This principle specifies that organizations must ensure their practices around data collection don’t compromise the law and that their use of data is transparent to data subjects.
To ensure adherence to the law, you must have a deep appreciation of the GDPR and its principles surrounding data collection. To ensure transparency with data subjects, you must outline in a privacy policy the sort of data you gather, and why you are gathering this data.
Purpose Limitation
GDPR Article 5(1)(b) states that: “Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes”
Organizations must only gather personal data for a specified purpose. They must outline what that end goal is, and only collect data for the time that they need to carry out this goal.
Processing that is carried out for archiving reasons for historical, scientific or statistical reasons, or for reasons in the public interest, is allowed greater freedom.
Data Minimisation
Article 5(1)(c) states that: “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization).”
According to the GDPR, organizations should only retain the smallest amount of data needed for their requirements.
Organizations cannot collect personal data for the possibility that it could be useful later on. If they are retaining more data than is needed, this is likely to be non-compliant with this GDPR principle.
Accuracy
Article 5(1)(d) states that: “Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)”
Personal data collected should be suitable for the purpose stated by the organization, accurate and up-to-date. Organizations must review information they hold about individuals regularly. They must also amend or delete inaccurate information. Data subjects can ask that incomplete or inaccurate data be fixed or erased within 30 days.
Storage Limitations
Article 5(1)(e) states that: “Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’)”
After an organization no longer requires personal data, for the reason for which it was gathered, it should be deleted. If there is an acceptable reason for keeping the information, for example that it can be used for public interest or historical research, the organization must establish a retention period and justify why this period was chosen.
Integrity and Confidentiality
Article 5(1)(f) states that: “Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
The security of the information you retain is essential. Your organization should make sure that all the proper measures are set to safeguard personal information. This may include safeguarding from internal threats, including accidental damage or loss, unauthorised use, and from external threats, for example cyber attacks.
Your organization must think about working towards achieving official certification, for example ISO 27001, to show you are committed to cyber security. Data theft can take place offline and online. Common security measures include securing your physical facility, encrypting data at rest and in transit, and saving a backup of personal information in an off-site location.
Accountability
Article 5(2) of the GDPR states that “The controller shall be responsible for, and be able to demonstrate compliance with [the other data protection principles]”
The last principle notes that organizations should take responsibility for the data they retain and show compliance with all the principles. This indicates that organizations should be able to provide evidence of the measure they have taken to ensure compliance.
This may involve:
- Studying current practices
- Creating a Data Protection Officer (DPO) position
- Establishing a personal data inventory
- Ensuring proper consent is given
- Performing Data Protection Impact Assessments
Examples of the Data Protection Principles in Action
To understand how the data protection principles work in practice, let’s look at some examples.
Example 1: E-Commerce Website
An e-commerce website collects personal data from customers, such as their name, address, and payment information. The website must comply with the data protection principles to ensure that this data is processed lawfully, fairly, and transparently.
To achieve this, the website must:
- Provide clear and concise information about the data it collects and how it will be used.
- Obtain the customer’s consent to collect and process their personal data.
- Ensure that the personal data is accurate and kept up to date, and that it is only used for the purposes for which it was collected.
- Take appropriate security measures to protect the personal data from unauthorized access or theft.
Example 2: Healthcare Provider
A healthcare provider collects personal data from patients, such as their medical history and contact information. The healthcare provider must comply with the data protection principles to ensure that this data is processed lawfully, fairly, and transparently.
To achieve this, the healthcare provider must:
- Obtain the patient’s consent to collect and process their personal data.
- Ensure that the personal data is accurate and kept up to date, and that it is only used for the purposes for which it was collected.
- Take appropriate security measures to protect the personal data from unauthorized access or theft.
Best Practices to Follow the GDPR Data Protection Principles
Adhering to the GDPR data protection principles may seem daunting, but with careful planning and implementation, organizations can successfully comply with these guidelines. Here are some best practices to follow:
- Develop a clear privacy policy: Your privacy policy should outline the types of personal data you collect, the purposes for which it is used, and how individuals can exercise their rights under the GDPR. Ensure that it is written in clear, concise language and is easily accessible.
- Obtain consent when necessary: If your organization relies on consent as a legal basis for processing personal data, ensure that it is freely given, specific, informed, and unambiguous. This may involve using clear opt-in mechanisms and providing detailed information about how the data will be used.
- Implement data minimisation practices: Review your data collection processes and ensure that you are only collecting the information you genuinely need. Regularly audit your data storage systems to identify and delete redundant or unnecessary data.
- Keep data accurate and up to date: Regularly review and update the personal data you hold, and provide individuals with the means to correct or update their information when necessary.
- Establish data retention policies: Determine how long personal data should be retained for each processing purpose and ensure that it is deleted or anonymised once it is no longer needed.
- Invest in data security: Implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, or damage. Regularly review and update your security measures to keep pace with evolving threats.
- Promote a culture of accountability: Ensure that your organization’s leadership is committed to data protection and that all staff are trained in GDPR compliance. Maintain clear records of your processing activities and be prepared to demonstrate your compliance in the event of an audit or investigation.
Data Protection with Cloudian Secure Storage
Data protection requires powerful storage technology. Cloudian’s storage appliances are easy to deploy and use, let you store Petabyte-scale data and access it instantly. Cloudian supports high-speed backup and restore with parallel data transfer (18TB per hour writes with 16 nodes).
Cloudian provides durability and availability for your data. HyperStore can backup and archive your data, providing you with highly available versions to restore in times of need.
In HyperStore, storage occurs behind the firewall, you can configure geo boundaries for data access, and define policies for data sync between user devices. HyperStore gives you the power of cloud-based file sharing in an on-premise device, and the control to protect your data in any cloud environment.
Learn more about data protection with Cloudian.
