The General Data Protection Regulation (GDPR) rewrote the rules on privacy, forcing companies to update their operations and even reimagine their product designs, services, and branding.
So although the GDPR passed in 2016, its core tenets are as relevant today as when legislators first issued them. The key principles at the heart of the law should inform every step of a modern privacy management program.
These are the 7 key principles of GDPR:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
Refamiliarize yourself with their intentions and ensure your personal data processing practices support them.
Download the infographic: The 7 Principles of the GDPR
1. Lawfulness, fairness, and transparency
Whenever you’re processing personal data, you should have a good reason for doing so. GDPR terms this principle lawfulness. Reasons for processing data can include:
- The user has given you consent to do so.
- You must do it to make good on a contract.
- It’s necessary to fulfill a legal obligation.
- For protection of vital interests of a natural person.
- It’s a public task done in public interest.
- You can prove you have legitimate interest, and it’s not overridden by data subject’s rights and interests.
The concept of fairness laid out in the GDPR goes hand-in-hand with lawfulness. It means you shouldn’t purposely withhold information about what or why you’re collecting data. In other words, users wouldn’t be surprised if they knew how you were using their data. Fairness means you won’t mishandle or misuse the data you collect.
Transparency is inherently linked to fairness: Being clear, open, and honest with data subjects about who you are, and why and how you’re processing their personal data is the definition of transparency. By following it, you act fairly towards your data subjects.
2. Purpose limitation
The GDPR’s second principle sets boundaries around using data only for specific activities. This purpose limitation means data is “collected for specified, explicit, and legitimate purposes” only, as stated in the GDPR.
Your purposes for processing data must be clearly established. And they must also be clearly communicated to individuals through a privacy notice. Finally, you must follow them closely, limiting the processing of data to only the purposes you’ve stated.
If at any point, you want to use the data you’ve collected for a new purpose that’s incompatible with your original purpose, you must ask specifically for consent again to do it — unless you have a clear obligation or function set out in law.
3. Data minimization
Only collect the smallest amount of data you’ll need to complete your purposes. This is the GDPR principle of data minimization. For example, if you want to gather subscribers for your email newsletter, you should only ask for information necessary to send out the newsletters. Avoid gathering personal data such as phone numbers or home addresses, which aren’t directly related to your purpose.
It’s up to you to ensure the accuracy of the data you collect and store. Set up checks and balances to correct, update, or erase incorrect or incomplete data that comes in. Also have regular audits on the calendar to double check the cleanliness of stored data.
5. Storage limitation
According to the GDPR, you have to justify the length of time you’re keeping each piece of data you store. Data retention periods are a good thing to establish to meet this storage limitation policy. Create a standard time period after which you’ll anonymize any data you’re not actively using.
6. Integrity and confidentiality
The GDPR requires you maintain the integrity and confidentiality of the data you collect, essentially keeping it secure from internal or external threats. This takes planning and proactive diligence. You must protect data from unauthorized or unlawful processing and accidental loss, destruction, or damage.
The GDPR regulators know an organization can say they’re following all the rules without actually doing it. That’s why they require a level of accountability: You must have appropriate measures and records in place as proof of your compliance with the data processing principles. Supervisory authorities can ask for this evidence at any time. Documentation is key here. It creates an audit trail you — and authorities — can follow if you do need to prove responsibility.
Conclusion: Integration of the 7 Principles of the GDPR
The 7 principles of the GDPR communicate the spirit and thought process behind data processing best practices. In addition, the GDPR sets out data controller and processor responsibilities that support each of the principles.
Instead of being a piece of the operational puzzle, these 7 principles inform all processing activity and business practices — from the design stage across the entire data processing lifecycle. This can be best fulfilled by implementing privacy by design and default.
To learn how this works and find out more about the principles of the GDPR, navigate to our ultimate guide for GDPR Compliance. It’s a roadmap for complete implementation and integration of the GDPR principles into your privacy program.
Further GDPR Reading:
- Complete Guide to General Data Protection Regulation (GDPR) Compliance
- What Does the Brexit Transition Period Mean for GDPR and Privacy Pros?
- What Are the Differences Between CCPA and GDPR and LGPD?
- UK Adequacy Decision FAQ: Your Top 5 Questions Answered
- The 7 Principles of Privacy by Design
- Test drive the tools with a free trial or schedule a demo for a customized tour
- Learn more about OneTrust Privacy Management Software