The essence of GDPR: Data Protection Principles

Disclaimer

This article is written in collaboration with a law agency. However, it is intended for general information purposes only. It does not constitute a client-attorney relationship or personalized legal advice.

Despite the complexity of GDPR, the underlying principles are actually very simple and help make sense out of the rules.

According to GDPR Art. 5, data processing has to:

  1.  be lawful, fair, transparent;
  2.  be limited to the purpose (purpose limitation);
  3.  be done with minimal data (data minimisation);
  4.  ensure data accuracy;
  5.  be limited to a time period (storage limitation);
  6.  ensure integrity and confidentiality of data; and
  7.  have someone accountable for it (accountability).

Let’s briefly walk through the meaning of each of these principles.

Lawful – All processing activities must have legal grounds. Consent is one of them, but there are others as well. If there are no legal grounds, processing personal data is not allowed. See GDPR Art. 6 for more info.

Fair and transparent – When processing personal data, you have to take the data subject’s interests and rights into consideration. [todo: what this means?] You also need to provide information about all processing activities and the personal data you are gathering.

Purpose limitation – When gathering personal data, you need to have a specific purpose (and explain it to the data subject). If you want to use this data for a different purpose, you will need to ask consent again.

Data minimisation – For any purpose, you can only gather the data you actually need for that purpose. For example, you are not allowed to store your customers' home addresses if you are not doing anything with them (for example, shipping a product there).

Storage limitation – You may not store personal data for a longer period of time than you actually need for the purpose of processing (unless you have the explicit consent of the data subject).

Data accuracy – Personal data has to be accurate and kept up to date. The best way to handle this is to give your customers a way to update their data themselves.

Integrity and confidentiality – You must ensure the safety and security of your customers' personal data. This means that you might be held accountable for hacks, data leaks, etc.

Accountability – You (the controller) have to be able to demonstrate your GDPR compliance to authorities.

Maarja Lehemets

Lawyer @ Triniti