Data Protection Principles: The 7 Principles Of GDPR Explained

By: Ismail Özkan GDPR | 22 November

The various requirements of data protection and privacy are directly related to some basic principles in the GDPR. This blog post is intended to be a ‘GDPR for dummies’ handbook, where I will guide you through the 7 principles of the GDPR, with examples of what they mean and recommendations on what you can do to comply with them. Understanding the data protection principles will help you get better at complying with the GDPR. 

Short Summary: 

  • If your company handles personal data, it's important to understand and comply with the 7 principles of the GDPR.
  • The principles are: Lawfulness, Fairness, and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitations; Integrity and Confidentiality; and Accountability.
  • We take you through an example of creating an online newsletter to illustrate how each principle works.

 

What are the 7 principles of the GDPR?

Simply put, the data processing requirements enforced by the GDPR are rooted in 7 general principles for privacy. Understanding the 7 principles of the GDPR will make it easier for you to understand the rules and regulations. 

The 7 data protection principles are:

  1. Lawfulness, fairness, and transparency

  2. Purpose limitation

  3. Data minimisation

  4. Accuracy

  5. Storage limitations

  6. Integrity and confidentiality

  7. Accountability

Before we look at each principle and examples of practices, let me point out why it is important to understand the data protection principles, and how you can benefit from them.


Understanding the data protection principles in the GDPR

Following the introduction of the GDPR in 2018, many companies are faced with challenges regarding how to deal with the requirements. These challenges are still true in 2022. The proper processing and handling of personal data is not only an ethical responsibility, but also a legal requirement which, if not complied with, may lead to huge GDPR fines, financial consequences, and loss of reputation.

Combined with the fact that personal data is everywhere and that every organisation is processing personal data in one way or another, this leaves organisations with a great challenge.

For a clear picture of your role as a data processor or controller you need to consider both the rules set by your organisation and the GDPR. 

GDPR compliance starts with knowing the 7 principles

The issue is that the GDPR might seem like a long and chaotic policy that is written in complex language. You might think that you would need to seek help from a lawyer to understand it.

However, all requirements of the GDPR are based on 7 basic principles. This means that if you understand these 7 data protection principles, you are a step closer to understanding and complying with the GDPR. Though, bear in mind that this blogpost is meant for beginners. Therefore, it is simplified, and it’s not meant to be a replacement for a lawyer or consultant.

If you are just getting started with the GDPR or are looking for an approach that can help you with your general work towards data protection, then privacy by design might be a suitable approach for you. Privacy by design takes a proactive approach to privacy, which can strengthen your security defense and your reputation as a company that values privacy.

Since it is almost impossible to avoid processing personal data these days, these 7 principles probably apply to you, but their extent may vary depending on your context. Therefore, I will explain the 7 GDPR principles with an example that will follow throughout this article. The example is designed to be as generic and applicable as possible.


Example of the 7 principles of data protection

Let’s say that your organisation would like to create an online newsletter for your customers and/or members. Your audience can register for the newsletter in several ways. They can, for instance, subscribe to your newsletter by filling out a form on your website, or they can tick a box when they make a purchase on your website. In this way, you obtain a database of your customers, and you send out relevant content to them every now and then. You can also use this database to customise your message to your audience, for example, by monitoring their behaviour on your website.

It’s quite straightforward, right?

Now, we’ll use this example as we look at each of the 7 data protection principles in the GDPR.

But, let me make a disclaimer first: these 7 principles of the GDPR are relevant in many other cases too, and you should translate the points from this article to your own practices. This could, for instance, be when you are running an Instagram contest, organising an event for your employees, or maintaining a database with your business contacts.

Now it’s time to dive into the 7 principles. Let’s go!

1. Lawfulness, fairness and transparency

Ok, I know, I said principle 1 and you see three things. I promise this is the only principle that has more than one main concept in it (kind of). So, without confusing you even more, let me explain:

Basically, this principle tells us that the processing of personal data must be conducted in a lawful, fair, and transparent way. Here’s what that means:

Lawful means that you are gathering data and processing it with a valid legal basis. For instance, getting consent from the user that you can process their data is a very common way of obtaining a legal basis for processing personal data. There are many legal grounds for processing personal data in the GDPR.

Fair means that your processing of personal data is in the best interest of the person the data is about and that the scope of the processing can be reasonably expected by the person.

Transparent means that you clearly communicate what, how, and why you process data to those whose data you process. This should be in a way that enables the people whose data you process to easily understand the scope and methods of your processing.

Lawfulness, fairness and transparency in our example

Lawfulness

In our example, a newsletter often needs the names and e-mail addresses of people who register for it, at a minimum. You need to obtain a legal basis for this, for example by letting the user give consent to your processing by ticking a box. It is, however, also important that you give the users the option to limit the gathering of their data to only what is essential to deliver the newsletter. For example, do you really need the person’s job title for your newsletter? If you require that, you should be prepared to present some good arguments. Furthermore, you will need to document when and how that consent was given, in case you are asked for it.

Fairness

Your processing of the data for the newsletter must also be fair. For example, if you are a company that sells beauty products, your customers expect to receive information about new beauty products or blog posts about beauty. You should, for instance, not use this database of customers to send out e-mails that are not relevant (i.e., not expected) given your subscribers’ intention when they registered for your newsletter.

Transparency

Finally, you need to be transparent and communicate the ‘what’, ‘how’, and ‘why’ of your processing. Remember, those whose data you process (called the “data subject” in the GDPR) have the right to know exactly what data you collect about them, and how and why this data is processed. You can achieve transparency in your newsletter by, for example, having a clear privacy policy on your website and letting your subscribers easily contact your organisation’s Data Protection Officer (DPO).


2. Purpose limitation

This principle tells us that you should only process personal data for the purpose that you originally intended. In other words, you should not reuse personal data for other purposes.

Purpose limitation in our example

In our example, this means that you should not use the data you get through your newsletter for purposes other than what you stated. For example, if in your newsletter consent, you state that you are storing the IP addresses of your subscribers to document when and how the consent was obtained (because this is a requirement of the GDPR), you cannot use the IP addresses of your subscribers to send them customised content, e.g., product suggestions, that is targeted to their geographical area. That would be using their personal data for another purpose.

However, if you, for instance, have stated that you gather their IP addresses to send out the newsletter and relevant content, you might be able to use their personal data to send out targeted e-mails. Though, please keep in mind the word ‘might’, because there are very strict requirements for this.

When it comes to dealing with personal data, your team acts like front-line workers. You must ensure that they do not accidentally reuse data in a non-compliant way. The best way to communicate this is by training your team and making them aware of privacy issues.


3. Data minimisation

When it comes to data, we are all guilty of hoarding it. We keep things because they’re nice to have, but we never end up using them. Regarding the third GDPR principle, we shouldn’t keep data lying around if we have no need for it.

This principle tells us that we should not gather more personal data than we need to deliver the service. In other words, only gather and process the exact amount of data that is needed.

Data minimisation in our example

In our example, this would mean that you should only gather the necessary personal data to deliver the newsletter. For instance, you might need the names and e-mail addresses of the subscribers, but you won’t need to know their job titles. This information is perhaps ‘nice to have’, but not necessary and you might not even use it anyway.

Nevertheless, knowing how to implement data minimisation is beneficial for you in several ways. Not only will it bring you one step closer to GDPR compliance, but you will also be less impacted by a possible data breach.

4. Accuracy

This principle might be a little confusing. While all the other principles that we have seen so far are about knowing as little as possible about the people whose data we process, this one is sort of the opposite. This principle is about having the most accurate data possible.

It means that the personal data we are processing must be correct and up to date, and that you as the data controller and/or processor should take “reasonable measures” to ensure that.

This is, however, only relevant when the accuracy of the personal data is of importance for the person the data is about.

Accuracy in our example

Let me explain by going back to our example. Say that one of your subscribers registered for your newsletter with their company e-mail address while working at company X. If this person changes their job and now works at company Y, the e-mail address for company X will no longer work. Thus, the data you have on this user is no longer accurate.

A ‘reasonable measure’ in this scenario could be to include a link in your newsletter where your subscribers can change their e-mail addresses. So, when the person knows that they are going to change jobs, they can easily update the personal information that you have on them.

You could also have a CRM system or an e-mail marketing system that keeps track of e-mail addresses that reply automatically when you send out your newsletter. If a person has left a company, the company will normally set up an automatic reply stating that the person does not work there anymore. However, people might also set automatic replies for other reasons, for instance when they are on vacation. That is why you should regularly go through these automatic replies to see if you have subscribers with invalid e-mail addresses.
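The auto-reply review described above, as an added example that is not part of the original post: a small triage routine that sorts automatic replies into “likely invalid address”, “temporary absence” and “unknown”, so that a person can go through the likely-invalid ones rather than deleting subscribers automatically (a vacation reply must not cost someone their subscription). The sample replies, addresses and keyword patterns are constructed for this example; a real system would tune the patterns to the languages and mail systems of its audience.

```python
import re

# Constructed sample auto-replies (address, body); none of these are real messages.
SAMPLE_REPLIES = [
    ("anna@example-x.test", "Anna Lind no longer works at Company X. Please contact sales@example-x.test."),
    ("ben@example-y.test", "I am out of office until 14 August and will reply when I return."),
    ("cara@example-z.test", "This mailbox is no longer in use. The employee has left the company."),
    ("dan@example-w.test", "Thank you for your e-mail. I will get back to you shortly."),
    ("eve@example-v.test", "Automatic reply: message received."),
]

# Phrases that usually mean the person has left, so the address is no longer accurate.
LEFT_COMPANY_PATTERNS = [
    r"no longer works",
    r"has left the (company|organisation|organization)",
    r"no longer (with|at|in use)",
    r"mailbox is no longer",
]

# Phrases that usually mean a temporary absence; the address is still valid.
TEMPORARY_PATTERNS = [
    r"out of (the )?office",
    r"on (vacation|holiday|leave)",
    r"until \d",
    r"will (reply|get back|respond)",
]


def classify_auto_reply(body: str) -> str:
    """Return 'likely_invalid', 'temporary' or 'unknown' for one auto-reply body."""
    text = body.lower()
    # Check the "left the company" phrases first: they are the ones that matter
    # for accuracy, and an out-of-office reply can also mention a date.
    if any(re.search(p, text) for p in LEFT_COMPANY_PATTERNS):
        return "likely_invalid"
    if any(re.search(p, text) for p in TEMPORARY_PATTERNS):
        return "temporary"
    return "unknown"


def triage(replies):
    """Group addresses by classification so a human can review the likely-invalid ones.

    Nothing is deleted here: the output is a review queue, not an action.
    """
    queue = {"likely_invalid": [], "temporary": [], "unknown": []}
    for address, body in replies:
        queue[classify_auto_reply(body)].append(address)
    return queue


if __name__ == "__main__":
    for bucket, addresses in triage(SAMPLE_REPLIES).items():
        print(f"{bucket}: {addresses}")
```

The “unknown” bucket is deliberate: a reply that matches neither set of phrases should end up in front of a person, not be guessed at by the code.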

If the data you have is inaccurate or wrong, then there is no reason for you to handle the data and it should be updated or deleted.

5. Storage limitations

This principle is about deleting personal data when you don’t need it anymore. Basically, you should not store personal data which is no longer of use for the purpose it was intended. This principle is very similar to the data minimisation principle, and many organisations consider deleting old data as a part of data minimisation. Implementing a process for destroying data in a secure way can help you ensure that the data no longer needed is really removed and not still stored on a device or in the cloud, where it could be a potential security risk.

Storage limitations in our example

In our example, storage limitation could mean deleting the information of people who unsubscribe from your newsletter. Similarly, if your organisation decides not to send newsletters anymore, you will have to delete the personal data of your subscribers. That is because the purpose for gathering your subscribers’ personal data is to send them the newsletter, and if that purpose does not exist anymore, the data that was gathered for that purpose should not either.

In some cases, it might be relevant to keep personal data for some time after the purpose has ended or to anonymise the data and use it for statistical or historical purposes. Keep in mind though, that these situations are exceptions rather than rules and they must be carefully considered.
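A retention routine for the two situations just described (a subscriber unsubscribes; the newsletter is discontinued), as an added example that is not from the original post. It deletes the identifying record once its purpose has ended and keeps only anonymised statistics (signup month and months subscribed), which is the “statistical purposes” exception mentioned above. The 30-day grace period after an unsubscribe is a hypothetical policy value chosen for the example, and the subscriber records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical retention policy value (not from the post): an unsubscribed
# person's record is kept 30 days so an accidental unsubscribe can be undone,
# then it is deleted. Only non-identifying statistics survive.
UNSUBSCRIBE_GRACE = timedelta(days=30)


@dataclass
class Subscriber:
    email: str
    name: str
    subscribed_at: datetime
    unsubscribed_at: Optional[datetime] = None


def months_between(start: datetime, end: datetime) -> int:
    return (end.year - start.year) * 12 + end.month - start.month


def anonymise(sub: Subscriber, now: datetime) -> dict:
    """Reduce a record to aggregate statistics with no identifier left in it."""
    end = sub.unsubscribed_at or now
    return {
        "signup_month": sub.subscribed_at.strftime("%Y-%m"),
        "months_subscribed": months_between(sub.subscribed_at, end),
    }


def purge(subscribers, now: datetime, newsletter_active: bool = True):
    """Return (records to keep, anonymised statistics for the removed ones).

    If the newsletter has been discontinued, the purpose is gone for everyone,
    so every record is anonymised regardless of its unsubscribe state.
    """
    kept, stats = [], []
    for sub in subscribers:
        expired = (
            sub.unsubscribed_at is not None
            and now - sub.unsubscribed_at >= UNSUBSCRIBE_GRACE
        )
        if not newsletter_active or expired:
            stats.append(anonymise(sub, now))  # identity goes, the count stays
        else:
            kept.append(sub)
    return kept, stats


# Constructed sample data.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Subscriber("alice@example.test", "Alice", datetime(2023, 1, 10, tzinfo=timezone.utc)),
    Subscriber("bob@example.test", "Bob", datetime(2023, 4, 5, tzinfo=timezone.utc),
               unsubscribed_at=datetime(2024, 3, 1, tzinfo=timezone.utc)),
    Subscriber("carol@example.test", "Carol", datetime(2023, 9, 1, tzinfo=timezone.utc),
               unsubscribed_at=datetime(2024, 5, 20, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    kept, stats = purge(SAMPLE, NOW)
    print("kept:", [s.email for s in kept])
    print("anonymised:", stats)
```

Note that the anonymised records carry no e-mail address or name, so what remains after the purge is no longer personal data that the storage limitation principle would apply to.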

6. Integrity and confidentiality

If you are familiar with cyber security or information security, you have probably heard about the ‘CIA triangle’ (also called the CIA triad). It sounds cool, but rather than the Central Intelligence Agency, it relates to a triangle that stands for confidentiality, integrity and availability.

This principle is concerned with two of the edges of that triangle. Integrity is about making sure that personal data is correct and cannot be manipulated by others (for example, by protecting your systems against attackers). Confidentiality is about making sure that only the people who should have access to the personal data are processing it.

Integrity and confidentiality in our example

In our example, this would mean that the data you gather through your newsletter should not be accessed by unauthorised people. This also includes people in your own organisation. In other words, only people that need to have access to the information about your subscribers in order to deliver the newsletter should have access to it. Furthermore, you should have systems and measures in place so that the data cannot be manipulated.

For instance, the personal data of your subscribers should not be stored in a shared drive that everyone in your organisation can access, and you must take necessary measures to ensure that the place you store this information is protected against cyberattacks and breaches.

Integrity also plays an important role when it comes to safely posting pictures and videos online, and so do many of the other GDPR principles.

7. Accountability

As the name suggests, this principle relates to taking responsibility for your data processing. It means that you, as the data controller and/or processor, must be accountable for the proper processing of personal data and compliance with the rules of the GDPR.

When we talk about taking responsibility, it is not only about fulfilling the various requirements of the GDPR, but also being able to document that you are doing so.

Examples of accountability

For instance, if you use consent as a legal basis for processing the personal data of your newsletter subscribers, and thus ensure the lawfulness principle, you will have to document how and when this consent was given. To do so, you will have to have a system in place that logs the consent.
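A consent log of the kind just described, as an added example that is not part of the original post. It ties together three of the principles: it records when and how consent was given (lawfulness and accountability, principles 1 and 7), it binds each stored field to the purposes it was collected for so that the IP address kept as consent evidence cannot be handed out for geographical targeting (purpose limitation, principle 2), and it chains entries with SHA-256 hashes so that a modified or removed entry is detectable (integrity, principle 6). The field-to-purpose mapping, the `ConsentLedger` class and its methods, the policy version string and the sample subscriber and IP address are all constructed for this example.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Assumed mapping of stored fields to the purposes they were collected for
# (hypothetical, not from the post). The IP address is kept only to prove
# when and how consent was given, so it is not available for targeting.
FIELD_PURPOSES = {
    "email": {"newsletter_delivery", "consent_evidence"},
    "name": {"newsletter_delivery"},
    "ip_address": {"consent_evidence"},
}

GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    given_at: str        # ISO-8601 UTC timestamp of the consent
    method: str          # how consent was given, e.g. "web_form_checkbox"
    purposes: tuple      # what the data subject agreed to
    ip_address: str      # evidence of the consent only (see FIELD_PURPOSES)
    policy_version: str  # which privacy policy text the subject saw
    prev_hash: str       # hash of the previous entry (tamper evidence)
    entry_hash: str      # hash of this entry's own fields


def _digest(payload: dict) -> str:
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    """Append-only consent log with a hash chain over its entries."""

    def __init__(self):
        self._entries: list[ConsentRecord] = []

    def record(self, email, method, purposes, ip_address, policy_version, given_at=None):
        given_at = given_at or datetime.now(timezone.utc).isoformat()
        prev_hash = self._entries[-1].entry_hash if self._entries else GENESIS_HASH
        payload = {
            "email": email, "given_at": given_at, "method": method,
            "purposes": tuple(sorted(purposes)), "ip_address": ip_address,
            "policy_version": policy_version, "prev_hash": prev_hash,
        }
        entry = ConsentRecord(**payload, entry_hash=_digest(payload))
        self._entries.append(entry)
        return entry

    def evidence_for(self, email) -> list:
        """Everything needed to answer 'when and how did this person consent?'."""
        return [asdict(e) for e in self._entries if e.email == email]

    def may_use(self, email, field_name, purpose) -> bool:
        """True only if the subject consented to the purpose AND the field was collected for it."""
        consented = any(purpose in e.purposes for e in self._entries if e.email == email)
        return consented and purpose in FIELD_PURPOSES.get(field_name, set())

    def verify_chain(self) -> bool:
        """Recompute every hash; False if any entry was altered, removed or reordered."""
        prev = GENESIS_HASH
        for e in self._entries:
            payload = {k: v for k, v in asdict(e).items() if k != "entry_hash"}
            if e.prev_hash != prev or _digest(payload) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


if __name__ == "__main__":
    # Constructed sample: one subscriber, documentation-range IP address.
    ledger = ConsentLedger()
    ledger.record("anna@example.test", "web_form_checkbox",
                  {"newsletter_delivery", "consent_evidence"}, "203.0.113.7",
                  "privacy-policy-v3", given_at="2024-05-01T10:00:00+00:00")
    print(ledger.evidence_for("anna@example.test"))
    print("ip for geo targeting allowed:",
          ledger.may_use("anna@example.test", "ip_address", "geo_targeting"))
    print("chain intact:", ledger.verify_chain())
```

The `may_use` check is where purpose limitation becomes enforceable rather than a training topic only: a colleague who asks the system for subscribers' IP addresses for geographical targeting gets a refusal, because that purpose was neither consented to nor one the field was collected for.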

Another example is that many of the principles of the GDPR require you to take organisational measures, in addition to technical measures. This could for instance be regarding principle 2, where you should train your employees about not re-using personal data for purposes other than its original intent. By providing training to your team and documenting the initiative, you are both fulfilling and demonstrating a GDPR requirement.

Conclusion: Training is key

In summary, the GDPR can sometimes be overwhelming to understand due to its heavy language and loaded explanations. This guide was intended as a starting point for beginners. I hope that you enjoyed the reading and that the insight you get from this article will make your work with compliance easier.


As a final note, we have discussed that your staff are a vital part of ensuring GDPR compliance in your organisation. They are the ones who must deal with processing personal data on a daily basis. We recommend making sure that your team is equipped with the necessary skills and knowledge in dealing with personal data. There are many ways to train your team. At CyberPilot we offer a broad number of courses related to cybersecurity. You can take a look at our awareness training course catalog to see the topics that we currently cover.

If you are curious about training your team, the courses we have developed are short, fun, and interactive. Right now, we offer a 14-day free trial without any commitment or any purchase. I would highly recommend giving it a try.

Frequently asked questions about the GDPR

How does the GDPR address cross-border data transfers, especially concerning countries with varying data protection laws?

The GDPR addresses cross-border data transfers through a set of stringent requirements aimed at safeguarding personal data when it moves outside the European Economic Area (EEA). It establishes that transfers to countries outside the EEA can only occur if the receiving country ensures an adequate level of data protection comparable to that of the GDPR.

This adequacy can be determined by the European Commission, which assesses the data protection laws and practices of non-EEA countries. Alternatively, organizations can rely on specific legal mechanisms, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), to facilitate lawful data transfers.

However, navigating these mechanisms can be complex, especially when dealing with countries with divergent data protection regulations.

Are there any specific requirements or guidelines outlined by the GDPR regarding the encryption and anonymization of personal data?

While the GDPR emphasizes the importance of implementing technical and organizational measures to protect personal data, it does not prescribe specific encryption or anonymization methods. Instead, it requires organizations to adopt measures that ensure the ongoing confidentiality, integrity, availability, and resilience of data processing systems and services.

Encryption and anonymization are recognized as effective means of enhancing data security and minimizing privacy risks. However, the choice of encryption algorithms, key management practices, and anonymization techniques may vary depending on factors such as the nature of the data and the processing activities involved.

Organizations must assess their specific circumstances and employ suitable measures to achieve GDPR compliance.

What are the potential consequences for organizations that fail to comply with the GDPR principles, beyond the mentioned fines?

Beyond the possibility of fines for non-compliance, organizations failing to adhere to GDPR principles may face a range of additional consequences.

These could include legal proceedings, regulatory investigations, and corrective measures imposed by supervisory authorities. Moreover, non-compliance can lead to reputational damage, loss of customer trust, and negative publicity, which can have long-term impacts on business operations and relationships.

Overall, the consequences of non-compliance extend beyond monetary fines and encompass legal, reputational, and operational risks that organizations must consider in their compliance efforts.

You can also watch our video where we explain the 7 GDPR principles in just 7 minutes