GDPR The Basic Facts — GDPR Processing Principles
This e-book is derived from a full GDPR course I created that has had over 11,000 student enrolments. I thought it would be useful to provide a version on Medium. Data protection law can be complex and an e-book cannot be sure to cover your organisation’s circumstances, so be sure to seek professional advice if you have any doubts when processing personal data.
In this chapter I cover the manner in which personal data should be processed.
Data protection law has traditionally established core principles that govern all processing of personal data; the GDPR is no exception to this. In this section we will work through the GDPR data principles that underpin the law. If you are familiar with older versions of the UK Data Protection Act you are likely to already be familiar with most of these concepts as the GDPR principles are broadly the same.
The principles govern how data should be processed. For processing of personal data to be compliant, organisations must demonstrate that they are following the principles. The one exception to this is the accountability principle as this relates to the behaviour of processing organisations instead of the processing activities themselves.
So, what are the principles?
The GDPR core principles (Article 5(1)) are as follows:
· Lawful, fair and transparent
· Purpose limitation
· Data minimisation
· Accuracy
· Storage limitation
· Integrity and confidentiality
In addition to the core principles, there is a new “accountability” principle which means that organisations must be able to demonstrate that they are in compliance with the regulation if they process personal data. This means that the emphasis is on all data users to understand their processes and have adequate policies, procedures and supporting documentation to show that they understand and are following the regulation. Although the accountability principle itself is placed on Data Controllers, Data Processors have their own documentation obligations under the GDPR (for example, records of processing activities), so in practice both need to be able to evidence what they do with personal data.
The principles are the most important bit to get right; if you are following these, then you won’t go far wrong so we’ll look at these in a bit of detail.
Lawful, fair and transparent
Data must be processed lawfully, fairly and in a transparent manner. You must be open and honest about what data you collect, why you process it and how that relates to the law. You must communicate your lawful basis for processing to people whose data is being processed.
Transparency is achieved by keeping the individual informed and this should be done before data is collected and where any subsequent changes are made. The GDPR requires that the Data Controller provide the data subject with information about the personal data processing in a concise, transparent and intelligible manner, which is easily accessible, using clear and plain language.
It is important to remember that data is not always collected directly from individuals but may be collected from others, derived from other data sets, observed by tracking or created using algorithms. The GDPR has a mandatory list of the information which must be given to individuals where data is obtained directly from them but also where it is obtained indirectly. How you let individuals know about what you are doing will depend both on the method of communication and on the target audience.
The UK’s Information Commissioner’s Office (ICO) has created a “Code of Practice on privacy notices, transparency and control” which can assist with preparing a notice to comply with the GDPR. The ICO recommends creating communications that are likely to be understood and are easy to use by the target audience. They recommend that you take advantage of techniques such as layering of information, directing users to a ‘privacy dashboard’, using pop-ups, tick-boxes and ‘just-in-time’ notices or icons in order to highlight particular issues. The pop-up notices that interrupt you when you first visit a new website and warn you about data collection and cookies are a familiar example of a “just-in-time” privacy notice.
As a general rule, the more unusual your use of data or the more risk there is to the individual, the more you are obligated to make efforts to bring your activities to the data subject’s attention.
Purpose limitation
Organisations must only use personal data for the purpose for which it was gathered and must not then use it for other, undeclared purposes.
This means that processing personal data is only permissible if you stick to the original purpose for which the data was collected. Processing “for another purpose” later on requires a further lawful basis or fresh consent. The only exception to this requirement is where the “other purpose” is “compatible” with the original purpose.
Examining where an additional purpose may be permissible will include factors such as a clear link with the original purpose, the context in which the personal data has been collected, the nature of the personal data, the possible consequences of the intended further processing for data subjects and the existence of appropriate safeguards.
A recent case in the US, in which a service that allowed the public to upload photos to be stored and shared then used those images to train artificial intelligence facial recognition systems, is an example where users of the service appear to have been surprised by the additional use. If the company processes the data of EU residents, the privacy notices it issued may have fallen short of the GDPR principle of purpose limitation (and the transparency requirement) and could be open to challenge.
Data minimisation
Any personal data collected by organisations must be relevant to the processing and limited to what is necessary for that processing.
Organisations must ensure that only personal data which is necessary for the specified purpose is processed. This means that the amount of personal data collected, the extent of the processing and the period of storage and use must be the minimum needed for the purpose stated by the organisation. Under the GDPR, data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. This principle also links back to the purpose limitation principle.
Organisations must not only limit the data they collect to what is needed, but must also make sure that they collect enough data to achieve their purpose. The reasoning here is that if you haven’t collected enough data to fulfil your purpose, then the data you do hold becomes useless and you can end up holding personal data for no reason or purpose, which obviously fails under the data minimisation principle.
The data minimisation principle is all about minimising the risk to data subjects by limiting the amount of personal data that is gathered; loss of a limited amount of data is preferable to loss of a more extensive data set.
Accuracy
Organisations must keep personal data accurate and, where necessary, up to date. Inaccurate data must be corrected, put beyond use or deleted.
Data that is inaccurate poses a risk to the rights of the data subject as incorrect decisions and outcomes may occur. The accuracy principle is largely unchanged from existing data protection law in place before the GDPR. Data Controllers are required to take “every reasonable step” to comply with this principle.
Storage limitation
Personal data must not be stored for longer than necessary.
Once you no longer need personal data for the purpose for which it was collected, it follows that there is no longer a lawful basis of processing in place. In this case data should be deleted, anonymised or placed beyond use. This means there should be a regular review process in place with regular “housekeeping” processes to clear up databases.
When you no longer have a need for the data, you should delete it. Many organisations have predefined retention policies for their various data types to help define when data can be deleted. Organisations need to ensure that they understand how long each type of data should be retained. For example, it may be necessary to keep data for the duration of a contract and then for a further period in case of legal challenge; in this case it is legitimate for the organisation to retain the data for the longer period because a lawful basis of processing (defending legal claims) is still in place.
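The following is an added illustration of the “housekeeping” pass described above, not code from the original book. It applies a per-category retention schedule to a small set of constructed records and decides, for each one, whether it is kept, anonymised or deleted. The record categories, the retention periods (including the six-year post-contract period used as a stand-in for a legal limitation period), the `legal_hold` flag and the `anonymisable` flag are all assumptions made for the example; a real schedule must come from your own legal and business analysis.

```python
"""Retention housekeeping pass over constructed personal-data records.

Added example; the categories and retention periods below are assumptions,
not figures taken from the GDPR or from any regulator's guidance.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Hypothetical retention schedule: days to keep a record after its
# triggering event (contract end, last marketing contact, ticket closed).
RETENTION_DAYS = {
    "contract": 6 * 365,       # assumed limitation period for legal claims
    "marketing": 2 * 365,      # assumed period after the last contact
    "support_ticket": 1 * 365, # assumed period after the ticket closed
}

ACTIONS = ("keep", "anonymise", "delete")


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date      # the event the retention clock runs from
    legal_hold: bool = False   # an open legal claim suspends deletion
    anonymisable: bool = False # data can be kept as statistics without identifiers


def decide(record: Record, today: date) -> str:
    """Return the housekeeping action for one record.

    Raises ValueError for a category with no defined retention period, so a
    gap in the retention policy surfaces instead of silently keeping data.
    """
    if record.category not in RETENTION_DAYS:
        raise ValueError(f"no retention period defined for {record.category!r}")
    if record.legal_hold:
        # A different lawful basis (defence of legal claims) now applies, so the
        # data is retained even though the original purpose has ended.
        return "keep"
    expiry = record.trigger_date + timedelta(days=RETENTION_DAYS[record.category])
    if today < expiry:
        return "keep"
    # Past the retention period: prefer anonymisation where the organisation
    # still needs aggregate figures, otherwise delete.
    return "anonymise" if record.anonymisable else "delete"


def housekeeping(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Group record ids by the action the retention policy requires."""
    plan: Dict[str, List[str]] = {action: [] for action in ACTIONS}
    for record in records:
        plan[decide(record, today)].append(record.record_id)
    return plan


def run_example() -> Dict[str, List[str]]:
    """Run the pass over a constructed data set on a fixed review date."""
    today = date(2024, 1, 15)
    records = [
        Record("r1", "contract", date(2017, 1, 1)),                     # expired
        Record("r2", "contract", date(2022, 6, 1)),                     # still in period
        Record("r3", "marketing", date(2021, 3, 1), anonymisable=True), # expired, keep stats
        Record("r4", "support_ticket", date(2022, 11, 1), legal_hold=True),
    ]
    return housekeeping(records, today)


if __name__ == "__main__":
    for action, ids in run_example().items():
        print(f"{action}: {ids}")
```

Running the example produces `keep: ['r2', 'r4']`, `anonymise: ['r3']`, `delete: ['r1']`. The point of raising on an unknown category is that a retention review should fail loudly when a data type has slipped through without a documented retention period; silently keeping it is exactly the outcome the storage limitation principle is meant to prevent.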
Integrity and confidentiality
Organisations must process personal data in a manner that ensures that data is kept confidential, protected from unlawful access and is safeguarded against loss or corruption by malicious or accidental means.
Under the GDPR personal data must be protected using appropriate “technical and organisational measures”. This goes to the heart of protecting the privacy of individuals. What this means is that both Data Controllers and Data Processors must assess the risk presented by their data processing (or proposed data processing), then implement security appropriate to those risks and, crucially, check on a regular basis that those measures remain up to date and are working effectively.
This principle is designed to create an obligation on organisations to do whatever is necessary to protect individuals’ data from loss or unauthorised disclosure.
What are the principles for?
The GDPR principles are the fundamental standards that organisations must follow. They act as benchmarks against which to compare an organisation’s activities. As well as setting out the principles, the GDPR marks a fundamental shift in the approach to protecting individuals’ personal data by adding a requirement for organisations to demonstrate their compliance.
The accountability principle
The accountability principle of the GDPR requires Data Controllers to demonstrate that they comply with the GDPR principles. The regulation states explicitly that it is the responsibility of every Data Controller, without exception, to be able to show their compliance.
This means that, as well as following the data protection principles and rules within the regulation, you have to be able to show that you have followed them through maintaining appropriate documentation. Think of this as a requirement to “show your workings” in an exam!
We will cover some of the documentation you may use to assist in demonstrating compliance (such as processing records and internal process manuals) in this course. This is important as, without an accountability structure in place, it won’t matter if you’re processing the right way; you have to be able to demonstrate your compliance should you be subject to scrutiny.
It is worth noting that under the old UK Data Protection Act 1998 the data principles were similar but applied without the need to be able to demonstrate compliance. Every organisation that processed the personal data of individuals was required to follow the requirements of that Act to ensure that data was kept safe and use of personal data was fair.
That law was written before the era of widespread online processing, when data processing was only starting to move towards computerised and eventually online activities. Organisations could comply with it by providing a privacy notice, ensuring people could exercise their rights and keeping their data safe, without needing to demonstrate how this was done. Generally, an organisation would only have to demonstrate its compliance if it was actually being investigated for a data breach.
Here are the links to the rest of the book.