Kiran Bhagotra, CEO, ProtectBox
Nov 6th, 2020
The Seven Data Protection Principles You Need to Follow
The Data Protection Act – the UK’s implementation of the EU’s General Data Protection Regulation (GDPR) – outlines seven data protection principles organisations processing the personal data of EU citizens should follow to remain compliant with the legislation.
Failure to follow these seven data protection principles leaves you at risk of facing a huge fine (at the time of writing, 410 fines have been issued totalling just under €178 million since the legislation came into effect in May 2018) – but there are further risks too.
Consumers are placing increasing importance on data privacy and security concerns. A 2019 report by Cisco revealed that nearly one half (48%) of consumers not only care about privacy, but are willing to act on these concerns (and already have) by switching companies.
(Image source: cisco.com)
The financial damage done by poor data protection policies is clear.
To help you make sure your processes for collecting, storing and processing customer data are watertight, we’ve broken down the seven data protection principles – and what they mean for your organisation.
What are the Seven Data Protection Principles?
1. Lawfulness, Fairness and Transparency
The first of the seven data protection principles defines how and in what manner you should be collecting data.
According to the GDPR, individual data should be “processed lawfully, fairly and in a transparent manner in relation to individuals.”
This means that:
• All processes that involve personal data of EU citizens must be compliant with the precautions set out by the GDPR. The GDPR lays out clear directions for every step of your data protection policy, so you’ll need to know these inside out.
• You must obtain personal data fairly, with data subjects being fully informed of why you need it.
• You should keep data subjects informed about the purpose of you holding their data and the timescale in which you intend to keep it.
2. Purpose Limitation
Purpose limitation underlines the concept of fairness introduced in the first principle.
Personal data should be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”
This means that you must only use personal data for purposes that you explicitly shared with data subjects when they gave it to you. You cannot gather data for one purpose, hold it and then use it again for a different purpose – unless you obtain permission from the data subject.
The GDPR does, however, lay out that you can process data further for archiving purposes in the following cases:
• It’s in the public interest to do so
• You need to do so for explicit scientific or research purposes
• It’s for statistical analysis where the data is anonymised and aggregated
3. Data Minimisation
The GDPR states that data gathering activities should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
In other words, you should only gather the personal data you explicitly need for the purposes you have outlined. You will also be required to justify why you collected the data you did – so make sure you have solid policies in place for reporting and documenting this.
This helps minimise the risk of accidental leakage and of data subjects becoming victims of cybercrime.
4. Accuracy
Data should be “accurate and, where necessary, kept up to date” for your organisation to remain GDPR compliant.
The principle also states that you should “take every reasonable step” to ensure old, out-of-date, or otherwise inaccurate personal data is either updated (where relevant) or erased as soon as possible.
Regular data audits will help significantly with this – so, if you haven’t done so already, now’s the time to start implementing these into your organisation.
5. Storage Limitation
Organisations should not keep data in any form that could identify its subject for longer than is strictly necessary. Once you’ve used the data for the purposes for which you collected it, you should anonymise it or delete it.
The GDPR makes the same allowances for archiving in the public interest, scientific or historical research, or statistical analysis as it does in the purpose limitation principle, “subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.”
6. Integrity and Confidentiality
Organisations should handle personal data responsibly and securely, taking all reasonable measures to ensure “protection against unlawful processing or accidental loss, destruction or damage.”
Having the means of anonymising personal data, such as through data encryption or pseudonymisation, is an essential requirement under the GDPR. To further augment security, you should also ensure your storage systems are secure enough to withstand potential cyberattacks or accidental data loss or damage.
You can do this by:
• Implementing the right cybersecurity software package with data encryption tools, strict access controls, firewalls and antivirus software – and perhaps diagnostic programmes, intrusion detection and prevention as well
• Investing in secure data backup and recovery solutions
• Working towards official certification like ISO 27001 to expand your knowledge of cybercrime and prove your commitment to fighting it
• Instilling good data security practices in your workforce, such as phishing awareness, regular password changes and device security awareness
7. Accountability
Out of the GDPR’s seven data protection principles, the accountability principle is the one that outlines your responsibilities most explicitly.
Your organisation is explicitly accountable for complying with the other six principles and should be able to demonstrate compliance when requested by GDPR authorities. Failure to do so could result in a financial penalty – penalties issued since May 2018 have ranged from €48 to €50,000,000.
(Image source: privacyaffairs.com)
This means you need watertight data documentation, protection, and audit policies in place. Every step of your policies should be documented extensively so that you can justify your actions to regulators if needed.
Find Software to Help You Meet the Seven Data Protection Principles
GDPR regulations are stringent – fines will be administered to companies that breach the seven data protection principles outlined above. At the same time, customers will vote with their feet if they feel that their data isn’t in a safe pair of hands. Both can result in serious financial damage to your business.
That’s why finding the right IT security software – which will help protect you from avoidable and negligent data breaches – has never been more important.
That’s where ProtectBox comes in.
By filling out an easy-to-understand survey (designed for both techies and non-techies), we can recommend data security packages that are tailored to your data protection needs, so you get to access expert advice free of charge, all whilst saving hours of individual research.