Data protection principles

If you process data, you can stay lawful by adhering to these principles

Data protection

Pretty much every single business in Europe will have been affected in some way by the introduction of the General Data Protection Regulations (GDPR) back on 25 May. In fact, a lot of businesses were forced to quickly change their data protection policies last minute as the deadline loomed (or just afterwards when the realisation the law was going to change hit).

And that's because the introduction of the GDPR marked the biggest shift in data protection for decades, making sure the data subject (ie., the individual) is protected from unwanted data use such as spam, and of course, prevent their data falling into the wrong hands. It put the subject at the centre of everything, giving them a say into how their data is used and stored.

The GDPR rules apply to all businesses both based in and operating any kind of trade in the EU, so even though the UK is supposedly leaving the EU at some point, the laws will still apply to the majority of businesses. Added to that, even if you don't conduct business with other EU-based companies, the UK's own data laws have changed to be in line with the Europe-wide regulations.

The move doesn't just apply to the protection of customer data - it applies to all of the personal data a company may have access to, such as customer data, employee information, partner records and more.

The Information Commissioner's Office (ICO) is the UK's national data regulator, tasked with enforcing GDPR in the UK, as well as the Data Protection Act 2018, which offers UK-specific provisions outside of GDPR.

This authority, which has been operating up till now under the terms of the Data Protection Act 1998, has outlined in clear terms a set of principles that lie at the heart of how a company should structure their data policies to ensure maximum compliance with modern standards for data protection.

Lawfulness, fairness and transparency

The first principle is quite possibly the most important. All personal data needs to be processed fairly and lawfully, and in a way that's completely transparent. An organisation has a responsibility to inform every individual that they collect data on exactly how that data will be used and who it will be passed on to. The collection, the processing and the disclosure of data must all be done in accordance with the law.

Purpose limitation

Data collection must be for a stated reason that is lawful and transparent, it must not be processed in a way that's at odds with that original purpose.

Data minimisation

Organisations in charge of collecting data are obligated to make sure the information is adequate, relevant and not excessive in relation to the original reason it was gathered. The subject of the data also has the right to access any data held about them, in whatever format that data is stored, whether it be handwritten notes, emails or formal documents.

Accuracy

Organisations are obligated to ensure personal data held is accurate and up to date. This means that an organisation should review information held about individuals at regular intervals and amend out of date or inaccurate information. Individuals have the right to have inaccurate data about them erased or destroyed. 

Storage Limitation

When data on an individual has served its purpose, it must be deleted or destroyed, unless there are other grounds for retaining it. Organisations should have a review process in place to clean up databases. 

Integrity and confidentiality

The data an organisation has must be kept secure. The data controller has a responsibility to take reasonable steps to ensure the reliability of any employees who have access to personal data. If a third party is used to process data, an organisation must ensure that a contract in place with that data processor which provides for appropriate security measures. 

Other principles

The need to process data in accordance with an individual's rights and the transfer of data to countries abroad were two principles under the previous act but were afforded their own separate chapters under GDPR detailing extensively how these applied under the law.

The principle of 'accountability' also applies under the EU's new set of regulations, with data controllers expected to take greater responsibility for what is done with personal data, and how to comply with the other principles. Under this principle, the appropriate measures, and records must be in place to demonstrate compliance when expected.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Webhose and Signal Corp boost data breach detection
Security

Webhose and Signal Corp boost data breach detection

7 Oct 2020
ICO to relax GDPR enforcement during coronavirus economic downturn
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020
The NHS teams up with Apple and Google on coronavirus tracking app
privacy

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
Health sites are 'unlawfully' sharing medical data with Facebook and Google
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
How to wipe a laptop easily and securely
Security

How to wipe a laptop easily and securely

5 Oct 2020
iPhone 12 lineup official with A14 Bionic chip and 5G support
Mobile Phones

iPhone 12 lineup official with A14 Bionic chip and 5G support

13 Oct 2020