Data protection principles

If you process data, you can stay lawful by adhering to these principles

Data protection

Pretty much every single business in Europe will have been affected in some way by the introduction of the General Data Protection Regulations (GDPR) back on 25 May. In fact, a lot of businesses were forced to quickly change their data protection policies last minute as the deadline loomed (or just afterwards when the realisation the law was going to change hit).

And that's because the introduction of the GDPR marked the biggest shift in data protection for decades, making sure the data subject (ie., the individual) is protected from unwanted data use such as spam, and of course, prevent their data falling into the wrong hands. It put the subject at the centre of everything, giving them a say into how their data is used and stored.

The GDPR rules apply to all businesses both based in and operating any kind of trade in the EU, so even though the UK is supposedly leaving the EU at some point, the laws will still apply to the majority of businesses. Added to that, even if you don't conduct business with other EU-based companies, the UK's own data laws have changed to be in line with the Europe-wide regulations.

The move doesn't just apply to the protection of customer data - it applies to all of the personal data a company may have access to, such as customer data, employee information, partner records and more.

The Information Commissioner's Office (ICO) is the UK's national data regulator, tasked with enforcing GDPR in the UK, as well as the Data Protection Act 2018, which offers UK-specific provisions outside of GDPR.

This authority, which has been operating up till now under the terms of the Data Protection Act 1998, has outlined in clear terms a set of principles that lie at the heart of how a company should structure their data policies to ensure maximum compliance with modern standards for data protection.

Lawfulness, fairness and transparency

The first principle is quite possibly the most important. All personal data needs to be processed fairly and lawfully, and in a way that's completely transparent. An organisation has a responsibility to inform every individual that they collect data on exactly how that data will be used and who it will be passed on to. The collection, the processing and the disclosure of data must all be done in accordance with the law.

Purpose limitation

Data collection must be for a stated reason that is lawful and transparent, it must not be processed in a way that's at odds with that original purpose.

Data minimisation

Organisations in charge of collecting data are obligated to make sure the information is adequate, relevant and not excessive in relation to the original reason it was gathered. The subject of the data also has the right to access any data held about them, in whatever format that data is stored, whether it be handwritten notes, emails or formal documents.

Accuracy

Organisations are obligated to ensure personal data held is accurate and up to date. This means that an organisation should review information held about individuals at regular intervals and amend out of date or inaccurate information. Individuals have the right to have inaccurate data about them erased or destroyed. 

Storage Limitation

When data on an individual has served its purpose, it must be deleted or destroyed, unless there are other grounds for retaining it. Organisations should have a review process in place to clean up databases. 

Integrity and confidentiality

The data an organisation has must be kept secure. The data controller has a responsibility to take reasonable steps to ensure the reliability of any employees who have access to personal data. If a third party is used to process data, an organisation must ensure that a contract in place with that data processor which provides for appropriate security measures. 

Other principles

The need to process data in accordance with an individual's rights and the transfer of data to countries abroad were two principles under the previous act but were afforded their own separate chapters under GDPR detailing extensively how these applied under the law.

The principle of 'accountability' also applies under the EU's new set of regulations, with data controllers expected to take greater responsibility for what is done with personal data, and how to comply with the other principles. Under this principle, the appropriate measures, and records must be in place to demonstrate compliance when expected.

Featured Resources

Key considerations for implementing secure telework at scale

Identifying the security risks and advanced requirements of a remote workforce

Download now

The State of Salesforce 2020

Your guide to getting the most from Salesforce

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Rethink your cybersecurity strategy for the new world

5 steps to secure the enterprise and be fit for a flexible future

Download now

Recommended

ICO to relax GDPR enforcement during coronavirus economic downturn
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020
The NHS teams up with Apple and Google on coronavirus tracking app
privacy

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
Health sites are 'unlawfully' sharing medical data with Facebook and Google
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020
Supreme Court rules Morrisons was not liable for 2014 data breach
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
How do I fix the Windows 10 Start Menu if it's frozen?
operating systems

How do I fix the Windows 10 Start Menu if it's frozen?

3 Aug 2020