Six principles of GDPR that you need to know about

GDPR will come into full force in May 2018

The six principles of GDPR (General Data Protection Regulation) are similar in many ways to the eight principles of the Data Protection Act. While the six principles of GDPR do not include individuals’ rights or overseas transfers, these are covered elsewhere in GDPR.

One key difference is that under GDPR, you must show how you comply with the principles, not just that you do. This is a separate requirement known as the accountability principle which is integrated across GDPR.

Free mini course on the six principles of GDPR

VinciWorks has recently released a new mini course on the six principles of GDPR. The five minute course tests users’ knowledge on the six principles of GDPR and is part of VinciWorks’ course Data Protection: Privacy at Work. You can take the short course here.

What are the 6 GDPR Principles?

The six principles of data protection in GDPR are that data must be treated in a way that is:

1. Lawful, fair and transparent

There have to be legitimate grounds for collecting the data, and it must not have a negative effect on the person or be used in a way they wouldn’t expect.

2. Limited for its purpose

Data should be collected for specified and explicit purposes and not used in a way someone wouldn’t expect.

3. Adequate and necessary

It must be clear why the data is being collected and what will be done with it. Unnecessary data or information without any purpose should not be collected.

4. Accurate

Reasonable steps must be taken to keep the information up to date and to change it if it is inaccurate.

5. Not kept longer than needed

Data should not be kept for longer than is needed, and it must be properly destroyed or deleted when it is no longer used or goes out of date.

6. Integrity and confidentiality

Data should be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing, loss, damage or destruction, and kept safe and secure.

For example, a car dealership is running a competition in partnership with a local newspaper to win a test drive in a Ferrari. To enter, people have to put in their phone number, email address and their top three favourite cars. The dealership and the local newspaper plan to share the data between them. The dealership wants to directly market people’s favourite cars back to them, and the newspaper has plans to launch an auto-trading magazine.

The data protection principles that would be impacted include 1 – lawful, fair and transparent; 2 – limited for its purpose; and 6 – integrity and confidentiality. Data that is collected for deceptive or misleading purposes is not fair and may not be lawful. When data is being collected, the reasons for its collection must be stated, and people have a right not to be marketed to without their consent. In this case, those who entered the competition are not being made aware of the true purpose for collecting their information and are being tricked into a marketing ploy.

Remembering the 6 Principles of Data Protection

Data protection officers, risk managers and those involved in processing and distributing data should become familiar with these principles in order to ensure their organisation is compliant. Short online data protection courses are available and can be customised to suit any industry and job role. Further, familiarity with the GDPR guide will help you and your staff stay up to date with the requirements of the Data Protection Act. You can download our GDPR guide here.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.



James, VinciWorks CEO
