Rather than act as hard rules, these principles serve as an overarching framework designed to lay out the broad purposes of GDPR. In this post, we’ll take a look at all seven principles of GDPR and what they mean for you and your business.
1. Lawfulness, fairness, and transparency
Let’s start by looking at each of these terms:
- Lawfulness refers to the fact that whenever a company is processing personal data, it should have a good reason for doing so. For example, a company is processing data because it must fulfill a legal obligation, it must make good on a contract, the user has given the company consent, etc.
- Fairness refers to the fact that a company shouldn’t purposely withhold information about what or why it's collecting data, or mishandle or misuse the data it collects.
- Transparency means a company must be clear, open, and honest with data subjects about who it is and why and how it's processing personal data.
Learn more about how Strike Graph can help your business become GDPR compliant. Request a demo today.
2. Purpose limitation
This principle ensures data is only used for specific activities, and that it is “collected for specified, explicit, and legitimate purposes”. These purposes must be clearly established and openly communicated via a privacy notice. Make sure your organization follows them closely and limits the processing of data only to the purposes you’ve stated.
3. Data minimization
Like purpose limitation, data minimization ensures organizations only collect the smallest amount of data they’ll need to fulfill their purposes. For example, if your company wants to collect user information in order for website visitors to download an asset, you can only ask for the information you need in order to send them that asset. While email addresses are directly related to that purpose, first and last names are less so — but still applicable — and home addresses and phone numbers aren’t at all.
Your organization must ensure that the data you collect and store is accurate. In order to do this, set up checks and balances to correct, update, or erase incorrect or incomplete data and conduct regular audits to ensure everything remains accurate.
5. Storage limitation
The storage limitation principle requires your organization to justify the length of time it keeps each piece of data it stores. To comply, establish data retention periods and create a standard time period after which your organization anonymizes any data it isn’t actively using.
6. Integrity and confidentiality
Maintaining the integrity and confidentiality of the data your organization collects refers to keeping it secure from both internal and external threats — including accidental loss, destruction, or damage and unauthorized or unlawful processing. This can be achieved via planning and proactive diligence.
Accountability requires that your organization have the appropriate measures and records in place as proof of its compliance. Ensure you have such measures documented, as supervisory authorities can ask for this evidence at any time.
Use these seven principles of GDPR to inform all of your business practices and processing activities. This will ensure you get — and remain — GDPR compliant.