The EU General Data Protection Regulation (GDPR) brings the most revolutionary changes to European data protection laws since the 90’s. Many of the GDPR’s data protection principles derive from the Data Protection Directive (DPD) the GDPR is set to repeal in May 2018. However, some principles found from the GDPR are further refined to correspond to both the technological developments since the passing of the DPD, and to better answer the requirements for privacy protection in the digitized world of today and tomorrow. Even though the changes to the data protection principles may not be fundamental of nature, they do consolidate the significance of these principles of data processing.
The principles relating to the processing of personal data are set out in GDPR’s Article 5(1):
- Lawfulness, fairness and transparency ⇒ Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. The DPD makes some provision for the data controller to process data in a transparent way, but this principle is enshrined as a core principle for the first time in the GDPR. Data processing in a more transparent way could include things such as making privacy policies more user friendly and promoting the rights of users.
- Purpose limitation ⇒ Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This principle already exists in the DPD and it stays relatively unchanged. However, the GDPR does additionally allow further processing for public interest and/or scientific purposes, which widens the scope for further processing by controllers.
- Data minimization ⇒ Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Thus, data controllers need to ensure that considering the purpose, only necessary personal data is processed. Data minimization plays a close role with purpose limitation, since controllers should collect enough data to achieve their purpose, but only the amount needed to do that.
- Accuracy ⇒ Personal data shall be accurate and, where necessary, kept up to date. The same standards are required as under the DPD however, the GDPR specifies that the erasure or rectification of inaccurate personal data must be implemented without delay,
- Storage limitation ⇒ Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. The GDPR expands the DPD’s list of exemptions to this principle. While the DPD allows longer storage time of data than necessary in cases where the data processing takes place in order to achieve statistical or historical purposes, the GDPR adds public interest and scientific purposes to this list.
- Integrity and confidentiality ⇒ Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. The GDPR mirrors the core values deriving from the DPD.
The Principle of Accountability in GDPR's Article 5(2)
- Article 5(2) provides for the perhaps most important principle of all: the principle of accountability, which sets an obligation on data controllers to be responsible for and to be able to demonstrate compliance with the GDPR. It complements the GDPR’s transparency requirements and it is the most significant addition which sets an increased compliance burden. In the light of this principle, data controllers must not only comply with the GDPR, they must also be able to demonstrate it by eg. documenting their decisions when taking processing activities.
Organizations should revise their internal policies and procedures to ensure compliance. Since the GDPR allows for financial sanctions for breach, compliance is more important than ever before. Moreover, organizations should ensure that the personal data they hold is accurate and document how and what for it is being processed to hold evidence of compliance. Other actions to consider include considering the appointing of a Data Protection Office (DPO), staff training, auditing, creating internal processes and certification.