Six Principles of GDPR

published on February 14, 2018

This note is an overview of the six principles of the GDPR. These principles are the foundations for processing personal data and you should ensure that any personal data you process (including personal data which you store) is compliant with these principles.
 
This toolkit does not deal with special category data or criminal data.

The Six principles

Article 5 of the GDPR sets out the six principles of data protection. These principles are the foundation of the GDPR and require that personal data is:

1. processed lawfully, fairly and in a transparent manner;
2. used for the purpose for which it was collected (and that purpose is expressly specified and legitimate);
3. relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. accurate and, where necessary, kept up to date;
5. stored for no longer than is necessary for the purpose for which the personal data is processed; and
6. processed in a manner than protects the security and confidentiality of the personal data.

The controller of the personal data is responsible for complying with the above six principles. Further, the controller of the personal data will be required to be able to demonstrate compliance with these principles, it is therefore important that appropriate policies are in place to facilitate compliance with these principles and that compliance is documented.
 

What do these principles mean?

• Lawful, Fair and Transparent

• Purpose

• Data Minimisation

• Accuracy

• Storage Limitations

• Security and Confidentiality

• Accountability and documentation

Lawful, Fair and Transparent

Before processing any personal data the lawful basis for which the personal data is being processed should be established and this lawful basis should be documented.
 

Having a lawful basis for processing personal data is not a new concept however the GDPR has a particular focus on accountability and transparency. Further the GDPR emphasises “privacy by design” which encourages data protection to be at the forefront of decisions and policies rather than an afterthought.
 

• Consent. Where there is clear and positive consent of the data subject to process their personal data;
• Contract. Processing personal data is necessary to fulfil contract with the data subject;
• Legal Obligation. Processing personal data is necessary to comply with legal obligations/with the law;
• Vital Interest. Processing personal data is necessary to protect someone’s life;
• Public Task. Processing personal data is necessary to perform a task which is in the public interest or for official purpose which has a clear basis in law;
• Legitimate Interest. This lawful basis does not apply if there is a good reason to protect the individuals data which overrides the legitimate interests for processing it. 

 
It is also important that the reasons, grounds and purpose for processing personal data are transparent and clear to the data subject. This requires that the data subject is not mislead, for example, if personal data is processed on the basis that there is a contract with the data subject; asking for the data subjects consent could mislead them about their position and the lawful grounds for processing. This may also be seen to be contray to the requirement of transparency.  
 
You will also need to consider Individual Rights which are explored within our other GDPR toolkits.
 

Purpose

It is important that the most appropriate lawful basis for processing any personal data is determined. In particular, each lawful basis for processing personal data provides the data subject with different individual rights, for example there is no right for the data subject to object to their personal data being processed if it is processed to fulfil a contract with the data subject.
 

Data can only be used for the purpose which the data subject has been made aware of and no other reason. If the purpose for processing the data has changed however it is still compatible with the purpose for which the data was originally processed, the GDPR may allow you to continue to process the data. However, this rule does not apply if the lawful ground for processing the data is “consent”, in which case the consent of the data subject will need to be obtained for the new purpose.
 

Data Minimisation

In order to have a lawful basis for processing personal data, it must be necessary  (or proprotionate for the purposes to which the data is being collected) to process the data. If the same outcome can be reasonably achieved without processing personal data than it is unlikely there will be a lawful basis to do so.
 

Accuracy

The GDPR requires the data controller to ensure that any personal data held is accurate and kept up to date. Procedures should be put in place check accuracy of any personal data and allow for it to be easily updated, if required.
 

Storage Limitations

Personal data should not be held in an itenfiable form for longer than is necessary. To determine how long any personal data should be held the purpose for which the personal data has been processed and any statutory requirements should be considered. It is recommended that clear policy is put in place which deals with and justifies the storage timeframes used. 

Once any personal data is no longer required, it should be securely deleted. If personal data needs to be held for longer, i.e. for statistical purposes than it should be considered whether anonymising the personal data (so that it is no longer possible to in any way identify the individual), is appropriate. 
 

Security and Confidentiality

Any personal data which is processed should be securely stored and remain confidential. This requires adeqate measures to be taken to protect against unlawful processing, accidental loss, destruction or damage. These measures should be reviewed on an on-going basis to ensure compliance with modern practices and any reviews or policies should be documented.
 

The GDPR rules allow for a fine of £17 million or 4% of global turnover for failure to comply with the GDPR. It remains to be seen how fines will be calculated in practice however it is most likely that the larger fines will be for security breaches.
 

Accountability and documentation

The GDPR creates an accountability obligation where the data controller must be able to demonstrate their compliance with the GDPR (and the six principles) through evidence. This requires more than having policies in place. It is recommended that employees receive training on data protection matters (including internal policies), that policies are tested to ensure they are effective (and any test results are used to demonstrate continuous improvement) and that the technology and processes used are reviewed to ensure it is sufficient to ensure compliance with the GDPR. Any documentation which evidences compliance with the GDPR should be kept.