The new European data protection legislation, otherwise known as the General Data Protection Regulation, has been implemented with regards to the protection of individuals and processing personal data.
The regulation includes protection of individuals with regards to processing personal data. It’s becoming a vital component of EU privacy and human rights law.
There are seven principles of the new law. These include:
Lawfulness, fairness and transparency
- Identifying valid grounds under the GDPR for collecting and using personal data.
- Ensuring that no other laws are breached.
- Using personal data in a way that is fair. Must not be unexpected or misleading to the individuals concerned.
- Being clear, open and honest with people from the start about how you will use their personal data.
Purpose Limitation
- Ensuring clarity about what your purposes for processing are from the start.
- Recording your purposes as part of your documentation obligations and specify them in your privacy information for individuals.
- Only using the personal data for a new purpose if either this is compatible with your original purpose, you get consent, or you have a clear basis in law.
Data Minimisation
You must ensure the personal data you are processing is:
- Adequate – sufficient to properly fulfil your stated purpose;
- Relevant – has a rational link to that purpose; and
- Limited to what is necessary – you do not hold more than you need for that purpose.
Accuracy
- Ensuring all reasonable steps are taken to ensure the personal data you hold is not incorrect or misleading
- Keeping the personal data updated, although this will depend on what you are using it for.
- If you discover that personal data is incorrect or misleading, you must take reasonable steps to correct or erase it as soon as possible.
- Carefully consider any challenges to the accuracy of personal data.
Storage Limitation
- Do not keep personal data for longer than you need it.
- Justify long you keep personal data. This will depend on your purposes for holding the data.
- Create a policy setting standard retention periods wherever possible, to comply with documentation requirements.
- Periodically review the data you hold, and erase or anonymise it when you no longer need it.
- Consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
- You can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.
Integrity and Confidentiality
- Ensure that you have appropriate security measures in place to protect the personal data you hold.
- This is the ‘integrity and confidentiality’ principle of the GDPR – also known as the security principle.
Accountability
- Take responsibility for what you do with personal data and how you comply with the other principles.
- Have appropriate measures and records in place to be able to demonstrate your compliance.