The various requirements of data protection and privacy are directly related to some basic principles in the GDPR. This blog post is intended to be a ‘GDPR for dummies’ handbook, where I will guide you through the 7 principles of the GDPR, with examples of what they mean and recommendations on what you can do to comply with them. Understanding the data processing principles will help you get better at complying with the GDPR.
Simply put, the data processing requirements enforced by the GDPR are rooted in 7 general principles for privacy. Understanding the 7 principles of the GDPR will make it easier for you to understand the rules and regulations. The 7 principles are:
Before we look at each principle and examples of practices, let me point out why it is important to understand the data protection principles, and how you can benefit from them.
Following the introduction of the GDPR in 2018, many companies are faced with challenges regarding how to deal with the requirements. These challenges are still true in 2021. The proper processing and handling of personal data is not only an ethical responsibility, but also a legal requirement which, if not complied with, may lead to huge fines, financial consequences, and loss of reputation.
Combined with the fact that personal data is everywhere and that every organisation is processing personal data in one way or another, this leaves organisations with a great challenge.
The issue is that the GDPR might seem like a long and chaotic piece of legislation written in heavy language, and you might think that you would need to seek help from a lawyer to understand it.
However, all requirements of the GDPR are based on 7 basic principles. This means that if you understand these 7 principles, you are a step closer to understanding and complying with the GDPR. Bear in mind, though, that this blog post is meant for beginners; it is therefore simplified and is not meant as a replacement for a lawyer or consultant.
Since it is almost impossible to avoid processing personal data these days, these 7 principles most likely apply to you, but the extent will vary depending on your context. Therefore, I will explain the 7 GDPR principles with an example that will follow throughout this article. The example is designed to be as generic as possible, and applicable to as many organisations as possible.
Let us say that your organisation would like to create an online newsletter for your customers and/or members. Your audience can register for the newsletter in several ways. They can for instance subscribe to your newsletter by filling out a form on your website, or they can also tick a box when they make a purchase on your website. In this way, you obtain a database of your customers, and you send out relevant content to them every now and then. Further, you use this database to customise your message to your audience, for instance by monitoring their behaviour on your website.
It is quite straightforward, right?
Well, now that we have agreed on an example that almost everyone can relate to, let us look at the 7 data protection principles in GDPR, and see how they relate to our example.
But, let me make a disclaimer first: these 7 principles of GDPR are relevant in many other cases too, and you should translate the points from this article to your own practices. This could for instance be when you are running an Instagram contest, organising an event for your employees, or maintaining a database with your business contacts.
It is now time to dive into the 7 principles. Let’s go!
Ok, I know, I said principle 1 and you are seeing three things. I promise this is the only principle that has more than one main thing in it (kind of). So, without confusing you even more, let me explain:
Basically, this principle tells us that the processing of personal data must be conducted in a lawful, fair, and transparent way:
Lawful means that you are gathering data and processing it on a valid legal basis. For instance, getting consent from the user that you can process their data is a very common way of obtaining a legal basis for processing personal data. There are many legal grounds for processing personal data, which you can read more about here.
Fair means that your processing of personal data is in the best interest of the person the data is about, and that the scope of the processing can be reasonably expected by that person.
Transparent means that you clearly communicate what, how, and why you process data to the people whose data you process. This should be done in a way that lets those people easily understand the scope and methods of your processing.
For our example, a newsletter needs, as a minimum, the names and e-mail addresses of the people who register for it. You need to obtain a legal basis for this, for example by letting the user give consent to your processing by ticking a box. It is, however, also important that you give users the option to limit the gathering of their data to only what is essential to deliver the newsletter (i.e., do you really need the person’s job title for your newsletter? If you collect it, you should be prepared to present good arguments for that). Furthermore, you will need to be able to document when and how that consent was given, if asked to.
The processing of data for the newsletter must also be fair. For example, if you are a company that sells beauty products, your customers expect to receive information about new products or blog posts about beauty. You should therefore not use this database of customers to send out e-mails that are not relevant (i.e., not expected) given your subscribers’ intention when registering for your newsletter.
This principle tells us that you should only process personal data for the purpose that you have intended it for. In other words, you should not reuse personal data for purposes other than what it is intended for.
In our example, this would mean that you should not use the data you get through your newsletter for other purposes than the ones you have stated. For example, if your newsletter consent text states that you store the IP addresses of your subscribers to document when and how consent was obtained (because this is a requirement of the GDPR), you cannot use those IP addresses to send subscribers customised content, e.g., product suggestions targeted at their geographical area. That would be using their personal data for another purpose.
However, if you for instance have stated that you gather their IP address to send out the newsletter and relevant content, you might be able to use their personal data to send out targeted e-mails. Though, please mind the emphasis on the word ‘might’, because there are very strict requirements for this.
When it comes to dealing with personal data, your team are acting as front-line workers. You must ensure that they do not accidentally reuse data in a non-compliant way.
The best way to ensure this is by training your employees and making them aware of privacy issues. Consider looking at this free e-book we have written about how your team can become your best defence against cyberattacks and data breaches.
When it comes to data, we are all guilty of hoarding it. We keep things because they are nice to have, but we never use them. According to the third GDPR principle, we shouldn’t keep data lying around if we have no need for it.
This principle tells us that we should not gather more personal data than what is needed to deliver the service we intend. In other words, only gather and process the exact amount of data that is needed.
In our example, this would mean that you should only gather the necessary personal data to deliver the newsletter. For instance, you might need the name and e-mail address of the subscribers, but you won’t need to know their job title. It is perhaps ‘nice to have’, but not necessary and you might not even use it anyway.
Moreover, data minimisation is beneficial for you in several ways. Not only will it bring you one step closer to GDPR compliance, but you will also be less impacted by a possible data breach, since there is less data to lose.
This one might be a little confusing. While all the principles we have seen so far are about knowing as little as possible about the people we process data about, this one is sort of the opposite. This principle is about having data that is as accurate as possible.
It means that the personal data we are processing must be correct and up to date, and that you as the data controller and/or processor should take “reasonable measures” to ensure that.
This is, however, only relevant when the accuracy of the personal data is of importance for the person the data is about.
Let me explain by going back to our example. Say that one of your subscribers registered on your newsletter with their company e-mail while working at company X. If this person changes job and now works at company Y, the e-mail address for company X will no longer work. Thus, the data you have on this user is no longer accurate.
A ‘reasonable measure’ in this scenario could be to include a link in your newsletter where your subscribers can change their e-mail address. So, when the person knows that they are going to change jobs, they can easily update their personal information that you have on them.
You could also have a CRM system or an e-mail marketing system that keeps track of e-mail addresses that reply automatically when you send out your newsletter. If a person has left a company, the company will normally set up an automatic reply stating that the person does not work there anymore. However, people might also set automatic replies for other reasons, for instance when they are on vacation. That is why you should regularly go through these automatic replies to see if you have subscribers with invalid e-mail addresses.
If the data you have is inaccurate or wrong, then there is no reason for you to keep handling it, and it should be updated or deleted.
This principle is about deleting personal data when you don’t need it anymore. Basically, you should not store personal data which is no longer of use for the purpose it was intended for. This principle is very similar to the data minimisation principle, and many organisations consider deleting old data as a part of data minimisation.
Looking at our example, this means for instance that if people unsubscribe from your newsletter, you should delete their information. Similarly, if your organisation decides to stop sending newsletters, you will have to delete the personal data of your subscribers. That is because the purpose of gathering your subscribers’ personal data was to send them the newsletter, and if that purpose no longer exists, neither should the data that was gathered for it.
In some cases, it might be relevant to keep personal data for some time after their purpose has ended, or to anonymise them and use the data for statistical or historical purposes. These situations are, however, exceptions rather than the rule, and they must be carefully considered.
If you are familiar with cyber security or information security, you have probably heard about the ‘CIA-Triangle’. It sounds cool, but rather than the Central Intelligence Agency, it relates to a triangle that stands for confidentiality, integrity and availability.
This principle is concerned with two of the edges of that triangle. Integrity is about making sure that personal data is correct and cannot be manipulated by others (i.e., you should protect your systems against hackers). Confidentiality is about making sure that only the people who should have access to the personal data are processing it.
In our example, this would mean that the data you gather through your newsletter should not be accessed by unauthorised people – this also includes people in your own organisation. In other words, only people who need access to your subscribers’ information in order to deliver the newsletter should have access to it. Furthermore, you should have systems and measures in place so that the data cannot be manipulated.
For instance, the personal data of your subscribers should not be stored on a shared drive that everyone in your organisation can access, and you must take the necessary measures to ensure that the place where you store this information is protected against cyberattacks and breaches.
You can read more about giving access to personal data here.
As the name suggests, this principle relates to taking responsibility for your data processing. It means that you, as the data controller and/or processor, must be accountable for the proper processing of personal data and compliance with the rules of GDPR.
When we talk about taking responsibility, it is not only about fulfilling the various requirements of the GDPR, but also being able to document that you are doing so.
For instance, if you use consent as the legal basis for processing your newsletter subscribers’ personal data, and thus satisfy the lawfulness principle, you will have to document how and when that consent was given. To do so, you will need a system in place which logs the consent.
Another example is that many of the principles of the GDPR require you to take organisational measures in addition to technical measures. This could for instance be regarding principle 2, where you should train your employees not to re-use personal data for purposes other than its initial purpose. By providing training to your team and documenting the initiative, you are both fulfilling a requirement and demonstrating that you do so.
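To make the consent logging concrete, here is a small added illustration (my own example code, not CyberPilot’s or any real product) of a hypothetical in-memory consent ledger for the newsletter scenario: it records when and how consent was given (principle 7), refuses to hand out data for a purpose the subscriber did not agree to (principle 2), returns only the fields the newsletter needs and never the IP address (principle 3), and deletes the subscriber’s data on unsubscribe (principle 5). The class names, field names and sample values are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


class PurposeViolation(Exception):
    """Raised when data is requested for a purpose the subscriber did not consent to."""


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    name: str
    purposes: frozenset   # what the subscriber agreed to, e.g. {"newsletter"}
    given_at: datetime    # when consent was given (accountability)
    source: str           # how consent was given, e.g. "website-form"
    source_ip: str        # stored only to document the consent, never for targeting


class ConsentLedger:
    """Hypothetical in-memory ledger; a real system would persist this securely."""

    def __init__(self):
        self._records: dict[str, ConsentRecord] = {}

    def record_consent(self, email, name, purposes, source, source_ip, now=None):
        rec = ConsentRecord(email, name, frozenset(purposes),
                            now or datetime.now(timezone.utc), source, source_ip)
        self._records[email] = rec
        return rec

    def data_for(self, email: str, purpose: str) -> dict:
        """Purpose limitation and data minimisation: only an agreed purpose gets
        data, and only the fields that purpose needs (the IP address is never returned)."""
        rec = self._records.get(email)
        if rec is None:
            raise KeyError(f"no active consent for {email}")
        if purpose not in rec.purposes:
            raise PurposeViolation(f"{email} did not consent to {purpose!r}")
        return {"email": rec.email, "name": rec.name}

    def consent_evidence(self, email: str) -> dict:
        """Accountability: document when and how consent was obtained."""
        rec = self._records[email]
        return {"given_at": rec.given_at.isoformat(), "source": rec.source,
                "source_ip": rec.source_ip, "purposes": sorted(rec.purposes)}

    def unsubscribe(self, email: str) -> bool:
        """Storage limitation: unsubscribing removes the subscriber's data entirely."""
        return self._records.pop(email, None) is not None
```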
In summary, the GDPR can sometimes be overwhelming to understand due to its heavy language and loaded explanations. This guide was intended as a starting point for beginners. I hope that you enjoyed the reading, and that the insight you get from this article will ease your work with compliance.
As a final note, we have discussed that your staff are a vital part of ensuring GDPR compliance in your organisation. They are the ones who must deal with processing personal data on a daily basis. We recommend making sure that your team is equipped with the necessary skills and knowledge for dealing with personal data. There are many ways to do this, and you can read more about using awareness training to become compliant here.
If you are curious about training your team, we at CyberPilot have developed an online platform for awareness training where they can take short, fun, and interactive courses in information security and the GDPR. Right now, we offer a free 3-month trial without any commitment or purchase. I would highly recommend giving it a try.