The 7 Most Important GDPR Principles
The General Data Protection Regulation (GDPR) is a massive 261-page piece of legislation. It contains 173 regulations and 99 different articles, all outlining proper data privacy practices. With all of this information, tackling the GDPR can seem like a completely daunting task. But what if the GDPR could be boiled down to just a few key concepts to help guide your efforts? Well, the office of the United Kingdom’s Information Commissioner, among others, provides a list of seven key GDPR principles. Following these will help you start on your GDPR journey. Let’s look at each of the principles:
1. Lawfulness, fairness, transparency
From the perspective of your clients, one of the most important aspects of becoming privacy compliant is being transparent. If you provide details about the way you conduct business, and what you do with data, clients will be set more at ease, and be more trusting of your organization. People appreciate a company that is open and honest with them. It’s also important that you consider whether the way you are collecting information is (a) lawful and (b) fair. Make sure there is a clear purpose to collecting the data, and make sure you take care of it once you receive it.
2. Purpose limitation and 3. Data minimization
Certain pieces of information are essential to collect from a client in the course of your business. For example, if you are shipping a product to a new customer, their name, email and shipping address should be collected because without that information, you would not be able to fulfill the order. You would not, however, need a Social Insurance Number, any health information, or their ethnicity to deliver the order. It’s important to limit the data you collect to only those pieces that are actually needed to fulfill the purpose for which they are collected.
4. Accuracy
Data controllers need to make sure that data they hold onto is kept as accurate as possible. At the very least, if a client alerts you to an inaccuracy in the data they have provided you, make sure you change it (as long as it is permitted by law). You should also think about ways you can proactively keep the data you hold valid. It’s not only a great practice for compliance, but it can help your business practices at the same time.
5. Storage limitation
Multiple, redundant copies of personal data in various parts of your organization become very difficult to control, and increase the risk of a data breach. To stay on track and better protect data, keep as few copies of data as possible. Don’t let employees save copies to unauthorized external devices, and consolidate the data you already have as much as makes sense.
6. Integrity and confidentiality (security)
Good data handling and privacy practices are useless if there isn’t an adequate security framework to protect the data you hold. Data security can include things such as encryption, use of VPNs, firewalls, strong passwords, and access keys. It’s also important to note that data security is about more than just protecting against external hacking threats; it also applies internally to threats within your organization. Think about how many employees have access to the data you hold, and how you manage authorizations to data. Also think about consequences if an employee accidentally or purposely causes a data incident. Good staff training and clear computer usage guidelines are essential for this.
7. Accountability
In the end, your organization needs to be accountable for its own privacy. Make sure people within your organization know who to go to with privacy concerns: your Privacy Officer, IT Manager, executive leadership, etc. Also, make sure your company is compliant with the law to the best of your ability, and have documents ready in case of an inquiry or investigation (though this will hopefully never happen!).
We’ve whittled the GDPR to just seven principles, but even then, the question remains: where do I begin? My suggestion would be to start with a Data Privacy Plan. A data privacy plan is a set of policies and procedures that have to do with data privacy and security in your organization. It includes things like Internal Data Procedures, an Information Request procedure, a Data Breach procedure and more. Developing a written plan for your organization gives your employees guidelines to work with, and will make you think about all of the aspects of data handling in your organization.
Once you have created a data privacy plan, you can continue by looking at the aspects of your organization that clients interact with, and considering whether they are privacy compliant, for example: the design of your website and the content of your client contracts.
For more about data privacy plans, check out my first blog post GDPR Readiness: Creating a Data Privacy Plan.
Luke Henderson is privacy officer at Velsoft Training Materials.