
The GDPR was created to protect the data privacy rights of people in the EU. It does this through seven principles that guide businesses on how to handle personal data.

In this article, we break down each principle in plain English so you can understand what compliant data processing looks like on a deeper level.


What are the GDPR’s principles for processing personal data?

The GDPR’s principles for processing personal data are:

  1. Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and transparently.
  2. Purpose limitation: Personal data may only be collected for specified, explicit, and legitimate purposes, and never further processed for anything other than its original purpose.
  3. Data minimization: Personal data must be adequate, relevant, and limited to what is necessary for the purposes it is processed for.
  4. Accuracy: Personal data must be accurate and, where necessary, kept up to date.
  5. Storage limitation: Personal data must be kept no longer than necessary to fulfil its original purpose.
  6. Integrity and confidentiality: Personal data must be processed in a manner that ensures its appropriate security.
  7. Accountability: The controller is responsible for, and must be able to demonstrate, compliance with all principles for processing data.

How do I process personal data lawfully under the GDPR?

To process personal data lawfully under the GDPR, make sure that one of the six lawful bases for data processing has always been met for each processing activity.

What are the six lawful bases for processing data under the GDPR?

  1. The individual knows exactly what you’re doing with their data, and they’ve told you (clearly and specifically) that you can process their data.
  2. You need the data to deliver a service or contract that the data subject requested or played a part in requesting.
  3. You are legally obligated to process the data.
  4. The processing is essential to someone’s life, i.e. it’s the difference between breathing and not breathing.
  5. You’re carrying out work that serves the public interest, e.g. government functions like issuing driver’s licenses.
  6. The processing is required to serve your business or a third party’s legitimate interests, as long as these interests don’t conflict with the rights and freedoms of the data subject, e.g. requesting a resume and references before you recruit a new employee is a fair and legitimate reason.

What does processing data fairly mean under GDPR?

As humans, we should all have a sense for when we’re doing something wrong or unfair to others. The GDPR asks that you apply that sense to your data processing activities. It’s simple – handle all personal data in a reasonable and predictable manner, and never use it in ways that could adversely affect your data subjects.

You’re not processing data fairly if:

  • You don’t have a lawful basis for collecting their data.
  • The purpose you’re using that data for isn’t ethical – e.g. discriminatory profiling or automated decision making.
  • The data subject isn’t aware you’re processing their data.
  • You haven’t accurately disclosed the purpose for collecting personal data.

How to handle automatic data collection and consent

When you collect personal data, it’s either provided voluntarily or collected automatically. Unlike voluntarily given data, automatically collected data – such as data collected through tracking cookies – is usually gathered without the user’s knowledge. This distinction matters under the GDPR because people must know when you are processing their data. To address this, add a cookie banner to your website if you use cookies to collect data for purposes that don’t fall under one of the six lawful bases.

What does processing data transparently mean under GDPR?

In data privacy, transparency means being open about all data processing done by your business. Your goal is to tell people what you are doing with their data before, or at the time, you start processing it. The most reliable way to do this is through a well-written privacy policy, and a consent banner for any automatic tracking.

An informed data subject will understand:

  1. The different ways you process personal data.
    • Data Handling: Collection, recording, organization, structuring, and storage.
    • Data Modification: Adaptation, alteration, deletion.
    • Data Usage: Retrieval, consultation, and use.
    • Data Sharing: Disclosure by transmission, dissemination, or otherwise making available.
    • Data Management: Alignment, combination, restriction, erasure, or destruction.
  2. When and how data collection occurs: Automatically (e.g. tracking cookies) or manually (e.g. actively entered into a contact form)
  3. The legal basis for each data processing activity.
  4. Whether they are required to provide their personal data for any given purpose and of the consequences for not doing so.
  5. How long you’ll keep their data.
  6. How you keep personal data in your possession secure.
  7. Whether you share or sell personal data to third parties.
  8. What their data privacy rights are: The GDPR grants data subjects 11 rights.
  9. If you process personal data for high-risk activities such as profiling or automated decision making, and possible risks said activities pose to their rights.

What does it mean to collect data for specified, explicit and legitimate purposes?

To be specified, explicit and legitimate, your purposes for data processing must be:

  1. Clearly identified and documented before you begin processing (specified).
  2. Clearly expressed and communicated to the data subject, not implied or ambiguous (explicit).
  3. Based on at least one valid lawful basis (legitimate).

How do I implement data minimization for the GDPR?

To apply data minimization, collect only the data you truly need for your stated purposes. When you no longer need it, delete it or anonymize it.

For most businesses, data minimization looks like:

  • Only asking for necessary data via forms. A form for newsletter signups only requires an email address; skip the phone number and birthday.
  • Regularly deleting old customer data from inactive accounts.
  • Never collecting data because it might be useful later.

How do I ensure data is accurate and up to date for the GDPR?

Keeping data accurate and up to date looks different business to business, depending on the types of data they handle. This is because some types of data carry more inherent risk, and for these riskier data types, inaccuracies can lead to significant harm to their related data subjects. You’ll need to assess how risky the data you handle is, and implement measures that are commercially reasonable – proportionate to the risk posed by inaccurate data – to keep it accurate.

Here are two examples demonstrating the spectrum of risk and the measures required to keep data accurate.

Example 1: Processing health data for medical diagnosis (accuracy is critical)

A pathology clinic stores patient health records (special category data) which are used for diagnosis or treatment. In this context, accuracy is essential, as outdated or incorrect records can affect patient care and could result in the injury or death of a patient.

In this case, the clinic’s team would implement measures to minimize inaccuracies, such as checking that each client’s contact details are still current to prevent their information being sent to the wrong home, and of course validating the clinic’s systems, tests and equipment to ensure the results they produce are as accurate as possible.

Example 2: Direct marketing for low-impact services (accuracy isn’t important)

A local bookstore sends a weekly newsletter about new releases. Customers who want to subscribe share their email address and, optionally, their name.

In this case, the risk to the customer is low. Worst case, someone misses out on a page-turner. Because of this, the marketing team can reasonably wait to correct any inaccuracies until the customer flags the issue themselves.

How long can I keep personal data under the GDPR?

There is no universal time limit for how long you can store personal data, but you are required to delete or anonymize it once you have fulfilled the purpose it was collected for.

How strong do my data protection measures have to be for GDPR compliance?

The level of security you implement should be appropriate and effective for the level of risk posed by your data processing activities. This is based on the potential physical, material, or non-material harm to your data subjects that could result if your business suffers a data breach.

Does the GDPR only require me to protect against data breaches?

No, you’re not just protecting against data breaches, you’re protecting the integrity and confidentiality of your data, which includes unauthorized or unlawful processing and accidental loss, destruction or damage to personal data in your possession.

What security measures should my business be implementing for the GDPR?

Your security measures should ensure that personal data controlled by your organization is:

  • Protected from unauthorized access.
  • Protected from accidental or unlawful destruction, alteration, or disclosure.
  • Always accessible to data subjects should they request to see, remove, or update it.
  • Never used for profiling or automated decision making unless the data subject has provided their explicit consent.

What does accountability mean under the GDPR?

Accountability means that as a data processor, you alone are responsible not only for maintaining your compliance with the other principles, but also for demonstrating your compliance should you be audited.

If you’d like to learn more about how to demonstrate your compliance, read our GDPR compliance checklist.

What do I need to process special category data under the GDPR?

If you’re processing special category data – such as a data subject’s racial origin, political opinions, religious beliefs, genetic data, biometric data for identification, health status, or sexual orientation – the GDPR requirements are far stricter; in fact, processing these specific categories of personal data is prohibited unless additional conditions are met.

When processing special category data, in addition to a lawful basis, you’ll need to ensure it is only processed by a professional who is legally bound by confidentiality (e.g. medical confidentiality).

In addition to this, you’ll need to have done the following:

  1. Performed a Data Protection Impact Assessment (DPIA).
  2. Designated a Data Protection Officer (DPO).
  3. Consulted the Supervisory Authority (SA).

A checklist for reviewing your data processing practices

Here are 12 things you should make sure you’ve done for every type of data processing in your business.

  1. You have reviewed the purposes of your processing activities.
  2. You have selected the most appropriate lawful basis (or bases) for each activity.
  3. You have confirmed the processing is necessary for the stated purpose.
  4. You are satisfied there is no reasonable, less intrusive way to achieve that purpose.
  5. You have documented which lawful basis applies.
  6. You can use this documentation to demonstrate compliance.
  7. You have included the purpose of processing in your privacy notice.
  8. You have included the lawful basis for processing in your privacy policy.
  9. If you process special category data, you have identified the correct condition.
  10. You have documented this condition.
  11. Where you process criminal offence data, you have identified the correct condition.
  12. You have documented this condition.

Why are the GDPR’s requirements so complicated?

The truth is that while the GDPR is long and wordy, for most businesses the requirements aren’t that complicated. With a little common sense and precaution, you’re likely already close to compliance. Yes, there is a bit of work involved, such as adding a privacy policy and a cookie banner to your website, but if you need help with that, we’re right here.

On a day-to-day level, the key is simple – respect your users’ data privacy rights. That alone goes a long way.