The six principles of GDPR (General Data Protection Regulation) are similar in many ways to the eight principles of the Data Protection Act. While the six principles of GDPR do not include individuals’ rights or overseas transfers, these are covered elsewhere in GDPR.
One key difference is that under GDPR, you must show how you comply with the principles, not just that you do. This is a separate requirement, known as the accountability principle, which is integrated across GDPR.
The six principles of data protection in GDPR are that data must be treated in a way that is:
1. Lawful, fair and transparent
There have to be legitimate grounds for collecting the data, and it must not have a negative effect on the person or be used in a way they wouldn’t expect.
2. Limited for its purpose
Data should be collected for specified and explicit purposes and not used in a way someone wouldn’t expect.
3. Adequate and necessary
It must be clear why the data is being collected and what will be done with it. Unnecessary data or information without any purpose should not be collected.
4. Accurate
Reasonable steps must be taken to keep the information up to date and to correct it if it is inaccurate.
5. Not kept longer than needed
Data should not be kept for longer than is needed, and it must be properly destroyed or deleted when it is no longer used or goes out of date.
6. Integrity and confidentiality
Data should be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing, loss, damage or destruction, and kept safe and secure.
For example, a car dealership is running a competition in partnership with a local newspaper to win a test drive in a Ferrari. To enter, people have to put in their phone number, email address and their top three favourite cars. The dealership and the local newspaper plan to share the data between them. The dealership wants to directly market people’s favourite cars back to them, and the newspaper has plans to launch an auto-trading magazine.
The data protection principles that would be impacted include 1 – lawful, fair and transparent; 2 – limited for its purpose; and 6 – integrity and confidentiality. Data that is collected for deceptive or misleading purposes is not fair and may not be lawful. When data is being collected, the reasons for its collection must be stated, and people have a right not to be marketed to without their consent. In this case, those who entered the competition are not being made aware of the true purpose for collecting their information and are being tricked into a marketing ploy.
Remembering the 6 Principles of Data Protection
Data protection officers, risk managers and those involved in processing and distributing data should become familiar with these principles in order to ensure their organisation is compliant.
Infocredit Group’s business partner, Vinciworks, has prepared a complete guide for the GDPR. The guide is available for download via the link shown above.
Infocredit Group is actively working towards complying with the new GDPR that shall be applied from 25th May 2018.