Surveys suggest that only 59% of companies believe they currently meet all GDPR requirements, a worrying gap in the protection of our personal information.
Understanding the data protection principles
- What are the seven principles of the DPA?
- What does each principle mean in practice?
- How can you comply with the data protection principles?
- Why are the data protection principles important?
By recognising, understanding and embedding the seven data protection principles, you can ensure best practice when it comes to satisfying GDPR.
What are the seven principles of the DPA?
Essentially, the UK GDPR (General Data Protection Regulation) and the Data Protection Act 2018 (DPA) work together to regulate data protection and privacy. UK GDPR sets out the core rules, while the DPA adds UK-specific details, exemptions and provisions.
Breaching General Data Protection Regulations (GDPR) can be costly. The social media sharing company TikTok is the latest big business to be named and shamed, with a colossal £12.7m fine for misusing data.
But organisations of all sizes risk proportionate fines, other penalties and reputational damage if they fail to get to grips with GDPR’s requirements and the Data Protection Act 2018 principles.
So, what are the seven principles of the Data Protection Act? In a nutshell, they are the rules that govern how personal data may be collected, used, kept and secured. According to the UK's Information Commissioner's Office (ICO), they lie at the heart of UK GDPR.
Set out in Article 5 of UK GDPR, they inform everything that follows. The seven are:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
What does each principle mean in practice?
So, what do these principles mean for you and your day-to-day operations?
1. Lawfulness, fairness, and transparency
Put simply: “Personal data must be collected and processed lawfully, fairly, and transparently, and individuals must be told about its collection and use.”
Basically, this means you need a valid lawful basis (such as consent, contract or legitimate interests) for collecting personal data, you must use it in ways people would reasonably expect, and you must be open and honest about why and how you collect it. Fairness also means not processing data in ways that are unduly detrimental, unexpected or misleading to the people it concerns.
2. Purpose limitation
“Personal data must be collected only for specified, explicit, and legitimate purposes, and not further processed or used in a way that’s incompatible with those purposes.”
Essentially, this means letting people know your reasons for collecting data and ensuring you only use it for those purposes. If you later want to use the data for a new purpose, that purpose must be compatible with the original one, or you need the person’s fresh consent, or a clear legal obligation or function that requires it.
3. Data minimisation
“Personal data must be adequate, relevant, and limited only to what’s necessary for the processing purpose.” In other words, only collect the data you need to carry out your goals and don’t ask for info you don’t need.
4. Accuracy
“Personal data must be accurate and, where necessary, kept up to date. Inaccurate or incomplete data must be corrected or deleted.” This speaks for itself.
You’re responsible for making sure the data you collect and store is accurate and current, and for having procedures in place to check that it is. Individuals also have the right to ask you to correct or erase inaccurate information about them.
5. Storage limitation
“Personal data must not be kept for longer than is necessary for the purposes for which it is processed.”
While GDPR sets no fixed time limits, you should decide and document how long you need each category of data for, taking account of any statutory retention obligations (for example, for financial records), and then securely delete or anonymise it once that period has passed.
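Because the law sets no fixed periods, the practical control is a documented retention schedule that is actually enforced. The Python below is an added example, not code from the original article or from any particular tool; the purposes, retention periods, sample records and dates are all constructed for illustration. It shows a retention run that decides per purpose, refuses to act on data whose purpose has no documented period (a policy gap rather than a technical error), respects legal holds, and produces an audit trail for the accountability principle without copying personal data into the log.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical retention schedule, keyed by the purpose the data was collected for.
# The periods are constructed for this example: a real schedule is set by the
# controller after weighing business need against statutory retention duties.
RETENTION_DAYS = {
    "order_fulfilment": 30,     # delivery details once the order and returns window close
    "accounting": 6 * 365,      # financial records, assumed statutory period
    "marketing": 2 * 365,       # consent-based mailing list, reviewed every two years
}


@dataclass
class Record:
    subject_id: str             # pseudonymous reference, not a name or email
    purpose: str                # the purpose the data was collected for
    collected_on: date
    legal_hold: bool = False    # e.g. subject to litigation or a regulator's request
    data: dict = field(default_factory=dict)


def is_expired(record: Record, today: date) -> bool:
    """True once the retention period for the record's purpose has elapsed.

    A purpose with no documented retention period is a policy gap, so refuse
    to decide rather than silently keeping (or deleting) the data.
    """
    days = RETENTION_DAYS.get(record.purpose)
    if days is None:
        raise ValueError(f"no retention period defined for purpose {record.purpose!r}")
    return record.collected_on + timedelta(days=days) <= today


def apply_retention(records, today):
    """Split records into those to keep and those due for deletion.

    Returns (kept, to_delete, audit). Audit entries hold only the pseudonymous
    subject id, purpose and decision, so the log does not become another store
    of personal data. Actual deletion must also reach backups and copies.
    """
    kept, to_delete, audit = [], [], []
    for r in records:
        if r.legal_hold:
            kept.append(r)
            audit.append((r.subject_id, r.purpose, "retained: legal hold"))
        elif is_expired(r, today):
            to_delete.append(r)
            audit.append((r.subject_id, r.purpose, "delete: retention period elapsed"))
        else:
            kept.append(r)
            audit.append((r.subject_id, r.purpose, "retained: within retention period"))
    return kept, to_delete, audit


# Constructed sample data for the example; ids, dates and values are made up.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("s1", "order_fulfilment", date(2024, 3, 1), data={"address": "1 Example Street"}),
    Record("s2", "order_fulfilment", date(2024, 5, 20), data={"address": "2 Example Street"}),
    Record("s3", "accounting", date(2017, 1, 1), data={"invoice": "INV-0001"}),
    Record("s4", "marketing", date(2021, 1, 1), legal_hold=True, data={"email": "x@example.com"}),
]

if __name__ == "__main__":
    kept, to_delete, audit = apply_retention(SAMPLE_RECORDS, TODAY)
    for entry in audit:
        print(*entry, sep=" | ")
```

Run against the sample data, the order record from March and the 2017 accounting record come back as due for deletion, the recent order is kept, and the marketing record is kept only because of its legal hold. A record whose purpose is missing from the schedule raises an error, which is the behaviour you want: it surfaces the undocumented processing instead of letting it drift on.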
6. Integrity and confidentiality
“Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, and against accidental loss, destruction, or damage.”
You need appropriate organisational and technical measures in place so data remains secure against both internal and external threats. If there is a personal data breach that is likely to put people’s rights at risk, you must report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it; where the risk to individuals is high, you must also tell the affected people without undue delay.
7. Accountability
“The controller or processor is responsible for complying with these principles and must be able to demonstrate compliance.” Lip service isn’t enough.
GDPR sets out that whoever decides how and why personal data is processed (the controller, whether a person or an organisation) must ensure that processing meets these principles, and processors acting on their behalf share the security obligations. You must also be able to show this to individuals or the regulator if asked, for example through records of processing, policies and DPIAs.
How can you comply with the data protection principles?
There are a number of things you can do to help ensure you comply with the principles of data protection.
Consider using a data protection impact assessment (DPIA) tool. A DPIA helps you identify and minimise the data protection risks of a particular project, and it is mandatory under UK GDPR for processing that is likely to result in a high risk to individuals.
Complying with each of the data protection principles
- For purpose limitation, your reasons for collecting and processing personal data should be crystal clear. You should also regularly review your data processing activities to ensure they're still necessary and relevant.
- To help you, data mapping tools can identify the personal data you collect and reinforce why you're doing it. They can also support data minimisation by enabling you to spot unnecessary data so you can delete it, helping you ensure you only collect the data you need.
- Creating a data minimisation policy that states how you collect relevant data only and sets out who has access can ensure you stay on track. Some organisations may collect data in bulk, hoping to use it later – without realising it goes against GDPR’s principles.
- Data validation and verification tools can support accuracy by checking a wide range of personal data, including email and postal addresses and phone numbers. There are also several data cleaning tools available that can scan for and remove duplicated or inaccurate info.
- Using a data management system can also help you monitor and manage your data effectively and efficiently. It’s also a good idea to allow people to update their own information wherever possible, provided access sits behind proper authentication so only the individual concerned can see or change it.
- Storing data in the cloud can let you take advantage of ready-made security while giving you access from anywhere for quick and easy management. Check it’s right for you, though: you remain the controller, so you still need a written contract with the provider covering the processing, and you should confirm where the data is stored and how it is protected.
- Always use current, well-supported encryption for data at rest and in transit to support integrity and confidentiality. Cybercriminals are increasingly sophisticated, so keep systems patched and regularly check for updates that close known security gaps. Restrict access to the people who genuinely need it for their role, and review that access periodically.
Hackers aside, unforeseen events can also disrupt your operations, so make sure you back up your files regularly, protect the backups to the same standard as the live data, and test that you can actually restore from them if the worst happens.
Following the steps above, such as using DPIA tools and policies, will show your commitment to accountability. Keeping accurate records of your processing activities is also a good way of demonstrating your commitment to the principles.
If you don't have one already, think about appointing a dedicated Data Protection Officer to oversee everything. And, of course, providing your people with data protection training that covers the seven data protection principles can support best practice.
Why are the data protection principles important?
As a framework, the principles help you set clear parameters for collecting, processing and storing personal data. They ensure transparency and show your commitment to protecting people's data and privacy rights – building trust.
There are also clear legal reasons. Failing to comply with UK GDPR can result in financial penalties of up to £17.5 million or 4% of a company’s annual global turnover, whichever is higher, for infringing specific articles; the equivalent ceiling under EU GDPR is €20 million or 4% of turnover.
People also have the option to sue you for damages. Awards vary depending on the distress caused but can range from hundreds for a minor breach to tens of thousands of pounds for one that causes physical or emotional distress.
On top of, or instead of, fines, regulators can order you to take remedial action or restrict or suspend your ability to process data. Whatever action is taken, a breach is likely to do lasting damage to hard-won reputation, affecting your clients and your bottom line.
In today's data-driven world, protecting personal data is critical. By implementing the proper procedures, policies and resources to help you embed the seven data protection principles, you can be confident your business is best placed to fulfil GDPR’s requirements.
Want to learn more about Information Security?
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.