For Part I of the notes, click here.
7 Key Principles of GDPR
GDPR compliance revolves around seven main principles[1]. Understanding these principles is essential to determine whether or not you have thoroughly complied with GDPR. The principles are:
1. Lawfulness, fairness and transparency: Personal data must be processed only on a ‘lawful basis’ as defined under GDPR. If none of the lawful bases applies to your processing, the processing is unlawful and in breach of this principle. There are six lawful bases (set out in Article 6 GDPR), which are briefly:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Click here for guidance on lawful basis.
‘Fairness’ means you must not process the data in a way that is unduly detrimental or misleading to the individuals concerned, nor should you process it unreasonably. You must first consider whether the processing is required at all, and whether it affects the individuals concerned unfairly. For example, automated profiling of individuals using their personal data could be unfair to some or all of those individuals.
‘Transparency’ means you must be clear, open and honest from the start about how you will use the personal data of the data subjects. This requirement ensures that individuals can make informed decisions, for example when deciding whether to consent to the processing of their data. Providing a clear and complete privacy policy on a website, and making it easily visible to the individuals concerned, is one example of implementing transparency.
2. Purpose limitation: You must be clear about your purpose for processing the personal data, and must not further process it in a manner that is incompatible with that purpose.
3. Data minimisation: Personal data must be adequate, relevant and limited to what is necessary for the purpose for which they are processed. No unnecessary additional data should be processed.
4. Accuracy: Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
5. Storage limitation: Personal data must not be kept for longer than it is needed. Data must be periodically reviewed and erased or anonymised once it is no longer needed. Individuals have a right to erasure where the data is no longer needed.
6. Integrity and confidentiality (security): Personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
7. Accountability: The accountability principle requires you to take responsibility for what you do with personal data and for complying with the above principles. It is not sufficient to simply comply, but you must also be able to demonstrate compliance by way of appropriate measures and records.
Rights of Data Subjects
It is pertinent to understand the rights of data subjects as set out under GDPR. The most important rights are:
- The right to be informed: Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
- The right of access: Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a subject access request or ‘SAR’. Individuals can make SARs verbally or in writing, including via social media. They must be given access to, or a copy of, their personal data without delay and within one month of receipt of the request.
- The right to rectification: The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. This right is closely linked to the accuracy principle of GDPR.
- The right to erasure: The GDPR introduces a right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’.
- The right to restrict processing: Individuals have the right to request the restriction or suppression of processing of their personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, you are permitted to store the personal data, but not to use it.
- The right to data portability: The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
- The right to object: The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. In other cases where the right to object applies, you may be able to continue processing if you can show a compelling reason for doing so.
- Rights in relation to automated decision making and profiling: Data subjects have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her, which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her. An example is the automatic refusal of an online credit application because the applicant was automatically profiled into a certain category, without human intervention.
For Part III of the notes, click here.
[1] Article 5, GDPR
- Dhatri S
About the author: Dhatri is a tech entrepreneur and solicitor (England and Wales) specialising in Data Protection and Employment Law.