Understanding the principles of the General Data Protection Regulation (GDPR) is vital to becoming compliant with it.
The principles of the GDPR expand on those of the Data Protection Directive of 1995 and introduce a new “accountability” requirement, which specifies that holders of personal information are responsible for compliance and must be able to demonstrate how they comply with the law.
Every organisation that processes the personal data of individuals in the EU – whether it is established in Europe or, from outside Europe, offers goods or services to people in the EU or monitors their behaviour there – is affected by the new data protection law, no matter the nature of its business or the sector in which it operates.
Organisations need to ensure that their data processing activities are consistent with the principles of the GDPR, and that these processes give transparency and minimisation the utmost importance.
The main intention of the new law is to protect the rights of individuals like you and me, and to ensure that we have much more control of our personal information than we currently do.
Here is a breakdown of the core principles:
1) Lawfulness, fairness and transparency
- personal information collected to deliver a good or service must be processed lawfully and fairly, and individuals must be told, in clear and plain language, who is collecting their data and what it will be used for;
- every processing activity needs a lawful basis; consent is one such basis (alongside, for example, performance of a contract, a legal obligation or a legitimate interest), and where consent is relied on it must be freely given, specific and informed, and the organisation must keep a record of it
2) Purpose limitation
- personal information may only be collected for a specified, explicit and legitimate purpose and must not be further processed for a new purpose that is incompatible with the original one, unless the individual consents to the new purpose or the law otherwise permits it
3) Data minimisation
- the processing of personal information needs to be limited to what is necessary in order to achieve the processing purpose
4) Accuracy
- personal information must be accurate and, where necessary, kept up to date, so that inaccurate data does not create risk to the individual;
- inaccurate information must be erased or corrected without delay
5) Storage limitation
- personal information may be kept in a form that identifies individuals only for as long as necessary for the processing purpose; it may be kept longer solely for archiving in the public interest, scientific or historical research, or statistical purposes, and then only with appropriate safeguards for the individuals’ rights
6) Data security (integrity and confidentiality)
- holders of personal information are responsible for protecting it against unauthorised or unlawful processing and against accidental loss, destruction or damage, whether the threat is internal (such as staff misuse or mishandling) or external (such as cybercrime)
- holders of personal information need to implement appropriate technical and organisational measures, proportionate to the risk, to ensure that processing activities are carried out in accordance with the regulation
The introduction of an “accountability” requirement to the new regulation is perhaps the most significant advance since the Data Protection Directive of 1995: holders of personal information are not only responsible for the way they collect, process and store it, but must also be able to demonstrate that compliance, for example through records of processing activities, documented policies and data protection impact assessments.
Image credit: http://www.personneltoday.com/