UK GDPR Article 5 sets out seven key principles which lie at the heart of all personal data processing.
Two paragraphs stand out: the first sets out the data processing principles, and the second establishes accountability. It states: ‘The [data] controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1’.
With that in mind, the seven data processing principles need to lie at the heart of every organisation’s approach to protecting and safeguarding personal data.
Let’s look at the principles in more detail:
- Lawfulness, fairness, and transparency
Whenever you process personal data, you need a valid reason for doing so. UK GDPR calls this ‘lawfulness’. In practice, you must identify and record a lawful basis under Article 6 of UK GDPR for each processing activity, and if the data is ‘special category data’ (for example health, biometric or racial or ethnic origin data) you must also meet a separate condition under Article 9.
Fairness and transparency are two sides of the same coin. ‘Fairness’ means processing personal data only in ways people would reasonably expect, not withholding information about why you are collecting it, and only processing it for the purposes originally stated, for example in your privacy notice. ‘Transparency’ means being clear, open and honest with data subjects: they need to understand who you are and why you are processing their personal data.
Overall, it must make sense to the data subject why you need to process their personal data.
- Purpose limitation
This sets boundaries on how the personal data your organisation controls and processes is used. Personal data may be collected only for purposes that are specified, explicit and legitimate, and that have been communicated to the data subject. If you later want to use the data for a new purpose, you must first check that the new purpose is compatible with the original one; if it is not, you need the data subject’s consent or a clear basis in law before going ahead.
- Data minimisation
You should collect only the personal data you actually need for the stated purpose: the data must be adequate, relevant and limited to what is necessary. Holding personal data you do not need is hard to justify to the data subject, increases the impact of any breach, and makes compliance with UK GDPR and other data protection legislation harder.
- Accuracy
You are responsible for the accuracy of the personal data you hold. It must be accurate and, where necessary, kept up to date, and you must take every reasonable step to correct or erase inaccurate data without delay. Having processes in place to check the quality of the data you hold is important; this also falls under the regular data protection audits and data protection impact assessments discussed previously. Inaccurate personal data can be a high risk to your organisation.
- Storage limitation
Data retention periods are an essential part of compliance with UK GDPR. For each category of personal data, ask “why are we keeping this?” and whether keeping it is still ‘necessary’ for the purpose and lawful basis identified under UK GDPR Article 6 and the lawfulness principle. Once the data is no longer needed, it should be deleted or anonymised.
Each organisation must have a data retention and deletion policy, and the retention periods (or the criteria used to decide them) must be made available to data subjects, for example in your privacy notice.
- Integrity and confidentiality (security)
UK GDPR requires you to hold the personal data of your data subjects securely, using appropriate technical and organisational measures. Protecting data against unauthorised or unlawful processing and against accidental loss, destruction or damage requires a proactive approach rather than reacting after an incident. CSRB suggest an annual data protection and online security audit to check compliance with this principle.
- Accountability
Accountability is one of the key principles in UK data protection legislation – it makes you responsible for complying with the legislation and says that you must be able to demonstrate your compliance. It is a real opportunity to show that you set high standards for privacy and lead by example to promote a positive attitude to data protection across your organisation.
In many ways these seven principles are a common-sense guide to managing personal data.
Personal data protection is a set of steps that, if followed, protect both the data subject and those controlling and processing the data. The data processing principles outlined above are vital for building an information governance framework by design that supports organisational development and growth.
CSRB can help you implement the seven data processing principles. We will help you manage and protect personal data responsibly while removing the jargon from the process.
Please get in touch with us here or call 0117 325 0830 to learn more about how we can bring clarity to your organisation.