The Six Data Privacy Principles of the GDPR
March 22, 2018 at 03:09 PM
Data privacy and personal data breaches have been in the news a lot recently. Over the past few years, companies have been collecting and processing ever-increasing amounts of data about their customers, employees, and users. As personal data becomes more valuable, governments around the world have begun the debate surrounding whether this data collection should be limited in favor of individuals' fundamental right to privacy.
The General Data Protection Regulation (GDPR) is the European Union's answer to these debates. This new regulation strives to take the decisions regarding some uses of personal data out of the hands of companies and return control to the individuals that the data refer to—the data subjects. Any company that has a European presence or handles European residents' personal data is subject to the GDPR. These companies will likely need to upgrade their data security and privacy procedures to meet the personal data handling requirements of the GDPR.
The GDPR's data privacy goals can be summarized in six personal data processing principles: Lawfulness, Fairness and Transparency; Purpose Limitation; Data Minimization; Accuracy; Integrity and Confidentiality; and Storage Limitation.
Lawfulness, Fairness and Transparency
“Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.” – GDPR Article 5(1)(a)
Under the GDPR, companies must ensure that personal data collection or processing is justified and permitted by law.
In some cases, companies may process personal data without asking for consent, such as when the processing is required by law or is necessary in order to conduct business. For example, companies with a European presence need to process their employees' tax ID numbers to file required employment and tax paperwork with governments.
Unless covered under another legal justification, companies must obtain informed, explicit consent from the data subject before their data can be collected or used. This consent has to be obtained on an opt-in basis using straightforward language, and individuals must separately consent to each use of their data. This ensures that individuals truly approve of a company's use of their personal information before processing occurs.
Purpose Limitation
“Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes …” – GDPR Article 5(1)(b)
Any time a company collects or processes personal data, it must be limited to a specific, legitimate purpose. Companies can no longer conduct blanket personal data collection in the hopes that the data becomes useful someday; the reason for collecting the data must be explicit and determined at the time of collection. This also means that companies cannot collect more data than is required for the specified purpose.
Once companies collect the personal data, they cannot then process it in a way that is incompatible with the reason for which it was initially collected. For instance, a company that collects customers' contact information for invoicing purposes cannot then use this information for marketing campaigns. Exceptions to this limitation must be examined and approved by a company's data protection officer (DPO) before the data is reused to ensure there is a justifiable and legal basis for the new processing.
Data Minimization
“Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” – GDPR Article 5(1)(c)
Once a company has collected a set of data for a specified purpose, its use must be limited to only the specific pieces of information required for the task. For example, if a company legitimately collects a list of names, email addresses, and phone numbers for marketing purposes, the phone numbers should be excluded from processing involved in an email marketing campaign.
Minimizing personal data often involves anonymizing or pseudonymizing the data before processing. Anonymizing data involves fully stripping any identifiers from the data, ensuring that it can never be retraced to individual persons even if combined with other information. This is ideal since anonymous data is no longer considered 'personal,' so it is not subject to the same level of privacy and security restrictions.
Pseudonymization involves substituting a 'key,' such as an ID number, for the personal identifiers in the data to minimize contact with the most sensitive personal elements of the data. However, since the data can still be linked back to the personal identifiers by using the 'key,' the data is still subject to the strict privacy and security restrictions of the GDPR.
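The following sketch is an added illustration, not part of the original article. It shows purpose-based field minimization and key-based pseudonymization as described above; the field names, the purpose register, and the sample records are constructed assumptions.

```python
import secrets

# Constructed sample records (not real people).
CUSTOMERS = [
    {"name": "Ana Ruiz", "email": "ana@example.com", "phone": "+34 600 000 001", "plan": "pro"},
    {"name": "Ben Ode", "email": "ben@example.com", "phone": "+44 7700 900002", "plan": "free"},
]

# Assumed purpose register: which fields each processing purpose may touch.
ALLOWED_FIELDS = {
    "email_campaign": {"name", "email"},   # phone numbers are excluded
    "usage_analytics": {"plan"},           # no direct identifiers needed
}
DIRECT_IDENTIFIERS = {"name", "email", "phone"}


def minimize(record, purpose):
    """Keep only the fields the stated purpose requires."""
    allowed = ALLOWED_FIELDS[purpose]  # KeyError for an undeclared purpose
    return {k: v for k, v in record.items() if k in allowed}


def pseudonymize(records):
    """Swap direct identifiers for a random ID; return (rows, key_table).

    The key table must be stored separately under stricter access control:
    whoever holds it can reverse the substitution.
    """
    rows, key_table = [], {}
    for rec in records:
        pid = secrets.token_hex(8)
        key_table[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS if k in rec}
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        rows.append({"pid": pid, **row})
    return rows, key_table


def reidentify(row, key_table):
    """Link a pseudonymized row back to the person, given the key table."""
    rest = {k: v for k, v in row.items() if k != "pid"}
    return {**key_table[row["pid"]], **rest}


if __name__ == "__main__":
    print(minimize(CUSTOMERS[0], "email_campaign"))
    rows, keys = pseudonymize(CUSTOMERS)
    print(rows)                       # no name, email or phone
    print(reidentify(rows[0], keys))  # original record recovered
```

Destroying the key table does not by itself make the rows anonymous, because the remaining fields may still single out a person when combined with other information.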
Accuracy
“Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.” – GDPR Article 5(1)(d)
The GDPR requires companies to ensure that the personal data they process is accurate, especially in the case where it is used for building profiles of data subjects. Maintaining accurate data is of course a best practice for data handling or processing regardless of regulation. However, under the GDPR, if data inaccuracies are discovered, the company must quickly fix the inaccuracy or erase the data.
Companies also have to pass these change requests along to affiliates, partners, or vendors that handle the same data. This requirement to propagate data updates helps maintain accurate profiles and protects individuals from harm caused by inaccurate profiling due to data errors.
In an effort to meet this requirement, companies should consider building a comprehensive map of where personal data lives within their systems and with their business partners. If personal data must be updated or deleted, this map will help identify instances of that data and improve the company's ability to comply with the GDPR.
Integrity and Confidentiality
“Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.” – GDPR Article 5(1)(f)
Controllers of sensitive personal data have an obligation under the GDPR to prevent theft, leaks, breaches, or inappropriate alteration of that data. This generally involves establishing data-handling procedures that limit unnecessary access to and use of personal data, as well as technical security measures like encryption to reduce the chance of theft or breach. These measures also help companies uphold the principles of Purpose Limitation and Data Minimization by restricting access to personal data except when appropriate.
Companies should work to improve their data organization and consider building a comprehensive personal data map to ensure they place appropriate security measures and process controls around any systems containing personal data. Companies must also conduct regular training for employees who handle personal data so they know how to maintain the confidentiality and integrity of that data.
Storage Limitation
“Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed…” – GDPR Article 5(1)(e)
The principle of Storage Limitation is closely related to the principles of Data Minimization and Purpose Limitation. Once personal data has served its purpose, it must be removed to protect the rights of the individuals it concerns.
This does not mean companies are necessarily obligated to delete personal data once it has served its purpose; they may also uphold the Storage Limitation principle if they anonymize the data. Anonymization makes the data impossible to retrace to specific individuals, which means it is no longer considered personal data and is not subject to the same level of privacy and security restrictions. Anonymous data can be especially useful for future statistical analysis, but companies must take special care to ensure that anonymization is performed correctly to protect themselves as well as the individuals whose data they handle.
What Does This Mean for Your Company?
“The [data] controller shall be responsible for, and be able to demonstrate compliance with” the above principles. – GDPR Article 5(2)
The GDPR is changing the way global companies collect, process, and handle personal data. If your company processes the personal data of European residents or has a European presence, you have a duty to protect the privacy rights of the individuals whose data you control or process, and to demonstrate compliance with data privacy regulations.
By striving to uphold these six principles of the GDPR, you will be doing your part to protect the rights and privileges of the individuals whose personal information you process in your efforts to provide better and more effective products and services.
Amy Lewis is a member of Berkeley Research Group's Information Governance and Technology practice. She helps clients' corporate legal and IT teams develop comprehensive data privacy and security compliance initiatives to mitigate information-related risk, with a particular focus on readiness programs for Europe's General Data Protection Regulation (GDPR). These programs emphasize strengthening the human element of information privacy and security, empowering the client's workforce with the tools, knowledge and motivation to assist in achieving compliance with personal data handling and privacy regulations.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.