The General Data Protection Regulation (GDPR) is a formidable piece of legislation from the EU that sets the bar for privacy laws around the world.
Even companies located outside of EU jurisdiction must comply with the legislation if they process the personal data of EU citizens, who are the primary beneficiaries of the law. (Note that there are some exemptions to the GDPR.)
If you think the GDPR is confusing, you're not alone.
The guidance handed down by the European Commission is often non-specific. It leaves latitude for companies to make their own decisions about handling data, but it also levies serious penalties for violating the law.
The best way to begin to tackle the GDPR is to understand the spirit of it.
The spirit of the GDPR comes to life in the six privacy principles underlying the law.
What are these highly-prized principles and how do they impact your business? Keep reading to find out.
The GDPR presents six privacy principles that help place the rules and repercussions in context.
According to Article 5(1) of the GDPR, the principles are:
- Lawfulness, Fairness, and Transparency
- Limitations on Purposes of Collection, Processing, and Storage
- Data Minimization
- Accuracy of Data
- Data Storage Limits
- Integrity and Confidentiality
Although these six principles are fundamental, they are supplemented with what some deem to be the seventh principle. Article 5(2) says:
You likely already abided by similar principles under the Data Protection Act 1998, the predecessor to the GDPR. But the principles changed with the new legislation in that they are now more specific.
What do these principles mean in the spirit of the GDPR and how do they impact your business?
Let's break them down one-by-one.
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
- 1. Principle 1: Lawfulness, Fairness, and Transparency
- 2. Principle 2: Limitations on Purposes of Collection, Processing and Storage
- 3. Principle 3: Data Minimization
- 4. Principle 4: Accuracy of Data
- 5. Principle 5: Data Storage Limits
- 6. Principle 6: Integrity and Confidentiality
- 7. Bonus Principle 7: Accountability
- 8. Summary
Principle 1: Lawfulness, Fairness, and Transparency
The GDPR gets straight to the point at the beginning of Article 5 when it lists each of the six principles.
The first principle says that data must be:
"processed lawfully, fairly, and in a transparent manner in relation to the data subject"
What does this mean in practice? Start with the three commands embedded in the rule: lawfully, fairly, and transparently.
Lawfulness refers to the six lawful bases that businesses have to process EU citizens data.
These six bases are found in Article 6(1):
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
What is your lawful basis?
Fairness is the second part of the principle. When the European Commission demands fairness, it means that you cannot mislead people about how you collect their data and how you use it.
Your data use must always be honest even if the way you use it falls under one of the six accepted legal bases described above.
The transparency principle ties together all the above principles. You'll see how the principle works by exploring Article 13 of the GDPR - the Right to Be Informed.
- What data you collect
- Why you need the data
- How you process the data
- Whether you share with third-parties
Transparency doesn't only relate to sharing your data practices with data owners. It also refers to using transparent language. You should share these practices in clear, concise language that makes sense to your average user or visitor.
In other words, transparency also requires you to skip the legalese.
It continues on to break down how some of this information is used. The list is easy to read and informative, which helps with transparency:
Medium uses the personal information it collects to provide users with a more personal experience on their own account as well as to make their time spent on the site better by eliminating nasty surprises like spam and abuse.
Principle 2: Limitations on Purposes of Collection, Processing and Storage
Article 5(1)(b) specifies the second principle. It places limits on how you collect, process and store data:
"collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes"
If you have a legal bases for collecting data and you share your data practices in a transparent way, then you need to be fair in your use of it. The limitation principle expands on the first principle by demanding that you only process the data in ways you disclose.
In other words, if you collect email addresses to send out order updates, custom marketing emails, and communicate important information, then you can only use those email addresses in this way.
- Sell the emails to third-parties
- Transfer their email list to their new company for the same purposes
- Use emails to automatically create accounts for users without their consent
Debenhams uses a three-column table that outlines what personal information it collects, how it uses the information, and why (the legal bases) it does it:
Debenhams goes further than Medium and includes every single use for each piece of information it collects. As long as Debenhams only uses data in the ways described, then it abides by the GDPR.
Principle 3: Data Minimization
The data minimization principle states that you can only use personal data in ways that are:
"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"
Think of this process as a reaction to the excesses of tech companies over the past ten years.
For example, the EU continually locks horns with Facebook about the amount of data collected and how it gets shared. The EU questions Facebook's ability to share data between Facebook and Whatsapp as well as the true scale of alleged data abuse that the company engaged in.
Principle #3 is the EU's way of saying stop collecting data you don't need.
The third principle complements the first two. If you are operating in a lawful, fair, and transparent way and only collecting and processing data in a way that meets Principle #2, then you should already be minimizing your data.
Why does it bear repeating?
Because if you don't need the data to complete your core data processing function, then the EU says you shouldn't collect it.
You must also go one step further: if you have data you don't need, then you need to either erase it or anonymize it.
British Airways provides a helpful example of how and why it uses data. The data minimization principle isn't often expressed in blunt terms: "We only take the data we need." Instead, it's more often demonstrated by clearly defining what data gets collected.
By outlining precisely what data it sweeps up, it allows the user to decide whether it's worth the risk.
British Airways collects both user and sensitive personal data, and it's careful in spelling out when and why it collects that data.
As an airline, British Airways collects very sensitive data like names, dates of birth, passport information, and even medical information. It needs to be very clear about when and how it collects data like biometric data.
This sentence says that British Airways must collect some data, but it follows a policy that includes avoiding overcollection. So while it may collect biometric information, it doesn't collect it indiscriminately.
Principle 4: Accuracy of Data
Do you have a database full of email addresses that bounce? Keeping inaccurate information violates the fourth principle of the GDPR that says personal data you store must be:
"accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay"
How do you know if your data is accurate when you collect data submitted directly by users?
The GDPR doesn't offer a definition for "accurate." However, inaccurate can mean "incorrect or misleading as to any matter of fact."
Accuracy means following common sense guidelines. If you have a phone number on record that doesn't belong to the data owner, then the phone number is inaccurate. You need to reach out to the data owner to update the personal data whether or not you intend to use the phone number. You also need to do it upon discovery - not in two years.
The risk is that you have a phone number that could be used that does not belong to the name attached to it. The person who owns the phone number did not provide consent to collect it, and they are not a customer, so you have no business having it.
Even if you don't collect the information, it is up to you to ensure it's accurate through four steps:
- Taking reasonable steps to ensure the data is not factually incorrect or misleading
- Updating personal data (depending on use)
- Correcting or erasing data upon discovery of misleading/ incorrect data
- Considering challenges to data accuracy (requests from users, etc.)
To uphold the data accuracy principle, you'll need to:
- Commit to ensuring the accuracy of personal data
- Implement and follow appropriate processes for checking data accuracy and recording data sources
- Have processes in place to identify the need to update data
- Have processes for noting, identifying, and recording mistakes
- Comply with your users' right to change their data
Often, you'll cover most of these points in a clause that explains user rights.
It also provides a place for users to make this request by providing a link to HSE Consumer Affairs.
The right of rectification allows users to request that their data be updated for accuracy.
Principle 5: Data Storage Limits
The data storage principle is found in Article 5(1)(e) and states that personal data must be:
"kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which personal data are processed"
The principle expressly limits how long you can keep data you collect, but it also allows individual organizations to set the limit according to their needs for the data.
The words "longer than necessary" are the key to unlocking the principle. Guidance suggests writing a "retention schedule" based on your data practices and local, state, federal, and international guidance and industry regulations.
You data retention policy will cover data storage limits. It should include:
- Three subjects of the policy: legal, business, and personal
- Data types and systems covered
- Glossary of terms used
- Detailed requirements/results of a data audit
- Retention procedures
- Data destruction
- Responsibilities and accountability (including specific team duties)
Your data storage limit should make sense for your organization. The only real requirement that applies to all businesses is the need to write it down for your employees and your customers.
UK-based retailer John Lewis provides examples of its internal customer data retention periods in its Privacy Notice:
It doesn't highlight its entire internal policy. Instead, it gives customers an idea of what kind of information they can expect John Lewis to hold onto and how long they can expect the retailer to hold on it.
For example, John Lewis keeps personal data provided for orders for five years in most cases but ten years in cases of items with different consumer protections or warranties. In this way, John Lewis can make the argument that it only keeps personal data as long as statute requires it - and not longer than necessary.
Principle 6: Integrity and Confidentiality
The final principle - Article 5(1)(f) - states that any personal data should be:
"processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures"
Data security plays a huge role in the GDPR, and the sixth principle ties up the first five nicely.
Regardless of a company's attempts to secure its systems, the risk of data loss or theft always exists.
The perpetual security risk is in part why it is so important that organizations have a lawful basis for collecting data, only collect data they need and intend to use, and make sure they delete data they don't use. By minimizing data to only the necessary pieces, organizations lower the amount of damage done in the event of a security breach.
When transferring data outside of the EU, extra precautions must also be taken to promote security and minimize risks.
Of course, security on its own is important. You can read more about what security obligations your company faces under Articles 32 and 33. These two articles discuss issues like:
- Data security measures required (encryption, resilience, restoration processes)
- Handling data breaches and losses
- Steps taken to ensure any natural person processing data only follows directions from the controller
- Systems required for detecting and reporting breaches
First, you can take a similar route to what Aer Lingus, an Irish airline, has done. Aer Lingus added a note on security to its Privacy Notice:
It's simple and only notes that it uses "suitable" procedures to protect personal information. Although brief, the statement is enough to satisfy the GDPR as long as Aer Lingus follows through on its promise.
You can also use a more expanded description like that provided by bank ING:
Again, ING doesn't go into security policy details. Those are best left underwraps to avoid giving too much away. However, it does note that it periodically updates its security standards. Additionally, it adds a note about ING employees, which provides extra assurance for customers.
Bonus Principle 7: Accountability
As we mentioned earlier, there are six official principles. However, the GDPR added on what you can think of as a bonus principle: Article 5(2).
Known as the accountability principle, it says that you need to do more than say comply with the principles. You must be "able to demonstrate" compliance with the previous six principles.
Compliance starts at the top and trickles down. These principles aren't solely the responsibility of your IT security team or data processors. The accountability principles apply to your entire organization, and rely on every member of your team to uphold.
The price of non-compliance is high. Article 83(5)(a) states that infringements on these principles fall into the highest tier of fines.
Violations could lead to a fine of 4 percent of your global turnover or 20 million Euro - whichever is higher.
If you collect data ethically, then you likely find that you already collect, process, and store data legally under the GDPR.
To meet these requirements, your data processes need to include:
- A lawful basis for data processing
- A fair processing policy
- A transparent processing policy
- A complete list of the purposes for processing data
- A commitment to only processing the data you need
- A process for ensuring personal data is accurate
- A data storage policy
- A strong commitment to data security and confidentiality