As a result of public concern over privacy, the GDPR was adopted by the European Parliament to protect the privacy and regulate the exportation of personal data of EU Citizens. Collecting and processing data of European Union countries’ citizens, companies must comply with strict rules that protect customer data (Nadeau, 2020).
According to Data Protection Commission Ireland, General Data Protection Regulation (GDPR) is a standardized data protection law applied across European Union that came into effect in 2018. Article 5 of the regulation identifies the seven main principles of GDPR about how personal data should be gathered and processed by organizations. The seven principles can be explained as below (Kulakova, no date):
1. Lawfulness, fairness, and transparency mean all personal data should be processed, referring to these standards. Lawfulness requires a legal basis within the GDPR when a company wants to use personal data; fairness tells how the organization must be fair to data subject during the data processing by not being harmful or tricky. Transparency means the users should be informed clearly by the organizations with straightforward explanations about the purpose of asking for personal information before the collection and processing of data.
2. Purpose Limitation means all personal data should be gathered for significant and legal purposes and should be limited to any future processing which is irrelevant to current goals. On the other hand, personal data could be processed for public interest, such as creating statistics if it is related to the original purpose. This principle aims to let organizations explain their intentions from the beginning about why they will be processing the personal data and for which purposes they will use it for.
3. Data minimization principle allows organizations to gather only compatible and necessary information related to the specific purpose of the data processing. This principle and Purpose Limitation could be considered as complementary principles in terms of their aims. The nature of data minimization helps organizations collect up-to-date and recent personal data, and the principal protects the secrecy and entirety of data by avoiding any possible hijacking. As a result of this, it is recommended that companies should regularly check personal data by the criteria of compatibility and adequacy and should erase the unnecessary data.
4. According to the accuracy principle, all personal data collected and processed by organizations has to be precise, and they should be updated or deleted immediately if anything changes or turns into inaccurate information. In addition to this, companies should also be aware of their responsibilities considering individuals' rights, such as providing correction or completion of inaccurate and missing data.
5. Storage limitation means organizations are able to keep personal data only within the time limit of the required period, which also has to be related to the purpose of data processing. As mentioned before, personal data may be kept for later for public interest considering and ensuring the regulation rules as a whole. The unnecessary data has to be erased immediately if it doesn’t serve the initial purpose. GDPR leaves it to the organizations how they identify which data is no longer necessary or not and encourage companies to inform their data subject about any changes. Besides, companies may anonymize personal data if the data subject cannot be recognized anymore, considering the compatibility to be considered anonymous.
6. Integrity and confidentiality principles aim to secure all personal data processed by organizations and keep it confidential to avoid any serious harm or loss. Therefore, it is recommended that companies should benefit from security measures and control them regularly to ensure an entire security approach.
7. Lastly, the accountability principle, which is the newest one among others, means that organizations must take their responsibility to fulfill GDPR principles in coherence and prove them with appropriate data processing demonstrations. These demonstrations may include adopting internal policies, privacy policies, reporting any data issues, and updating the security measures for the organizations in the digital environment.
Buket Bostanci
Keywords: GDPR, GDPR principles, data protection, privacy, personal data
References & Sources
Nadeau, M.,2020. General Data Protection Regulation (GDPR): What You Need to Know to Stay Compliant.[online] CSO. Available at: https://www.csoonline.com/article/3202771/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html [Accessed 13 March 2021].
Kulakova, G., No date. 7 Principles of the GDPR and What They Mean [online] Amara. Available at: https://www.amara-marketing.com/travel-blog/7-principles-of-the-gdpr-and-what-they-mean [Accessed 13 March 2021].
The key principles of GDPR include-fair and lawful processing; purpose limitation; data minimisation and data retention. The purpose is to provide a set of standard data protection laws across the EU. Which will make it easier for european citizens to understand how their data is being used, and also raise any complaints. The principles mentioned in the article 5 can serve as a reference for organisations data collection and retention. The article also stresses on transparency, fair use, data integrity and confidentiality. Misuse and unnecessary collection of personal data though is not an alien thing today, is a serious threat, the GDPR best owes essential rights to the citizens to know and manage how their data should be used.
ReplyDeleteDamanvir Kaushal
It is important to highlight that the GDPR is not only for people living in EU member countries, but also for non-EU members who reside in these countries as EU citizens or institutions that have commercial relations with EU member countries. Another important point which organisations should pay attention to is that the GDPR also includes historical data. Even if the relevant data were collected before May 2018, they should be handled within the framework of the rules specified in the regulation. Therefore, the personal data must be obtained with the consent of the person in accordance with the rules specified in the regulation, and also processed and stored as specified.
ReplyDeleteIlgin Damla Omay
There are going tobe lot of changes happening after the brexit occurred in regardance with GDPR laws.
ReplyDeleteData agreement secures individual information stream among UK and EU for a half year till June 2021 with the expectations that required decisions will be reached.
The general information protection system in UK information law has been altered to oblige the vanishing of the EU GDPR's policies, including new local data protection laws, for example, the new UK-GDPR law. But EU's GDPR still apply for UK websites which operates in EU currently.
- Spoorthi Joshi