Saturday, 13 March 2021

What is GDPR? What are the Seven Principles of GDPR?

As a result of public concern over privacy, the GDPR was adopted by the European Parliament to protect the privacy of EU citizens and to regulate the export of their personal data. Companies that collect and process the data of European Union citizens must comply with strict rules that protect customer data (Nadeau, 2020).


According to the Data Protection Commission Ireland, the General Data Protection Regulation (GDPR) is a standardized data protection law applied across the European Union that came into effect in 2018. Article 5 of the regulation sets out the seven main principles of GDPR governing how personal data should be gathered and processed by organizations. The seven principles can be explained as follows (Kulakova, no date):


1. Lawfulness, fairness, and transparency mean that all personal data should be processed in accordance with these three standards. Lawfulness requires a legal basis within the GDPR whenever a company wants to use personal data; fairness means the organization must treat the data subject fairly during processing, neither harming nor misleading them. Transparency means that, before personal information is collected and processed, organizations must clearly inform users, in straightforward language, of the purpose for which it is requested.

2. Purpose limitation means that all personal data should be gathered for specific and legitimate purposes and should not be further processed for purposes that are incompatible with those original goals. On the other hand, personal data may be processed in the public interest, for example to produce statistics, where this is compatible with the original purpose. This principle requires organizations to explain from the outset why they will be processing personal data and for which purposes they will use it.

3. The data minimization principle allows organizations to gather only the relevant and necessary information for the specific purpose of the data processing. This principle and purpose limitation can be considered complementary in terms of their aims. Data minimization helps organizations hold only up-to-date and relevant personal data, and the principle protects the confidentiality and integrity of data by reducing the impact of any possible compromise. Accordingly, it is recommended that companies regularly review the personal data they hold against the criteria of relevance and adequacy and erase any data that is unnecessary.

4. According to the accuracy principle, all personal data collected and processed by organizations must be accurate, and it must be updated or erased without delay if anything changes or the data becomes inaccurate. In addition, companies should be aware of their responsibilities regarding individuals' rights, such as providing for the correction or completion of inaccurate or incomplete data.

5. Storage limitation means that organizations may keep personal data only for as long as is required, and that retention period must be related to the purpose of the data processing. As mentioned above, personal data may be retained for longer in the public interest, provided the rules of the regulation as a whole are respected. Data that no longer serves its initial purpose must be erased without delay. GDPR leaves it to organizations to decide how they identify which data is no longer necessary, and encourages companies to inform their data subjects about any such changes. Alternatively, companies may anonymize personal data; data is considered anonymous only when the data subject can no longer be identified.

6. The integrity and confidentiality principle aims to secure all personal data processed by organizations and to keep it confidential in order to avoid any serious harm or loss. Companies are therefore advised to adopt security measures and to review them regularly to ensure a comprehensive security approach.

7. Lastly, the accountability principle, which is the newest of the seven, means that organizations must take responsibility for fulfilling the GDPR principles consistently and must be able to demonstrate compliance with appropriate records of their data processing. Such demonstrations may include adopting internal policies and privacy policies, reporting any data issues, and keeping the organization's security measures up to date in the digital environment.


Buket Bostanci


Keywords: GDPR, GDPR principles, data protection, privacy, personal data


References & Sources

Nadeau, M., 2020. General Data Protection Regulation (GDPR): What You Need to Know to Stay Compliant. [online] CSO. Available at: https://www.csoonline.com/article/3202771/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html [Accessed 13 March 2021].


Kulakova, G., no date. 7 Principles of the GDPR and What They Mean. [online] Amara. Available at: https://www.amara-marketing.com/travel-blog/7-principles-of-the-gdpr-and-what-they-mean [Accessed 13 March 2021].