
The Principles of GDPR

The GDPR has been highly influential on data privacy legislation around the world. The law is based on seven principles. We look at what these principles are and why they are important, who they are meant to protect, who has to comply with them, and best practices for doing so.
by Usercentrics
Aug 17, 2023

Summary of the GDPR

The General Data Protection Regulation (GDPR) is the data privacy and protection law for the European Union (EU) and European Economic Area (EEA). It has been in effect since 2018.


The General Data Protection Regulation (GDPR) protects and strengthens the privacy rights of individuals and regulates access to and processing of their personal data. It establishes rules and requirements for organizations that collect, process, store, sell, or share personal data. The GDPR imposes penalties for violations and prohibits organizations from denying consumers rights or discriminating against them for exercising their rights.

How many principles of GDPR are there? Seven. They are core to the GDPR’s regulation of the processing of personal data and are set out in Art. 5 GDPR.

What are the principles of GDPR?

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitations
  6. Integrity and confidentiality
  7. Accountability

Data privacy compliance is more than just a legal requirement with regulations like the GDPR. It is a way to build trust with customers and increase engagement. It secures brand reputation and can be a competitive advantage.

Lawfulness, fairness, and transparency

Lawfulness means that an organization (the data controller) collecting and using individuals’ personal data has a valid legal reason to do so. There are six legal bases for data processing under the GDPR (Art. 6 GDPR):

  • the data subject has given consent
  • performance of a contract with the data subject
  • compliance with a legal obligation to which the data controller is subject
  • protecting the vital interests of the data subject or of another natural person
  • in the public interest, or the data controller is exercising official authority
  • legitimate interests pursued by the controller or by a third party

Obtaining user consent is one of the most common legal bases. Data protection authorities may challenge an organization on its choice of legal basis, e.g. legitimate interest, and require it to prove that the basis is valid for the processing in question.


Fairness means that the organization is transparent with users when requesting access to or processing their personal data. It can’t claim an invalid legal basis, process the data for purposes other than those it has communicated, or continue processing data after the individual has opted out.


Transparency means that the organization clearly communicates what it wants to do, how, and why: what data will be processed, for what purpose(s), who may have access to it, how it will be kept secure, and how individuals can exercise their rights.


This information is generally communicated in a privacy policy or notice on an organization’s website or in app settings. A consent management banner can also be used to provide information and request consent for the use of cookies and other trackers on websites and apps.

Purpose limitation

Organizations can only collect and use personal data for the purpose(s) that they have stated. Under the GDPR, if a controller wants to change or add a purpose for data processing, they must notify data subjects, and, if using consent as a legal basis, get consent again for the new purposes.


Individuals must be able to provide or revoke consent at a granular level, so they can consent to some purposes for data processing (e.g. personalized advertising) but not others (statistics). They must also be able to change or revoke their consent at any time, even if they previously granted consent.

Data minimization

Organizations benefit from access to as much data as possible. It helps them know their customers better, improve targeted advertising, send more communications, and make more money. However, under the GDPR organizations can’t just collect and process as much data as they can manage to get, or just start using data they collected for one purpose for a new purpose.


Organizations can only process the amount of data they really need for their stated purpose. So, for example, if you want to sign up someone for an email newsletter, you don’t need their phone number or credit card information.

Accuracy

Organizations have a responsibility to ensure that the data they have collected is accurate and remains up to date. That could be via their own inquiries and efforts, or by responding to and making changes based on a data subject’s request.


If a company has your old email address or old home address in their database, they have a responsibility to get it updated if you are still a customer of theirs or if they have another reason to retain your data.

Storage limitations

Organizations can’t just keep data they have collected forever. They can’t store data longer than they actually need it for their processing purposes.


Secure return or destruction of data must be carried out once it is no longer required, or when requested by the data subject who provided it. Data processors, the third parties that data controllers work with to process data, must also be contractually bound to securely return or destroy the personal data they hold and have been working with.


If you are no longer a customer of a company and don’t want any communications from them, aside from legal requirements for retaining data (e.g. financial records), they have no reason to keep your personal information in their systems.

Integrity and confidentiality

This principle ties in closely with cybersecurity. Integrity means that organizations ensure data is correct, used properly, and kept securely, so that it cannot be accessed, stolen, damaged, destroyed, or manipulated by anyone who is not authorized (as happens in a data breach).


Confidentiality means that all personal data that an organization has collected is accessible only to those who absolutely need access to it for the stated purpose of processing. This includes ensuring hackers or other external people can’t access it, but also limiting access by vendors or other third parties an organization works with, as well as internal staff access. Marketing may only need access to some customers’ data for communications or advertising, and finance may need access to different data for payment processing.

Accountability

This principle “binds them all”, so to speak. It means that organizations are responsible to the law and to individuals for the data they collect and use. They have to collect only what they need, for a specific purpose, limit who can access it, and keep it protected. They must clearly communicate to consumers about the use of their data and ensure individuals can exercise their rights (and receive a response in a timely manner).


Being accountable is a legal requirement under the GDPR, with the risk of hefty fines for violations. But it is also a best practice for data privacy more broadly, good user experience, and brand reputation. The majority of consumers today will not do business with a company that they don’t trust or that they don’t think protects their personal information and uses it judiciously.


Data controllers and processors all have responsibilities for accountability, but the data controller has ultimate responsibility for actions of processors they do business with. This is why contracts, data audits, clear instructions, and regular communications are important.

Conclusion and best practices for GDPR compliance

The GDPR is strict, but that’s a good thing for consumers and organizations alike. It sets strong standards for how data is collected and used, and encourages organizations to implement a privacy by design approach to their business operations and data protection. It helps ensure that individuals know their rights and the value of their personal data, and are proactive about who they share it with and why.


Training and communication are key for organizations not only to achieve and maintain GDPR compliance, but to make data privacy a part of everyday operations and company culture. Like compliance efforts themselves, training and policy updates should be regular and ongoing. Under the GDPR, regular updates to privacy policies and other relevant documentation, and communication of changes, are required.


GDPR compliance isn’t just for IT departments or Data Protection Officers. It’s important to legal departments, marketing teams, customer support agents, vendors, and partners. Not to mention an organization’s valued customers, app users, website visitors, and others.


Do you have questions about GDPR compliance? Would you like to learn more about implementing a consent management platform? The Usercentrics Website Consent Management or Apps Consent Management solution can help your business achieve privacy compliance and build user trust. Talk to one of our experts.


Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
