General Data Protection Regulation (GDPR) has been around long enough for us all to understand it's basic data protection principles. While the regulation itself may not be new to businesses anymore, there are still new businesses, processes and situations appearing every day across the world. These new businesses, processes and situations must still comply with GDPR.
This blog looks at the 7 key principles of GDPR, what they are and what businesses are expected to do to comply with them, and how to ensure GDPR compliance in 2022.
What are the 7 Key Principles of GDPR?
There are 7 principles of the General Data Protection Regulation which all businesses should be aware of. By creating a culture of compliance around these principles, organisations can rest assured they are well on their way to GDPR compliance.
Setting the scene
To practically demonstrate how the 7 key principles of GDPR can affect business practices, we will follow a newly created company, NeltaDet, as they begin their journey to be GDPR compliant. NeltaDet is building a mailing list to receive a monthly compliance newsletter. They aim to capture website visitors' details through their online newsletter sign up form or an opt-in tick box on their product enquiry form.
Lawful, fair and transparent
The first GDPR principle consists of 3 components:
1. Lawful - this refers to the gathering of people's data. There must be a lawful reason for you to process personal data. There are 6 legal reasons deemed as lawful, these are:
- Legal Obligation
- Vital Interests
- Public task
- Legitimate interest
More information on these can be found here.
2. Fair - this refers to the scope of personal data processing. This should be limited to what is expected by the person whose personal data is being processed.
3. Transparent - when dealing with an individual's personal data, GDPR guidelines require you to communicate clearly and simply about how that person's personal data is intended to be used.
Purpose limitation ensures that businesses only process data for it's original purpose. Personal data should not be used for purposes that it wasn't originally intended for - if it is used for another purpose then the individual, and business, responsible could be fined or have criminal charges pursued.
NeltaDet's newsletter signup process automatically stores the IP address of the individual on sign up. At the time, this was so NeltaDet could keep a record of how and when NeltaDet gained consent to send the newsletter to this individual. However, someone in the marketing team now wants to repurpose this personal data and use it to send out geographically targeted email campaigns based on their IP addresses. This breaches GDPR and could result in a fine and or criminal charges against individuals and the business. Information should only be used for the purposes originally stated when collecting the data.
When collecting customer information, it can be tempting to collect as much data as possible to maximise the information you have on your customer database. However, the GDPR principle of data minimisation requires businesses to only collect the information they need. Long gone are the days of long sign up forms and endless questions. GDPR ensures that the collection of personal data collection is minimised to what is needed, not what is wanted.
For NeltaDet's compliance newsletter sign up form they should only be asking for two pieces of information - the individual's name and email address. This is the only information required to send their newsletter and no other information should be requested.
Any businesses data should – at the very minimum – be accurate regardless of GDPR. However, under GDPR guidelines, personal data should be maintained and kept up to date. The data controller and/or data processor should take reasonable measures to ensure personal data remains up to date.
The ICO states that where a business uses it's own sources to compile personal data, then it should ensure that the information is accurate. Despite this, sometimes, you may not be able to check the accuracy of the information that comes from a third party. In this case, you should:
- accurately record the information provided;
- accurately record the source of the information;
- take reasonable steps in the circumstances to ensure the accuracy of the information;
- and carefully consider any challenges to the accuracy of the information.
Regarding NeltaDet's situation, they should ensure that their data controller/processor regularly cleans their data and ensures it is accurate. It would also be good practice to give all subscribers a preferences portal where they can manually edit their own personal data and unsubscribe if they want to, helping to ease the workload for NeltaDet and improve the quality of their data.
Under GDPR, businesses should not store data for longer than they need it. They should also be able to justify why any data is stored. It is good practice to develop a data retention policy that stipulates how long personal data will stay on file - this helps to satisfy GDPR documentation requirements.
Much like the principle of data accuracy, businesses should review the personal data they hold regularly. Any data that is no longer needed should be erased regularly to meet storage limitation guidelines, and business data is kept clean.
Individuals also have the 'right to erasure' which allows them to request their data gets deleted. However, there are scenarios where businesses can still store personal data even if an individual has submitted an erasure request. To better understand the right to erasure, check out our Right to Erasure online training course.
For NeltaDet's compliance newsletter, storage limitations are straightforward. The individual provided consent to use their data to receive newsletters, and NeltaDet has implemented a preferences management portal to help subscribers make their data more accurate. When an individual unsubscribes from the compliance mailing list, their data must be deleted from the system, if they are not subscribed to anything else and are not a customer. This is because their only purpose to hold their data was to provide them with the compliance newsletter. Once they unsubscribe, they no longer have a reason to store this data.
However, if the individual unsubscribing from the compliance newsletter is an existing customer with active subscriptions to their other newsletters, then NeltaDet can continue holding their data on the system, without sending the compliance newsletter to them.
Integrity and confidentiality
GDPR's integrity and confidentiality principle derives from two sides of the CIA triad. This principle ensures any business dealing with personal data has appropriate security measures in place to protect it from both internal and external threats.
Integrity - refers to protecting personal data from manipulation, ensuring information stays correct.
Confidentiality - refers to protecting personal data from unauthorised access. Ensuring cyber criminals and other unauthorised people cannot access a business' stored data, keeping it confidential.
NeltaDet needs to ensure it has proper systems in place to ensure its data is secure. Deploying a password-protected system like a CRM is a great place to start, but this is just a basic level to protect the personal data a company holds. Discover our range of data protection courses here.
This is the final principle of GDPR, and it is concerned with taking accountability for GDPR compliance in a business. Accountability should involve more than just tick-box exercises. It requires organisations to take responsibility for their actions, and how they comply with the other GDPR principles. Organisations must demonstrate that they have appropriate measures and records in place to highlight their accountability.
Looking at NeltaDet's compliance newsletter, NeltaDet must highlight the lawfulness principle/consent given by the individual, as well as documenting how they initially proposed to handle this data. Then ensuring they complied with the rest of the GDPR principles, documenting their compliance procedures and any potential risks or breaches of GDPR.
How to ensure GDPR compliance in 2022
Training. High quality, comprehensive training for all staff is the only way to ensure GDPR compliance in 2022. GDPR is a vast landscape that affects every person and every department within an organisation. High quality, thorough and regular training is essential to ensure GDPR compliance. Non-compliance can be significantly financially and reputationally damaging. Employees can also face potential personal liability in a court of law. Every individual in a business should understand their role to play in assuring GDPR compliance.
eLearning has evolved, and 2022 is looking to be the real post-Covid test businesses will face. Production is due to rise and employees are reluctant to return to the workplace full-time, bringing a new set of challenges. Traditional in-house training and compliance procedures no longer work, and a switch to digital training has already begun. Organisations must ensure they switch to online GDPR training or face potential compliance issues in the future. An organisation's GDPR compliance is only as good as its weakest link.
We provide a comprehensive collection of online data protection courses which your business can use on our Astute eLearning platform (optional). Our courses are CPD accredited and have been developed alongside GDPR and Data Protection experts to ensure their content is accurate and engaging. By utilising our Astute platform you easily identify and close any skills or knowledge gaps, learn on the go with a tablet or smartphone with our cloud based support, easily report on GDPR training to assist GDPR compliance and much more.