GDPR Basics: Six Privacy Principles of GDPR
In the more than two years since the General Data Protection Regulation (GDPR) went into effect, personal privacy has continued to be headline news. We are going to cover some basics of privacy in this and future posts. This post looks at the principles at the core of GDPR and its privacy protection philosophy.
Six Privacy Principles
The data collected on EU citizens should be:
1. Processed lawfully, fairly and in a transparent manner: entities collecting and processing personal privacy data must fully and transparently disclose the reasons for collection and processing before the data can be collected.
2. Collected for specified, explicit and legitimate purposes: again, transparent disclosure of business purposes is required before the data is collected, and data subjects must consent to the collection and processing in such a way that the entities can report on that consent by date and time should a supervisory authority request it. Data subjects have to be allowed to change their minds about consent, even to the extent of the “Right to be Forgotten”.
3. Adequate, relevant and limited to what is necessary: commonly referred to as “Data Minimization”. Make sure you collect ONLY the data you need for your transparently disclosed purposes.
4. Accurate and kept up to date: “Data Rectification” must be part of the policy and process, so that if incorrect data appears for a data subject, it can be quickly corrected, even if by Data Subject Request.
5. Kept for no longer than is necessary: one of the more common findings that Cipher encounters in our GDPR engagements is the lack of a retention policy for personal privacy data. Sometimes that is warranted, as with a large global architectural firm building resorts and hotels around the world – they consider that they must keep all records, especially contact and personal information, forever, because a catastrophic failure 20 years down the road would lead to investigations that require them. Cases like that are the perfect reason to involve your legal team: make sure they’re ready with a legal justification should scrutiny and questions arise.
6. Kept secure to prevent unauthorized or unlawful processing: this is among the most broadly written GDPR articles of all. There are 99 GDPR Articles, and only one, Article 32, is specific to security – and it boils down to “don’t get breached”. Interpreting it by applying cyber security best practices is in order.