It can be difficult to wrap your head around everything regarding data protection. There’s a lot of jargon involved, which can feel overwhelming, especially considering how crucial it is to understand. The amount of data created and stored these days continues to rise rapidly, especially in a world as increasingly digital as ours, making it more important than ever to comprehend what data protection is and how it’s done properly.
It’s also essential to be aware of the laws surrounding data protection, so that your organisation can adhere to them and follow the correct procedures to stay compliant and maintain the trust of your clients.
We understand how confusing this can all appear at first glance, so this guide is here to help you understand the fundamental principles of data protection and what the UK General Data Protection Regulation (GDPR) expects of you, so that you have the beginners’ knowledge that you need to make sure you’re doing it right.
THE KEY PRINCIPLES OF DATA PROTECTION
Data protection as a whole is all about ensuring the confidentiality, integrity, and availability (CIA) of personal data. It applies to all organisations that process personal data, and they must therefore comply with data protection law.
But that only just scratches the surface. There’s a lot more to consider, which is plainly laid out in the UK-GDPR. Article 5 introduces seven key principles of data protection, which lie at the heart of the effective and lawful processing of personal data.
These principles are:
LAWFULNESS, FAIRNESS AND TRANSPARENCY
PURPOSE LIMITATION
DATA MINIMISATION
ACCURACY
STORAGE LIMITATION
INTEGRITY AND CONFIDENTIALITY (SECURITY)
ACCOUNTABILITY
WHAT DO THESE PRINCIPLES MEAN?
Lawfulness, fairness and transparency
In relation to individuals, personal data must be processed in a manner that’s completely transparent, fair, and of course, lawful. It’s extremely important to be open and honest about the kinds of information your organisation is keeping and how it’s being used.
With regard to transparency, the UK-GDPR requires that the controller – the person or persons who determine the means of processing data and the purposes for doing so – provide certain information to those whose personal data they process. One effective way of doing this is with a privacy notice, which identifies who the controller is, the purposes for processing the data, how long it’s kept for, and the lawful basis for processing it, amongst other things.
Purpose limitation
You can’t simply collect people’s personal data for any old reason. Your purposes for using this information must be explicit, specified and legitimate, and the data processing cannot extend further than these initial purposes (although there are exceptions for some purposes).
Data minimisation
Similarly to purpose limitation, restrictions are also placed on how much data is being processed. It’s vital that all data being used by your organisation is adequate, relevant, and limited to what is absolutely necessary for your purposes. Don’t collect it if you don’t need it!
Accuracy
All personal data being processed must be accurate and up to date wherever necessary. Inaccurate or outdated data must be erased or rectified promptly, so that your organisation avoids holding incorrect information about any given individual.
Storage limitation
Another principle set by the GDPR concerns how long personal data is kept for. Personal data must not be retained (in a form that allows the data subjects to be identified) for longer than is necessary for the initial purpose. (Again, there are exceptions to this.)
To help with this, it is useful to have a retention schedule and a retention policy, which provide guidelines for how long you can keep information before it needs to be erased.
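As an added illustration (not part of the original guide, and not DPAS's own tooling), here is a small Python check that applies a retention schedule to a set of records. The schedule, the record fields and the sample records are all constructed for the example; a real schedule would come from your own retention policy. The point it shows is the check a practitioner actually wants: each record is tied to a purpose, each purpose has a maximum retention period, and anything past its period, or whose purpose has no period defined at all, is flagged for review rather than silently kept.

```python
from datetime import date, timedelta

# Constructed retention schedule: processing purpose -> maximum retention in days.
# In practice these periods come from your retention policy, not from code.
RETENTION_SCHEDULE = {
    "recruitment": 180,           # e.g. unsuccessful applicants
    "customer_account": 6 * 365,  # e.g. accounting records
    "marketing_consent": 2 * 365, # e.g. re-confirm consent after two years
}


def review_records(records, schedule, today):
    """Split records into those still within their retention period and those
    that need action.

    Returns (keep, overdue): keep is a list of record ids; overdue is a list of
    (record id, reason) pairs. A record whose purpose has no entry in the
    schedule is treated as overdue, because an undefined retention period is
    itself a storage-limitation problem that someone must resolve.
    """
    keep, overdue = [], []
    for rec in records:
        limit_days = schedule.get(rec["purpose"])
        if limit_days is None:
            overdue.append((rec["id"], "no retention period defined for purpose"))
            continue
        expiry = rec["collected"] + timedelta(days=limit_days)
        if today > expiry:
            overdue.append((rec["id"], f"retention period ended on {expiry.isoformat()}"))
        else:
            keep.append(rec["id"])
    return keep, overdue


# Constructed sample records: id, purpose, and the date the data was collected.
SAMPLE_RECORDS = [
    {"id": "r1", "purpose": "recruitment", "collected": date(2023, 1, 10)},
    {"id": "r2", "purpose": "customer_account", "collected": date(2021, 6, 1)},
    {"id": "r3", "purpose": "analytics", "collected": date(2024, 1, 1)},
    {"id": "r4", "purpose": "marketing_consent", "collected": date(2024, 3, 1)},
]


def run_review(today=date(2024, 6, 1)):
    """Run the sample records through the sample schedule for a fixed date,
    so the result is reproducible."""
    return review_records(SAMPLE_RECORDS, RETENTION_SCHEDULE, today)


if __name__ == "__main__":
    keep, overdue = run_review()
    print("within retention:", keep)
    for rec_id, reason in overdue:
        print(f"review {rec_id}: {reason}")
```

Running it as written keeps r2 and r4, flags r1 because its 180-day period ended in July 2023, and flags r3 because "analytics" has no retention period in the schedule. The flagged output is a review list, not an automatic delete: what happens next (erasure, or anonymisation so the data no longer identifies anyone) is a decision your retention policy should already have made.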
Integrity and confidentiality
The processing of personal data must be secure, protecting it against accidental loss, damage, and unauthorised access. This is done by implementing reasonable and proportionate technical and organisational measures, which the law suggests should be risk-based, depending on your organisation’s specific situation. This means that your organisation should ensure that the policies, procedures, training, and technical security measures in place are all appropriate and effective.
For example, good password protocols could be sufficient, but more advanced measures (such as privacy-enhancing technologies, or PETs) are sometimes necessary in proportion to the type of data, the nature of the processing, and the risks involved. Whatever security measures work for your organisation, you’ll still need to ensure that they’re supported by proper organisational measures – such as suitable training and procedures – to be certain that the data is handled as responsibly as possible.
Accountability
The controller is accountable for ensuring and demonstrating compliance with the UK-GDPR. They’re responsible for taking the appropriate technical and organisational measures to make sure all data processing carried out by their organisation is in line with the legislation.
To demonstrate accountability and compliance, the controller can, and usually must, take a number of measures. These include maintaining records of processing activities (ROPAs), carrying out data protection impact assessments (DPIAs) for uses of personal data that may pose a high risk to the interests of individuals, implementing appropriate data protection policies, and more.
WHY DO THEY MATTER?
First and foremost, these principles inform how data protection is carried out properly, and lay the foundation for how personal data should be processed. Privacy is a fundamental human right, and everybody deserves to have their personal information collected and used responsibly.
These principles are to be considered the base foundations for proper personal data processing. The legislation provides in-depth guidance on proper, lawful data protection, but these seven principles are a good starting point to understand the spirit of how it should be done.
Failure to comply with these principles can be detrimental to your organisation, as potential consequences include damage to your reputation, loss of trust, and of course, on the legal side, hefty administrative fines. These fines can be up to £17.5 million, or 4% of your total annual turnover (whichever is higher).
So, it’s safe to say that it’s not exactly ideal for your organisation to be caught being non-compliant and suffer these pitfalls.
WHERE DPAS COMES IN
Need a bit of help with this? We don’t blame you. It’s quite a lot to take into consideration. So why not let us give you a hand?
DPAS can perform data protection compliance audits, assist your organisation with compliance documentation, or even provide you with an outsourced Data Protection Officer (DPO) who can help your business stay compliant and lawful.
Why not get in touch to see what we can do for you? After all, your data is our business.