The Data Protection Principles

The new GDPR’s require data controllers to adhere to all 6 Data Protection Principles.

These are:

  • Lawfulness, fairness and transparency
  • Purpose Limitation
  • Data minimization
  • Accuracy
  • Storage Limitation &
  • Integrity and Confidentiality.

A gap assessment should be performed to check that the processing activities meet all six data protection principles. The principles are fairly self-explanatory and the overriding message is that the data activity must have a defined purpose which is specified in a Privacy Notice and must not overreach this purpose. Only the minimum amount of data must be collected necessary to meet that purpose, and the data mustn’t be held for any longer than is necessary and be kept up-to-date.
It is advisable to have a Retention Policy which details the types of data held and identifies how long it must necessarily be retained, given the purpose for which it was collected for.

The data must be kept securely and that the level of this security is commensurate with the level of risk to the data subject should a breach occur. Accordingly, if you have identified that you hold special categories of data, then there is a greater obligation on you to take measures to ensure the data is held securely to and minimize any risk of a breach.

Examples of such measures are encryption of documents, regularly re-setting passwords, off-site back up, disaster recovery in event of fire, flood or theft and ensuring the network has robust firewalls, malware and anti-virus protection in place.

The data must also be held confidentially and access limited only to those using it for its intended purpose. Those who are granted access should be subject to security measures which, if not followed, may constitute a failure to comply with internal policies and practices. This, in turn, could lead to disciplinary action.

If we can assist you or your business in any way, or if you have any questions in relation to the services that we offer, please contact us. We look forward to working with you.

Data Protection Principles Checklist

  • Do you have a Privacy Policy and/or Privacy Notice? Is the Privacy Notice given to the data subject at the time the data is collected?
  • Have you identified a purpose for the data activities you carry out?
  • Is the data adequate, relevant and limited in line with the purpose?
  • Is the data held kept up to date?  Have you a mechanism for rectifying errors without undue delay?
  • How long is the data stored for?  Is this longer than necessary?
  • Do you archive data and does this comply with the storage limitation principle?
  • Do you dispose of data securely?
  • What security measures have you implemented to protect the data you hold?