The GDPR sets out obligations for organisations that process personal data, and provides a set of core principles to govern the way in which those obligations are to be interpreted.
The principles are found in Article 5 of the GDPR and companies can incur massive financial consequences for disregarding them.
The Data Protection Principles are:
the principle of lawfulness, fairness, and transparency
the principle of purpose limitation
the principle of data minimisation
the principle of accuracy
the principle of storage limitation
the principle of integrity & confidentiality
the principle of accountability
Today’s insight will provide you with a snapshot of each of the principles and some examples that illustrate how they apply in practice.
Lawfulness, fairness, transparency
The first principle consists of three core parts: lawfulness, fairness, and transparency of a processing activity.
Lawfulness refers to the requirement that there be a legal basis for the processing activity. The different kinds of legal bases available under the GDPR are listed under Article 6 and will be discussed in the next part of this series. Besides Article 6 legal bases, lawfulness also requires the processing to adhere to other laws and regulations that are present in the country. Simply speaking, the processing must not be unlawful under any applicable legal framework.
Fairness relates to an individual’s reasonable expectations over how their personal data will be handled, ensures its use avoids causing unduly detrimental, unexpected, misleading, or deceptive consequences on the individual, and seeks to protect the individual where there is an obvious power dynamic. The power dynamics between data controllers/processors on the one side, and data subjects on the other side is an example of this. It demands that there shouldn’t be an imbalance between the two sides. For example, as an employee, your employer acts as a data controller for the personal data they process with regard to your job. To be able to work at the company, you must accept that there will be lots of job-related personal data collected about you. However, this does not mean that you must agree to giving away any data that they ask for. If an employer requires you to reveal personal data unrelated to your role at the company, e.g., sensitive health data, and makes your employment contingent on you revealing this data, this could be deemed as unfair as they’d be using their power over you as an employer to make you give away your personal data. As a recent example, during the Covid-19 pandemic, some employers opted to collect health data (such as Covid-19 test results or vaccination certificates) of their employees as part of their Covid-19 responses and/or safety measures. It was accepted that these measures, albeit intrusive to the employee, may be necessary to protect public health and can be conducted in a way which is lawful under both the GDPR and other laws and regulations. However, in other cases, it could be considered ‘unfair’ of employers to require their employees to provide their data, especially sensitive data like health data, and (indirectly) threaten them with dismissal if they refuse to comply – particularly where there is no obvious explanation for why the personal data is required.
The final element of this provision is transparency, which plays a vital role throughout the GDPR. In a future insight, we’ll discuss how this manifests itself in some of the data rights you have under the GDPR. As a principle, transparency means that data controllers must provide information to individuals about the types of personal data it collects, the reasons for which it processes the data, and where, geographically, the data is sent to (amongst other things). This is typically made available through a Privacy Notice and is necessary for individuals to make informed decisions about whether they do, in fact, want to give away that data and how much of it if so. Transparency is also crucial for individuals to be able to judge whether the disclosed processing activities comply with the GDPR and the rights under the GDPR.
Upon closer observation, the latter two requirements – fairness and transparency - are closely linked. The more transparent processing becomes, the easier it is for you to make sense of what’s going on and how you can retain or regain some control over your data. As this helps with balancing out the power that controllers hold over your data, better transparency may also bring about more fairness.
Purpose limitation
Another principle that controllers and processors must adhere to concerns the purpose of the processing activity in question. As we explained in our “GDPR’s Objectives & Scope” insight, controllers determine the purpose of data processing. It is something that must be communicated to us if our personal data is affected, as seen in “the following insight”. The principle of purpose limitation, then, requires the controllers and processors to not process your data for purposes other than those you would anticipate – and a processor, in particular, is under a contractual obligation to the controller to only process the personal data in line with the controller’s instructions. This is not to say that the controller cannot process your data for any other purpose, but that purpose would have to be compatible with the initial purpose. For example, when you sign up with your e-mail address to receive weekly newsletters of one brand, you wouldn’t expect that brand to use your e-mail address to sign you up for their regular prize draws. You would, however, expect them to send you specific newsletters, which may be sent out occasionally and in addition to the regular ones. While the former example isn’t in line with the initial purpose and what you’d anticipate with your data to happen, the latter appears to be within reasonable boundaries of the initial purpose and most likely wouldn’t bother you either.
Purpose limitation also means that controllers cannot collect data in anticipation that it might become useful one day, without a specific purpose at the time of collection. We live in the age of Big Data, with current technology allowing for unforeseen insights to be derived from sufficiently big databases. This incentivises the collection and aggregation of large amounts of data into big databases, so that it can one day be analysed to extract useful information. The problem is that companies collecting the data can’t know what the information will be useful for – what will be its purpose – until they have analysed the data; and collecting and analysing the data without already knowing the purpose of doing so runs contrary to the principle of purpose limitation. The principle, therefore, is at odds with the current business model of many companies, and it will be interesting to see the outcomes as cases make their way through EU courts and we get a better picture of the enforcement landscape.
Data minimisation
The principle of data minimisation requires the controller and/or processor to process the minimum amount of data needed for the purpose of the processing activity. In other words, an organisation shouldn’t be collecting more data about you than they actually need for whatever they’re doing. For example, when you want to get in touch with a company through the contact form on their website, arguably, all that company needs from you is your e-mail address, the message, and maybe your name. And while lots of brands nowadays only ask for those few things, some make you fill out a much more elaborate form, including questions about your gender, address, or other personal details. They do it because collecting more data on you might mean gaining better insights or chances to make money with that data. However, the principle of data minimisation here interplays with the principle of purpose limitation. The purpose of the contact form is to allow you to contact the company, not to allow them additional insights, so they may only collect the data they need for that purpose. If they want to obtain additional insights into your person or habits, they need to specify that as a separate purpose, and again collect the least amount of data that they need to satisfy it. Neither of the principles would make sense in practice without the other, and it’s important to keep them both in mind when dealing with purposes of data processing.
Accuracy
Ensuring the accuracy of your personal data is another principle that controllers and processors must follow. Here, accuracy refers to the stored data not containing any errors or misrepresentations, as well as that data not becoming outdated. This is important to you as a consumer, because incorrect or inaccurate data about you could lead to flawed outcomes, which can have a negative effect on you and your interests. For example, if your delivery service account contained a mistake in the address bar, your parcels might get delivered to your neighbour, or someone in an entirely different city. An outdated identity document at your bank might prevent you from identifying yourself as the owner of the account and create an administrative nightmare where you can’t access your funds until you can resolve the issue, potentially through an in-person appearance. Data accuracy is also important to the data collector, as they benefit most from their data collection if the insights gained from, and decisions made based on that data are of high quality. If a data subject becomes aware of inaccurate data, they can exercise their right to rectification under Article 16.
Storage limitation
The principle of storage limitation requires that your data be stored only for as long as is necessary to satisfy the purpose of the processing activity. Once this period has lapsed, controllers may only retain data if it’s not identifiable anymore, meaning that we can directly or indirectly be identified by reference to additional pieces of information that someone could obtain about us from elsewhere. Information can be made to no longer be identifiable through anonymisation, and at that point it ceases to be personal data and is not regulated under the GDPR. You can find out more on identifiability in our “GDPR’s Objectives and Scope” insight.
Integrity & Confidentiality
The principle of integrity and confidentiality requires data controllers and processors to put in place certain technical and organisational measures to protect against unauthorised or unlawful access to, loss, destruction, or damage of your data. These are two of the three fundamental principles of information security, with the last one being availability.
Accountability
Finally, Article 5 of the GDPR provides that a controller is responsible for compliance with the abovementioned principles, and that they must also be able to demonstrate such compliance. It means that failure to demonstrate compliance with any of the above principles and other provisions contained in the GDPR is an infringement in itself and can cause the controller to incur fines proportionate to the severity of the infringement. Hence, there is a burden on the controller to prove that they adhere to the principles if a regulatory body knocks on their door to ask for proof. The Controller will ensure accountability by defining, running and monitoring a privacy program within the organisation. These can include, but are not limited to implementing policies, running assessments, maintaining a record of processing activities and running training to educate the company on data privacy matters.
What happens if principles are not observed?
The data protection principles contained in Article 5 exist to ensure your right to data protection is safeguarded when someone processes your data. They must be adhered to during each processing activity for a controller or processor to be GDPR-compliant. Failure to ensure or to be able to demonstrate compliance with these principles can result in substantial fines of up to £17.5 million or 4% of the company’s annual turnover globally (depending on which of the two is higher). There is therefore a high financial incentive, not to mention a public image incentive for companies to adhere to the GDPR, and it is good to see them focusing more on developing and implementing their privacy programs in response.