The GDPR has seven key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Lawfulness, fairness and transparency
Data must be processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’).
What does this mean?
Lawfully means that you are collecting, using and sharing personal data in a way that complies with all civil and criminal laws. It also means that you have a legal basis for the processing. Processing without a legal basis is unlawful.
Fairly means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them. You need to stop and think not just about how you can use personal data, but also about whether you should.
Assessing whether you are processing information fairly depends partly on how you obtain it. In particular, if anyone is deceived or misled when the personal data is obtained, then this is unlikely to be fair.
Transparent means that you must be clear, open and honest with people from the start about who you are, and how and why you use their personal data.
Purpose limitation
Purpose limitation means that you must be clear from the outset why you are collecting personal data and what you intend to do with it.
If you plan to use or disclose personal data for any purpose that is additional to or different from the originally specified purpose, the new use must be fair, lawful and transparent.
Data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Essentially, this means that you only collect the amount of data that you need and no more.
Accuracy
This means that you should take all reasonable steps to ensure that the personal data you hold is not incorrect.
You may need to keep the personal data updated, although this will depend on what you are using it for.
Storage limitation
Basically, you must not keep personal data for longer than you need it.
All personal data must have a retention period. And ‘just because I might need it later’ is not one of them!
Integrity and confidentiality (security)
This means that you have appropriate security measures in place to protect the personal data that you hold.
Accountability
The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles.
You must have appropriate measures and records in place to be able to demonstrate your compliance.