Introduction to seven privacy principles of the GDPR

This post mainly focus on seven major privacy principles of the GDPR, article-5 outlines following major principles related to processing of personal data.

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitations
  6. Integrity and confidentiality
  7. Accountability

Lawfulness, fairness and transparency

Processing organizations must have legitimate grounds for collecting and using the personal data and in order to become “lawful” all kind of processing on personal data must be according to the common law which includes criminal and civil. For example if the processing of data involves committing a criminal offence, that is a clear case for unlawful processing, here some of the more cases that can be considered as unlawful.

  • A breach of confidence — Some data such as medical and banking data expect higher confidentiality during processing, a breach of such data also consider as unlawful.
  • Processing exceeding scope of the power assigned to the organization.
  • An infringement of copyright laws.
  • A breach of contractual agreements.
  • A breach of industry-specific legislation or regulations

Specially Article 6 defines six legitimate means and few other articles also further clarify about lawful processing, according to those, to be a lawful a data processing should use one of the following means.

  1. A consent from an individual — An individual has given a consent on personal data processing for one or more purposes.
  2. A contract with the individual — Processing is necessary to execute a contract with an individual. For example, to supply goods or services they have requested, or to fulfill your obligations under an employment agreement.
  3. Compliance with a legal obligation — Processing is necessary for compliance with a legal obligations to which the processing organization (controller) is subject.
  4. Vital interests — Processing is necessary in order to protect someone’s life.
  5. A public task — Processing is necessary to carry out your official functions or a task in the public interest and you have a legal basis for the processing under the law
  6. Legitimate interests — To provide legitimate consent an individual should be at least 16 years old, if case an individual is less than 16 years old the consent need to be authorized by the holder of parental responsibility ( It is possible for member state to reduce this age limit up to 13 years )

Processing of personal data should be fair and should consider following points.

  • Organizations should be open and honest about their identity and should clearly introduce themselves to individuals during the data collection.
  • Processing organizations should communicate to individuals about how the organization intend to use any personal data collected.
  • Not use their information in ways that unjustifiably have a negative effect on them.
  • Data processing should provide very high degree of transparency.

Each individual should be informed concise, transparent and intelligible manner about what kind of data directly collecting and what kind of data derived from further processing and list of data storing within the business with their intended purpose before collecting any data.

One of the widely used approach is provide a privacy notice such as “how we use your information”, it’s important to understand this notice should be written in simple language without expecting any law or technical jargon from readers. You can refer few good examples for privacy notices from Facebook, Google and Amazon. Following are the list of items you can include into the private notice.

  1. The identity and contact details of the organization.
  2. The purpose of processing the personal data and intentions for it.
  3. How long the personal data will be stored for.
  4. The rights to request personal data, erase it or object to its collection.
  5. The contact details for a regulatory authority in the event of a complaint.
  6. Who the recipients of the personal data are.
  7. If there are intentions to transfer your personal details to countries outside the EU and what level of data protection safeguards are offered.
  8. Whether supplying personal data is obligatory or voluntary, along with any consequences for failing to provide it

Purpose limitation

Processing of personal data is permissible if and to the extent that it is compliant with the original purpose for which data was collected and as far as the organization can demonstrate the individual has consented to use own data for above purposes. It’s not sufficient to keep just the fact that the individual has consented but it’s required to track time and approach that the individual used to prove the consent.

It’s not possible to use personal data collected for a specific purpose for any other different purpose. In case the processing organization want to process existing data for a purpose other than the original purpose, then the organization is required to get further legal permission or consent from individuals. As an example phone-no or E-mail address you collected from online shopping application for the purpose of updating the order details can not be used for your marketing campaign on clearance sale unless you have get clear consent from customers to use his/her contact details for such marketing activity at the time of collecting those data.

However public interest, scientific or historical research purposes or statistical purposes are excluded from purpose limitations principle.

Data minimization

Data processing organizations should ensure that they collect and process personal data which are necessary for each specific purpose (in terms of the amount of personal data collected, the extent of the processing, the period of storage and accessibility). According to the GDPR, data must be

“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.

It’s not allow to collect personal data which may require for your future business expansions, processing organizations should identify the minimum amount of personal data you need to properly fulfill your purpose. You should hold that much information, but no more.

Accuracy

Data processing organizations should ensure that the personal data collected are accurate. If the data are not accurate the organization should take all possible measures to rectify those data. If the rectification not a viable options then affected data should be anonymised or deleted without any delays.

Provide an easy to use tools for individuals to update their own profile data by themselves is one of the best options to support this principle, self-care-portals available with some IAM product is a good example for such tools. Also enabling different channels to update personal data also increase the chance of accuracy of the data, as an example a processing organization can enable to update personal data through self-care web portal, mobile application, sending an E-mail or calling an agent over the phone.

Storage limitations

Data processing organizations can only store personal data to the extend of the original purpose is valid, once original purpose become invalid personal data should be deleted from the storage or uniquely identifiable data need to be removed.

This principle also indicate that you should have some kind of a periodical job to clean your databases as per the compliance requirements. In case if you have to track historical record for auditing purposes etc. then you can keep those data by removing uniquely identifiable data this is know as Syndomination.

Integrity and confidentiality

Data processing organizations should make sure that only authorized people have access to the data, additionally strong passwords should be used. Further proper policies should be in place to review the security of the data in a regular basis and make security updates whenever required. This also implies measures from organizations to eliminate accidental loss, destruction or damage and inappropriate usage during personal data processing.

Accountability

According to this principle data processing organizations should demonstrate that the organization is comply with the privacy principles and states explicitly that this is the organization’s responsibility. What measures will be appropriate in each case, will depend on the nature, scope, context and purposes of the relevant processing as well as the risks for rights and freedoms of individuals.

Processing organizations can use following steps to be in compliance with the accountability principle.

Implement appropriate technical and organizational measures that ensure and demonstrate that you comply with followings.

  • Establishing internal data protection policies and process.
  • Conduct required level of staff trainings
  • Process to have proper internal audits on processing activities
  • Periodically reviews of internal HR policies.

Maintain relevant documentation on processing activities.

As per the GDPR regulations if your organization is exceeding 250 employees it’s required to keep records of processing activities. Also organization which process special categories of data or criminal convictions and offences also need to keep records of processing activities regardless of the organization size. These records should be accessible for relevant supervisory authorities. For each processing activity following data need to be recorded.

  1. Names and details of the organizations involved in data processing activity (Controllers and Processors )
  2. Purposes of the data processing.
  3. Description of the categories of individuals
  4. Categories of personal data.
  5. Categories of recipients of personal data.
  6. Details of transfers to third countries
  7. Retention schedules.
  8. Description of technical and organisztional security measures.

Data protection officer (DPO).

Where appropriate, appoint a data protection officer (DPO), we will discuss about DPO in a separate post.

Data protection by design and data protection by default

Implement measures that meet the principles of data protection by design and data protection by default, this may include principles.

  • Data minimisation
  • Pseudonymisation
  • Transparency;
  • Allowing individuals to monitor processing
  • Creating and improving security features on an ongoing basis.
  • Use data protection impact assessments.

Conditions for consent

Considerations for user consent is a broad topic and require a separate discusion, but following brief summary is given for the completeness of this post.

  1. When the data processing is based on consent, processing organization (Processor) should should able to demonstrate that the particular individual has given explicit consent to process own personal data for the specific purpose. Capturing and recording the time and method used to provide the consent is also required.
  2. When the const is given as written declaration such as web page or pop-up etc. it should satisfy following requirements.
  3. Consent should be clearly distinguishable from other matters, basically an individual should able to understand that he/she is giving an consent of processing of his/her personal data.
  4. Should use easily accessible format.
  5. Should use clear and plain language.
  6. An individual should have right to revoke any consent that he/she previously approved.
  7. When prompting for consents, the written declaration should mention that the individual reserve rights to withdraw this consent at any time freely.
  8. Related to a consent given by an individual less than 16 years old the processing organizations should take reasonable efforts to verify that the consent is given or authorized by the holder of parental responsibility over the child.

Integration and Identity Architect & PMC Member @ The Apache Software Foundation, was a Director @ WSO2