In June 2021 the European Union (EU) granted adequacy to the UK in relation to data protection. This means the European Commission is confident that the UK has adequate policies and procedures in place to protect EU citizens’ data. For businesses trading in the EU, this will be a welcome relief, as it means they will not have to implement additional and costly safeguarding procedures when processing EU customer data. Now that adequacy has been granted, and given that the GDPR is over three years old, it is an ideal time to update you on the six principles of the GDPR. These principles, plus the accountability requirement, are at the centre of the GDPR and represent the spirit of the EU/UK data protection regime.
The importance of understanding and complying with GDPR principles was highlighted in early September when Ireland’s Data Protection Commission (DPC) fined WhatsApp €225 million for failings of transparency. The messaging service, owned by Facebook, was severely rebuked by Ireland’s Data Protection Commissioner, Helen Dixon, who told the Irish Times:
“All four infringements are in my view very serious in nature.
“They go to the heart of the general principle of transparency and the fundamental right of the individual to protection of his/her personal data which stems from the free will and autonomy of the individual to share his/her personal data in a voluntary situation such as this.”
WhatsApp is appealing the fine, stating:
“We disagree with the decision regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision.
“WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so.”
Facebook has the resources and capital to mount a strong defence. But for many companies, a fine in the hundreds of thousands or even tens of thousands of pounds could be calamitous. And the reputational damage and loss of consumer trust could bring down the business. Therefore, it is imperative to know, comply with, and communicate the six GDPR principles throughout your organisation regularly.
The six principles of the GDPR are set out in art.5(1):
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitations
- Integrity and confidentiality
Art.5(2) then states:
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
There is considerable debate regarding whether art.5(2) is a ‘principle’ or a statement about who is ultimately accountable for complying with the six principles listed in art.5(1). We will examine the differing views at the end of this article.
A breakdown of the six GDPR principles
The meanings of the principles under art.5(1) are as follows:
Lawfulness, fairness, and transparency
Before processing data, you must identify a lawful basis for doing so under art.6 of the UK GDPR.
To ensure your customers understand the lawful basis for data processing, your privacy statement should define the situations in which you will collect data, how data is accumulated, and why and how it will be used.
You must consider how your processing will affect the data subject, especially when processing special categories of data. Art.9(1) of the GDPR states:
“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”
There are several exceptions to art.9(1), and these are listed in art.9(2). The exceptions include:
- The data subject provides consent.
- Where processing is necessary to protect the vital interests of the data subject or of another natural person and the data subject is physically or legally unable to provide consent.
Purpose limitation
It is important that you honour what is set out in your privacy statement: you need to ensure that the purpose of any data collection is “specified, explicit and legitimate”.
Although not every business needs to record the reasons for collecting personal data, it is good practice to do so. It provides a written statement to give to the ICO should a data breach occur and the Regulator require evidence that you have complied with the purpose limitation principle.
Data minimisation
The collection of personal data should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. In practice, this means only gathering data that is required to carry out a particular processing task at the time the task needs completing. If you need further information you should only collect it from the data subject at the relevant time. For compliance purposes, put in place a written policy that sets out how and when data can be collected and communicate this to all staff who process personal data.
Accuracy
All the data you hold must be complete and precise. To comply with the accuracy principle, the Information Commissioner’s Office (ICO) provides the following guidance:
- take reasonable steps to ensure the accuracy of any personal data;
- ensure that the source and status of personal data is clear;
- carefully consider any challenges to the accuracy of information; and
- consider whether it is necessary to periodically update the information.
‘Accurate’ is not defined in the GDPR; however, the Data Protection Act 2018 defines ‘inaccurate’ as “incorrect or misleading as to any matter of fact”.
Storage limitations
Personal data should be stored only for as long as required. It is for you to determine how long data should be kept. Certain laws provide timelines: for example, HMRC states that tax self-assessments must be kept for five years, and a will is stored until you die and it is retrieved by your appointed executor.
If you are storing customer details it makes sense to retain their data until they cease purchasing from you. Your privacy policy should set out how long you will keep people’s personal data. What is important is you document your retention policy and communicate it throughout your organisation.
To further comply with the storage limitation principle, you need to keep personal data in a form that permits identification for no longer than is necessary before it is stored in a secure format.
Integrity and confidentiality
You must handle personal data “in a manner [ensuring] appropriate security”, which includes “protection against unlawful processing or accidental loss, destruction or damage”. This principle requires that alongside physical security you have robust cyber and data security procedures in place, including the ability to encrypt and/or pseudonymise personal data wherever possible and update cybersecurity methods regularly.
The seventh principle – accountability?
Is accountability a GDPR principle? Consider this comment from the ICO:
“Taking responsibility for what you do with personal data, and demonstrating the steps you have taken to protect people’s rights not only results in better legal compliance, it also offers you a competitive edge. Accountability is a real opportunity for you to show, and prove, how you respect people’s privacy. This can help you to develop and sustain people’s trust.
Furthermore, if something does go wrong, then being able to show that you actively considered the risks and put in place measures and safeguards can help you provide mitigation against any potential enforcement action. On the other hand, if you can’t show good data protection practices, it may leave you open to fines and reputational damage.”
Although some writers have not included accountability as one of the GDPR principles, the ICO’s position is that the provisions of art.5(2) do constitute a principle. And given that the ICO is the UK’s regulatory body for all data protection matters, it is sensible to follow its guidance. Furthermore, art.24 of the GDPR codifies the responsibilities of the Controller and supports the proposition that accountability is a principle.
Whether there are six or seven GDPR principles is debatable. What is important is that Controllers and Processors understand they have a legal obligation to abide by the principles and provide evidence of compliance.