How to identify which GDPR principles apply to your organisation

By Nigel Jones

Co Founder of The Privacy Compliance Hub

February 2018

From customer services and marketing through to HR, organisations use “personal data” in many different ways.

Against this backdrop, the General Data Protection Regulation (GDPR) provides a framework for the privacy and protection of personal data. It’s impossible for European lawmakers to give us a blow-by-blow ‘how to’ guide covering each and every instance of data processing. So instead, much of the new regulation focuses on broad privacy principles.

Your mission? To become familiar with these principles and recognise when and how to implement them. Read on to find out what these core GDPR principles mean and how you should put them to work in real life…

What are the GDPR privacy principles?

There are seven in total, set out in Article 5 of the GDPR. Here is each of them in outline:

1. Lawfulness, fairness & transparency

Data must be processed in a lawful, fair and transparent way. The GDPR seeks to give individuals better control over their personal data, including who processes it, how and why it’s used. The principle of lawful, fair and transparent processing supports this.

You need to be upfront and transparent with the people whose personal data you process, making it easier for them to exercise their rights rather than putting up obstacles. Examples of this might include re-wording your privacy notices using clearer, plain language – and perhaps setting up a portal to make it easier for customers to access their personal data via self-service.

2. Purpose limitation

Data must only be collected and used for a specific purpose. Under this principle, personal data may only be collected for “specified, explicit and legitimate purposes”. And once you have an individual’s personal data, you must only use it in ways which are compatible with those purposes.

This means that “data fishing exercises” are unlawful under GDPR. As an example, you shouldn’t be asking for lots of unnecessary info from your customers solely on the basis that it might “come in handy” later on!

3. Data minimisation

Organisations should only collect the data they need. The personal data an organisation processes should be adequate, relevant and restricted to what is necessary to achieve the purposes for which it is processed, a policy known as data minimisation. In other words, if it isn’t needed, don’t collect it. And if it is no longer needed, get rid of it.


4. Accuracy

Reasonable steps must be taken to ensure accuracy. “Bad” data is bad news, both for you and for data subjects. Orders aren’t fulfilled, staff don’t get paid on time, credit scores are affected – to name just a few of the headaches it can cause.

The GDPR requires organisations to take “reasonable steps” to ensure that personal data is accurate and kept up to date. So let’s say both your customer base and your workforce are getting bigger. Here, “reasonable steps” might include replacing your maze of standalone Excel spreadsheets with CRM and HR systems. With these, it becomes so much easier to keep those records up to date.

5. Storage limitation

Organisations should not keep personal data for longer than necessary. Data that identifies individuals should be held no longer than the purposes for which it is processed require (the regulation allows longer retention for archiving in the public interest, scientific or historical research and statistics, provided appropriate safeguards are in place). As well as being a requirement under GDPR, this is good business sense. Setting a defined retention period for each category of data stops your data estate growing needlessly large, and shrinks what is exposed if you suffer a breach.

6. Integrity & confidentiality (Security)

Data must be handled with integrity and confidentiality. You must ensure “appropriate” technical and organisational measures are taken to protect personal data. This includes measures against unauthorised or unlawful processing and against accidental loss, destruction or damage.

What’s appropriate depends on the nature of the personal data and the risk to the individuals concerned. For instance, credit card information and medical records will demand tougher protection than web browsing data. Article 32 spells out what to weigh: the state of the art, the costs of implementation, and the likelihood and severity of the risk; it names pseudonymisation and encryption as examples of suitable measures, alongside the ability to restore availability after an incident and a process for regularly testing the effectiveness of your controls. You should also take into account the wider threat landscape. If organisations in your sector are being targeted by a particular attack technique, keep an eye on industry guidance and best practice to establish the most appropriate way to reduce that risk.

7. Accountability

Organisations must be able to prove they are sticking to the rules. This overarching principle guides how you should approach all of the other GDPR principles. It is new, it is important, and it sets the GDPR apart from the Data Protection Directive that preceded it.

It means that being compliant is only part of the story; it’s just as important to be able to show that you are following the rules and meeting your obligations. For this, having the right records in place is crucial. From the results of the network security tests you carry out, right through to the consents you have collected from customers, you need to be able not just to tell the ICO (or your supervisory authority) that you are sticking to the rules, but to prove it.

Data mapping: how it helps you apply the GDPR principles

A data map is a complete overview of all the personal data your organisation uses. Get it right, and your data map will give you the following info…

  • What personal data you control or process
  • What category it falls into (special rules apply to, for example, health data, criminal records and data relating to children)
  • What it is used for
  • The formats in which it is stored and accessed
  • Who has access to it
  • Locations – i.e. where it flows to and from. This might include cloud storage services or third party processors, including those outside the EU.
  • Accountability. Who is responsible for the data? This can sometimes change as data flows from one part of the organisation to another in its lifecycle.

It’s only once you have mapped your data that you can apply the GDPR principles outlined above in a thorough and meaningful way. It’s vital for compliance. But beyond this, it can also give you a new perspective on your entire business. Data is an asset – and this is exactly the type of exercise that can show you if you’re putting it to work in the right way.


Data mapping pitfalls: how to overcome them with the Privacy Compliance Hub

From a technical perspective, data mapping demands a full inventory and assessment of all platforms, repositories and endpoints – from your filing cabinets through to cloud servers. At the same time, and for all areas of your business, you need to isolate each and every situation where personal data is being used.

So data mapping isn’t something that should be left to the IT department to get on with in isolation. It requires you to get into forensics mode and build a thorough understanding of what’s going on in each of your organisation’s departments, because much personal data lives in spreadsheets, inboxes and third party services that IT never provisioned.

Approach this in an ad-hoc or haphazard way and important areas can easily be missed. The Privacy Compliance Hub is designed to help you avoid this pitfall. It provides a structure, a complete methodology and a step-by-step process for formulating a privacy plan, so that all areas are covered and, just as importantly for the accountability principle, you can demonstrate that they are.

Hidden or overlooked personal data, or data that’s being used for unintended purposes, can result in you sleepwalking toward non-compliance. With the right tools to collaborate with what we call ‘Privacy Champions’ from each department, you have everything you need to ensure all privacy principles are embedded in your organisation.

For further info on all aspects of GDPR, explore the rest of our Hub. Ready to get your data mapping project on the right track? Contact us today for a free demo.
