From customer services and marketing through to HR, organisations use “personal data” in many different ways.
Against this backdrop, the General Data Protection Regulation (GDPR) provides a framework for the privacy and protection of personal data. It’s impossible for European lawmakers to give us a blow-by-blow ‘how to’ guide covering each and every instance of data processing. So instead, much of the new regulation focuses on broad privacy principles.
Your mission? To become familiar with these principles and recognise when and how to implement them. Read on to find out what these core GDPR principles mean and how you should put them to work in real life…
What are the GDPR privacy principles?
There are seven in total – and here’s each of them in outline:
1. Lawfulness, fairness & transparency
Data must be processed in a lawful, fair and transparent way. The GDPR seeks to give individuals better control over their personal data, including who processes it, how it is used and why. Each part of this principle does a separate job: “lawful” means you can point to one of the lawful bases in Article 6 (such as consent, contract or legitimate interests) for every processing activity; “fair” means you don’t use the data in ways people wouldn’t reasonably expect or that mislead them; and “transparent” means you tell people clearly what you are doing with their data.
You need to be upfront and transparent with the people whose personal data you process, making it easier for them to exercise their rights rather than putting up obstacles. Examples of this might include re-wording your privacy notices using clearer, plain language – and perhaps setting up a portal to make it easier for customers to access their personal data via self-service.
2. Purpose limitation
Data must only be collected and used for a specific purpose. The regulation states that personal data is to be collected only for “specified, explicit and legitimate purposes”. Once you have an individual’s personal data, you must only use it in ways that are compatible with the purposes you originally collected it for. The one express exception is further processing for archiving in the public interest, scientific or historical research, or statistical purposes, which the GDPR treats as compatible provided the right safeguards are in place.
This means that “data fishing exercises” are unlawful under GDPR. As an example, you shouldn’t be asking customers for lots of unnecessary information solely on the basis that it might “come in handy” later on! A practical check is to keep a record of the purpose for each category of personal data you hold, so you can show why it was collected if asked.
3. Data minimisation
Organisations should only collect the data they need. The personal data an organisation processes should be adequate, relevant and limited to what is necessary for the purposes for which it is processed; this is the principle of data minimisation. In other words, if it isn’t needed, don’t collect it. And if it is no longer needed for those purposes, get rid of it.