GDPR Data Minimization Principle
Defined in Article 5(1)(c) of the General Data Protection Regulation (GDPR), data minimization (expressed as ‘data minimisation’ within official EU documentation) is the third principle related to the processing of personal data.
Data Minimization Summary
- The organizational practice of minimizing the overall amount of personal data collected
- Only collecting personal data that is adequate, relevant, and limited to what is necessary for specified purposes
- Deletion or masking of personal data, either no longer needed or unnecessary to perform specified purposes
- Must be able to demonstrate appropriate data minimization practices
- Periodic check-ups should be made to ensure the adequacy and relevance of data collected
What are the primary differences between the GDPR and the 1998 Data Protection Act (DPA)?
The GDPR data minimization principle is nearly identical to the third principle of the Data Protection Act 1998. One minor difference is wording: the 1998 Act refers to its third principle as ‘adequacy’ rather than ‘data minimisation’ (data minimization). The only substantive difference is that the GDPR requires organizations to be able to demonstrate appropriate data minimization practices on request. This addition is part of the GDPR’s new accountability obligations on the data controller and links to the data subject rights of erasure and rectification.
Business Considerations for Organizations to Understand
What is considered adequate, relevant and limited?
Although not explicitly defined within the GDPR, organizations can use the following working definitions when assessing whether personal data collection is adequate, relevant and limited.
Adequate: only data that is sufficient to adequately fulfill specified purposes stated within the ‘purpose limitation’ principle
Relevant: only data that is reasonably related to the purposes stated within the ‘purpose limitation’ principle
Limited: only data that is necessary to perform stated purposes, ensuring the organization does not collect data that is not relevant to those purposes
How do you properly address the data minimization principle?
Data Discovery
- define what personal data the organization needs to investigate
- locate all the places your organization is storing the data
- create an inventory of who is using or has access to the data
Evaluation
- understand the current purpose(s) for which employees are using the data
- determine whether the present purpose(s) comply with the GDPR
- identify any purposes not currently utilized which may be needed
Preparation
- restrict access for users who have no valid purpose for using the data
- apply safeguards, such as encryption or masking, to data the organization may use for further processing, or that it can use without exposing the sensitive elements
- document and communicate all valid purposes, for internal reference and for GDPR documentation
GDPR Storage Limitation Principle
Defined in Article 5(1)(e) of the General Data Protection Regulation (GDPR), storage limitation is the fifth principle related to the processing of personal data.
Storage Limitation Summary
- Organizations should not keep personal data for longer than needed
- Storage limitation is a form of data standardization, similar to data minimization and accuracy principles
- Organizations should perform periodic reviews to identify, and address, data stored beyond intended use
- Storing personal data beyond the initially stated purpose is permitted where it is kept solely for archiving in the public interest, scientific or historical research, or statistical purposes
- Where personal data is stored beyond its initial purpose, whether for a compatible purpose or one of the exceptions above, measures such as anonymization or pseudonymization should be applied to safeguard data subjects’ rights
What are the primary differences between the GDPR and the 1998 Data Protection Act (DPA)?
The GDPR storage limitation principle is similar to the fifth principle of the 1998 Data Protection Act.
Business Considerations for Organizations to Understand
What is a retention policy?
Retention policies, also referred to as retention schedules, list the types of record or information held by an organization, what the organization uses them for, and how long it intends to keep them. Retention policies help to establish and document standard retention periods for different categories of personal data. A retention schedule may form part of a broader ‘information asset register’ (IAR), or of your general processing documentation.
Why employ a retention policy?
Data retention is not merely a matter for IT and administration, but a business consideration with potentially significant financial impact if you don’t get it right.
- Minimizing data retention and having clear procedures in place to determine how and when to dispose of personal data are therefore crucial to complying with the GDPR. A well-managed retention plan also helps businesses avoid information overload and the storage costs of retaining unnecessary (and often redundant) data.
- Retention policies often also provide a brief overview of data subjects’ key rights under the GDPR, as well as a summary of the technical and organizational data protection measures the organization has in place
How do you handle personal data that is no longer needed?
When personal data exceeds its retention period, organizations can erase, anonymize, or pseudonymize it. First, distinguish clearly between permanently deleting data (erasure) and taking it offline. Storing personal data offline reduces its availability and therefore its exposure to breaches, but it remains personal data: offline storage, rather than deletion or masking, is appropriate only where there is justification both for keeping the data and for keeping it in its original format, and offline data must still be retrievable to satisfy data subject rights requests.

Alternatively, data masking techniques reduce breach exposure while still allowing business owners to use elements of the data for analysis. Data masking alters the data so that it no longer permits identification of the data subject. The two most common forms are anonymization and pseudonymization. Anonymization is the stronger of the two: properly anonymized data can no longer be associated with the original individual and falls outside the GDPR. Pseudonymization (for example key-coding, where identifiers are replaced by tokens and the lookup key is held separately) still permits re-identification by anyone holding that additional information, so pseudonymized data remains personal data. Pseudonymization is a useful tool for complying with other principles such as data minimization and security, but the storage limitation principle still applies to it.
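The difference between erasure, pseudonymization and anonymization, and how a retention schedule drives each, is easier to see in code. The following is an added example, not part of the original page: the customer records, the 365-day retention period, the reference date and the HMAC key are all constructed for illustration, and the anonymization step is deliberately simplified (real anonymization needs a re-identification risk assessment over the whole dataset, not just per-row generalization). The point it demonstrates is that a pseudonymized row can still be re-linked by whoever holds the key, while an anonymized row cannot.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample data: a customer table holding direct identifiers (name, email),
# a quasi-identifier (postcode) and business values (order_total, last_activity).
RECORDS = [
    {"id": 1, "name": "Ada Lovelace", "email": "ada@example.com",
     "postcode": "SW1A 1AA", "order_total": 125.50, "last_activity": date(2023, 1, 10)},
    {"id": 2, "name": "Alan Turing", "email": "alan@example.com",
     "postcode": "CB2 1TN", "order_total": 42.00, "last_activity": date(2024, 2, 1)},
    {"id": 3, "name": "Grace Hopper", "email": "grace@example.com",
     "postcode": "NW1 6XE", "order_total": 980.00, "last_activity": date(2022, 6, 30)},
]

# Hypothetical retention schedule: identifiable order data is kept for 365 days after
# the customer's last activity, then erased or masked.
RETENTION_DAYS = 365
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed values for the demo. In production the key lives in a KMS or HSM,
# held separately from the pseudonymized dataset (this separation is what GDPR
# means by "additional information").
TODAY = date(2024, 3, 1)
DEMO_KEY = b"constructed-demo-key-not-for-production"


def is_expired(record, today=TODAY, retention_days=RETENTION_DAYS):
    """True when the record's retention period has run out."""
    return today - record["last_activity"] > timedelta(days=retention_days)


def subject_token(key, email):
    """Keyed HMAC over the normalized email. A keyed hash, not a bare SHA-256, is used
    so a token cannot be reversed by hashing a dictionary of candidate emails."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(record, key):
    """Replace direct identifiers with a keyed token. Anyone holding the key can re-link
    the token to the subject, so the result is still personal data under the GDPR."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = subject_token(key, record["email"])
    return out


def anonymize(record):
    """Drop direct identifiers and coarsen the rest so the row no longer singles out
    one person. Simplified: no token is kept, so nothing links back to the subject."""
    return {
        "postcode_area": record["postcode"].split()[0],          # outward code only
        "order_band": "high" if record["order_total"] >= 500 else "low",
        "activity_year": record["last_activity"].year,
    }


def relink(pseudonymized_record, key, email):
    """Re-identification check: with the key, a candidate email can be matched to a
    token. This is exactly why pseudonymized data is still personal data."""
    candidate = subject_token(key, email)
    return hmac.compare_digest(candidate, pseudonymized_record["subject_token"])


def apply_retention(records, action, today=TODAY, key=None):
    """Enforce the schedule over a table. action is 'erase', 'pseudonymize' or
    'anonymize'; unexpired records pass through unchanged."""
    if action not in ("erase", "pseudonymize", "anonymize"):
        raise ValueError(f"unknown retention action: {action}")
    if action == "pseudonymize" and key is None:
        raise ValueError("pseudonymization requires a key")
    kept = []
    for rec in records:
        if not is_expired(rec, today):
            kept.append(dict(rec))
        elif action == "pseudonymize":
            kept.append(pseudonymize(rec, key))
        elif action == "anonymize":
            kept.append(anonymize(rec))
        # 'erase': an expired record is simply not carried forward
    return kept


if __name__ == "__main__":
    for action in ("erase", "pseudonymize", "anonymize"):
        print(action, apply_retention(RECORDS, action, key=DEMO_KEY))
    masked = apply_retention(RECORDS, "pseudonymize", key=DEMO_KEY)
    print("key holder can re-link Ada:", relink(masked[0], DEMO_KEY, "ADA@example.com"))
```

Run against the constructed table with the reference date, records 1 and 3 are past retention and record 2 is not. With `erase` only record 2 survives; with `pseudonymize` all three rows remain but the expired ones carry only a `subject_token`, which `relink` can match to the original email given the key; with `anonymize` the expired rows keep only coarse values and nothing to match against. Whichever action the retention schedule selects, the pseudonymized output still has to be covered by the same schedule and by data subject rights handling.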
GDPR Purpose Limitation Principle
Defined in Article 5(1)(b) of the General Data Protection Regulation (GDPR), purpose limitation is the second principle related to the processing of personal data. Purpose limitation relates closely to the first principle of lawfulness, fairness and transparency.
Purpose Limitation Summary
- A specific and legitimate reason is needed for any personal data that is collected
- Personal data can only be used for the specified reasons
- Exceptions could be made if further processing is for any of the following purposes:
- archiving in the public interest
- scientific or historical research
- statistical reasons
What are the primary differences between the GDPR and the 1998 Data Protection Act (DPA)?
The GDPR purpose limitation principle is very similar to the second principle of the 1998 DPA, with only minor differences. Both require the purpose for processing personal data to be specified before the data is collected. Under the 1998 DPA this was done through registration with the ICO, whereas under the GDPR it is done by complying with the documentation and transparency obligations. Under both, personal data may not be further processed for a new purpose that is ‘incompatible’ with the original one; however, the GDPR provides broader exemptions than the 1998 Act. Where the 1998 Act allowed further processing for research purposes, the GDPR also treats archiving in the public interest, scientific or historical research, and statistical purposes as compatible.
Business Considerations for Organizations to Understand
How do you properly address the purpose limitation principle?
Data Discovery
- define what personal data needs to be investigated
- locate all the places your organization is storing the data
- create an inventory of who is using or has access to the data
Evaluation
- understand the current purpose(s) for which employees are using the data
- determine whether the current purpose(s) comply with GDPR
- identify any purposes not currently utilized which may be needed
Preparation
- restrict access for users who have no valid purpose for using the data
- apply safeguards, such as encryption or masking, to data the organization may use for further processing, or that it can use without exposing the sensitive elements
- document and communicate all valid purposes, for internal reference and for GDPR documentation
Where do you specify your purpose for processing?
All organizations need to disclose their purposes for processing personal data in the privacy information they provide to individuals. That documentation should clearly state the type(s) of personal data collected and their intended use(s). Larger organizations that keep ‘records of processing’ under Article 30 of the GDPR will also record purposes there as part of their documentation and transparency obligations. Although smaller organizations may be exempt from the Article 30 requirements, it is best practice to document all purposes anyway, as a safeguard and for internal reference.
Can personal data be used for reasons outside of the purposes specified?
As a general rule of thumb, it is best to seek further consent from individuals before using personal data for purposes that differ from those initially specified. However, there are exceptions:
- an explicit legal provision requires or allows the new processing
- the new purpose is assessed as compatible with the original one under Article 6(4), an assessment in which safeguards such as pseudonymization or encryption are one of the factors
- the processing is for one of the three (3) purposes the GDPR deems compatible:
- archiving in the public interest
- scientific or historical reasons
- statistical purposes
GDPR Lawfulness, Fairness, and Transparency Principle
Defined in Article 5(1)(a) of the General Data Protection Regulation (GDPR); lawfulness, fairness, and transparency is the first principle related to the processing of personal data. Further provisions related to this principle appear throughout the GDPR: lawfulness is detailed in Articles 6 to 10, and transparency, discussed below in the differences from the 1998 Act, is captured in Articles 13 and 14 as part of the data subject’s right to be informed.
Lawfulness, Fairness, and Transparency Summary
- An organization must demonstrate a lawful basis for obtaining personal data to process it
- Must meet criteria for at least one (1) of six (6) conditions for processing, referred to as ‘lawful bases’
- Collection of personal data must be conducted in a fair manner, ensuring it was not obtained under false pretenses
- Processing personal data must be done with fairness to the individual, satisfying reasonable expectations as to how the data will be used
- An organization must be clear and honest with individuals regarding the reasons why they are collecting personal data and how they intend to process it
- Transparency, aside from its inclusion as a principle for processing, is further extended into data subjects’ ‘right to be informed’
- To satisfy this principle an organization must meet expectations for all three (3) criteria: lawfulness, fairness and transparency
What are the primary differences between the GDPR and the 1998 Data Protection Act (DPA)?
The GDPR lawfulness, fairness and transparency principle remains fundamentally similar to the first principle of the 1998 Data Protection Act, with only minor differences regarding transparency. For lawfulness and fairness, the central concepts are the same in both, with wording the only real change: the GDPR drops the 1998 Act’s term ‘fair processing information’, though the concept remains, and introduces the term ‘lawful basis’ for what the 1998 Act called ‘conditions for processing’. The most significant of the minor differences is transparency. While both include it, the GDPR breaks the details of transparency out into the newly introduced ‘right to be informed’.
Business Considerations for Organizations to Understand
What are the lawful bases for processing in the GDPR?
Adapted from the 1998 Data Protection Act’s ‘conditions for processing,’ the six (6) lawful bases for processing are as follows:
- Consent: clear permission obtained from an individual to process their personal data for a specific purpose
- Contract: processing is necessary to perform a contract with the individual, or to take steps at their request before entering into a contract
- Legal Obligation: processing is necessary to comply with the law (not including contractual obligations)
- Vital Interests: processing is necessary to protect the vital interests of the data subject or someone else
- Public Task: processing of personal data is necessary to satisfy tasks in the interest of the public or in the exercise of official authority
- Legitimate Interests: processing is necessary for the organization’s legitimate interests, or those of a third party, unless those interests are overridden by the interests or fundamental rights of the data subject, in particular where the data subject is a child
How do you determine fairness?
Unlike lawfulness and transparency, compliance with fairness is much more subjective. Any organization processing or controlling personal data must consider how the processing affects the interests of the data subject(s). In general, an organization should process personal data only in ways that support the reasonable expectations of the data subject(s) and have no unjustified adverse effects. Personal data may sometimes be used in ways that negatively affect an individual and still comply with fairness; the question is whether the detriment caused by the processing is justifiable. For example, if personal data collected from a data subject is processed to pursue outstanding fines, say for unpaid property taxes, the handling of the data, although detrimental to the individual, could still be considered fair.
How is transparency affected by personal data collected from third parties?
Transparency is essential even if an organization does not have a direct relationship with the data subject, for example if the personal data was collected from a third party. In these situations transparency can be even more critical, because the data subject(s) may be unaware that the organization holds their personal data, limiting their ability to exercise their rights. When obtaining personal data from a third party, organizations should familiarize themselves with Article 14 of the GDPR, which covers personal data not obtained directly from the data subject.
GDPR Data Accuracy Principle
Defined in Article 5(1)(d) of the General Data Protection Regulation (GDPR), accuracy is the fourth principle related to the processing of personal data.
Data Accuracy Summary
- Organizations must take necessary and reasonable steps to ensure the accuracy of personal data collected from data subjects
- Organizations must take every reasonable step, having regard to the purpose of processing, to erase or rectify inaccurate data without delay
- Closely related to data subjects’ rights to rectification
- Data standard principle, similar to standard principles of data minimization and storage limitation
- Distinguishes personal data from historical records: personal data may change over time, and updating it should not alter historical records that are legitimately in use
What are the primary differences between the GDPR and the 1998 Data Protection Act (DPA)?
The GDPR accuracy principle is similar to the fourth principle of the 1998 Data Protection Act, with only a few differences between the two. The GDPR explicitly specifies that inaccurate personal data is to be erased or rectified without delay; this is only implied in the 1998 Act. Conversely, the 1998 Act explicitly mentions incomplete data when discussing steps to ensure accuracy, which the GDPR does not mention but implies in its language. The one clear difference is that the 1998 Act defines ‘inaccurate’ data as “incorrect or misleading as to any matter of fact”; the GDPR contains no such definition.
Business Considerations for Organizations to Understand
How do you handle records caused by your organization’s mistake?
Sometimes records are created by mistake, introducing inaccuracies into the data. In certain cases such mistaken records may be kept without rectification, often to preserve an audit trail of events. For example, an order may result in the wrong product being delivered. Although the seller would likely resolve the problem, it may be necessary to keep the record of the wrong item shipped, unrectified, so that if the data subject makes subsequent inquiries the business can go back and analyze the chain of events.
What to do if a data subject challenges the accuracy of their personal data?
If a data subject challenges the accuracy of their personal data, the organization should first verify the claim. If it is valid, the organization should either correct or delete the inaccurate data. Under the GDPR, data subjects have the right to have incorrect data rectified; they do not, however, have a right to erasure on grounds of inaccuracy alone. Under the accuracy principle, organizations must take every reasonable step to ensure that inaccurate personal data is erased or rectified without delay. So, although not required, organizations should consider erasure when complying with this principle, especially where it is the more practical way to resolve the inaccuracy promptly.
GDPR Integrity and Confidentiality Principle
Defined in Article 5(1)(f) of the General Data Protection Regulation (GDPR), integrity and confidentiality is the sixth principle related to the processing of personal data.
Integrity and Confidentiality Summary
- Organizations (data controllers) are responsible for the security of personal data they collect and store
- Appropriate technical or organizational measures must be used to ensure the security of personal data
- Security measures need to protect against:
- Unauthorized or unlawful processing
- Accidental loss
- Destruction or damage
What are the primary differences between the GDPR and the 1998 Data Protection Act (DPA)?
The GDPR integrity and confidentiality principle is substantively unchanged from the seventh principle of the 1998 Data Protection Act; the notable difference is placement relative to the other legal provisions. The GDPR lists security of processing among the core principles in Article 5(1)(f) itself (and spells out the obligation in Article 32), reinforcing the idea of data security as a fundamental obligation for data controllers.
Business Considerations for Organizations to Understand
What measures should you take to comply?
The first and essential step is to run an information risk assessment using data discovery tools to interrogate personal data across all data repositories within an organization.
Data Discovery
- define what personal data the organization needs to investigate
- locate all the places your organization is storing the data
- create an inventory of who is using or has access to the data
After data discovery is complete, the organization should carefully evaluate the results to address where sensitive personal data is exposed.
Remediation
- enforce user access controls based upon data discovery results
- apply encryption or data masking to sensitive personal data
After remediating existing personal data, the organization should apply continuous monitoring to ensure that the security measures applied to the data remain intact.
Continuous Monitoring
- apply monitoring tools to ensure the organization is protecting new as well as existing data
- enable breach detection tools that alert on suspicious activity
What organizational measures should you adopt?
Organizations should start with an information risk assessment, using data discovery tools to identify and remediate personal data vulnerabilities. Assign a point person within the organization (a DPO, for example) to manage day-to-day information security, and ensure the assigned team has the resources and authority to enforce data security measures. Lastly, work toward an overall culture of security awareness within the organization.
What factors should you consider when determining the level of data security needed?
The security measures applied to each category of data should be proportionate to the risks associated with it. You should also take account of factors such as:
- the nature and extent of your organization’s premises and computer systems
- the number of staff you have and the extent of their access to personal data
- any personal data held or used by a data processor acting on your behalf