Personal data has become one of the most valuable assets, often exchanged in the blink of an eye, leading to its misuse. However, the storyline has changed, thanks to data privacy laws like the General Data Protection Regulation. These laws are built on eight data protection principles discussed in this blog.
What are the 8 data protection principles to be aware of?
Data protection principles are like the foundation on which most privacy laws including Canada’s PIPEDA, EU GDPR and UK GDPR are built. They represent the ethical compass that guides businesses in handling personal data. Mastering these data protection principles is the first step towards becoming a data steward and shaping a privacy-first approach.
#1 Fair, lawful, and transparent data practices
Organisations must have a valid reason for collecting personal data. According to GDPR, you are allowed to use personal data for commercial or professional purposes if you have a legal basis for it. This means that you should identify at least one of the following legal bases as a ground for processing:
- Consent of the data subject
- Processing is necessary for the performance of a contract or to enter into one
- To fulfil a legal obligation
- To protect vital interests
- For the performance of a public task
- Legitimate interest
On the other hand, India’s DPDP Act accepts only two legal bases for processing: consent and legitimate uses. The lawfulness of your data processing activities therefore depends largely on the laws that apply to your business. It also means complying with other applicable laws, such as national or state laws.
Businesses must also act fairly and transparently towards individuals. This means that the use of personal data should not go beyond the reasonable expectations of the data subject.
Example
When a user agrees to share their location in a delivery app, they may not anticipate that their location data will be sold to third-party companies. In this situation, the processing becomes unfair.
You can integrate transparency in your business by being open about your data practices. Transparency is a fundamental aspect of most data protection regulations.
Simply put, businesses have an obligation to be transparent, and data subjects have the right to transparency. The privacy policies or notices we encounter online are a direct result of this principle.
When you collect personal information from individuals, you should also inform them about that collection and handling. Give adequate details, such as what data you collect, why you collect it, how long you will keep it, with whom you will share it, and so on.
Not just that, the information you provide should be easy to understand and written in plain language. Expecting ordinary people to understand difficult jargon is not a privacy-friendly approach.
#2 Purpose limitation
This data protection principle restricts businesses from processing unnecessary personal data of customers. For example, if you collect the name and email address of a customer for sending them newsletters, you should limit its use to such purpose only.
You must decide on the explicit, specific and legitimate purpose of data collection and tell users about it. The general rule of purpose limitation is that personal data can only be used for the specific purpose that was assigned to it at the time of collection.
If you ever need to change the intended use for any reason, it’s important to do so fairly and transparently. The ideal approach is to assess the new purpose’s compatibility with the original one, inform the individual of the change, and seek their consent.
Under GDPR, consent may not be necessary if the initial legal basis for processing was legitimate interest, contract, or vital interest and the new purpose is compatible with the original one, provided the change is communicated to the data subject.
#3 Data minimisation
The data minimisation principle controls the unnecessary collection of personal data. Organisations should restrain the data collection to what is adequate, necessary, and directly relevant to the purpose of collection.
The best approach is to collect only the minimum information and limit its retention to a reasonable period. Review the information collected periodically and remove unused data from your database.
It is important to exercise caution when it comes to collecting personal data that may not be immediately necessary. While it’s crucial to gather information that is essential for current and foreseeable needs, unnecessary data should be avoided, as it may pose privacy and security risks.
For example, a company collecting the emergency contact details of an employee’s friends or family can justify the collection because an emergency is a foreseeable event.
#4 Accuracy
The accuracy principle is all about ensuring that the personal data kept by data controllers/businesses is correct and up to date. This data protection principle is an important one under GDPR and complements the right to rectification.
Businesses should take adequate measures to keep the data accurate. It is best to review the stored data regularly and make any updates if necessary. This includes timely corrections or erasures wherever required.
However, this does not mean that you cannot maintain records of any corrections.
Examples
- You mistakenly charged one of your customers too much, but you quickly resolved the issue. In this case, you should consider documenting the initial error with a note that provides a complete overview of the events.
- A client has signed up for a monthly medication subscription. They have notified you of their relocation. You need to modify the address while retaining the record of the previous address.
You must also provide a clear and convenient channel for users to request corrections to their personal data. This is only mandatory if the applicable privacy laws provide a right to correction; Europeans and Californians have this right. Also, make sure to fulfil these requests without delay.
#5 Consent
Consent is a fundamental principle in data protection laws. GDPR discusses this within the legal basis of processing, whereas PIPEDA enshrines this as a standalone data protection principle. In short, an individual’s consent is a valid reason to process their personal data. This applies to all kinds of personal data including email IDs, names, precise geo-location, race, ethnicity, biometric information and online identifiers.
For example, internet cookies collect personal data, which brings them under the scope of privacy laws. Some regulations, like the cookie law and GDPR, prevent businesses from deploying non-essential cookies unless they have consent as the legal basis. This is commonly known as opt-in consent.
On the other hand, most US privacy laws expect an opt-out model from businesses. That is, businesses can collect and use personal data until an individual opts out. You might also need to recognise global opt-out signals. Now you know why you see cookie banners on websites: they are an indicator of privacy efforts.
Creating and deploying cookie banners is no longer a difficult task, thanks to cookie consent solutions such as CookieYes, which handle cookie consent management from end to end.
#6 Storage limitation
This principle emphasises the need to be mindful of how long you keep personal data. It should only be kept for as long as necessary to fulfil the purpose of collection.
EU and UK GDPR allow businesses to store data for a longer period for archiving purposes in the public interest, scientific, or historical research purposes, or statistical purposes.
Keeping within storage limits not only avoids hefty fines but also allows businesses to manage data more efficiently by eliminating unnecessary and unused data and reducing risks.
One practical approach is to maintain a data retention schedule that determines how long each category of data will be stored. Regularly review the data, check it against its retention period, and delete or anonymise it as needed. For example, if an individual withdraws their consent to the processing of their personal data, you should not keep that data any longer unless you have another legal basis for it.
Remember that this data protection principle is linked to an individual’s right to be forgotten. Therefore, you must take steps to fulfil such requests in a timely and efficient manner.
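The retention review described above, as an added example that is not part of the original post: a hypothetical retention schedule is checked against a few constructed records, and withdrawn consent removes data only where consent was the sole legal basis. The category names, periods and record fields are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule (constructed for this example):
# category -> (retention period in days, action once the period has elapsed)
RETENTION_SCHEDULE = {
    "newsletter_subscriber": (365, "delete"),
    "support_ticket": (730, "delete"),
    # order data is kept for accounting obligations, then reduced to anonymous statistics
    "order_record": (365 * 7, "anonymise"),
}


@dataclass
class Record:
    record_id: str
    category: str
    legal_basis: str        # e.g. "consent", "contract", "legal_obligation"
    collected_on: date
    consent_withdrawn: bool = False


def retention_action(record: Record, today: date) -> str:
    """Return "delete", "anonymise", "keep" or "review" for one record on the review date."""
    # Withdrawn consent: data held on consent alone must go at once, whatever the
    # schedule says. Data held on another legal basis stays until its period ends.
    if record.consent_withdrawn and record.legal_basis == "consent":
        return "delete"
    entry = RETENTION_SCHEDULE.get(record.category)
    if entry is None:
        return "review"  # no retention period defined: a gap the schedule must close
    days, action_on_expiry = entry
    if today >= record.collected_on + timedelta(days=days):
        return action_on_expiry
    return "keep"


def review_records(records, today: date) -> dict:
    """Map each record id to the action the schedule requires on the review date."""
    return {r.record_id: retention_action(r, today) for r in records}


# Constructed sample data: five records reviewed on 2024-06-01
SAMPLE_RECORDS = [
    Record("r1", "newsletter_subscriber", "consent", date(2023, 1, 15)),
    Record("r2", "newsletter_subscriber", "consent", date(2024, 3, 1), consent_withdrawn=True),
    Record("r3", "order_record", "legal_obligation", date(2020, 5, 1), consent_withdrawn=True),
    Record("r4", "order_record", "legal_obligation", date(2016, 1, 10)),
    Record("r5", "marketing_profile", "legitimate_interest", date(2024, 1, 1)),
]
```

Running `review_records(SAMPLE_RECORDS, date(2024, 6, 1))` flags r1 and r2 for deletion, keeps r3 despite the withdrawal because it rests on a legal obligation, anonymises the expired r4, and marks r5 for review because its category has no retention period.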
#7 Integrity and confidentiality
This principle is also known as the safeguards or security principle under laws like Canada’s PIPEDA. It requires businesses to protect personal data by implementing appropriate security safeguards, and to take steps to prevent data breaches and unauthorised access or use. For this, you should have a detailed data protection plan.
You can consider implementing the following technical and organisational measures in your data management plan:
- Conduct regular data audits and identify what categories of data you hold
- Keep security safeguards proportionate to the nature and categories of data you hold
- Implement encryption methods to protect data against unauthorised access
- Establish role-based access controls to prevent misuse and unauthorised access
- Set up multi-factor authentication
- Conduct regular back-ups to prevent data loss
- Conduct risk assessments and identify mitigation measures
- Update software and apply the latest security patches to prevent technical vulnerabilities
- Have an incident response plan to take quick action in the event of a personal data breach
#8 Accountability
Privacy laws like EU GDPR, UK GDPR and California’s CCPA frame this principle as a record-keeping obligation on businesses. Simply put, you are responsible for the personal data that you collect and keep.
This concept elevates data protection beyond implementation to showcasing compliance. To achieve this, you must record your compliance endeavours to demonstrate your conformity with privacy standards.
Demonstrating compliance means documenting your data processing activities including what and why you collect, data management policies, security measures, data retention policies, etc. This also includes Data Protection Impact Assessments (DPIAs) and the appointment of a Data Protection Officer (DPO) for enhanced protection.
The accountability principle can be viewed as a glue ensuring that all other data protection principles are not only followed but also demonstrated. From having a legal basis for processing to ensuring adequate and appropriate security safeguards, accountability plays a key role.
The same principle applies to websites catering to individuals protected by privacy laws like the European GDPR. As the law requires consent banners for obtaining explicit consent for the use of non-essential cookies, you should also be able to demonstrate compliance by keeping a consent log. Cookie consent solutions like CookieYes can automate this for effortless compliance.
Best practices for implementing data protection principles (checklist)
Here are some best practices that you can adopt for smooth compliance with data protection principles.
- Determine a legal basis for processing before you collect personal data
- Only collect the personal data that is reasonably necessary for the purpose of collection
- Limit the use of personal data to the specific purpose
- Inform data subjects about the data collection and use
- Avoid secondary use of personal data for uninformed purposes
- Decide on a data retention policy
- Appoint a DPO if you have 250+ employees (mandatory); otherwise, consider appointing one
- Regularly review and update the accuracy of the personal data you handle
- Implement security safeguards that are proportional to the nature and amount of data you keep
- Provide a cookie banner and display a privacy policy for your website
- Obtain granular cookie consent based on the applicable privacy laws
- Do not keep data indefinitely
- Document and keep records of your compliance practices
- Provide mechanisms for data subjects to exercise their rights
FAQ on data protection principles
The following are the principles of data protection:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Consent
- Storage limitation
- Integrity and confidentiality
- Accountability
The three main players in data protection are:
- Data subject/consumer/data principal: the person to whom the personal data belongs.
- Data controller/business/data fiduciary: an entity that decides the purpose and means of processing. They are the key decision-makers.
- Data processor/processor: an entity processing personal data on behalf of the controller.
Spiros Simitis, born on October 19, 1934, is known as the father of data protection. He was a Greek-German jurist who also served as the Chief Data Protection Commissioner of Hessen. He passed away on 18 March 2023.