We are here to discuss, and understand in detail, the primary data protection principles of the Data Protection Act 2018.
If not for the recent changes in the act, we would still be completely clueless about the EU data protection principles and would not even bother to understand them.
The data protection definition states that every individual has privacy rights that are to be respected and not exploited. It also states that when an organization or an individual collects or processes data, the security and confidentiality of that data become the organization’s or individual’s responsibility. So how many data protection principles are there?
Consider these 6 principles as the summary of the data protection act: the personal data act and the data protection act promise a better future in which data rights will no longer be neglected and data will not be misused.
First Principle: Lawfulness, Fairness, and Transparency.
Data is to be processed lawfully, fairly and there should be complete transparency between the organization and the individuals whose personal data is being processed.
Here are the things the individual should be made aware of before you process the data and obtain consent.
- Name of your organization
- The purpose of the personal data collection and processing.
- The exact data required.
- Duration of data storage.
- Legal justification of why it’s necessary to collect and process the data.
- Whether the data will be transferred or handled by a third party.
- The individual should be told about his/her data protection rights.
- The person should also know that they can file a complaint with the data protection authority.
- They can take back their consent at any time.
- They should be informed about automated-decision making strategies and how they work.
Second Principle: Purpose Limitation.
Hammering in the points made by the first principle, this one makes it clear that the purpose of the data collection should be transparent. An individual should not be misinformed about why the data is being collected.
Just informing the individual about the data collection and processing doesn’t cut it anymore, in fact, it never did. You have to inform the people about the purpose.
The data can only be used for another purpose if, and only if, that new purpose is compatible with the purpose for which the data was originally collected. How do you decide whether your new purpose is legitimate and compatible? Consider the points below.
- Is there a legitimate connection between the original purpose and the new purpose?
- What is the relationship between the organization or individual and the persons whose personal data was collected?
- Is the data sensitive?
- Would the person whose personal data is in question suffer any harm or face any consequences from further processing of the data?
- What measures are taken to secure the data?
Third Principle: Data Minimisation.
Personal data is of a sensitive nature and should be collected only when it is strictly required. The data collected should be exactly what is needed, relevant to the purpose and nothing beyond what is required.
A controller has the responsibility to hire a data protection officer, to evaluate how much data is required, and to ensure that only that amount of data is collected.
Fourth Principle: Accuracy.
Data accuracy also comes into play whenever data collection and data processing are involved. If the purpose requires fresh data, obtain an update and then use it. Not doing so is an injustice to the purpose as well as an offense towards the individual whose personal data is being processed.
Fifth Principle: Storage Limitation.
For the shortest possible time. That’s how long an organization should store the collected data. Before you collect the data, there should be a time frame or limit for which the organization can store it, and the organization should also ensure that the data is purged after that time frame expires.
There are exceptions, such as when the data is required for scientific purposes or is being stored in the public interest.
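The third and fifth principles both reduce to rules that software can enforce: collect only the fields a stated purpose needs, and delete records once their retention period has passed unless a documented exemption holds them. The following is an added example that is not part of the original post; the purpose register, the retention periods, the exemption labels (`scientific_research`, `public_interest`) and the submitted records are all constructed for illustration.

```python
"""Data minimisation and storage limitation enforced in code (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical purpose register: for each stated purpose, the fields that
# are actually needed and how long the data may be kept.
PURPOSE_REGISTER = {
    "newsletter": {"fields": {"email"}, "retention": timedelta(days=365)},
    "order_fulfilment": {
        "fields": {"email", "name", "postal_address"},
        "retention": timedelta(days=180),
    },
}

# Exemptions of the kind the post mentions (research, public interest); the
# labels are assumed here, not taken from any law text.
STORAGE_EXEMPTIONS = {"scientific_research", "public_interest"}


@dataclass
class Record:
    purpose: str
    data: Dict[str, str]
    collected_at: datetime
    exemption: Optional[str] = None


def minimise(purpose: str, submitted: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Keep only the fields registered for the purpose.

    Returns (kept_fields, dropped_field_names). An unknown purpose is refused
    rather than silently accepted: nothing has been declared for it.
    """
    if purpose not in PURPOSE_REGISTER:
        raise ValueError(f"no registered purpose: {purpose}")
    allowed: Set[str] = PURPOSE_REGISTER[purpose]["fields"]
    kept = {k: v for k, v in submitted.items() if k in allowed}
    dropped = sorted(set(submitted) - allowed)
    return kept, dropped


class RecordStore:
    """In-memory store that minimises on entry and applies retention on exit."""

    def __init__(self) -> None:
        self.records: List[Record] = []

    def collect(self, purpose: str, submitted: Dict[str, str], now: datetime,
                exemption: Optional[str] = None) -> List[str]:
        """Store the minimised record; return the field names that were dropped."""
        if exemption is not None and exemption not in STORAGE_EXEMPTIONS:
            raise ValueError(f"unknown storage exemption: {exemption}")
        kept, dropped = minimise(purpose, submitted)
        self.records.append(Record(purpose, kept, now, exemption))
        return dropped

    def expired(self, now: datetime) -> List[Record]:
        """Records past their retention period that hold no exemption."""
        out = []
        for r in self.records:
            limit = PURPOSE_REGISTER[r.purpose]["retention"]
            if r.exemption is None and now - r.collected_at > limit:
                out.append(r)
        return out

    def purge(self, now: datetime) -> int:
        """Delete expired records; returns how many were removed."""
        gone = {id(r) for r in self.expired(now)}
        self.records = [r for r in self.records if id(r) not in gone]
        return len(gone)


def demo() -> Tuple[List[str], int, int, int]:
    """Run the store over constructed submissions; returns (dropped, purged_day200, purged_day400, remaining)."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = RecordStore()
    # The signup form sends more than the newsletter purpose needs: extras are dropped.
    dropped = store.collect(
        "newsletter",
        {"email": "a@example.com", "phone": "555-0100", "dob": "1990-01-01"},
        t0,
    )
    store.collect(
        "order_fulfilment",
        {"email": "b@example.com", "name": "B", "postal_address": "1 Main St"},
        t0,
    )
    # A record held under a research exemption outlives the normal period.
    store.collect("newsletter", {"email": "c@example.com"}, t0, exemption="scientific_research")
    purged_day200 = store.purge(t0 + timedelta(days=200))  # only the 180-day order record
    purged_day400 = store.purge(t0 + timedelta(days=400))  # the plain newsletter record; the exempt one stays
    return dropped, purged_day200, purged_day400, len(store.records)


if __name__ == "__main__":
    print(demo())
```

The useful property is that the allowlist and the retention clock live in one register that the code consults, so adding a purpose means declaring its fields and its time limit before any data for it can be accepted, and an exemption has to be named explicitly rather than achieved by simply never running the purge.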
Sixth Principle: Integrity and Confidentiality.
There is no need to be stingy with your data security measures. IT security is an important aspect of data protection. As we have said time and again, their data is your responsibility. How you handle it speaks to your and your organization’s reputation.
So, put in place technical measures to avoid data breaches, which would lead to the misuse of data and turn into a big headache for the individual. Also, make provision against accidental loss of data, the use of inappropriate technology and any damage caused.
This post is about data protection principles made easy. We want you to understand how personal data should be handled, because when it is handled well people feel secure and have no doubts about consenting to provide their personal data. No one is going to complain when you take good care of their data.
We hope this helps you to understand what GDPR requires from you and to implement it. This is in no manner a complete guide, but a detailed summary of the data protection principles GDPR expects you to follow.