The Seven Data Protection Principles of the GDPR
There are seven data protection principles of the GDPR. The principles are summarized below.
Summary of the seven data protection principles of the GDPR
All processing of personal data must take place in accordance with the seven basic data protection principles according to the GDPR. The principles must be taken into account in all processing of personal data. For example, in connection to collection and storage of personal data. Below you can read more about the different principles.
The seven data protection principles of the GDPR
There are seven data protection principles according to GDPR that must be followed. And they are briefly described below.
Lawfulness, fairness and transparency
The personal data controller must ensure that the processing of personal data takes place in a legal and correct manner. Also, that the processing is made in accordance with the GDPR.
The principle of purpose limitation means that personal data may only be used for specific purposes. The principle also means that the Controller must state the purpose of each individual processing of personal data. Also, the duration for which the processing is necessary.
This principle means that it is not permitted to collect personal data without a certain specifically stated purpose. All processing must therefore have a purpose.
This principle means that the Controller shall only process the personal data that is necessary for the specific chosen purpose of the processing. This means that it is not permitted to process more personal data than what is necessary. The principle of data minimization means that the number of personal data that is processed must be minimized to the most necessary. This is positive, as it is easier to handle fewer personal data. And it is also easier to keep them up to date.
The Controller is responsible for ensuring that the processing of personal data takes place with accuracy. This means that any personal information that is incorrect, must be corrected or deleted.
The GDPR requires accuracy regarding all personal data. And every reasonable step must be taken to correct incorrect information, or to erase personal data that is incorrect.
The principle of storage limitation means that personal data must be erased (deleted), when they are no longer necessary for the purpose for which they were collected. The Controller must, for example, keep a logbook and note performed erasures in the logbook. Such logbook proves that the company complies with the GDPR. For example, erasure can take place from different types of storage spaces, where personal data can be found. For instance, from internal registers and systems, computers, e-mail, telephone directory, physical documents, etc.
Integrity and confidentiality
This principle means that the Controller must ensure that the processing of personal data takes place in a way that ensures appropriate security. Also, including protection against illegal or unauthorized processing. In addition, the Controller must ensure protection against unintentional loss, damage or destruction of personal data. This will be done by the Controller in charge implementing various technical and organizational security measures. For example, this can be done by introducing safety routines that the staff in the company must follow. Also, such internal routines must be documented in writing.
An organizational security measure can be, for example, to carry out password changes in all internal systems and registers as well as work computers, telephones, etc.
A technical security measure can be, for example, to install different types of digital antivirus software, backup systems etc.
The principle of liability means that the Controller is obliged to comply with all the above data protection principles. This must be fulfilled in each individual case and in all processing of personal data.
An important part of this principle is about being able to prove that all data protection principles according to the GDPR are followed. This can be done by writing and documenting the internal routines that apply during data erasure, collection, storage, etc.
Ensure that the company follows the principles
Use a checklist to ensure that your company follows the seven GDPR principles.
Create a checklist for your company
It is important to ensure that the company and its employees comply with the above data protection principles in accordance with the GDPR. This applies to all processing of personal data and it is important that all employees have knowledge of the data protection principles and the GDPR. One tip is to establish routines that the company can use to check that the employees and the company follow the principles when processing personal data. For example, creating a checklist can make it easier.
The checklist should include information on the following:
– The purpose of the processing.
– What legal basis that the process is based on.
– Whether the data subject has been informed of the processing or not.
– If the accuracy of the information has been checked.
– Results of security analysis regarding the protection of personal data.
– The routine for deleting personal data.
– The documents and agreements that prove that the company complies with the terms of the GDPR.
Summary of the GDPR for Companies, Entrepreneurs and Businesses
There is a lot of information about the GDPR that is important for companies, entrepreneurs and businesses to know about. We have therefore written a GDPR Summary and mention various key elements. Therefore, we are able to provide an overview of the GDPR, what it means and what companies must do to comply with the EU regulation.