
Data Protection Fundamentals

October 11, 2022

You may have seen in the media recently that the UK government is thinking about overhauling GDPR and replacing it with more UK-specific legislation.

What that actually means in practice for businesses we don’t yet know and it wouldn’t be right to second guess what could be in those new laws. However, it does give us a good opportunity to re-explore GDPR and important things to understand about it as a small business.
We’ve previously explored steps to ensure that you remain GDPR compliant (read more about that here). Today we’re going to review the seven principles of GDPR: what they are and why they are important. Let’s dive in.

1 – Lawfulness, fairness and transparency

This is a nice straightforward one to get us started. You (as a business or controller of the data) need to ensure that any data that you use or process is done lawfully, fairly and in a transparent manner.

2 – Purpose limitation

This one is very important. You need to be clear and explicit about the reason why you are collecting the data and why you need it (eg – you are collecting a name and email address because you would like to send someone an email newsletter). You should never use that data in a way that has not been explicitly agreed to by the person that data relates to (eg – sharing that email address with a third party).

3 – Data minimisation

This basically means not collecting more information than is absolutely necessary. For example, when collecting information to invoice a customer you will need a name, an address or email address to send the invoice to, but you wouldn’t need to collect the customer’s date of birth.

4 – Accuracy

You should ensure that you are taking every reasonable step to ensure that the data you keep is accurate and kept up to date.

5 – Storage limitation

This means that you shouldn’t be keeping personal data that identifies an individual longer than is strictly necessary. There are certain exceptions such as when data will be processed solely for archiving purposes in the public interest (eg – a census).

6 – Integrity and confidentiality

This could be simplified by saying that the data you keep should be safe and secure: protected against unauthorised access, accidental loss, and unauthorised alteration.

7 – Accountability

You as a business or as the data controller in a business are responsible for the data that you collect, store and process. You should be able to clearly demonstrate how you are complying with principles 1-6 to prove that you are accountable for the data you hold.
All of these principles relate to Article 5 of UK GDPR. Further information and detail can be found on the website of the ICO (Information Commissioner’s Office); it is a really helpful resource, so do refer to it if needed.

So, why are the principles important?

These principles are the central part of UK GDPR and set out clearly at the start of the legislation the spirit and intention with which the law has been drafted. These seven principles essentially inform and underpin all requirements set out in UK GDPR.
Therefore, to ensure that you are building good data protection practices for your business you should always be thinking about these principles and how they inform your data protection policy.
It would be remiss not to mention that failure to comply with GDPR comes with a hefty price tag: a fine of up to £17.5 million or 4% of global annual turnover, whichever is the higher.
If you are looking to learn more about GDPR and how WebbyTech can help – including implementing DLP (Data Loss Prevention) solutions to help prevent data breaches, don’t hesitate to get in touch today.