Would you move into a house with transparent walls? Would you allow everyone to listen in on all your conversations, including the ones you have with your best friend or your therapist? Probably not. However, chances are you already do something similar.
In today's world, more and more people are moving into the digital space, and as they move around, they leave breadcrumbs of information in their wake. Data-driven industries thrive on those breadcrumbs. They snoop on what information you look up on the internet and what articles you read, and they try to figure out your interests, your religion, your sexuality, your health condition, your income bracket. Then, based on this data, they try to sell you something. Or they try to sell you to someone (that is, they sell your information to other companies or organizations).
In order to protect your rights and interests, the EU implemented the GDPR (General Data Protection Regulation). Built on 7 principles, the GDPR aims to protect modern internet wanderers on their online expeditions, and puts limitations on the websites gobbling up the personal data they leave in their wake.
What are the 7 principles of GDPR?
Article 5 of the GDPR maps out 7 principles for how our data should be collected, organized, structured and stored. They should be understood as the fundamental, overarching principles that give data controllers and processors a guide to understanding their obligations regarding the data they process. Let's take a closer look at each principle and what it means:
1. Lawfulness, fairness, transparency
The first principle is relatively self-evident: people or organizations dealing with personal data need to make sure their data collection practices don't break the law, that they aren't doing anything with the data that you would not reasonably expect, and that they aren't hiding anything relevant from you.
Lawfulness means two things for those handling your data: identifying a proper lawful basis for processing it, and avoiding illegal activities when doing so. This may seem fairly easy, but that is not always the case. Article 6 of the GDPR gives data controllers six alternative lawful bases to choose from: consent, performance of a contract, a legitimate interest, a vital interest, a legal obligation, and a task carried out in the public interest. Each of these has its own rules, benefits and drawbacks for the controller.
Fairness means that controllers and processors should not mislead people about how their data will be handled, and that if their processing adversely affects the data subject, they must be able to justify it.
The concept of transparency requires a clear notice, meaning when collecting data it must be clearly laid out why the data is being collected and how the data will be used.
2. Purpose limitation
In a word: be specific. Organizations must have a specific and legitimate reason for processing your personal information. They need to record their purposes in their documentation, and if they choose consent as their legal basis, they need to communicate their intentions clearly. If they realize in the meantime that the data would be useful for other purposes, too bad: they cannot simply repurpose it, and a new purpose that is incompatible with the original one needs its own lawful basis, such as fresh consent. To give you an example, suppose that Joe the baker asks his customers for consent to store their email addresses and send them email newsletters about his weekly sales. He may then want to inform them also about the opening of his new steakhouse, but he doesn't have consent for this. The customers have not agreed to get all sorts of emails from Joe; they only agreed to receive emails about sales in his bakery.
3. Data minimisation
Under the GDPR, personal data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed." Consequently, the GDPR is designed to bring data collection down to the necessary minimum. This means that organizations acting as data controllers should only collect and store the minimum amount of data required for their purpose. Joe, for example, is not supposed to collect information on whether his customers keep their savings in cash or in a bank, as this information is simply not needed in order to inform them about his weekly sales. This makes sense, first, because the way his customers store their money is not really Joe's business. Second, because the less information that gets out if someone hacks Joe's computer, the better.
4. Accuracy
The accuracy of personal data is integral to data protection. Personal data shall be "accurate and, where necessary, kept up to date". This implies that, according to the GDPR, "every reasonable step must be taken" to erase or rectify data that is inaccurate or incomplete. Data controllers need to do the systematic work of checking their records and correcting, updating or deleting outdated contacts and other inaccurate or incomplete personal data. To illustrate, if one of Joe's customers was on his list with her former business address, but she changed jobs and asks Joe to change her address in his list, by law he is required to do so.
5. Storage limitation
The storage limitation principle is closely related to data minimisation and aims to prevent data controllers from keeping personal data for longer than needed. It states that personal data must be retained only for as long as necessary and afterwards must be erased. For example, if you give your telephone number to a pub so that they can notify you if someone finds your lost keys, they shouldn't keep your number on file after the keys have been found. Or, to give another example, if Joe closes his bakery to concentrate fully on his new steakhouse, he cannot keep his former customers' email addresses for 'old times' sake'.
Of course, many cases are not this straightforward. Firms may need to keep some personal data of their former customers to be able to handle customer complaints. Banks cannot delete all your data when you close your accounts, for they are legally obliged to keep some records and share them with authorities upon (justified) request. The point here is that data controllers and processors may need to keep some data for a longer time, but they should always have a very good justification for each crumb of data they keep at any given time.
6. Integrity and confidentiality
The core essence of this principle is: keep it secure, because the security of our data is paramount. Why? As discussed above, Joe, for example, is not supposed to collect irrelevant and unnecessary data about you, so if someone hacks his computer, the potential harm to you will be relatively small. This is the point of data minimisation. But even with data minimisation, many companies will process data that, if it gets out, can harm or distress you. Just think about your credit card data. Or imagine that you are very active politically, and your home address falls into the wrong hands. In order to avoid such harms, data controllers need to make significant efforts to protect your data through appropriate technical and organisational measures. The more dangerous that data can be to you, the stronger the protection they are required to demonstrate.
7. Accountability
The final principle, accountability, can be seen as an overarching set of requirements related to the other six. It makes it clear that the responsibility for compliance with the GDPR lies with those who deal with the data. Organizations need to have the necessary documentation in place to prove that they are meeting their compliance requirements. Therefore a good documentation record is key to proving compliance when requested by authorities (or, for that matter, by insurers). This is typically done through a combination of measures such as all the tiny privacy notices popping up when you surf the internet, internal policies on data handling, asking offline customers to read and sign privacy notices, and so on.
GDPR breaches and fines
One of the biggest, and most talked about, elements of the GDPR has been the ability of regulators to hit businesses that don't comply with huge fines. Breaching the above-described principles can turn out to be quite costly. Violations of the more procedural obligations of the GDPR (for example, those on security measures, records of processing or data protection officers) can result in hefty fines (up to €10 million, or 2% of the firm's total worldwide annual turnover from the preceding financial year, whichever amount is higher), but when the infringements go against the basic principles, a company can be fined up to €20 million, or 4% of the firm's total worldwide annual turnover from the preceding financial year, whichever amount is higher.
For more on human rights and democracy issues in Europe, listen to Speechbag, our monthly podcast.