The 6 Privacy Principles of the GDPR

Last updated on 03 September 2019 by Nicole Olsen
The 6 Privacy Principles of the GDPR

You might think of the GDPR as long list of dos and dont's published by the EU, but it's better described as a tribute to a commitment to privacy.

Wrapped up in every article of the GPDR are the six privacy principles. These principles arrive early in the legislation at Article 5(1) and include:

  1. Lawfulness, Fairness, and Transparency
  2. Limitations on Purposes of Collection, Processing, and Storage
  3. Data Minimization
  4. Accuracy of Data
  5. Data Storage Limits
  6. Integrity and Confidentiality

Even though the rest of the legislation is broad in nature, these privacy principles underline the spirit of the GDPR. Article 5(1) offers something to return to if you wonder whether your data privacy practices meet the standards laid out in subsequent articles.

The six privacy principles are neither new nor novel. Previous EU legislation, the Data Protection Act 1998, encompassed much of the same desire to regulate data controllers in this way.

But since the GDPR not only replaced the Data Protection Act and comes with fines never before seen in privacy legislation, getting to know these principles are worth your time.

Accountability and transparency are the two concepts best associated with the GDPR. Both of these are upheld and maintained by the six privacy principles.

To see how these privacy principles make a difference for your data practices as a data controller or processor, let's break down each principly one-by-one.

Principle 1: Lawfulness, Fairness, and Transparency

Principle 1: Lawfulness, Fairness, and Transparency

The first principle listed in Article 5(1) says that data controllers must ensure their data is:

"Processed lawfully, fairly, and in a transparent manner in relation to the data subject."

The words lawfully, fairly, and transparency are all outlined in detail elsewhere in the bill. So let's break them down here.

Lawfulness

When the GDPR refers to lawfulness, it refers to your lawful basis for processing data.

Under the GDPR, controllers can't authorize the processing of data simply because the data is available. You must be able to demonstrate that your data processing falls under one of the six lawful bases outlined in Article 6(1):

  1. Consent
  2. Contract
  3. Legal obligation
  4. Vital interests
  5. Public task
  6. Legitimate interests

You need to identify and state the lawful basis that applies to each data category you process.

Fairness

Fairness pops up throughout the GDPR, but it's an ambiguous term. From a legal perspective, it is useful to consider fairness in the context of good faith. Processing data in good faith refers to using data in a way that you believe to be honest and legal.

In essence, good faith means acting with integrity - and fairly.

Transparency

What does the final part, transparency, mean?

Transparency requires you to be not only lawful and fair in your data processing activities but you need to let data subjects know what your processes include.

One of the critical ways the GDPR legislates transparency is through the requirement to have a Privacy Policy. Your Privacy Policy needs to share core details about your data practices including:

  • Categories of data collected
  • Your lawful basis for data collection
  • How you intend to use the data
  • How long you'll keep the data
  • Details of third-party relationships
  • Whether the data leaves the EU

Your Privacy Policy needs to match the reading ability of your target data subjects. So, if your site targets teenagers, it must be written at a high school reading level.

Costa Coffee provides an overview of its Privacy Policy that's well-organized and shares what information it collects, how and why it can use it, whether it shares it, and user rights under the GDPR:

Screenshot of Costa Coffee Privacy Policy intro section

The GDPR also requires accurate recordkeeping as part of its transparency requirement. Article 30 covers what records controllers and processors must keep of their activities.

Those records are for your use, but you also use them to demonstrate compliance, perform DPIAs, and share accurate information with data subjects.

Principle 2: Limitations on Purposes of Collection, Processing and Storage

Principle 2: Limitations on Purposes of Collection, Processing and Storage

Moving on to Article 5(1)(b), you'll notice that the legislation begins to place stricter limits on the data than what previously existed. The principle states your data must be:

"Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."

Principle 2 builds on the first principle and assumes that you already followed the lawfulness, fairness, and transparency rules.

In Principle 1, you learned you need to determine a legal basis for processing your data and process it in a way that is fair (or in good faith), and share the details of your data processing plan in a Privacy Policy and through strong record keeping.

Principle 2 builds on the fairness component of Principle 1.

Fairness in Collection, Processing, and Storage

Assuming you have a legal basis for data collection, you then need to process it fairly. By fair, the law broadly means only processing data in a way that you disclosed in your Privacy Policy or in a way that a data subject may reasonably expect.

For example, if you collect birth dates from a data subject, then you must have a good reason such as using it to send them birthday coupons.

Similarly, you can't collect emails for marketing purposes and then sell them to third parties.

Although there's a significant emphasis on the way you use the data, the principle also encompasses the way you collect and store data. You cannot collect more data than you need and you cannot store more data than you need for indefinite periods of time.

What does this look like in practice?

It means breaking down what you use the data for and sticking to it in your processing.

Sainsbury's Privacy Policy shows how it uses personal information and why each piece of information is integral to its processing. For example, it describes that it requires personal information - like names and email addresses - to process and ship orders.

Without personal information, the company has no way of operating the e-commerce section of its business:

Sainsbury's Privacy Policy: Excerpt of How do we use your personal information clause

Therefore, Sainsbury's has a specific, explicit, and legitimate reason for processing the data and upholds the principle.

Principle 3: Data Minimization

Principle 3: Data Minimization

Data minimization is a huge priority for the European Commission. The EC has come realize that when data controllers have the latitude to collect whatever data they want for any reason, they will do just that even at the peril of data subjects. Allowing it has had huge repercussions for data subjects and their rights.

The era of collecting massive amounts unnecessary data is over - at least in the EEA.

To address the issue of catch-all data processing tactics, Article 5 contains a principle on data minimization. Article 5(1)(c) says that data controllers may process data strictly using methods that are:

"Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."

It follows Principle 2's limitations on data processing, but it differs slightly in its scope.

Essentially, if you can complete your core processing activities without the data, then you should never even go as far to collect it - much less process the data.

Data minimization also requires you to look at your current data cache. Do you have data that you collected but don't need in the near future? The GDPR requires you to destroy it or anonymize it.

Why the EU Targets Mass Data Collection

Why has the EU taken such a hard line on data minimization? Look no further than scandals like the unending drama surrounding Facebook.

Facebook has received the ire of European courts across the continent. In 2018, a Belgian court ordered Facebook to stop collecting data on users or face a fine of up to 100 million Euro (or 250,000 Euro a day). Why? The court said Facebook tracked people on third-party sites, which violated privacy law.

At the end of 2018, the Irish Data Protection Commission announced it was considering the potential of a formal investigation into potential GDPR violations committed by Facebook. It estimated that the company could receive a $1.63 billion USD in fines if found guilty.

Collecting all this data is bad enough in the eyes of the law. The situation grows worse when Facebook announces security bugs that put the personal information of its users in jeopardy.

Not only is Facebook accused of illegally collection far more data than it needs (or has the authority to collect), but in doing so, it puts Europeans at risk.

What Facebook's Blunders Mean for You

Thanks to scandals in Silicon Valley, you need to be clear about what data you process both in your own records and in what you share with customers in your Privacy Policy.

If you follow Principle 2 and process only the data you need to perform key activities, then you should already be following the data minimization principle by default.

Are you unsure of what data you need? Ask yourself these questions:

  • Do you need the data to complete a specific purpose?
  • Do you already have enough data to complete the purpose?
  • Do you review the data you have and delete/anonymize any data that you no longer need?

Iberia Airlines provides a helpful way of describing the process within its Privacy Policy.

In the section describing what data it collects and retains, the policy goes granular and clearly describes what role the data plays in processing.

For example, Iberia cannot provide passengers a ticket without all the personal data provided by the subject. The data is required for completing records, upholding the law, and for successfully providing a service:

Iberia Airlines Personal Data Protection Policy: Excerpt of What types of personal information do we collect and retain clause

Iberia Airlines doesn't require a link to your Facebook page to complete and manage a booking. If it did, the issue would be a case of data overreach and a violation of the data minimization principle because Iberia does not need social media details to sell a plane ticket.

Principle 4: Accuracy of Data

Principle 4: Accuracy of Data

By now, you know that the GDPR wants you to:

  • Demonstrate a lawful basis for collecting and processing data
  • Process data in a way that is fair and transparent
  • Collect, process, and store only the data you need

Principle 4 departs from the complementary style of the first three data principles and refocuses on data accuracy.

Why is data accuracy so important? It plays an essential role in privacy by impacting transparency and accountability. If you have a phone number on record that doesn't match the data subject, then you risk contacting someone who hasn't given you permission. Contacting a European data subject without consent is a GDPR violation.

Article 5(1)(d) is clear when it says your personal data should, to the best of your ability, be:

"Accurate, and where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay."

As a result, Principle 4 is a call to action for every data controller. You need to set-up a mechanism to safeguard the integrity of your data. Indeed, this principle also harkens back to two data subject rights: the right to rectification and the right to erasure.

The mechanism can be as simple as sending out an email to your database with a link for data subjects to update their profile. If you send marketing emails, you should send out an email with a link asking data subjects to confirm their address.

You don't need to hound data subjects for updates, but you do need to follow common sense rules including:

  • Updating or deleting inaccurate data upon discovery
  • Providing mechanisms for data correction
  • Implementing processes for dealing with mistakes, challenges to data accuracy, etc.
  • Creating processes for keep records of identifying, notifying, and updating data mistakes
  • Offering a mechanism for upholding user rights

Keeping Data Accurate

Beyond building data accuracy into your processing mechanisms, you can also encourage data accuracy by sharing the right to rectification within your Privacy Policy under the header of data subject rights.

By sharing the right to rectification, you also share a process for data subjects to update inaccurate or outdated details.

Ryanair does this well in its Privacy Policy by mentioning the issue twice.

First, it provides instructions for updating and rectifying data within the myRyanair customer account:

Ryanair Privacy Policy: myRyanair section clause

The company also offers a mechanism for the right to erasure when the data is no longer useful for processing, such as if it is inaccurate:

Ryanair Privacy Policy: Data Protection Rights clause - Request erasure section

Although right to erasure isn't entirely covered by data accuracy, it does provide a way for users to request data changes if all other options are unavailable or there's an technical issue preventing them from updating it on their own.

Principle 5: Data Storage Limits

Principle 5: Data Storage Limits

How long do you store your data? The answer can no longer be "indefinitely."

Principle 5, the data storage principle, places legal limits on how long data can remain in your database. It says all personal data must be:

"Kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which personal data are processed."

There are two parts to this principle: a form that allows for the identification of data subjects and no longer than is necessary for processing purposes.

If you have data that you don't need for processing, then you need to either anonymize it or anonymize and erase it as soon as you know that you have it.

"No longer than is necessary" is vague so that data controllers can create data retention plan that meets their needs. However, it definitively rules out any "indefinite" data storage practices.

What does a timeline look like? It could range from upon discovery to 30 days after your system flags the data.

Data Retention Policies

How do you comply with Article 5(1)(e)? You create and implement a Data Retention Policy.

A Data Retention Policy (or Records Retention Policy) is your organization's established procedure for retaining and deleting data. To be GDPR-compliant, it must provide dates for the retention and erasure of data.

You can't simply say that you'll delete the data. You need to provide a date that meets reasonable and fair expectations of data subjects.

Your data subjects will know whether it's fair because you are encouraged to publish your data retention policy.

The University of Limerick publishes a complete Records Management and Data Retention Policy which covers all the data it stores.

The complete schedule includes each type of data the university collects and stores. It then includes a default retention period and then identifies how it deletes the data when required (See page 6 of the PDF linked above):

University of Limerick Records Management and Retention Policy: Screenshot of Records Retention Schedule

As public body, the University of Limerick is held to higher standards, but the way it breaks down the data retention policy provides a useful example of how to design your own policy. It is useful because it encompasses the two pronged approach: anonymization and erasure.

Additionally, you should reference your commitment to data storage limits and your Data Retention Policy within your Privacy Policy or Data Protection Policy so users know it exists.

Principle 6: Integrity and Confidentiality

Principle 6: Integrity and Confidentiality

Article 5(1)(f) says that your data should be:

"Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures."

The first few principles also related to security, but each did so indirectly. For example, data minimization practices lower data subjects' risk of exposure in the event of a data breach.

To understand the principle, you must look at additional sections of the GDPR, namely Article 32.

Designing GDPR-Compliant Security Mechanisms

Principle 6 wants you to prevent data breaches to the best of your technological ability.

Before looking at the minimum requirements, you must first understand that the GDPR believes in the principles of data protection by design and data protection by default.

Data protection by design refers to a design structure that builds privacy features and technologies into your project from inception (or the initial design). An example of data protection by design is adding sufficient encryption to your data from the beginning.

Data protection by default refers to adding the appropriate measures to ensure that you only process the data required for each purposes of processing. In other words, you should build in the privacy protection features as a standard. That means following the data minimization principle (Principle 3) as well as adding the appropriate technical data protection procedures like encryption and anonymization.

What does the GDPR expect within these standards?

Article 32 provides an overview of what's required for the security of processing. It notes the following measures specifically:

  • Encryption
  • Pseudonymization
  • Methods for ensuring the "ongoing confidentiality, integrity, availability and resilience" of systems
  • Methods for restoring access to data in the event of a breach of incident
  • Methods for testing, assessing, and evaluating measures to ensure security

You also need to share your commitment to security with your European data subjects.

There's no need to give the game away and provide a step-by-step guide to your security processes. Mentioning that you comply (in addition to following the steps in practice) is often enough.

It's also a good idea to note that there's always a risk of a breach even when you use the appropriate security measures. The statement reduces your liability in the event of an issue.

Caffe Nero provides a short and sweet example of a security statement within its Privacy Policy:

Caffe Nero Privacy Policy: Our Security Measures and Information About When We Delete Data clause

Note how it ends with a statement that there's no guarantee to security.

Surprise: Principle #7

Surprise: Principle #7

Officially, there are six principles listed under Article 5(1). Article 5(2) works as a bonus principle and refers to accountability.

It says, "The controller shall be responsible for and be able to demonstrate compliance with paragraph 1 (accountability)."

Following the accountability principle is simple if you comply with six official principles, particularly because Principle 1 requires accurate record keeping for compliance.

Ultimately, the principle reiterates that the data controller is the party most responsible for GDPR compliance. That means that if you hire data processors, you are responsible for ensuring they process the data you provide within the limits of the law.

It also means that if something goes wrong, you - the data controller - are on the hook.

Remember that a confirmed GDPR violation comes with previously unprecedented fines. If you knowingly and willingingly infringe upon the law, you could face the highest tier of fines.

Summary

The GDPR is both vague and complicated, but what it expects from you is fairness, transparency, and accountability.

If you process data in a way that embraces using only the minimum amount of accurate data for processes that your customers would expect, then you should remain on the right side of the law.

For many, complying with the privacy principles will mean creating, testing, and implementing new measures to ensure that you only collect and store the data you need right now. However, doing so will not only keep you clear from devastating GDPR fines, but it will improve your relationship with customers who are increasingly wary of the threat of data privacy infractions.

Don't forget to document your privacy initiatives both for reporting to regulatory bodies and the government but also for sharing within your Privacy Policy and other legal documents.

Article categories
Nicole Olsen

Legal writer.