Under the new data protection regulation (GDPR), six privacy principles apply to all kinds of data processing activities, and each of them is the basis of the privacy rules. Indeed, when it comes to assessing the compliance of a data processing activity with the GDPR, it is necessary to check whether each principle is applied correctly.
Being familiar with the privacy principles also helps in understanding the other requirements under the GDPR, such as the implementation of policies, the obligation to perform a data protection impact assessment or to provide an information notice to individuals, etc.
Below is a description of each privacy principle and how it should be applied in practice.
Principle 1: Lawfulness, fairness and transparency
“Data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”
In practice, processing data lawfully means that the collection of personal data is based on a legal ground (e.g. consent, legitimate interest, performance of a contract, etc.).
To be lawful, data processing must also be fair and transparent. To this end, data subjects must be informed about the processing of their data beforehand, regardless of the applicable legal ground.
This is why drafting a privacy notice is one of the data controller’s obligations under the GDPR (see article here for more details).
Principle 2: Purpose limitation
“Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”
Prior to collecting data, at least one purpose of the processing activities should be identified. This means answering the question “what do we need the data for?” and/or “what are we going to do with it?”
Each reason why the data must be collected is a purpose of processing and each of them must be included in the privacy notice provided to the data subject prior to collecting his/her data.
It must also be checked whether these purposes are legitimate. There is not much guidance on what “legitimate purpose” means exactly. However, “legitimate” means conforming to the law, so “legitimate purpose” can be construed as a purpose that is in accordance with applicable law.
Where a controller would like to use a data subject’s data for a new purpose not intended at the time of collection, it must check whether this new purpose is compatible with the previous ones. If not, it should not process the data for this new purpose.
There is no guideline as to what constitutes an incompatible purpose, but one could argue that the data subject’s expectations should be taken into account when working out whether or not a new purpose is compatible with the initial ones.
In practice, the legal ground of the new purpose of processing may help answer the question of incompatibility.
If consent is required and obtained, it seems very unlikely that the new purpose would be considered incompatible with the initial ones, as the processing is performed with the data subject’s additional consent.
In the other cases, and more particularly where the data controller intends to rely on its legitimate interest, the incompatibility question should be answered very carefully, as the likelihood of incompatibility is higher and more risk is taken.
Scientific or historical research, archiving in the public interest, or statistical purposes are the only new purposes that do not need to pass the incompatibility test.
Principle 3: Data minimisation
“data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”
Once the purposes are defined, only the data necessary to fulfil these purposes should be collected (e.g. payment card data is not necessary to provide a free service and therefore should not be collected).
However, the boundary between what the business wants and what is necessary is sometimes unclear, and conflicts may arise.
For example, most businesses want to collect as much data as possible to perform profiling, so that they can better target their customers and sell more of their products or services. Security services want as much information as they can get about an individual in order to prevent and/or detect any security issue.
Distinguishing necessary data from unnecessary data may prove very difficult in some cases, and conflicts between stakeholders’ interests may make it harder to obtain the correct information and assess what is actually necessary.
However, specific laws, case law and authority guidance may help, and a deep understanding of the processing, current technologies and business requirements is necessary. For example, a technical reason is not considered a good reason to collect more data than is necessary to fulfil the purpose(s) of processing.
Principle 4: Accuracy
“personal data must be accurate and where necessary kept up-to date”
This principle is quite straightforward but not always easy to implement properly.
From a data controller’s perspective, “accurate” should be construed as data accurately entered into the system on the basis of the information provided by the data subject.
If a user makes a mistake or lies, it should not be the controller’s responsibility, unless otherwise required by law or depending on the kind of service provided.
In any case, if the controller is made aware that data are not accurate, it should stop using them and delete or update them (e.g. if a mail item is returned because of a change of address, the address should no longer be used to send mail or anything else).
Data subjects also have a right to ask for the deletion and correction of inaccurate data (see the individual’s rights overview here).
Where it is necessary to keep the information up to date because of the purpose of the data processing, or where required by a specific law, personal data should be kept up to date.
In practice, this could mean asking the data subject whether the data is still accurate before using it, where this is necessary (e.g. asking whether the address provided in the account is still accurate before sending a parcel).
However, and unless otherwise required by law for specific kinds of processing, keeping data up to date where necessary should not be construed as an obligation for the data controller to perform research and collect data from any source in order to ensure its database is up to date.
For example, a recruitment company is not supposed to update its candidates’ profiles by browsing LinkedIn or any equivalent professional network in order to keep its own candidate database up to date. Prior information and the candidate’s consent would be strongly recommended in this case (FYI, personal data, even when made publicly available, remain personal data and are still subject to the GDPR).
Principle 5: Storage limitation
“data should not be kept longer than necessary”
Before starting any data processing, and once all the purposes are defined, a data retention period should be worked out in order to retain data no longer than is necessary to fulfil each purpose.
This point may be difficult to settle, as working out a data retention period may be subjective and may vary from one person’s needs to another’s. However, laws and authorities’ guidelines help define data retention periods for various purposes.
Furthermore, when working out a data retention period, a distinction should be made between the active database and the archive.
For example, if a customer decided to close the online account he had with an online retailer to purchase its products or services, the online account should be deleted from the retailer’s customer database.
However, most of the information should be kept in an archive by the retailer for as long as it is necessary to comply with any legal obligation or for as long as any limitation period is running.
Principle 6: Security
Security is the easiest principle to define but the hardest principle to comply with.
Indeed, personal data must be considered confidential data and sometimes sensitive data (e.g. payment card information, special categories of data such as sexual orientation, race, etc.), given the risk taken if they were lost.
Depending on the amount of data, their sensitivity, etc., appropriate security measures should be implemented in order to keep the data secure.
If data were lost, the controller must be able to demonstrate that it had taken appropriate security measures; otherwise it may be subject to very high fines (up to 4% of the annual global turnover).
Security attacks being one of the biggest threats today, it is more and more difficult to ensure data will be kept confidential. Therefore, the controller is at least expected to have done the right things. Unfortunately, no security measure is perfect.
The privacy principles have not changed with the new data protection regulation, but any data controller must now be able to demonstrate that it complies with each of them. This is a new principle brought by the GDPR, the accountability principle, which may be complied with thanks to adequate policies and procedures.