Stay Legal UK

The Principles of Data Protection

talking about personal data

The General Data Protection Regulation (GDPR), which forms part of United Kingdom (UK) law alongside the Data Protection Act 2018, sets out seven data protection principles that data controllers must comply with. They are as follows:

  • The lawfulness, fairness, and transparency principle – Lawfulness: there are six lawful bases for processing personal data as set out by the GDPR, and you must identify one before you start processing. Fairness: you should handle data in a way that people would reasonably expect and not use it in a way that has an unjustified adverse effect on the individual. If you deceive or mislead the individual when you collect the data, the processing is likely to be unfair. Transparency is fundamentally linked to fairness: you need to be clear, open, and honest with the individual about who you are, and how and why you use their data. Fairness and transparency are largely delivered through your privacy notice (privacy policy), which should also state the lawful basis for each purpose of processing.
  • The purpose limitation principle – You must be clear about your purposes for processing and must not use the data for a new purpose that is incompatible with the original one. Your purposes should be recorded to comply with your documentation obligation, and they should also be included in your privacy notice to comply with the transparency principle.
  • The data minimisation principle – The data you process should be adequate (sufficient to properly fulfil your stated purpose), relevant (with a rational link to that purpose), and limited to what is necessary for it. Collecting data "just in case" it might be useful later does not meet this principle.
  • The accuracy principle – You should make sure that the data you hold is correct and not misleading, and you may need to update it as circumstances change. If you discover that any of the data is incorrect or misleading, you should correct or erase it as soon as possible. The accuracy principle is closely linked to an individual's right to rectification.
  • The storage limitation principle – You should not keep data for longer than you need it. You should be able to justify the length of time you keep the data, which will depend on your purpose. You should state retention periods in a policy and regularly review the data you hold so that it is anonymised or erased when it is no longer needed. Data subjects also have a right to erasure. Personal data can be kept for longer where it is processed solely for archiving in the public interest, scientific or historical research, or statistical purposes, provided appropriate safeguards are in place.
  • The integrity and confidentiality principle – You need appropriate technical and organisational measures to protect the data you hold against unauthorised or unlawful processing and against accidental loss, destruction or damage. This is the principle most directly concerned with information security, and failure to comply with it can result in substantial financial penalties. It is often in the news when a large company is fined for a data breach caused by inadequate security.
  • The accountability principle – You must take responsibility for what you do with data and for how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance.
