The General Data Protection Regulation (GDPR), which was implemented into United Kingdom (UK) law by the Data Protection Act 2018, sets out data protection principles that data controllers must comply with. They are as follows:
- The data minimisation principle – The data you process should be adequate and sufficient to fulfil your stated purpose. It should also be relevant to that purpose and limited to only what is necessary.
- The accuracy principle – You should make sure that the data you hold is correct and not misleading. You may need to update the data you hold. If you discover that any of the data is incorrect or misleading, you should then correct or erase the data as early as possible. The accuracy principle is clearly linked to an individual’s right to rectification.
- The storage limitation principle – You should not keep data for longer than you need it. You should be able to justify the length of time you keep the data, which will depend on your purpose. You should state the retention periods in a policy and regularly review the data you hold, anonymising or erasing it when it is no longer needed. Data subjects have a right to erasure. Personal data can be kept for longer if it is for scientific/historical research, archiving, public interest, or statistical purposes.
- The integrity and confidentiality principle – You need to make sure you have appropriate and adequate security measures to protect the data you hold. Failure to comply with this principle can result in substantial financial penalties; larger companies fined for data breaches caused by inadequate security are often in the news.
- The accountability principle – You must take responsibility for what you do with data and how you comply with the other principles. You must have appropriate measures and records to be able to show your compliance.