The 6 principles of GDPR that will affect your business
In our last article, we gave you a short intro to the General Data Protection Regulation. This time we’re going to delve a bit deeper, finding out exactly what the principles of the regulation mean to your business. We’ll also give you some handy tips along the way to help you comply with the new law.
Principle 1 – Lawfulness, fairness, and transparency
The first principle in the regulation is all about handling your customer’s personal data in a fair and honest way. There should be something on your website that a person can read explaining what type of data you collect, why you collect it and how you plan to use it. This information would usually be included in your privacy policy.
Here’s a list of information that you should include in your privacy policy:
- Your business’s contact details
- Reasons for collecting and using personal data
- Any 3rd parties that you work with
- Details of your retention periods
- Your customers rights (including right to withdraw consent and right to lodge a complaint)
But we know most people don’t read the terms & conditions or the privacy policy when they’re signing up to a service or buying a product. This could be because it’s too long and they don’t understand what it actually means. The GDPR looks to tackle this problem once and for all by requiring companies write their policies in a clear and understandable way… This means no more lawyer jargon!
Principle 2 – Purpose limitation
The second principle talks about only using someone’s personal data for reasons that they have agreed to. This is pretty simple in theory but can be a little complicated in practice. There’s a few additional rules surrounding this, but the main way to guarantee that you’re using their data properly is to have them provide you with consent. This usually means having them read and agree to your policies before they provide you with their data. We’ll go into the specifics of consent in the next article.
Not only must you obtain their consent, you must also store the date, time and wording that they consented to!
Principle 3 – Data minimisation
The third principle is similar to the second and talks about only gathering the data that you really need in order to carry out the task at hand. E.g. There’s no reason to collect the person’s previous 5 addresses if 1 is all you need to carry out the job.
That may be a bit of an extreme example, but you should look at the data you collect from people and decide if you’re recording anything that isn’t actually necessary, or that could be left out and wouldn’t cause any problems.
Keeping the amount of data that you hold to a minimum means that in the case of a breach of your systems, the unauthorised individual will only have access a small amount of data rather than a full profile of a person.
Are you aware that Sponge also offer GDPR compliance training for your employees?
Principle 4 – Accuracy
The fourth principle is very straightforward. Data must be accurate. If it’s not accurate you must try to update it. If that’s not possible then it should be anonymised/deleted.
There’s a chance that you won’t know if data is accurate or not, but this can be partly addressed by your retention policy, mentioned in principle 5.
Principle 5 – Storage limitation
The fifth principle talks about only storing personal data for as long as you need it and deleting it after that point. It makes sense to get rid of someone’s personal data if you don’t require it anymore. The GDPR requires that businesses create a retention policy that explains which types of data will be removed and the criteria for deletion.
You should include the details of your retention policy and deletion schedules on your website’s privacy policy.
Look at the type of data you store. You’re running a subscription service and a customer chooses to unsubscribe. You now need to decide what to do with their data. It’s fair to say that deleting their data straight after they unsubscribe might be an overreaction as they may decide to re-subscribe in a few months, and it’s handy to have all of their details stored to save them time in the future. However, if they’ve been inactive for a year, they’re unlikely to subscribe any time soon. This could be a reasonable time to delete their data.
You don’t always have to delete their data. Imagine that in the scenario above, you’re holding financial records of payments the customer made when they were a subscriber. Deleting them means that you’d lose these too… but you may be required to keep the financial records for accounting purposes. Instead, you could anonymise their data. As long as the data doesn’t identify an individual, this should satisfy the criteria of the GDPR.
Principle 6 – Integrity and confidentiality
The sixth principle is all about security of the personal data that you hold. Security is more than just getting hacked, it covers loss and unauthorised use of data as well. Technical security is important, making sure that only authorised people have access to the data and strong passwords are used. There should also be policies in place to review the security of the data on a regular basis and make updates if required.
Failing to secure the data that you hold can incur massive fines for your company. If the data is stolen and someone suffers damage to their freedoms or rights (such as identity theft), you could be looking at penalties of €20,000,000 or 4% of your global turnover!
Summary
These 6 principles make up the backbone of the GDPR and its vital for your company to understand them in order to comply with the regulation. The next article in this series will be focused around the concept of consent, explaining why it’s required and the best techniques to obtain it from your customers.