The 7 Principles of Data Protection-GDPR

1) Lawfulness, fairness, and transparency

This principle requires organizations to process personal data lawfully, fairly, and in a transparent manner.

  1. Lawfulness: This refers to the quality or state of being in accordance with the law. It involves adhering to the rules, regulations, and statutes that govern a particular jurisdiction. Actions or behaviors that are lawful are those that do not violate established laws and regulations.
  2. Fairness: Fairness pertains to the quality of being just, equitable, and impartial. It involves treating individuals or groups without bias, discrimination, or favouritism. Fairness is often considered a fundamental principle in various aspects of life, including legal proceedings, business transactions, and interpersonal relationships.
  3. Transparency: Transparency refers to the openness, accessibility, and clarity of information, processes, and actions. It involves providing accurate and easily understandable information to stakeholders so that they can make informed decisions and understand how decisions are reached. Transparent practices help build trust and accountability in various contexts, such as government, business, and organizations.

2) Purpose limitation

This principle requires organizations to process personal data only for specified, explicit, and legitimate purposes.

Purpose limitation entails that personal data should be collected and processed only for specific, explicit, and legitimate purposes. These purposes must be determined before the data is collected, and data controllers must ensure that the collected data is not used for any other purposes that are incompatible with the original intent.

In practical terms, this means that organizations must clearly communicate the reasons for collecting personal data to individuals and obtain their consent for each specific purpose. If an organization wishes to use the data for a new purpose, they may need to seek additional consent or ensure that the new purpose is compatible with the original one.

3) Data minimization

This principle requires organizations to collect only personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

  • adequate – sufficient to properly fulfil your stated purpose;
  • relevant – has a rational link to that purpose; and
  • limited to what is necessary – you do not hold more than you need for that purpose.

4) Accuracy

This principle requires organizations to keep personal data accurate and to take reasonable steps to ensure that inaccurate personal data is erased or rectified.

Alongside accuracy, GDPR requires organizations to implement appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of personal data. Accuracy is an important aspect of data protection, as inaccurate or outdated personal data can lead to privacy breaches and other issues.

5) Storage limitations

This principle requires organizations to keep the data in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

  1. Storage Limitation Principle: The GDPR's Article 5(1)(e) outlines the principle of "storage limitation," which states that personal data should be kept in a form that allows identification of individuals for no longer than is necessary for the purposes for which the personal data is processed.
  2. Data Minimization: This principle emphasizes that organizations should only collect and retain personal data that is necessary for the specific purpose for which it was collected. Once that purpose is fulfilled, the data should be deleted or anonymized.
  3. Retention Periods: Organizations should establish clear retention periods for different types of data they process. These retention periods should be based on the purpose of data processing, legal requirements, and any other relevant factors.
  4. Lawful Basis: Organizations must have a lawful basis for processing personal data, and this lawful basis should also apply to the duration for which the data is stored.
  5. Individual Rights: Under GDPR, individuals have the right to request the erasure of their personal data (the "right to be forgotten") if the data is no longer necessary for the purpose it was collected.
  6. Data Security: While not directly related to storage limitation, data security is closely tied to GDPR compliance. Organizations are required to implement appropriate technical and organizational measures to ensure the security of personal data.


6) Integrity and confidentiality

This principle requires organizations to ensure the appropriate security of personal data and protect it against unauthorized or unlawful processing, security incidents, or personal data breaches.

Principle (f) covers:

  • integrity; and
  • confidentiality (security).


7) Accountability

This principle holds organizations responsible for the protection of personal data. Organizations must be able to demonstrate compliance with the applicable legal requirements.

Key aspects of accountability under GDPR include:

  1. Data Protection Policies and Procedures: Organizations must establish and maintain clear data protection policies and procedures that outline how they handle personal data, including data processing activities, data retention, and data subject rights.
  2. Data Protection Impact Assessments (DPIAs): Organizations are required to conduct DPIAs for high-risk processing activities. A DPIA assesses the potential impact of data processing on individuals' privacy and helps organizations identify and mitigate risks.
  3. Appointing a Data Protection Officer (DPO): Some organizations are required to appoint a Data Protection Officer who oversees data protection efforts and acts as a point of contact for data subjects and supervisory authorities.
  4. Record-Keeping: Organizations must maintain records of their data processing activities, which include details about the purpose of processing, categories of data, recipients, and safeguards.
  5. Data Breach Notification: Organizations must have processes in place to detect, report, and investigate data breaches. In the event of a breach, they are required to notify the supervisory authority and, in some cases, affected individuals.
  6. Cross-Border Data Transfers: When transferring personal data outside the European Economic Area (EEA), organizations must ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or other approved mechanisms.
  7. Vendor Management: Organizations are accountable for the data processing activities of their third-party vendors or processors. Contracts with these vendors should outline data protection responsibilities.
  8. Training and Awareness: Organizations should provide training to employees on data protection and privacy matters to ensure that staff members are aware of their responsibilities.
  9. Privacy by Design and Default: Organizations are encouraged to integrate data protection measures into their products, services, and business processes from the outset ("privacy by design") and to ensure that only necessary personal data is processed ("privacy by default").
  10. Cooperation with Supervisory Authorities: Organizations must cooperate with supervisory authorities and provide them with the necessary information to demonstrate compliance.



Chan Bath eAge Technologies India Pvt Ltd