The Six Data Protection Principles
The principles help us to think properly about the data that we are collecting and then take action in the right direction. They force us to think proactively about the data we are collecting, storing and using.
- Lawfulness, fairness and transparency
Data is processed in a lawful, transparent and fair manner. The identity of controllers and the purposes of the processing are disclosed. You have the individual consent of the data subject and the data you collect is necessary for the purpose.
- Purpose limitation
- Data minimisation
Data is not used for unnecessary or unrelated means. It is collected for a specific purpose and only as long as it is needed.
Data is kept up to date and corrected or deleted if inaccurate. Have a process for checking data and collecting it only when you need it and not beforehand.
- Storage limitation
- Integrity and confidentiality
Data is protected against unauthorised or unlawful storage, processing, destruction and damage. This requires secure storage of data and training staff to securely maintain and share data. This will include areas like encryption and regular checking that the data is secure.
- New principle: International Transfer
If the data is being stored outside of the EEA, you need to check that the data is securely stored and encrypted.
- New principle: Accountability
The Data Controller is responsible for compliance and accountability with the principles of GDPR and must be able to demonstrate its compliance with them.
By complying with the six (well, eight actually) principles above, you will be sure to put proper thought and due diligence into your data collection, storage and processing. This, in turn, will mean you are managing data that is truthful, correct, current and secure.
Data Subject rights
What is a data subject? A natural person, i.e. you! You have rights. Each data subject has the following rights:
- Right of access
Allows you access to personal data being stored about you and also to know if that data is being processed.
- Right to rectification
Allows you to rectify without any undue delay your inaccurate personal data.
- Right to object
Allows you to prevent controllers from further processing your personal data (as long as there are no compelling legitimate grounds for continuing it).
- Right to the restriction of processing
Allows you to prevent controllers from processing your personal data while either correcting or updating information about you.
- Right to erasure
Simply put, this is the right to be forgotten. You can request your data to be removed immediately. There are exceptions to this covered under Article 17 GDPR.
- Right to data portability
Allows you to directly transmit your personal data from one controller to another. There are exceptions to this covered under Article 20 GDPR.
Every natural person has the right to lodge a complaint with a Supervisory Authority and seek compensation against a Data Controller or Processor (only if the Processor has acted outside or contrary to the lawful instructions of a Controller). Compensation is considered if you have suffered material or non-material damage as a result of an infringement of the GDPR.
What if your business is pickle in the middle?
Trainers, VAs, Sub-contractors, OBMs, Project Managers, Associates, Consultants – the list is endless really.
Chances are that if you work with a client, they will be the Data Controller and you will be the Data Processor. From May 25th, there must be a contract in place. If you work with associates and sub-contractors, they will also be Data Processors, but the onus will be on you to ensure that they comply with GDPR.
First things first, you need to ensure your contracts are effective in both directions – that with your clients and that with any associates or sub-contractors you hire who will have access to your clients’ data. Then you need to educate yourself on Supervisory Authorities and the European Data Protection Board and how they apply to you. Further guidance on both is provided in my comprehensive Guide to GDPR.
If you would like further in-depth information on the GDPR please feel free to download my comprehensive Guide to GDPR. You will also receive limited follow-up support and gain access to a DATA AUDIT WORKBOOK, a CONSENT CHECKLIST and a GDPR CHECKLIST.
Please note: The GDPR series of articles on this blog does not promise to be either a full synopsis or full interpretation of the GDPR. Indeed I have simply taken the most important aspects of the GDPR I feel are relevant to the small business owner. Everything you read online about the GDPR will be some kind of an interpretation, synopsis or summary of the GDPR. Unless, of course, you read the full text itself.