The GDPR Processing Principles

Underpinning the General Data Protection Regulation (GDPR) is a set of governing principles. These processing principles are designed to guide organisations, helping them to understand the right way to protect individuals' rights.

Data protection law has traditionally established core principles that govern all processing of personal data. Think of these as the fundamental building blocks upon which the regulation is built.

If you are familiar with the UK Data Protection Act, you are likely to be familiar with most of these concepts already, as the GDPR principles are broadly the same.

The principles govern how data should be processed. For processing of personal data to be compliant, organisations must demonstrate that they are following the principles.

The accountability principle is the exception, relating to the behaviour of processing organisations instead of the processing activities themselves.

The GDPR core principles are as follows:

Lawful, fair and transparent - Data must be processed lawfully, fairly and in a transparent manner. Organisations must be open and honest about what data they collect, why they process it and how that relates to the law. Organisations must communicate their lawful basis for processing to people whose data is being processed.

Purpose limitation - Personal data must be used for the purpose for which it was gathered and not then processed for other undeclared purposes.

Data minimisation - Personal data collected must be relevant to the processing and limited to what is necessary for the processing.

Accuracy - Personal data must be kept up to date and maintained. Inaccurate data must be corrected, put beyond use or deleted.

Storage limitation - Personal data must not be kept for longer than necessary.

Integrity and confidentiality - Personal data must be processed in a manner that ensures that it is kept confidential, protected from unlawful access and safeguarded against loss or corruption by malicious or accidental means.

These principles apply to all data processing activities within the scope of the regulations.

In addition to the core principles, there is an entirely new accountability principle, which means that organisations that process personal data must be able to demonstrate that they are in compliance with the regulations. This means that the emphasis is on all data users to understand their processes and have adequate policies, procedures and supporting documentation to show that they understand and are following the regulations. This applies equally to data processors and data controllers.
