The six principles are found in article 5 of the GDPR regulation and aim to drive compliance. Businesses should use them as a guide to best manage personal data. Through adhering to these principles, businesses are positioned to handle personal data in a more compliant manner.
They succeed the principles outlined in the EU Data Protection Directive 95/46/EC (DPD), so may look familiar to those who already comply with this directive. However, the scope of the DPD and the GDPR differ greatly, so more is needed to be compliant.
They look at how to process personal data within the law, fairly, transparently and for a specific purpose. How to limit the use of personal data and how to securely store, process and remove personal data. Additionally, the necessity to keep personal data that you process accurate at all times. Finally, the requirement to demonstrate your compliance with all of the above.
When considering these 6 privacy principles it becomes clear that encryption has a primary role to play to achieve them, to be compliant with the regulation as well as to show accountability.
The 6 GDPR privacy principles
- Lawfulness, fairness and transparency
The GDPR emphasises this principle as a core principle whereas the DPD, instead, touches on it as a consideration.
Personal data must be processed lawfully, fairly and transparently with regards to the data subject (the person who the data belongs to).
- To do this lawfully, the processing must meet the criteria for lawful processing as laid out in the GDPR.
- To achieve this fairly, the data processed must correlate with how it has been described.
- To be transparent, the data subject must be informed of what, how and why their data will be processed
Small print will no longer do! But rather, targeted techniques ensuring the issues and risks are highlighted. This gives genuine control and choice to the data subject and equates, to be transparent and fair.
- Purpose limitations
Personal data can only be collected for specified, explicit and legitimate purposes. This data can only be used for those described purposes and no other purposes without further consent first received.
The DPD reflects this principle in a similar way. However, the GDPR widens the scope by allowing processing of other categories such as: processing for public interest and scientific purposes.
- Data minimisation
Only collect the personal data that is necessary for the purpose of the business function. If you don’t need it, don’t collect it-ever! The data needs to be adequate, relevant and limited to what is necessary for the processing purposes. This plays an adjacent role with purpose limitation too (principle number 2).
Personal data must be kept accurate and current. The necessary steps must be taken to achieve this. No inaccurate data should be kept and any errors in data should be rectified as soon as they become known.
The DPD requires the same criteria, though the GDPR develops on this to include that the erasure or rectification of inaccurate personal data must be done without delay.
- Storage limitation
Do not retain the data if you no longer require it for the purposes defined and agreed for processing. Securely remove the data when it is no longer necessary. Do not store personal data that you no longer use!
- Integrity and confidentiality
Integrity, confidentiality and availability are fundamental to security! The confidentiality and integrity of the personal data must always be maintained. Access must also be controlled to achieve this.
The necessary organisational and technical measures must be used to achieve principle number 6. The personal data must be appropriately protected (encryption is a technical measure to achieve this).
Additionally, measures must be taken to protect against unlawful processing, accidental loss as well as the destruction or damage of personal data.
These are core values in the DPD as well.
Accountability and compliance
This is one of the areas that make the GDPR stand out from the present DPD and causes serious implication (and headaches!) if it is not achieved. Not only do you need to ensure compliance with the above 6 principles, you must be able to demonstrate this compliance too.
With the GDPR it needs to be shown that you are complying. Accountability must be fed from the top down and embedded in the organisation. This means that data needs to be protected and compliance maintained wherever the data goes and at each stage of processing (external, internal, across borders and jurisdiction, with third parties). Additionally, all decisions taken must be documented to prove accountability.
This requires organisations to have processes in place to achieve accountability which will be different for each organisation.
The accountability principle also complements the transparency requirements of the GDPR.
Encryptions role in addressing the privacy challenge
Firstly, encryption is a technical measure to achieve the integrity and confidentiality of personal information (principle 6). If the data is encrypted it remains confidential and keeps its integrity, even if it falls into the wrong hands.
The GDPR demands securing of personal information. Technical measures must be taken to ensure personal data is always protected. This means that it should be processed pseudonymously or in an encrypted form wherever possible. All forms of data and processing must be considered and they all need to be protected, whenever personal data is processed, communicated or shared.
This emphasises the importance of data-centric technical measures, where the data itself is protected, not the systems or devices. The data needs to stay secure irrespective of where it travels or who receives it. Data movement could be local (within your network) but it could also involve movement across geographical borders and into other jurisdictions. This is now commonplace as cloud computing is more utilised and businesses work in a mobile manner and have global reach. The data must still be protected-no matter what! If the data is accidentally shared with the wrong individual (or team of individuals!) or stolen with malicious intent. In all instances, the data should be secure so that there is no risk of harm to the data subject.
To protect against unlawful processing, accidental loss, as well as the destruction or damage of personal data, encryption is key. If data is encrypted and it is breached, through loss, theft or destruction, there is no risk to the data subject as the data is unusable in the encrypted form.
When data needs to be transferred to a data subject or to another provider on request from the data subject, this needs to be done in a secure manner. Thus, once again, encryption is essential! Additionally, when data needs to be removed (principle 5) it must be done in a secure manner-again encryption is required.
Another fundamental area is access control. The security of data also depends on the ability to control the access to it.
So, encryption keeps data confidential and private. It ensures its integrity. It protects against the unlawful processing, accidental loss and damage to personal data. It ensures secure communication, transfer, sharing, storage and collaboration. Encryption combined with authentication and proper access control enables businesses to protect their data appropriately and address the privacy and security challenges.
The GDPR aims to protect the rights of the data subject and if their personal data is encrypted the impact of a breach is drastically reduced for those individuals (and the organisation). The risk of harm to the individual is minimised and even removed.
With appropriate solutions, businesses can implement the guidelines and meet their compliance requirements
Businesses should revise their internal policies and procedures to ensure compliance. Adaptations to the to the regulation means that the organisation will need to update their current compliance procedures as current practices will not cover the new scope completely. Do not make the mistake and think that if you are compliant with the DPD that you will automatically be compliant with the GDPR. The likelihood is that you won’t, adjustments will need to be made.
The six principles are further refined to correlate with advancements in technology that were not around when the DPD was enacted. Privacy requirements are better protected under the GDPR. Additionally, the principles take into account data processing methods that have changed over time or did not exist when the DPD was devised.
Encryption, access control and authentication have a primary role to play in protecting the privacy rights of the data subjects, also your organisations brand and reputation. It is an essential technical measure to help achieve GDPR compliance.