GDPR can appear to be somewhat of a minefield. However, there are 6 principles of GDPR that, if you follow them, you won’t be going far wrong. What are the 6 principles of GDPR?
The six core principles of GDPR
- Data collected must be for “SPECIFIC” and “EXPLICIT” purposes.
- Data must be “ACCURATE” and “MAINTAINED”.
- Data must only be “RETAINED” for how long it is needed.
- Data must be PROCESSED LAWFULLY, transparently and fairly.
- Data must be processed securely and you must be able to prove this.
- Data held must be adequate, relevant and limited to what is needed.
1. Data collected must be for “SPECIFIC” and “EXPLICIT” purposes.
Data that is collected should be for specific purposes that are clearly outlined. For example, taking a customer’s address to be able to fulfil their order, or taking contact details to be able to respond to a customer’s query.
2. Data must be “ACCURATE” and “MAINTAINED”.
This one is not as straightforward, but it essentially means that, as far as possible, only accurate information is collected and that this data is maintained. For example, if you take a customer’s email address and they have given permission to receive a newsletter, and they later revoke their permission to be emailed, this should be updated on their records.
3. Data must only be “RETAINED” for how long it is needed.
Quite straightforward. If you need to take information from a customer, for example their name and phone number, to inform them when an item is back in stock, you should not hold onto this for years once it is no longer needed.
4. Data must be PROCESSED LAWFULLY, transparently and fairly.
When processing any data, it should be done in line with the law and fairly. You should also be fully transparent with the person the data belongs to as to how their data is used. For example, if you take someone’s data to process a credit application, they should be fully aware that you are processing a credit application on their behalf. You should also advise them that this will show up on their credit report and could have an impact on their score.
5. Data must be processed securely and you must be able to prove this.
Data that you take should be stored securely and processed securely. For example, if you are taking payment details from a client online, then this should be over a secure, encrypted connection (HTTPS, i.e. SSL/TLS) and not over a plain-text connection (HTTP).
6. Data held must be adequate, relevant and limited to what is needed.
This is similar to point three, which is about only holding onto data for as long as it is relevant. If you need to take personal data, then only take what is needed to action what needs to be actioned. For example, if you need to take an address for delivery, you don’t need to take their National Insurance number to make the delivery; therefore you have no reason or need to take this data. It is not relevant.
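Points three and six translate directly into a retention-and-minimisation check that a system can run over its stored records. The following is an added example, not code from the original post: it assumes a small per-purpose policy (which fields a purpose may hold and for how long) with constructed values, and it both strips fields a purpose does not justify (such as a National Insurance number on a delivery record) and flags records for erasure once their retention window has passed or the person has withdrawn consent.

```python
from datetime import datetime, timedelta, timezone

# Constructed policy (an assumption for this example): for each purpose, the
# fields that purpose justifies holding and how long they may be kept.
# max_age_days=None means "until consent is withdrawn" (e.g. a newsletter).
RETENTION_POLICY = {
    "delivery":    {"fields": {"name", "address"}, "max_age_days": 90},
    "stock_alert": {"fields": {"name", "phone"},   "max_age_days": 30},
    "newsletter":  {"fields": {"email"},           "max_age_days": None},
}


def minimise(record, policy=RETENTION_POLICY):
    """Return a copy of `record` holding only the fields its purpose permits,
    plus the list of field names that were dropped."""
    allowed = policy[record["purpose"]]["fields"]
    kept = {k: v for k, v in record["data"].items() if k in allowed}
    dropped = sorted(set(record["data"]) - allowed)
    slim = {
        "id": record["id"],
        "purpose": record["purpose"],
        "collected_at": record["collected_at"],
        "consent": record.get("consent", True),
        "data": kept,
    }
    return slim, dropped


def is_expired(record, now, policy=RETENTION_POLICY):
    """True when the record has outlived the retention window for its purpose,
    or when the person has withdrawn consent for a consent-based purpose."""
    if not record.get("consent", True):
        return True
    max_age = policy[record["purpose"]]["max_age_days"]
    if max_age is None:
        return False
    return now - record["collected_at"] > timedelta(days=max_age)


def apply_policy(records, now, policy=RETENTION_POLICY):
    """Split records into (minimised records to keep, ids to erase)."""
    keep, erase = [], []
    for record in records:
        if is_expired(record, now, policy):
            erase.append(record["id"])
        else:
            slim, _ = minimise(record, policy)
            keep.append(slim)
    return keep, erase


# Constructed sample records; all timestamps are timezone-aware UTC.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    # Delivery record that was over-collected: the NI number is not needed.
    {"id": 1, "purpose": "delivery",
     "collected_at": datetime(2024, 5, 15, tzinfo=timezone.utc),
     "data": {"name": "A. Customer", "address": "1 High St",
              "national_insurance": "QQ 12 34 56 C"}},
    # Back-in-stock alert collected 92 days ago: past the 30-day window.
    {"id": 2, "purpose": "stock_alert",
     "collected_at": datetime(2024, 3, 1, tzinfo=timezone.utc),
     "data": {"name": "B. Customer", "phone": "01234 567890"}},
    # Newsletter subscriber who has withdrawn consent.
    {"id": 3, "purpose": "newsletter", "consent": False,
     "collected_at": datetime(2023, 1, 1, tzinfo=timezone.utc),
     "data": {"email": "c@example.invalid"}},
    # Newsletter subscriber with consent still in place.
    {"id": 4, "purpose": "newsletter", "consent": True,
     "collected_at": datetime(2023, 1, 1, tzinfo=timezone.utc),
     "data": {"email": "d@example.invalid"}},
]

if __name__ == "__main__":
    kept, to_erase = apply_policy(SAMPLE_RECORDS, NOW)
    for r in kept:
        print("keep", r["id"], r["purpose"], sorted(r["data"]))
    print("erase", to_erase)
```

Running it keeps records 1 and 4 (with the National Insurance number stripped from record 1) and marks records 2 and 3 for erasure. In a real system the `erase` list would drive the deletion job, and the policy table would be the documented retention schedule rather than a constant in code.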
Finally, the essence of GDPR
The essence of GDPR is: you only take the data that’s required, it’s used only for the reason it was taken, you are transparent and secure about how you use the data, and you only keep hold of it for as long as is needed.
In short: reduce the amount of private data you hold, make sure it’s secure, and destroy it when it’s no longer required.
As long as you follow the core principles, and are transparent about your use of data, you are in a reasonable GDPR shape.
More information on GDPR is available on the ICO website.
Side note: I am not legally trained; if you have any questions about GDPR I would recommend you seek professional legal advice.