• eScrap Beat

The New EU General Data Protection Regulation: 7 Principles to Govern Data Collection Practices

The necessity for securing and protecting customer data is the driving force behind the EU’s recent General Data Protection Regulation (GDPR) that went into effect on May 25. The questions surrounding the new EU directives is exactly how organizations will implement securing their data and what to expect when it comes to GDPR enforcement.

Additionally, some regulations are left up to interpretation as to how organizations should design their data protection and destruction strategies. Everyone’s approach towards compliance will probably be different for, even though the end result must be the same. The legislation is made up of seven key principles (all carrying equal weight), which will replace the eight rules that make up the existing, historically ambiguous directives. Under the new legislation, data processing and destruction must include:
  1. Lawful, fair and transparent processing – This principle emphasizes transparency for all EU data subjects. When the data is collected, it must be clear as to why the data is being collected and what the data will be used for. Organizations also must be willing to provide details surrounding the data processing when requested by the data subject. For example, if a data subject asks who the data protection officer is at that organization or what data the organization has about them that information needs to be made available.

  2. Purpose limitation – This principle means that you need to have a lawful and legitimate purpose for processing the information in the first place. Consider all the organizations who make you fill out a form with 20 fields, when all they would need to sell you that gadget is your name, email, shipping address and maybe a phone number in case they need to get ahold of you. Simply put, this principle says that organizations shouldn’t collect any piece of data that doesn’t have a specific purpose, and those who do can be out of compliance.

  3. Data minimization – This principle instructs you to ensure the data you are capturing is adequate, relevant and limited. In this day and age, businesses collect and compile every piece of data possible on you for various reasons, such as understanding customer buying behaviors and patterns or remarketing based on intelligent analytics. Based on this principle, organizations must be sure that they are only storing the minimum amount of data required for their purpose.

  4. Accurate and up-to-date processing – This principle requires data controllers to make sure information remains accurate, valid and fit for purpose. To comply with this principle, the organization must have a process and policies in place to address how they will maintain the data they are processing and storing.

  5. Limitation of storage in the form that permits identification – This principle discourages unnecessary data redundancy and replication. It limits how the data is stored and moved, how long the data is stored, and requires the understanding of how the data subject would be identified if the data records were to be breached. To ensure compliance, organizations must have control over the storage and movement of data. This includes implementing and enforcing data retention policies and not allowing data to be stored in multiple places.

  6. Confidential and secure – This principle protects the integrity and privacy of data by making sure the data is secure. An organization that is collecting and processing the data is now solely responsible for implementing the appropriate security measures that are proportionate to the rights and risk of the individual data subjects. Negligence is no longer an excuse under GDPR, so organizations must protect the data from those who are either negligent or malicious.

  7. Accountability and liability – This principle ensures that an organization can demonstrate to the governing bodies that they have taken the necessary steps comparable to the risk their data subjects face. For example, GDPR requires organizations to respond to requests from a data subject as to what data is being held on them and promptly remove that data, if desired.

eScrap Beat Main

Have Questions?